GE PROPRIETARY & CONFIDENTIAL RELEASE V1.6.1 1 of 185
PROGRAM GOVERNANCE FRAMEWORK
GE PROPRIETARY & CONFIDENTIAL
This document, with its contents, terms and notations, is the sole property of GE and is being published to GE GDC partners to enable them to understand GE's requirements and implement mature practices that enable proactive governance and provide for a low-risk operating environment. The information contained in this document is GE PROPRIETARY & CONFIDENTIAL and is not to be used for any purpose other than the purposes for which this document is furnished by the General Electric Company, nor is this document (in whole or in part) to be reproduced or furnished to other third parties or other agencies without the explicit written approval of the GE GDC Program Office.

VIEWERSHIP RESTRICTIONS: This document is restricted to GE's Certified GDCs, GE Employees and GE Certified External Auditors on the GE GDC Program. Use of this document in any shape or form by all other parties requires explicit approval from the GE GDC Program Office.
REVISION HISTORY

Revision Date | Version / Revision No. | Type of Changes | Author
Dec 2009 | Draft | Program Maturity Model Handbook Draft | Uma Mohan
Mar 22, 2010 | Draft | Integrated inputs from Bithal | Bithal Bhardwaj, Uma Mohan
Mar 24, 2010 | Draft | Updates to Sections based on Reviews | Bithal Bhardwaj, Uma Mohan
Apr 8, 2010 | Draft V 1 | Updates to Sections based on Reviews | Bithal Bhardwaj, Uma Mohan
April 9, 2010 | Draft V 2 | Updates to Governance Maturity Model Section, Network & Systems Security, Data Security | Bithal Bhardwaj, Uma Mohan
April 12, 2010 | Draft V 3 | Updates to linkages diagrams, practice classifications, Minimum Audit Requirements for Resource Sharing practice, Contractual Management | Bithal Bhardwaj, Uma Mohan
May 3, 2010 | Draft V 3.01 | Corrections & Inclusions of Operations Management Practices | Bithal Bhardwaj, Uma Mohan
May 5, 2010 | Draft V 3.02 | Correction in SSD, NSS and DS sections | Bithal Bhardwaj, Uma Mohan
May 13, 2010 | Draft V 3.03 | Corrections to sub-requirements based on GDC inputs | Bithal Bhardwaj, Uma Mohan
May 17, 2010 | RELEASE V 1.0 | FIRST FORMAL RELEASE | Uma Mohan
January 2011 | DRAFT V 4 | Changes to handbook for 2011 incorporated | Bithal, Ting Ting, Nachiket, Uma Mohan
January 31, 2011 | RELEASE V 1.5 | VERSION RELEASED | Uma Mohan
February 15, 2011 | RELEASE 1.6 | Version release with changes | Uma Mohan
March 3, 2011 | RELEASE 1.6.1 | Incorporated weekly SSO ID reconciliation and GE email for GDC resources requirements | Uma Mohan
TABLE OF CONTENTS
1.0 Introduction .... 5
1.1 Program Governance Vision .... 5
1.2 Objectives of the Handbook .... 5
1.3 How to use this Handbook .... 6
1.4 Abbreviations, Acronyms & Terms .... 6
1.5 Roles & Responsibilities .... 8
2.0 Governance Maturity Model .... 10
3.0 Organization Process Management .... 20
3.1 Organization Governance Structure (ELEMENTARY) .... 21
3.2 Organization Policy & Process Definition (ELEMENTARY) .... 26
3.3 Organization Awareness & Training (ELEMENTARY) .... 31
3.4 Organization Process Performance Measurement (MATURE) .... 34
3.5 Internal Audits & Assessments (ELEMENTARY) .... 38
3.6 Incident Management (ELEMENTARY) .... 42
3.7 Risk Management (ELEMENTARY) .... 46
3.8 Organization Innovation & Technology Deployment (ADVANCED) .... 50
4.0 Resource Management .... 55
4.1 Non-Solicitation (ELEMENTARY) .... 56
4.2 Background Check (ELEMENTARY) .... 60
4.3 GDC Resource On-Boarding/Off-Boarding (ELEMENTARY) .... 64
4.4 SSO Id Governance (ELEMENTARY) .... 70
4.5 Sub-contractor Management (ELEMENTARY) .... 75
4.6 GE Site Contractor Management (ELEMENTARY) .... 79
4.7 Work VISA Management (ELEMENTARY) .... 83
4.8 Resource Retention Management (ELEMENTARY) .... 86
5.0 Physical Security & Safety .... 89
5.1 Environment, Health & Safety (ELEMENTARY) .... 90
5.2 Physical Security (ELEMENTARY) .... 94
6.0 Delivery Management .... 102
6.1 Secure Software Delivery (ELEMENTARY) .... 102
7.0 Network & Systems Security .... 107
7.1 Vulnerabilities Management (ELEMENTARY) .... 108
7.2 Systems Management (ELEMENTARY) .... 112
7.3 Supplier Connectivity (ELEMENTARY) .... 117
7.4 Resource Sharing (ELEMENTARY) .... 121
8.0 Data Security .... 123
8.1 Data Classification, Privacy, Confidentiality & IP Protection (MATURE) .... 124
8.2 GE Knowledge Management (ELEMENTARY) .... 134
9.0 Contractual Management .... 136
9.1 Communication & Media Management (MATURE) .... 137
9.2 Contractual Performance Reporting (ELEMENTARY) .... 141
9.3 Working for Competitors (MATURE) .... 144
10.0 Operations Management .... 147
10.1 Site Communications Infrastructure Management (ELEMENTARY) .... 148
10.2 GDC Site Management (ELEMENTARY) .... 152
10.3 Assets Governance (ELEMENTARY) .... 159
10.4 Software Governance (ELEMENTARY) .... 163
10.5 Business Divestiture Management (ELEMENTARY) .... 167
10.6 No PO, No WORK (ELEMENTARY) .... 169
10.7 Invoice & Outstanding Management (ELEMENTARY) .... 171
10.8 Business Continuity Management (MATURE) .... 174
10.9 Engagement Closure / Termination Management (ELEMENTARY) .... 179
11.0 APPENDIX .... 183
11.1 Reporting .... 183
11.2 GE Coreload .... 184
11.3 Additional Scope for External Audits .... 184
1.0 Introduction

Governance in the GE GDC Program has evolved over a period of time and has reached a stage where the basics are in place for steady GDC operations. From maintaining basic network security and workplace security, the Program has evolved to include multiple dimensions of Contractual, Information Security and Operational Security. Changing business needs, an increased focus on globalization and new technologies are leading to the emergence of innovative engagement models and new solutions, and ever-increasing threats are no longer few and far between. This changing landscape, with its new set of threats, necessitates an increased focus on Proactive Governance, with the objective of ensuring a safe and secure operating environment while delivering increased value at optimal cost to the GE Businesses.

1.1 Program Governance Vision

Continuously deliver increased value to GE Businesses in a cost-effective, safe and secure environment through innovative solutions and proactive risk management.

1.2 Objectives of the Handbook

The Handbook aims to provide the audience with a complete view of the Program Governance Framework, its components and the detailed requirements of the framework.
The Handbook is organized into multiple chapters as follows:
- Chapter 1: Introduction to the Handbook
- Chapter 2: Program Governance Framework, an Overview
- Chapters 3 to 10: Dedicated to the Governance Focus Areas and the Practices within each of these Focus Areas
- Chapter 11: Governance Reporting Requirements & Tools
- Chapter 12: Additional References

The Handbook is intended for use by:
- The GE GDC Team, to understand GE's requirements so as to design and implement mature practices & controls that help in maintaining a safe and secure GDC operating environment while delivering increased value to GE in a cost-effective manner
- GE Business GDC Leaders and Business Stakeholders across IM/Engineering/Business Organizations (who use GDCs), to understand GE's requirements and facilitate GDC Governance through increased awareness of GE's responsibilities and collaboration with the GE GDC Program Office to identify and mitigate risks for GE

1.3 How to use this Handbook
The Icon Key provides a quick reference to the symbols used within this Handbook:
- Practice Goals: a Practice has Goals, and these are articulated under the Practice Goals symbol.
- GE Responsibilities / GDC Responsibilities: GE and GDC responsibilities for a Practice are articulated using the specific symbol for each.
- Operating Guidelines: GE-specific guidelines/requirements to be met for a given Practice.
- Min. Audit Requirements: pointers to the evidence required.
- Related Practices: inter-dependencies between the practices.
- eGDC Suite Linkage: the eGDC Toolset module (where applicable) relevant to the practice.
- MSA Linkage: references (where applicable) to the MSA Sections pertaining to the requirements.
- Online References: additional references and guidelines associated with the practice.
- Best Practices.

1.4 Abbreviations, Acronyms & Terms

AOR: Assignment of Rights
AUG: Acceptable Use Guidelines
BCP: Business Continuity Planning
BGC: Background Check
C&S/CnS: Compliance & Security
CPR: Cost per Resource
DLP: Data Leakage Prevention
DRP: Disaster Recovery Planning
FTE: Full-time Equivalent
GDC: Global Development Centre; refers to Certified GDC Partners
HPA: Highly Privileged Account
IR: Incident Response
KPI: Key Performance Indicator
LCC: Low Cost Country
NCS: Net Compliance Score
NIS: Net Improvement Score
PO: Purchase Order
PSA: Purchased Services Agreement
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SIA: Secrecy Inventions Agreement
SLA: Service Level Agreement
SOP: Standard Operating Procedure
SoW: Statement of Work
SSO Id: Single Sign-On Id
TO: Task Order
TOD: Tests of Design
TOE: Tests of Effectiveness
GE Data: includes data (inclusive of documents) provided by GE to the GDC as well as all data (inclusive of documents) created by the GDC during the life of a project/relationship.
Shall: the word "shall", used in conjunction with a compliance handbook requirement, indicates that the GDC is obligated to perform the designated effort or adhere to the requirement. This is a mandatory requirement on the GDC, failure of which may be deemed sufficient reason to invoke the Consequence model.
Should: the word "should", used in conjunction with a compliance handbook requirement, indicates a desire or preference by GE for a particular method, technique, product, technology, option, or other feature. While the GDC is not obligated to perform the designated effort, provide the designated services or use the designated products in the exact fashion expressed by GE, the GDC shall provide equivalent capabilities.
May: the word "may", used in conjunction with a Compliance Handbook requirement, indicates that GE has no specific desire or preference for a particular method, technique, product or other feature. The GDC is free to use its discretion in performing the effort or adhering to the requirement.
1.5 Roles & Responsibilities
GE GDC Director: Individual within the GE Organization with overall responsibility for the GE GDC Program
GE GDC Program Governance Leader: Individual within the GE Organization with overall responsibility for GDC Program Governance
GE GDC Program Security Leader: Individual within GE Corporate and a member of the GE Information Security Organization, with responsibility for Information Security within the GE GDC Program
GE Business Security Leader: Individual within a GE Business and a member of the GE Information Security Organization, with responsibility for Information Security within the GE Business
GE Business GDC / VMO Leader: Individual within a GE Super Business with responsibility for GDC engagements across all Businesses at the Super Business level
GDC C&S Leader: Individual within the GDC Organization with responsibility for Compliance & Security within the GE GDC Organization
GDC Global Relationship Manager: Individual within the GDC Organization with responsibility for the relationship between the GDC Organization and GE Businesses across the globe
GDC Global Governance Manager: Individual within the GDC Organization with responsibility for overall Governance of the Program, inclusive of Compliance, Security, Delivery & Operations across the globe

2.0 Governance Maturity Model
FIGURE 1 Governance Model.
The Governance Maturity Model is based on the GDC Master Services Agreement (ITSA), the GDC Hygiene Factor Addendum (HFA) and the GE Information Security Guidelines. The components of this model are:
- Governance Focus Areas
- Behaviour demonstrated (the Spirit, as perceived by GE) in performing / operating in these areas
- External Audits
- GE Assessment of GDC Maturity
- Certification of the GDC based on the Assessment
- Business Impact of GDC Maturity on GE Business
- Post Assessment Planning

There are 8 Key Process Areas that serve as the backbone of the Governance Maturity Model. Each of these process areas is further divided into Practices that shall be implemented by the GDC Organization. Practices fall into one of three classifications:
FIGURE 2 Practice Classifications
- Elementary Practices are the basic founding blocks of Governance required for a GDC Organization.
- Mature Practices are the pillars of Governance that, together with the fundamentals, create a strong operating environment within the GDC Organization.
- Advanced Practices form the roof that, together with the strong pillars and fundamentals, creates a proactive, reliable & secure operating environment within the GDC Organization.

Most practices are specific in nature and address specific requirements of a process area. A few generic practices are applicable across all the practices. Practices have a purpose, a set of goals, GDC responsibility statements, GE responsibility statements (where applicable) and requirements that must be fulfilled in designing and implementing the practice. Given below is a high-level view of the 8 process areas and the associated practices.

Organization Process Management focuses on Organization-wide practices that are generic in nature and are critical for the performance of all other focus areas. There are 8 practices within this focus area, as follows:

Process Area: Organization Process Management
Practice Area | Classification | Type
Organization Governance Structure (OGS) | ELEMENTARY | SPECIFIC
Organization Policy & Process Definition (OPD) | ELEMENTARY | GENERIC
Organization Awareness & Training (OAT) | ELEMENTARY | GENERIC
Organization Process Performance Measurement (OPM) | MATURE | GENERIC
Organization Innovation & Technology Deployment (OIT) | ADVANCED | GENERIC
Incident Management (OIM) | ELEMENTARY | GENERIC
Risk Management (ORM) | ELEMENTARY | GENERIC
Internal Audits & Assessments (IAA) | ELEMENTARY | SPECIFIC
Resource Management focuses on 8 practices that are resource-centred and apply to all human resources associated with the GE GDC:

Process Area: Resource Management
Practice Area | Classification | Type
Non-solicitation (NS) | ELEMENTARY | SPECIFIC
Background Check (BGC) | ELEMENTARY | SPECIFIC
GE GDC Resource On-boarding/Off-boarding (GOO) | ELEMENTARY | SPECIFIC
SSO Id Governance (SIG) | ELEMENTARY | SPECIFIC
Sub-contractor Management (SCM) | ELEMENTARY | SPECIFIC
GE Site Contractor Management (GCM) | ELEMENTARY | SPECIFIC
Work Visa Management (WVM) | ELEMENTARY | SPECIFIC
Resource Retention Management (RRN) | ELEMENTARY | SPECIFIC
Physical Security & Safety focuses on 2 Practices that pertain to the security and safety of the GE GDC physical infrastructure:

Process Area: Physical Security & Safety
Practice Area | Classification | Type
Environment, Health & Safety (EHS) | ELEMENTARY | SPECIFIC
Physical Security (PS) | ELEMENTARY | SPECIFIC
Delivery Management focuses on 3 Practices that are critical to ensuring consistent delivery excellence:

Process Area: Delivery Management
Practice Area | Classification | Type
Secure Software Delivery (SSD) | ELEMENTARY | SPECIFIC
Software/Service Quality Management (SQM) | MATURE | SPECIFIC
Process & Productivity Management (PPM) | MATURE | SPECIFIC
The Network & Systems Security focus area is made up of 4 practices that are critical to safeguarding GE's networks:

Process Area: Network & Systems Security
Practice Area | Classification | Type
Vulnerabilities Management (VM) | ELEMENTARY | SPECIFIC
Systems Management (SM) | ELEMENTARY | SPECIFIC
Supplier Connectivity (SC) | ELEMENTARY | SPECIFIC
Resource Sharing (RS) | ELEMENTARY | SPECIFIC
Data Security comprises 2 Practices that together ensure protection of GE Data, Knowledge & Information. These practices are:

Process Area: Data Security
Practice Area | Classification | Type
Data Classification, Confidentiality, Privacy & IP Management (DCP) | MATURE | SPECIFIC
GE Knowledge Management (GKM) | ELEMENTARY | SPECIFIC
Operations Management focuses on 9 Practices that are operational in nature and are central to the operational success of the GDC:

Process Area: Operations Management
Practice Area | Classification | Type
Communications Infrastructure Management (CIM) | ELEMENTARY | SPECIFIC
GDC Site Management (GSM) | ELEMENTARY | SPECIFIC
Assets Governance (AGN) | ELEMENTARY | SPECIFIC
Software Governance (SGN) | ELEMENTARY | SPECIFIC
Engagement Termination/Closure Management (ETM) | ELEMENTARY | SPECIFIC
No PO, No WORK (NPO) | ELEMENTARY | SPECIFIC
Invoice & Outstanding Management (IOM) | ELEMENTARY | SPECIFIC
Business Continuity Management (BCM) | MATURE | SPECIFIC
Business Divestiture Management (BDM) | ELEMENTARY | SPECIFIC
Contractual Management focuses on 3 Practices that are contractual in nature and do not necessarily qualify to be a part of any of the above process areas. These practices are:

Process Area: Contractual Management
Practice Area | Classification | Type
Communication & Media Management (CMM) | MATURE | SPECIFIC
Contractual Performance Reporting (CPR) | ELEMENTARY | SPECIFIC
Working for Competitors (WFC) | MATURE | SPECIFIC
Spirit & Letter

The Program Maturity Model lays emphasis on the SPIRIT demonstrated in implementing the LETTER. This SPIRIT is seen as a key differentiator in driving proactive and generative solutions that are innovative, cost-effective and oriented towards maintaining a safe and secure environment. Key characteristics that define this SPIRIT are Alignment, Openness and Initiative. The VALUES thus demonstrated are rated as follows:

PASSIVE
- Alignment: Acceptance at a superficial level without clear engagement or understanding
- Openness: Does not engage in dialogue; lacks openness and transparency in communication; high degree of resistance / unwillingness to validate assumptions or look at new perspectives
- Initiative: Reactive in nature; does not take any tangible / visible actions unless mandated by GE

PARTICIPATIVE
- Alignment: Primarily focuses on the Letter; based on feedback, seeks to understand the Spirit behind GE's requirements; organization culture is primarily focused on compliance with stated requirements without adequate insight into the Spirit
- Openness: Dialogues on a need basis to understand stated requirements; shares information to the extent defined / necessitated by GE's stated requirements; does not actively look for new insights, feedback or learning opportunities
- Initiative: Demonstrates commitment to meet stated requirements; waits to be told what to do and how to do it; once defined, does what is required to be done

COLLABORATIVE
- Alignment: Focuses on Spirit & Letter; accepts and engages with GE to uncover new perspectives that may create a deeper understanding and appreciation of GE's requirements; seeks to share this understanding with its people in a focused manner
- Openness: Builds dialogue to understand and reach consensus; open to changing viewpoints / assumptions; shares risks and actively seeks feedback and works on it
- Initiative: Primarily focused on driving performance results; voluntary problem-solving culture; engages actively and takes visible and tangible actions towards new ideas and opportunities when pointed in that direction

STRATEGIC
- Alignment: Focuses on Spirit & Letter; shows understanding of GE's requirements and proactively enrolls people in the Spirit & Letter mode, making it part of the DNA of the GDC Organization
- Openness: Builds dialogue based on active listening and deep understanding of GE's requirements; complete transparency and pro-activeness in Operations promotes trust and a long-term relationship
- Initiative: While continuously driving performance results, uses insights and expertise to identify new ideas and opportunities, and to predict and invest for the future; maps the future based on the changing business environment; mines exceptions to gain valuable insights; seeks and promotes breakthrough ideas that create multiplying positive value for GE and the GDC
FIGURE 3 Values Assessment

External Audits

Performed annually by GE Certified Global Audit Firms, the External Audits are a critical component of the Governance Maturity Framework. External Audits shall be performed in accordance with GE guidelines for these audits, and reports shall be submitted in a timely fashion to facilitate the GE Assessment of GDC Maturity. GE Guidelines for External Audits shall be published ahead of the Audits, and GE shall facilitate discussion with the Auditors to develop a common understanding of GE's expectations across Auditors and GDCs.

GE Assessment Process

With a view of performance as a continuous function, the GE Assessment process is focused on identifying gaps in the GDC Operating environment that could be potential risks/threats to GE. Assessments would be carried out at frequent intervals over the year. The final assessment, leading to certification of the GDC, considers as inputs the findings from External Audits as well as the performance view obtained from GE Spot Audits, Monthly reporting, Incidents, Customer Complaints, and Innovations and Best Practices implemented in the GDC operating environment. It also lays emphasis on assessing:
- The SPIRIT demonstrated by the GDC in implementing the LETTER (measured through the VALUE indicators discussed in Figure 3 above)
- Risks in the GDC Operating Environment, based on all the above sources

As in any formal assessment, the findings and observations shall be shared with the GDCs. The GE assessment phase plays a critical role in determining the maturity and consistency of practices in the GDC Operating environment.
GDC Maturity Certification

Recognition of the GDC Organization's maturity of practices and controls in maintaining a safe and secure operating environment while continuously delivering increased value to GE Businesses. The 5 possible levels of Maturity are shown in Figure 4.

FIGURE 4 Program Governance Maturity Levels

The maturity level shall be determined based on the GE Assessment process and formally communicated to the GDC.

Business Impact Assessment

With a view to understanding the impact of GDC Maturity on GE Businesses, this GE-internal phase focuses on mapping the business exposure to the GDC against the Maturity level of the GDC to arrive at the GDC Profile, as shown in Figure 5. As can be seen from the matrix, $ Spend with the GDC and the nature of work done by the GDC influence the Profile of the GDC.
FIGURE 5 GDC Profiling

This GDC Profile is further mapped to the Maturity level of the GDC to arrive at a risk impact score, as shown in Figure 6.
FIGURE 6 Business Risk Impact
The risk impact score along with qualified risk statements by Practice area shall be published to the Businesses for their planning.
Post Assessment Planning

As the final phase in one cycle of the Maturity Model Assessment, this phase focuses on both GDC Action Planning and GE Action Planning. GDC Action plans shall be reviewed and corrective actions closed with the GE GDC Program Office as per the schedule below:

Maturity Level | Action Closure Period
LEVEL 1 (AD-HOC) | 90 Days
LEVEL 2 (BASIC) | 60 Days
LEVEL 3 (DEFINED) | 30 Days
LEVEL 4 & 5 | Case-by-case basis, based on observations
GE Action plans shall focus on risk mitigation, changes to requirements and internal process improvements and may result in changes to the Handbook and guidelines.
3.0 Organization Process Management

Organization Process Management is the one focus area that differentiates a mature organization, with a proactive, reliable and secure operating environment, from the others. This focus area calls for an organization to invest in the people, processes and tools which together enable it to establish and maintain a proactive, reliable and secure operating environment that benefits its employees, customers and stakeholders. The diagram below gives a perspective on the practices within the Organization Process Management focus area and the relationships between them.
FIGURE 7 Organization Process Management Practices & Linkages

3.1 Organization Governance Structure (ELEMENTARY)

POLICY

The GDC Organization shall have a formal governance program in place. A senior member of the GDC Organization shall head this Governance Program. The purpose of this Practice is to establish and maintain a Governance Organization structure that has the accountability and appropriate authority for managing the Governance Program and achieving the desired outcome of maintaining a safe and secure operating environment.
GOALS
- The Organization Governance Program is led by a Senior Leader and has Organization Management sponsorship
- The Governance Organization is staffed by the right people in the right roles, who have the accountability and authority to perform their roles
- GDC Organization resources are fully aware of the roles and responsibilities of the members within the GDC Governance Organization

RESPONSIBILITIES

As the primary owner of this Practice, the GDC is responsible for ensuring that appropriate focus and attention goes into setting up the governance organization. The specific responsibilities are:
- OGS 1.0 Establish and maintain an effective Governance Organization Structure
- OGS 2.0 Establish and maintain a Management Review rhythm

The GDC shall share the Governance Organization structure with the GE Businesses so as to create awareness of the structure, the members in key roles and their responsibilities.
OPERATING GUIDELINES

OGS 1.0 Establish and maintain an effective Governance Organization Structure
- A GE GDC Governance Organization structure shall exist and be documented
- The Governance Organization shall be headed by a Senior Leader with accountability for the desired outcome of maintaining a safe and secure GDC Operating environment
- The Governance Organization Leader shall have appropriate authority to perform the activities required to meet the role expectations
- The Governance Organization Leader shall have a reporting relationship to the GDC Parent Organization's Compliance Leader (or an equivalent role)
- At a minimum, the GDC Organization shall have the following critical roles defined for Global Operations and staffed appropriately: Governance Leader; Information Security Leader / GDC Security Leader; Data Privacy Leader; Physical Security Leader; Crisis Management Leader; Application Security Leader; Product Quality Leader; Ombuds Person; Internal Audits Leader; Risk Leader
- These roles shall have accountability for performance and shall also have appropriate authority to perform the activities required to meet the role expectations
- The roles of Ombuds Person and Internal Audits Leader shall be defined in a manner that minimizes conflict of interest and potential controllership issues
- Where appropriate, the Organization Governance structure shall also define GDC Site-level roles, linkages to the Parent Organization's key roles in the respective areas, and all Committees (such as the Risk Council and the Management Committee) and their linkages with governance roles
- The GDC shall formally publish the Governance Organization structure to the entire GDC Organization and to the GE GDC Program Office
- Any changes to staffing or to the structure itself shall be formally communicated to the GDC Organization and to the GE GDC Program Office
- The GDC shall ensure that secondary or backup resources are identified for all critical roles
OGS 2.0 Establish and maintain Management Review Rhythm
- GDC Governance Organization priorities and performance shall be periodically reviewed by the Organization Management Committee for effectiveness of the Governance Program.
- The Organization Management Committee shall at a minimum include the Global Relationship Leader, the Global Delivery & Operations Leader, the Parent Organization's Information Security Leader and the Parent Organization's Governance/Compliance Leader.
- Formal Management Review meetings shall be held quarterly, at a minimum.
- The Management Review meetings shall be well represented by all the key roles of the Governance Organization; specifically, the Internal Audits team and the Ombuds Person shall be permanent members of these meetings.
- The Organization Management Committee shall set the vision and operating goals for the GDC Governance Organization, thereby facilitating formal reviews of performance.
- Actions arising out of Management Review meetings shall be clearly documented and monitored for closure.
- GDC shall also clearly define the communication and escalation methods with the Organization Management Committee.

Minimum Audit Requirements
- Evidence of communication of the GDC Governance Organization Structure to the GDC Organization
- Evidence of change communication (where changes have been effected in the Organization)
- Evidence of Management Reviews on performance and priorities of the Governance Organization, follow-up actions and closure of the same

MSA Linkage: Not Applicable
Related Practices: All practices within the Organization Process Management
eGDC Suite Linkage: GDC Contacts Module
Online Resources: Not Applicable
3.2 Organization Policy & Process Definition (ELEMENTARY)
Policy

GDC Organization shall have well-defined operating procedures in place to meet the policies and the requirements of the various practices.

The purpose of this Practice is to establish and maintain well-defined operating procedures that meet the spirit and letter of GE's requirements on Governance, are specific to the Organization, are usable by GDC users, and promote consistency of practice across the GDC Organization.
Goals
- GDC Organization shall have a formal process in place to define policy, process and operating procedures for the GDC Organization.
- GDC Organization shall have well-defined Standard Operating Procedures that clearly define the GDC Organization's implementation of GE's policy and requirements on Governance: 0 defects in coverage (process design).
- GDC Organization shall ensure uniform and consistent implementation of the practice across all global operations, covering all functions, services and global locations of the GDC Organization.
Responsibilities

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate policies, processes, procedures and controls are designed and implemented within the GDC Organization to meet the policies and goals of this governance framework. The specific responsibilities are:
- OPD 1.0 Establish and maintain a process for policy & process definition
- OPD 2.0 Establish and maintain Standard Operating Procedures for all practices
- OPD 3.0 Deploy the Standard Operating Procedures across the GDC Organization
Operating Guidelines

OPD 1.0 Establish and maintain a process for policy & process definition
- GDC shall have a well-defined process in place for new process introductions and revisions to existing processes (collectively referred to as "new process introductions" hereafter).
- The process shall clearly define the review, approval and release protocols for new process introductions.
- The process shall clearly define the communication protocols, publishing mechanisms and orientation procedures associated with new process introductions.
- The process shall clearly define the change management triggers and guidelines associated with revisions to existing processes.
- The process shall clearly articulate the structure for documenting the Standard Operating Procedures by defining the mandatory components of the documentation and the optional aspects.
- The process shall clearly articulate preventive, detective and corrective controls.
- The process shall clearly articulate tailoring and customization guidelines.
- The process shall clearly identify the repository for storage of all process artifacts associated with the GDC Organization and the access control mechanisms for it.
OPD 2.0 Establish and maintain Standard Operating Procedures
- GDC Organization shall have a well-defined, documented and easy-to-use set of Standard Operating Procedures.
- Standard Operating Procedures shall at a minimum cover all requirements outlined in this Handbook.
- Standard Operating Procedures may be defined at any level by the GDC Organization:
  - Functional/Process level: GDC may choose to have a single SOP that covers the requirements across multiple practices pertaining to the function/process area (for example, a single SOP for the entire Resource Management function).
  - Practice level: GDC may choose to have an individual SOP associated with a single practice (for example, one SOP for the Sub-contractor Management practice and another SOP for GE Site Contractor Management).
  - Hybrid approach: GDC may choose to have a combination of functional and practice level SOPs, as appropriate to the GDC Organization.
- Traceability to the requirements outlined in the Handbook shall be established irrespective of the approach used.
- GDC Organization may choose to maintain a separate policy document or maintain the policies as a part of the Standard Operating Procedures.
- Standard Operating Procedures shall depict the complete process/practice design and detail the implementation aspects of the process/practice, to the level of detail required to implement the process in a uniform and consistent manner across the GDC Organization (with its global locations and range of services).
- Standard Operating Procedures shall at a minimum describe the following:
  - Purpose and performance objectives
  - Entry criteria
  - Inputs to the process/practice
  - Process design
  - Applicable procedures, methods, tools and resources
  - Applicable standards (if any)
  - Control mechanisms in place (preventive control, corrective control or contingent control)
  - Verification points and parts
  - Process performance and product performance measures and measurement points
  - Interfaces and dependencies, inclusive of linkages to parent organization processes and procedures
  - Exit criteria
- Certain process/practice steps may need to be:
  - Tailored to meet the needs of a country and/or a GE Functional Division (ITO, Engineering or BPO) or a Business.
  - Customized based on GDC's design and/or implementation of the specific requirements.
  For example, Background Check practice steps may require tailoring/customization to a country and the GE Business; Sub-contractor Management practice steps may require tailoring/customization based on the GE Functional Division (ITO, Engineering or BPO).
- All such needs for tailoring/customization shall be discussed with the GE GDC Program Office and undertaken only with its approval.
- The Standard Operating Procedure shall clearly identify all such tailored/customized processes.
- GDC shall ensure that there is appropriate integration between the various processes and procedures.
- At a minimum, SOPs shall adhere to the document management guidelines of the GDC Parent Organization and follow the GE Data Classification guidelines.
OPD 3.0 Deploy Standard Operating Procedures across the GDC Organization
- GDC shall deploy the Standard Operating Procedures across the entire GDC Organization in a planned manner. The deployment shall be uniform across all global sites of the GDC.
- GDC shall maintain a plan for deployment of Standard Operating Procedures to new GDC Sites within a month of the site becoming operational.
- GDC shall ensure that appropriate training material and an orientation plan are in place so that new process introductions and changes to procedures are introduced in the right manner at the start of deployment.
- GDC shall monitor the implementation of the processes, practices and procedures across all its sites to ensure that the performance objectives are met.
Minimum Audit Requirements
- Evidence of new process introductions in alignment with the GDC Organization process for new process introductions
- Evidence of process change communication
- Evidence of GE approvals for tailoring/customization

MSA Linkage: Not Applicable
Related Practices: All practices within the Organization Process Management
eGDC Suite Linkage: Not Applicable
Online Resources: Not Applicable
3.3 Organization Awareness & Training (ELEMENTARY)
Policy

GDC Organization resources are trained on the governance framework and Standard Operating Procedures before being assigned to GE GDC.

The purpose of this Practice is to establish and maintain a well-defined training and orientation program, and a plan for training, that ensures all resources are trained on and made aware of the GE Governance framework and their role in maintaining a safe and secure operating environment that delivers value in a cost-effective manner.
Goals
- 100% of GDC resources are trained on the Governance framework and the Standard Operating Procedures before being assigned to a GE engagement.
- 0 incidents due to GDC resources' lack of awareness of policy/practice.
Responsibilities

As the primary owner of this Practice, GDCs are responsible for ensuring that every resource belonging to the GDC Organization is trained adequately and in a timely manner on the appropriate policies, processes, procedures and controls of this governance framework. The specific responsibilities are:
- OAT 1.0 Establish and maintain a training policy and plan for training/orientation
- OAT 2.0 Develop training material
- OAT 3.0 Deliver training/orientation as per plan

As a key stakeholder, GE shall provide additional inputs to GDC where there are business-specific guidelines or more stringent controls that need to be adhered to in order to meet business-specific regulatory requirements and/or the handling of business-sensitive information:
- OAT 4.0 Provide direction/inputs to GDC on additional training required to meet regulatory requirements and/or the handling of business-sensitive information
Operating Guidelines

OAT 1.0 Establish and maintain a training policy & plan for training/orientation
- GDC shall clearly establish a training/orientation policy.
- The training policy shall at a minimum identify the scope, coverage and timing of the training and orientation program applicable to all resources. At a minimum, GDC shall have a New Joiner Orientation Program and an Annual Refresher Program on the Governance framework.
- The training policy shall also identify additional contexts/situations (if any) where add-on trainings/orientations become applicable. For example, GDC may choose to mandate that resources working on projects dealing with sensitive data or IP go through an additional course on Data Privacy & Confidentiality just before the start of the engagement.
- The training policy shall include the minimum qualification criteria for each program and the period within which the qualification must be obtained. For example, GDC may stipulate that a minimum score of 80% is mandatory to qualify.
- GDC shall maintain an annual plan for training and orientation. The plan shall be formally published to the GDC Organization and tracked. Any changes to the plan shall be formalized and shall follow the communication rhythm for process change.
- GDC may additionally plan role-specific training programs to provide in-depth orientation on the appropriate requirements to specific roles, inclusive of GDC resource roles at GE Sites.

OAT 2.0 Develop Training Materials
- GDC shall have appropriate training material for each of the programs.
- The training material shall cover the policy and the governance requirements as well as the implementation aspects.
- The training program may be delivered using one or more approaches such as classroom training, online training, guided self-study or facilitated videos. GDC shall choose the most appropriate training approach for the various programs and shall develop appropriate material.
- GDC shall maintain multi-language support for the training material to ensure training of resources across its global locations.

OAT 3.0 Deliver Training/Orientation as per plan
- GDC shall conduct the training in a manner that makes it effective. The training shall also focus on contextual case studies to ensure a better understanding of the policy and the requirements.
- GDC shall analyze incident data to identify opportunities for improvement of the awareness training and orientation programs.
- GDC shall maintain records of training, inclusive of training date and participant list.
- GDC shall assess training effectiveness and participant performance in the certification process.

Minimum Audit Requirements
- Evidence of the training policy being published
- Evidence of the annual training plan (in alignment with the training policy) and execution of the training plan
- Evidence of training effectiveness assessment and identification of improvement opportunities
- Evidence of on-boarding to GE GDC after certification

MSA Linkage: Sections 3.7, 3.8
Related Practices: All practices within the Organization Process Management
eGDC Suite Linkage: Not Applicable
Online Resources: Not Applicable

3.4 Organization Process Performance Measurement (MATURE)
Policy

GDC Organization shall have formal practices in place to measure the effectiveness of its practices and ensure that process/practice improvements are planned and executed.

The purpose of this Practice is to establish and maintain a well-defined quantitative program that measures the effectiveness of the process design as well as the effectiveness of the implementation across the GDC Organization, with the objective of continuously improving the process/practice and the associated set of standards, guidelines, tools and resources, towards maintaining a low-risk environment that consistently delivers high value at optimal cost.
Goals
- Every process/practice area has tangible effectiveness measures defined and documented.
- Quantitative process/practice management is a part of the Organization DNA.
Responsibilities

As the primary owner of this Practice, GDCs are responsible for defining performance measures and monitoring their performance to plan improvements and institutionalize these improvements. The specific responsibilities are:
- OPM 1.0 Establish and maintain performance measures and performance objectives
- OPM 2.0 Perform periodic performance assessments
- OPM 3.0 Review performance with the GDC Organization Steering Committee, plan and deliver on improvements
Operating Guidelines

OPM 1.0 Establish and maintain Performance Measures and Performance Objectives
- GDC shall ensure that every process/practice has clearly defined performance measures.
- The performance measure description shall at a minimum include the metric, the measurement criteria, the frequency of measurement and the data collection mechanism.
- Performance measures shall include both process measures and product measures.
- GDC shall perform a baseline assessment and gain an understanding of its baseline performance level.
- Based on the current performance baseline and the expected performance, GDC shall define its performance objectives.
- Performance objectives shall include the metric, the measurement criteria (which shall be defined and accessible to GE and GDC), the target/objectives and the timeline for achieving the target.
- The GDC Organization Steering Committee shall review and approve the performance measures and performance objectives.
- Performance objectives shall be reviewed for applicability at least once every 6 months.
- GDC shall establish and maintain a formal measurement plan. The plan shall at a minimum identify data sources, methods of data collection, frequency of collection, consolidation and analysis mechanisms, and assessment frequency.
OPM 2.0 Perform periodic performance assessment
- GDC shall ensure that every practice/process is assessed as per the measurement plan.
- The data collected shall be maintained in a repository for analysis purposes.
- Alignment to performance objectives shall be assessed, and strengths, weaknesses and risks shall be identified.

OPM 3.0 Review performance with the GDC Organization Steering Committee, plan and deliver on improvements
- GDC shall share the performance assessment report with the GDC Organization Steering Committee.
- Based on the assessment, GDC shall identify performance risks and shall review them with the GDC Steering Committee.
- GDC shall proactively conduct RCA on the existing control mechanisms and identify opportunities for improvement. Such opportunities shall be reviewed with the GDC Steering Committee, and improvement initiatives shall be signed off with the Steering Committee.
- Where the proposed improvement modifies/alters GE's policy/practice/requirements (as stated in the Handbook or its source documents), GE GDC Program Office sign-off shall be obtained before commencing the initiative.
- GDC shall monitor the progress on all these improvement initiatives and validate the performance of these improvements.
- GDC shall communicate the progress/status of these initiatives on a monthly basis to the GE GDC Program Office.
Minimum Audit Requirements
- Evidence of performance measures and performance objectives being defined
- Evidence of periodic assessments across global sites
- Evidence of process improvement initiatives being taken up

MSA Linkage: Not Applicable
Related Practices: All practices within the Organization Process Management
eGDC Suite Linkage: Ad-hoc Approvals
Online Resources: Not Applicable

3.5 Internal Audits & Assessments (ELEMENTARY)
Policy

GDC Organization shall have a formal practice of internal audits and assessments in place to assure that GE's requirements on Governance are established and implemented so as to maintain a safe and secure operating environment that consistently delivers high value.

The purpose of this Practice is to establish and maintain an internal audits and assessment practice that verifies and validates the performance of the GDC Organization and provides early warning signals to GDC Organization Leadership on gaps and risks due to incomplete process/practice design or inadequate rigor in implementation.
Goals
- 0 surprises in external audits
- 0 surprises in GE assessment of maturity level
Responsibilities

As the primary owner of this Practice, GDCs are responsible for establishing their Internal Audits & Assessment team and plan, and for performing the audits and assessments to meet the policy and goals of this practice. The specific responsibilities are:
- IAA 1.0 Establish an Internal Audits and Assessment practice
- IAA 2.0 Perform Internal Audits & Assessments
Operating Guidelines

IAA 1.0 Establish an Internal Audits & Assessment Practice
- GDC Organization shall establish an Internal Audits & Assessment (IAA) practice.
- The practice shall be staffed appropriately with qualified and dedicated team members.
- The GDC Organization may choose to engage a third-party audit firm as its internal auditors. However, the selection of such an audit firm shall be reviewed and approved by the GE GDC Program Office.
- The team shall have independence of organizational reporting to increase the effectiveness of the audits and assessments.
- The team shall have a well-defined and well-documented audit and assessment framework. The framework shall also clearly articulate the roles and responsibilities of the IAA team, the Governance team, and all other parts of the GE GDC Organization.
- The IAA practice team shall establish an annual plan for audits and assessments with the scope, coverage and approach clearly defined.
- Internal Audits & Assessments shall be carried out on a quarterly basis, covering at least 3 quarters, at all Sites that are used to deliver GE engagements. Any exceptions to this schedule shall be discussed and signed off with GE's GDC Program Office.
- The IAA team may determine whether there are practices that are centrally managed from a single site, and accordingly the scope of audit at the individual sites for such practices.
- The IAA team shall clearly document the audit and assessment methodology to be used for each audit/assessment.
- The annual plan of audits and assessments shall be signed off by the GDC Organization Steering Committee.
- The IAA practice team shall publish the audits and assessment plan for the year to the GE GDC Program Office, on creation as well as on change.
- The IAA practice team shall collaborate with the Governance Leader to identify external auditors and ensure that external audits are carried out as per GE guidelines.
- Only GE-approved external auditors are permitted to be used for external audits.
- External audits shall be performed within the timelines expected by GE, and reports published to GE.
- Where contractual regulatory external audits or business-specific regulatory external audits are required, GDC shall work closely with the GE GDC Program Office to ensure that all the requirements of the regulatory audit are covered.

IAA 2.0 Perform Internal Audits & Assessments
- The IAA practice team shall conduct Internal Audits & Assessments as per plan.
- Audit checklists shall be customized to match the GDC Organization's specific design and customization of practices.
- The audits and assessments shall cover all sites of the GDC and partner sites (where the GDC uses partners to deliver work for GE).
- GDC shall ensure that a full-scope internal assessment is carried out at least once during the year.
- Deviations from the plan shall be approved by the GDC Organization Steering Committee.
- Detailed documentation of the audits and assessments shall be maintained.
- A formal report of performance shall be prepared and discussed with the GDC Organization stakeholders (the Governance team, the GDC Organization Steering Committee and any other critical member of the GDC Organization).
- The IAA team shall carry out an assessment of the GDC Organization maturity level as per GE guidelines and identify the maturity of individual practices at each site and at organization level.
- The assessment report shall be shared with the GE GDC Program Office along with the action plan for closures.
- GDC Organization shall identify corrective actions and process/practice improvements based on the audit/assessment findings. All action items shall be tracked for closure and signed off by the IAA team.
Minimum Audit Requirements
- Evidence of the Internal Audits & Assessments plan (creation, review and sign-off by the GDC Steering Committee, communication to stakeholders)
- Evidence of internal audits and assessments being carried out as per plan across global sites
- Evidence of closure of action items being reviewed and signed off by the IAA team

MSA Linkage: Sections 3.2, 4.5 and 6.1
Related Practices: All practices within the Organization Process Management
eGDC Suite Linkage: Not Applicable
Online Resources: Not Applicable

3.6 Incident Management (ELEMENTARY)
Policy

Customer complaints, non-compliances with any of the 38 practices of the Governance framework, and any physical event that compromises confidentiality, security or safety shall be considered an incident. GDC shall report any incident associated with its Organization, or any occurrence observed at a GE Site/Business, to the GE GDC Program Office. Material incident occurrences shall be reported within 2 hours to the GE GDC Program Office and non-material incidents within 48 hours. GDC shall establish and maintain an Incident Management framework that enables identification, reporting and management of the different types of incidents to meet the GE SLAs on Incident Management.

The purpose of this Practice is to establish and enforce incident reporting and Incident Response planning (IR Plan) for both computer-related and non-computer-related incidents, incorporating timely detection, reporting, acknowledgement, containment, root cause analysis, and closure within GE SLAs.
Goals
- 100% adherence to GE Incident Management SLAs
- 0 instances of repeat incidents related to non-compliances or governance lapses
- Reduction in Critical/High impact incidents due to the effectiveness of Risk Management and IR Plans
Responsibilities

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the Incident Response plan of the GDC Organization to meet the policy and goals of this practice. The specific responsibilities are:
- OIM 1.0 Establish and maintain Incident Response (IR) plans for different types of incidents
- OIM 2.0 Report incidents to GE and adhere to the defined SLAs

As a stakeholder, GE shall be responsible for:
- OIM 3.0 Report GDC incidents to the GE GDC Program Office
- OIM 4.0 Investigate incidents raised by GDC on GE and take corrective actions
Operating Guidelines

OIM 1.0 Establish and maintain Incident Response (IR) plans for different types of incidents
- A material incident may occur due to a violation of any of the 38 practice areas across the focus areas, or due to a failure in meeting customer commitments, and not necessarily because of a security event or a natural/man-made disaster.
- Incidents may be reported by GDC for its sites, or may be raised by GE on GDC.
- GDC shall maintain IR plans for the different categories of incidents. These IR Plans shall be specific to the severity of the incidents.
- GDC may choose to define the IR plans as a part of the SOP on Incident Management, or have them as separate documents with clear references in the SOP.
- Computer Incident Response plans shall be treated separately and designed to cover GE GDC projects, services and assets. The plan may be a part of the parent company's IR plan, but it should have a section specifically for GE GDC.
- The GE GDC IR Plan must have clear definitions for monitoring, vulnerability management and endpoint hardening as per GE GDC requirements.
- The GDC IR Plan shall support the handling of incidents reported by GE.
- GDC shall clearly identify a single point of contact/owner for each IR Plan. The owner may be a part of the governance team or of an extended governance support team. The owner shall be aware of their responsibility for the IR Plan.
- GDC IR Plans shall be reviewed on a periodic basis to ascertain the validity of the plan and to identify potential risks/gaps with the plan. Corrective actions shall be executed based on this assessment.
- GDC IR Plans must have a clear path for communication and escalation with the GE GDC Program Office and other GE stakeholders, as the case may be.
- GDC resources shall be trained on the relevant IR Plans.
- GDC shall encourage all members of the GDC Organization to raise an incident without fear of retaliation. GDC may have mechanisms for employees to raise incidents anonymously.
OIM 2.0 Report incidents to GE and adhere to GE SLAs
- Material incident occurrences shall be escalated within 2 hours of the occurrence of the incident, and all other types of incidents shall be escalated within 2 days.
- Material incidents shall be communicated by phone and/or email and followed up with eGDC Toolset reporting within a week.
- All computer-related incidents reported by GE must be worked within the SLA per the GE Incident Response Plan, in the following manner:
- All other categories of incidents that are classified as Critical/High impact shall be contained within 4 hours, or as agreed with GE's GDC Program Office. Low/Medium impact incidents shall be contained as per the plan agreed with the Program Office.
- Regular updates shall be sent to all the stakeholders until operations are back to normal.
- Root cause analysis and corrective action plans shall be shared before closing the incident, and the risk register shall be updated (see Section 3.7 Risk Management).
- In the case of Critical/High impact incidents, GDC shall obtain approval from the GE GDC Program Office on the RCA and corrective actions.
- GDC shall assess the effectiveness of its risk management and IR processes and provide feedback to process owners on the gaps identified.
- Repeated occurrences of an incident shall be further investigated for potential threats, and appropriate treatment executed.
- GDC shall report non-compliances observed at GE Business level to the Business VMO Leader and the GE GDC Program Office through the eGDC Toolset.

Minimum Audit Requirements
- Evidence of IR Plans in place for all categories of incidents
- Training records on IR Plans for GDC resources
- Evidence of incident reporting as per GE guidelines
- Evidence of incident resolution as per GE guidelines/agreement with GE

MSA Linkage: Section 4.25
Related Practices: All practices within the Organization Process Management
eGDC Suite Linkage: Incident Management Module
Online Resources: Not Applicable

3.7 Risk Management (ELEMENTARY)
Policy

GDC Organization shall have a formal integrated risk management practice in place. Risks associated with the GDC Organization shall be managed and reported to the GE GDC Program Office at a minimum on a monthly basis.

The purpose of this Practice is to establish and maintain an integrated risk management practice that enables the GDC Organization to become more aware of the possible threats, weaknesses or gaps in the operating environment and deal with them proactively, in order to maintain a safe and secure operating environment that consistently delivers high value at optimal cost.
Goals
- 0 instances of identified risks materializing as High/Medium impact incidents (effectiveness of risk mitigation)
- 0 instances of communication failure on high-risk items to the appropriate stakeholder in GE (effectiveness of proactive communication)
- 0 instances of High/Medium impact incidents that had not been identified as risks (effectiveness of risk identification)
Responsibilities

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the GDC Organization to meet the policy and goals of this practice. The specific responsibilities are:
- ORM 1.0 Establish a framework and process for managing risks at GDC Organization level
- ORM 2.0 Manage risks

As a key stakeholder, GE shall be responsible for escalating any risks that it may see with the GDC Organization, and for collaborating with the GDC Organization to mitigate those risks that GDC escalates to GE. The specific responsibilities are:
- ORM 3.0 Report risks seen at the GDC Organization
- ORM 4.0 Collaborate with the GDC Organization to mitigate risks that are co-owned by GE
OPERATING GUIDELINES
ORM 1.0 Establish a framework and process for managing risks
- GDC Organization's integrated risk management framework shall cover all functions, operations and locations of the GDC Organization
- Risk Management shall be an integral part of all practices within the GDC Organization
- The framework shall encourage all members of the GDC Organization to raise a risk without fear of retaliation. GDC may have mechanisms for employees to raise risks anonymously
- Accountabilities and responsibilities for risk management shall be established appropriately for different levels of management/leadership at the GDC Organization
- Risk hierarchy is established and is understood by stakeholders
- Performance objectives of key resources and practice owners shall include the risk management objectives (for the specific practices that they are accountable/responsible for)
- External and internal risk factors are supported by the framework
  - External risk factors include (but are not limited to) Geo-Political Environment, Legal, Regulatory, Financial, Technology Advancements, Economic, Competitive Landscape, Natural Calamities, Cultural, Perceived Brand & Values
  - Internal risk factors include (but are not limited to) Organizational capabilities (human resources, technology areas, organization resources like tools, standards, frameworks), Organizational systems & procedures, Organization Objectives and Strategies, Internal Stakeholders, Organization Structure (roles & responsibilities), Organization culture & values
- Organizational context (internal and external) is supported by the framework
  - External context represents alignment to GE in terms of the Business structure (Super Business, Business and sub-business structure), Location (globalization regions) and divisions (ITO, BPO and Engineering)
  - Internal context represents alignment to the GDC Organization's internal structuring, inclusive of its sites, Business Units, partners, COEs
- The framework shall support a robust process of risk management covering the key activities of Risk Identification, Risk Analysis & Evaluation, Risk Treatment, Risk Monitoring and Review, and Communication of Risk information
- GDC may choose to use a Risk Council approach as a fundamental element of their Risk Management process. If so chosen, the roles & responsibilities of the Risk Council and its context shall be clearly defined
- The framework shall provide visibility on relevant risk information to key internal stakeholders in order to help them perform their responsibilities
- The framework shall support communication, reporting & escalation of risk information to appropriate internal and external stakeholders based on pre-defined business rules
- GDC shall escalate risks seen at GE Business to the Business VMO Leader and GE GDC Program Office through the eGDC Toolset

ORM 2.0 Manage risks
- GDC Organization shall establish a Risk Management Plan (a live document) that clearly articulates the operational aspects of integrated risk management based on the framework and process. The plan shall clearly articulate the context, performance objectives, risk criteria, risk management process, tools available, ownership & responsibilities, communication & escalation plans, and monitoring and review rhythms
- The Risk Management process shall be applied in all areas of operations, delivery and management across all functions and services
- A GDC Organization-wide Integrated Risk Register shall be maintained
- Risks identified via any source, whether a GDC/GE stakeholder or 3rd Party Auditors, as they relate to continuity of operations in GE GDC engagements, shall be reported to the risk register
- Risk Analysis & Evaluation shall be consistent with the framework & process defined
- Any decision to accept a risk (and not treat/mitigate it) that may have a potential impact on GE shall be discussed and reviewed with GE GDC Program Office and sign-off obtained
- Treatment plans shall be put in place for all risks identified above and tracked to closure
- The Risk Register shall be reviewed on a periodic basis (minimum Quarterly) with the GDC Organization Steering Committee
- Periodic assessment of the risks and the effectiveness of treatment plans shall be carried out by the GDC, and critical and high risks shall be escalated to GE GDC Program Office
Minimum Audit Requirements
- Evidence of Risk Management framework and process being established and in consistent use
- Evidence of Integrated Risk Register in practice
- Evidence of Critical/High Risk items being shared/published to GE

MSA Linkage
Not Applicable

Related Practices
All practices within the Organization Process Management

eGDC Suite Linkage
Risk Register

Online Resources
Not Applicable
3.8 Organization Innovation & Technology Deployment (ADVANCED)
POLICY
GDC may choose to deploy validated technology platforms and innovative practices within the GE GDC Operating Environment that deliver high quality, high value solutions in a cost-effective manner and in a safe and secure environment with 0 surprises.
The purpose of this practice is to encourage the selection and deployment of proactive, generative solutions/practices that measurably minimize risk, are cost-effective and deliver increased value to GE Businesses.

GOALS
- Deploy appropriate technology solutions within the GDC Operating Environment to strengthen performance of practices within the GDC Operating Environment
- Demonstrate consistent & continuous value-creation through deployment of innovative solutions that are of high quality and deliver increased value to Businesses while reducing risks and costs for the Business
- Conceptualize, pilot and deploy at a minimum 1 generative solution (per year) that reduces governance risks and overheads significantly for GDC and GE

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the GDC Organization to support and accelerate the use of appropriate technologies and innovative practices in meeting the purpose and goals of this practice. The specific responsibilities are:
- OIT 1.0 Establish and maintain a process for new technology/innovative practice recommendations
- OIT 2.0 Deploy new technology/innovative practices to the GDC Operating Environment
As the beneficiary of this practice, GE shall be specifically responsible for validating, verifying and approving any such new technology or innovative practice deployment:
- OIT 3.0 Verify, validate and approve recommendations for pilots and deployment of new technology and/or innovative practices
OPERATING GUIDELINES
OIT 1.0 Establish and maintain a process for recommending new technology/innovative practices
- GDC shall define a framework that enables new technology and innovation ideas to be proposed, assessed and piloted
- The framework shall enable any member of the GDC Organization to participate in or propose potential incremental improvements or innovations to processes/practices/procedures/work products
- Innovative improvements are game changers and have a significant impact on the way a process/practice or technology is viewed and deployed, resulting in benefits of a much higher magnitude. Innovative improvements are generative in nature and may be adaptable across the entire ecosystem of GE and/or its partners
- Incremental improvement or innovation proposals may, at a minimum, focus on one or more of the following:
  - Minimizing risk of Governance
  - Increasing effectiveness/efficiency of a process/practice
  - Increasing product/process quality
  - Increasing reliability of service
  - Reducing cycle time
  - Reducing time to deliver
  - Increasing productivity
  - Decreasing Total Cost of Ownership
  - Decreased cost/unit
  - Increased Business Value to GE
- Improvement/Innovation proposals shall focus on innovative practices and/or use of technology to achieve one or more of the above benefits
- The framework shall at a minimum support the submission of the business context along with an initial assessment of the risks and benefits of the proposed incremental improvement or innovation. Where the deployment of the proposal is likely to have a monetary impact, a cost-benefit analysis shall also be included
- GDC Organization may choose to define an Innovation Council that is responsible for screening proposals, assessing the merit of these proposals and making recommendations for pilot
- GDC Organization shall have minimum qualification criteria to select proposals for detailed assessment and pilots
- GDC Organization shall perform a detailed assessment of selected proposals. At a minimum, the assessment shall focus on risks & benefits from a short-term (<12 months) and medium-term (12 to 36 months) perspective, change barriers and strategies for overcoming these barriers. The success measures shall be clearly defined
- Where the proposed solution may have an impact on GE or is a change to GE's existing processes/practices/expectations, the proposal shall be submitted to GE along with the detailed assessment report for approval
- The decision for deployment/pilot may be taken by the Innovation Council (where GE approvals are required, the GE team shall decide the need for pilots/direct deployment)
- Where pilots are required to be performed, GDC Organization shall have a formal plan to monitor, track and report progress and results. Critical parameters to be tracked and reported shall be formally published
- Pilot reports shall be formally published to the Innovation Council, and pilot results evaluated against the proposed risks & benefits
- GDC Organization Steering Committee shall be a primary stakeholder in deciding on deployment of the pilots
- Where GE is involved in proposal approval, GE shall be the final authority in determining the deployment of the proposed solution
- GDC Organization shall maintain a repository that enables tracking, analysis and reporting on the above activities

OIT 2.0 Deploy new technology/innovative practices
- GDC shall assess the context of the deployment and formulate a specific deployment plan that takes into consideration the context, scope and potential impact of the change
- GDC shall formally communicate and collaborate with stakeholders on the deployment to minimize disruptive impact while working towards meeting the goals of the plan
- Where the deployment touches end users, GDC shall invest in end user education to minimize impact while increasing awareness
- GDC shall manage the deployment by monitoring the risks and impact that may arise during the deployment phase
- GDC shall report the progress of the deployment to the GDC Organization Steering Committee and to GE GDC Program Office on a regular basis
- GDC Organization shall measure the outcome of the deployment for the minimum period defined in the plan and perform an assessment of the benefits compared to the proposed benefits
Minimum Audit Requirements
- Evidence of framework & process for new technology/innovation proposal assessment & deployment
- Evidence of assessments being carried out and reviewed, and approvals by the Innovation Council and GDC Steering Committee
- Evidence of GE approval where an innovation/new technology/improvement proposal has an impact on GE
- Evidence of deployment planning and monitoring
- Evidence of communication and status reporting on all new technology/improvement/innovation proposals (to internal stakeholders and to GE)

MSA Linkage
Not Applicable

Related Practices
All practices within the Organization Process Management

eGDC Suite Linkage
Adhoc Approvals

Online Resources
Not Applicable
4.0 Resource Management
Resource Management is a critical process area and a basic building block of the entire Governance framework. Resources play a vital role in the success of a GDC organization and have a far-reaching impact. While most practices within this process area may be owned by the Human Resource function, the Operations and Governance team have a key role to play in ensuring that the Resource Management practices are defined keeping in mind the GE Policies around each of the practice areas, and in designing specific controls and procedures that meet the policies in spirit and letter. The diagram below gives a perspective on the practices within the Resource Management process area and the relationships between the practices.
FIGURE 8 Resource Management Practices & Linkages
4.1 Non-Solicitation (ELEMENTARY)
POLICY
GDC shall not recruit resources who have worked for GE in the last 12 months without an explicit approval from GE GDC Program Office. GDC shall also not recruit/allocate other GDC resources that have serviced GE in the last 12 months.
The purpose of this Practice is to establish and maintain the integrity (Spirit & Letter) of the MSA in the GDC Organization in the context of hiring or allocating resources who may have served on a GE Task Order (or) been a part of GE in the last twelve months.

GOALS
- 0 incidents associated with recruitment/allocation of other GDC resources or GE resources to GDC

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the recruitment and resource allocation processes of the GDC Organization to meet the policy and goal of this practice. The specific responsibilities are:
- NS 1.0 Manage the recruitment process across the Organization to minimize the risk of hiring resources who had been with GE in the last 12 months (or) hiring resources who may have been a part of GE GDC with other GDCs in the last 12 months
- NS 2.0 Manage the resource allocation process to GE GDC to minimize the risk of allocating resources who had been with GE in the last 12 months (or) other GDC resources who may have been a part of GE GDC in the last 12 months
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that solicitation of GDC resources is not recommended to another GDC, nor are GDC resources hired by GE:
- NS 3.0 GE shall neither hire a GDC resource who may have been a part of GE GDC in the last 12 months nor recommend the hiring of a GDC resource to another GDC
OPERATING GUIDELINES
NS 1.0 Manage recruitment process
- Recruiting or attempting to recruit a past employee of GE who had been with GE in the last 12 months is not permitted
- Exceptions to the above shall be brought to the notice of GE GDC Program Office, and recruitment shall proceed only if formally signed off by GE GDC Program Office. GE GDC Program Office shall provide an approval based on discussions with the appropriate GE GDC Business leaders / GE HR manager
- Resources (inclusive of sub-contractors) belonging to other GDCs or GE Business-specified third parties working on GE Engagements cannot be recruited/contracted by a GDC for GE GDC Engagements for up to twelve months after their disengagement from GE Task Orders
  - This norm shall apply even if the resource has exited the GDC and is a part of another Organization
  - In exception cases, where a GDC wishes to recruit the resource ahead of the 12-month norm, a No Objection note shall be obtained from the Global Relationship Manager/Global Delivery & Operations Leader by the GDC that wishes to recruit the resource
- GDC Organization's Recruitment process shall have adequate controls to identify and prevent, or proactively mitigate, the risk of hiring a resource from another GDC and thereby impacting GDC Operations
- GDC shall maintain evidence of exception approvals and verification for hiring

NS 2.0 Manage resource allocation process
- GDC shall ensure that a resource who had served GE in the last 12 months as a part of another GDC Organization or a Business-specified third party organization is not assigned to a GE engagement for a period of twelve months since their disengagement from GE Task Orders
  - This norm shall apply even if the resource has exited the GDC and is a part of another Organization
  - In exception cases, where a GDC wishes to recruit the resource ahead of the 12-month norm, a No Objection note shall be obtained from the Global Relationship Manager/Global Delivery & Operations Leader by the GDC that wishes to recruit the resource
- GDC shall have well-defined practices and procedures to manage exception cases; clear documentation of these exceptions and of the approvals obtained from GE GDC Program Office or the other GDC Organization shall be maintained

Minimum Audit Requirements
- Evidence of Non-Solicitation verification in hiring and resource allocation
- Evidence of exception approvals for on-boarding resources with GE association (either as an employee of GE or as a resource in one of the GDC or business-specified third party organizations) in the last 12 months

MSA Linkage
Sections 3.13 to 3.15

Related Practices
Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor Management

eGDC Suite Linkage
Adhoc Approvals (for exception hiring of GE resources); Incident Management (response to Incidents raised, if any, on hiring from another GDC or GE)

Online Resources
Not Applicable
4.2 Background Check (ELEMENTARY)
POLICY
GDC Resources, irrespective of their work location or role, shall be BGC cleared as per GE Guidelines by a GE Certified BGC Agency before being deployed to GE GDC.
The purpose of this practice is to establish and maintain the integrity of background check performance and clearance status (in spirit and letter) for every GDC resource associated with GE (irrespective of their role).

GOALS
- 100% of resources assigned to GE GDC are Background Check cleared (as per GE guidelines, by GE Certified Background Check agencies) before being on-boarded to GE GDC

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goal of this Practice. The specific responsibilities are:
- BGC 1.0 Perform background checks as per GE guidelines on BGC
- BGC 2.0 Deploy only BGC cleared resources to GE
- BGC 3.0 Manage BGC to ensure timely deployment of resources to GE
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that no resources are permitted to work on GE engagements without being BGC cleared:
- BGC 4.0 Validate BGC Status prior to SSO Id Creation
OPERATING GUIDELINES
BGC 1.0 Perform Background checks as per GE Guidelines on BGC
- GE Authorized suppliers shall be used for conducting BGC. In exception cases, BGC may also be carried out by Government Agencies or by the HR Staff of the GDC Organization, based on the practices of the Region/Country
- Standard operating procedures specific to a region shall be followed for the background checks performed in that region
- Exemptions to checks may apply in certain cases, as per the exemptions document provided in the Online Resources. In the case of the few states in India / few countries that do not permit criminal checks, GDCs shall define the process to handle it and adhere to the same
- In case of GDC resources being placed at a GE Site, additional Business-specific requirements for BGC shall be understood and performed
- In case of a GDC resource/subcontractor getting allocated to GE engagements after a break in service, GDCs shall perform the applicable additional checks as defined in the GE BGC exception handling guidelines (part of the GE BGC Exemptions Document)
- Well-documented procedures shall be in place to handle exceptions [inclusive of unverifiable data or insufficiencies], whether these are reported by the BGC agency or are a decision taken by the GDC Organization. Clear documentation and evidence shall exist and be auditable for every case of exception

BGC 2.0 Deploy only BGC Cleared resources to GE
- All GDC resources/subcontractors shall be deployed to GE only after they are BGC cleared
  - Includes new recruits, internal moves inclusive of re-allocations [as per BGC Exemptions Document], sub-contractors, support staff, management staff and any other resource requiring access to the GEGDC area or other GE resources
  - Includes all roles, for example BRM, Sales & Marketing, IT Security & Compliance, Network & Infrastructure, Delivery, Leadership, PMO, Quality, HR & Finance Support, Physical Security Staff, Facility Maintenance Staff and any others involved in providing services to GEGDC
  - Includes resources working at GE Site, GDC Site or from any other location
- Internal Support Staff of the GDC Organization who are not full time members of the GEGDC Organization but who provide support services to GEGDC shall also be cleared on BGC
- BGC shall be done before allowing physical or logical access to the GDC area, or before requesting an SSO Id from the GE Sponsor
- Well-documented procedures shall be in place to handle exception decisions on deployment of a non-GREEN case (as reported by the BGC Agency). Clear documentation and evidence shall exist and be auditable for every case of exception

BGC 3.0 Manage BGC to ensure timely deployment of resources
- GDC Organization shall monitor and manage the SLA with the agency to ensure timely deployment of resources
- Insufficiencies and non-GREEN cases shall be verified by the GDC Organization, and process improvement initiatives shall be undertaken to minimize the impact of these cases on timely deployment to GE or on compromises to the quality of checks
Minimum Audit Requirements
- Evidence of BGC Clearance report from a GE Authorized BGC Agency shall be maintained for every resource (as outlined in BGC 2.0)
- Evidence of exception/exemption cases and adherence to Exception Handling guidelines shall be maintained for all exception cases. This shall include clearance of non-GREEN cases, decisions on insufficiencies, exemption cases and any others outlined in BGC 1.0 and BGC 2.0

MSA Linkage
Sections 3.17, 3.18

Related Practices
SSO Id Governance, GDC On-boarding, GE Site Contractor Management, Sub-Contractor Management

eGDC Suite Linkage
BGC Dashboard

Online Resources
The following additional guidelines can be found at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures > Compliance & Security > HR/Staff Related > Additional Guidelines:
- BGC Guidelines for India, Mexico, China, European Countries, US, Brazil, Japan
- Guidelines on BGC Exemptions
- GE Certified BGC Agency List
4.3 GDC Resource On-Boarding/Off-Boarding (ELEMENTARY)
POLICY
GDC Organization shall have a formal on-boarding, off-boarding and transfer process to enforce timely implementation of the governance procedures related to the on-boarding and off-boarding of a resource.
The purpose of this Practice is to enforce compliance to governance practices and procedures when resources are on-boarded to, or off-boarded from, a project/location/GE GDC.

GOALS
- 0 defects/incidents in On-boarding of a resource
- 0 defects/incidents in Off-boarding of a resource

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goals of this practice. The specific responsibilities are:
- GOO 1.0 Maintain Resource Register
- GOO 2.0 Manage On-boarding of GDC Resource
- GOO 3.0 Manage Off-boarding of GDC Resource
As a stakeholder of this Practice, GE Businesses are required to be aware of the on-boarding and off-boarding requirements and to participate where specific requests are raised:
- GOO 4.0 Review requests for action and facilitate/perform authorized actions
OPERATING GUIDELINES
GOO 1.0 Maintain Resource Register
- GDC shall ensure that a complete resource register is maintained. The resource register shall at a minimum track resource personnel information, employment details, GDC organization on-boarding details, current deployment details, past deployment details (within GE GDC), documents signed by the GDC resource (linked to a specific engagement or practice), VISA details, and details of Assets assigned to the resource
- Data shall be maintained for existing and off-boarded resources
- GDC shall ensure that resource data is available to GE on demand
- GDC shall ensure that a minimum traceability of 7 years (data) is maintained for all resources within the GDC Organization. Data of resources who have been off-boarded from the GDC Organization shall also be maintained for a period of 7 years
- GDC shall ensure that data is current and complete in all aspects

GOO 2.0 Manage Resource On-Boarding
- GDC shall ensure that only BGC cleared resources are on-boarded to GE GDC, irrespective of their location of work
- GDC shall also ensure that such resources have been cleared from a non-solicitation perspective
- GDC shall ensure that resources joining GE GDC read and acknowledge the AUG, SIA and the Commitment to Integrity Spirit & Letter documents
- GDC shall ensure that the resources joining GE GDC are trained and certified on GE Governance practices and their responsibilities in maintaining a safe and secure environment
- GDC shall ensure that the resources joining GE GDC are placed at a GE Site only after the above steps are completed
- Physical and logical access to the GDC work area at the GDC Site shall be granted to new joinees only after the training and assessment is completed
- GDC shall request SSO IDs only after the resource has cleared BGC and signed the AUG and SIA documents. The resource shall also be certified as being trained on GE Governance practices and aware of their responsibilities as a GE GDC resource before the request for the SSO ID
- If the resource is a sub-contractor, GDC shall ensure that appropriate approval is obtained from the GE Business VMO leader for on-boarding a sub-contractor resource. GDC shall maintain evidence of Resource assessment before requesting GE for approval
- Where resources are being on-boarded for sensitive locations, GDC shall ensure that additional documents as required by the GE Business (over and above the standard AUG, SIA and Commitment to Integrity documents) are signed
- GDC shall ensure that additional trainings (as seen appropriate to the engagement) are discussed and provided to resources being allocated to critical/sensitive projects
- Where resources are being on-boarded to a GE site, GDC Organization shall ensure verification and validation of resource status as given below:
  - Resource is trained and is aware of the guidelines to be followed for GE Site work
  - VISA required for WORK is of the appropriate type and does not violate Immigration rules
  - VISA is valid for the entire duration of work, and where the VISA expiry is before the end date of the engagement, the same is communicated formally to the GE Manager with plans for mitigating the risk
  - Where the resource is deployed on a non-PSA engagement, the GE Site duration completed is validated for the potential risk of exceeding the threshold period (as defined in GE Site contractor management). GDC shall not deploy resources whose GE Site duration may fall into a Watch Period within 3 to 6 months of being deployed. In other cases, GDC shall proactively communicate the risk and collaborate with the GE Business to mitigate the same
- Assets provided to a GDC Resource shall be in complete compliance with all the practices on the GDC Program
- GDC shall upload the on-boarding information to the eGDC Suite within a week of the resource being on-boarded to GE GDC

GOO 3.0 Manage Resource Off-Boarding
- Where a GDC resource is being off-boarded from the GDC Organization (irrespective of whether the resource is exiting the parent Organization or moving to another part of the parent Organization), the following steps shall be adhered to:
  - Resource shall sign the Assignment of Rights document with details about the projects undertaken and the duration of service provided. The Assignment of Rights document shall be counter-signed by a GDC authorized signatory
  - Any data folders being maintained/owned by the resource shall be transferred to appropriate Leadership within the GDC Organization
  - GE Data residing on individually owned Folders/Shared drives/Local machine/GE Libraries shall be validated and appropriate treatment provided
  - GDC Organization shall ensure that GE data is not misused (copy/upload to online storage tools, attachment to emails)
  - Any work requests/tickets raised by the resource that may require follow-up shall be assigned to a successor, where applicable, and with appropriate approvals from the GE Business owner
  - GE Software and Hardware Assets (if any) assigned to the resource shall be surrendered
  - GDC Organization assets assigned to the SSO Id shall be surrendered and desktops/laptops completely formatted
  - SSO Id shall be surrendered
- Where a GDC resource is being off-boarded to a different project/role within the GDC Organization, GDC shall adhere to the following:
  - SSO Id shall be surrendered/transferred to the appropriate sponsor, as the case may be. In exception scenarios where the resource is expected to be assigned to a project with the same sponsor (with the Business being the same), the SSO Id can be retained
  - Where the SSO Id is retained (same or different sponsor), GDC Organization shall collaborate with GE Managers to ensure that all access associated with the SSO Id for applications/sites related to the project being off-boarded is removed
  - Any data being maintained/owned by the resource (folders with data pertaining to the project from which the resource is off-boarded) shall be transferred to appropriate Leadership within the GDC Organization, and all such Folders/Libraries shall be deleted
  - GE Data residing on individually owned Folders/Shared drives/Local machine/GE Libraries shall be validated and appropriate treatment provided
  - GDC Organization shall ensure that GE data is not misused (copy/upload to online storage tools, attachment to emails)
  - Any work requests/tickets raised by the resource (and associated with the project being exited) that may require follow-up shall be assigned to a successor, where applicable, and with appropriate approvals from the GE Business owner
  - GE Software and Hardware Assets (if any) assigned to the resource shall be surrendered
  - GDC Organization assets assigned to the resource shall be surrendered and desktops/laptops completely formatted
- If the resource being off-boarded is a critical resource, project-specific BC/DR Plans shall be updated to reflect the change (where projects are not closed/terminated)
- Physical and logical access shall be removed for the resource according to the nature of the off-boarding. This shall take into account Server room access, Restricted area access and GDC Site access
- If the resource is being off-boarded from a GE Site, GDC Organization shall collaborate with the GE Business to ensure that the above are performed in a timely manner
- GDC Organization shall validate the resource off-boarding as planned/unplanned and update the resource register accordingly
MINIMUM AUDIT REQUIREMENTS
- Evidence of BGC Clearance being obtained prior to On-boarding
- Evidence of AUG, SIA and training/assessment documents signed prior to Physical/Logical Access
- Evidence of SSO Id request, Physical/Logical access being assigned after on-boarding

MSA Linkage: Not Applicable
Related Practices: Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor Management, Assets Governance, Project/Engagement Termination/Closure, GE Knowledge Management, GE Site Contractor Management
eGDC Suite Linkage: Contingent Worker Data*
Online Resources: The following template can be found at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures > Compliance & Security > HR/Staff Related > Additional Guidelines: Resource Register Template
4.4 SSO Id Governance (ELEMENTARY)
POLICY
Every resource associated with GE GDC shall have a valid SSO Id that is current and applicable to the role and engagement of the individual. Accesses associated with the SSO Id shall be relevant to the role and the engagements of the individual.
The purpose of this Practice is to ensure that appropriate controls are established to ensure governance and proper use of SSO Ids issued to GDC resources, in alignment with the Policy above.

GOALS
- 100% of SSO Ids for GDC are current and with the right sponsorship and access
- 0 instances of GDC resources without an SSO Id
- 0 instances of shared SSO Ids

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- SIG 1.0 Manage SSO Id Creation
- SIG 2.0 Monitor and manage SSO Id use
As a stakeholder of this Practice, GE Businesses are responsible for SSO Id Creation, assigning appropriate access and deleting Ids when they are no longer required:
- SIG 3.0 Validate BGC Status and existence of an SSO Id for the GDC resource prior to Creation
- SIG 4.0 Manage Access and SSO Id end date
OPERATING GUIDELINES

SIG 1.0 Manage SSO Id Creation
- Every resource of the GDC Organization shall have a valid SSO Id
- GDC shall request SSO Ids only after the resource is BGC cleared and the AUG and SIA are signed. Evidence of such requests shall be maintained by GDC
- GDC shall ensure that the resource does not already have an SSO Id
- Requests for creation of SSO Ids shall explicitly identify the GDC Organization name, BGC Clearance status, the role of the individual in the GDC Organization, the address of the location at which the resource would be based, and the resource's contact details
- GDC resources shall only have a GE email ID mapped to their SSO Id. No direct or indirect mapping of a non-GE email ID is permitted
- Where there are business-specific guidelines to be followed in requesting SSO Id creation, GDCs shall ensure that such guidelines are clearly documented and followed
- Evidence shared with GE for SSO Id Creation shall be maintained as a part of the SSO Id Inventory
- The SSO Id sponsor shall be relevant to the current engagement of the resource
- Sponsorship for shared resources within the GDC's Leadership team, PMO, Compliance & Governance and support functions like Quality, HR, Finance, IS, Network Management and the like shall be provided by the GE GDC Program Office
- In exception scenarios, where shared resources are leveraged for project delivery across multiple businesses, GDC shall communicate the shared status clearly to all the businesses concerned and ensure that approvals are obtained from the businesses concerned for:
  - Enabling additional access (pertaining to the new businesses) on an existing SSO Id
  - Issue of an additional SSO Id for the same resource
- GDC shall ensure that such exceptions are tracked for proper use, and that the SSO Ids and accesses are surrendered when no longer required
- GDC shall report all such exception cases to the GDC Program Office on a monthly basis
SIG 2.0 Monitor and manage SSO Id use
- An inventory of all SSO Ids assigned to GDC resources, inclusive of support and project personnel, shall be maintained by the GDC for up to one year after an Id's surrender. Beyond the 1-year period, the details of such SSO Ids no longer in use shall be maintained in archive for a period of 7 years. The inventory shall include: SSO Id, Email, Sponsor SSO Id, Location, Worker Type, Person Type, Project Assignment, Role Description, Status, Date of Creation, Date of Last Renewal and Surrender Date
- GDC shall ensure that SSO Id Sponsorship is current and validated, so that the resources assigned are under the current project sponsorship
- In case of project transfers within the same Business, GDC shall ensure transfer of sponsorship and surrender of access to applications and information that are not relevant to the current project. It is recommended that the SSO Id is surrendered and a new SSO Id created for transfers within the same business.
- In case of movement across Businesses, GDCs shall surrender the SSO Id before requesting a new SSO Id. GDCs shall follow up with the sponsor to ensure deletion of the Id
- Assets linked to the SSO Id (e.g. VPN tokens or Software Licenses) shall be surrendered immediately when the Id is deleted or sponsorship is changed to the respective business
- Requests for revoking access/deleting Ids shall be raised within a maximum threshold period of 1 business day of the resource moving out of the engagement. The GDC shall follow up to ensure the SSO Id is deleted within a maximum threshold period of 5 business days of the resource moving out. In exception cases, where the SSO Id has to be retained for an extended period, explicit communication and approval from the sponsor is required.
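The inventory fields and the 5-business-day deletion threshold above, together with the weekly reconciliation against GE and the no-shared-Id rule that SIG 2.0 also sets, as an added example of how a GDC could run the weekly check in code. This is not the handbook's or the eGDC Suite's tooling; the GE extract layout, the extra "resource" field naming the Id holder, and the @ge.com mailbox domain are assumptions.

```python
"""Weekly SSO Id inventory reconciliation against GE's view (added example,
not the handbook's or eGDC Suite's tooling). Assumed: rows carry the SIG 2.0
fields used below plus a 'resource' field; GE's extract is a list of dicts with
'sso_id', 'sponsor_sso_id', 'active'; '@ge.com' stands in for the GE domain."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

DELETION_SLA_BUSINESS_DAYS = 5   # SIG 2.0: Id deleted within 5 business days of moving out
GE_EMAIL_DOMAIN = "@ge.com"      # assumption; SIG 1.0 permits only a GE email on an SSO Id


@dataclass
class InventoryRow:
    """Subset of the SIG 2.0 inventory fields needed for these checks."""
    sso_id: str
    resource: str                 # assumed field: the person the Id was issued to
    email: str
    sponsor_sso_id: str
    status: str                   # "active" or "surrendered"
    surrender_date: Optional[date] = None


def business_days_between(start: date, end: date) -> int:
    """Monday-to-Friday days in (start, end]; 0 when end <= start."""
    days, cur = 0, start
    while cur < end:
        cur += timedelta(days=1)
        if cur.weekday() < 5:
            days += 1
    return days


def reconcile(inventory, ge_extract, today):
    """Return (subject, code, detail) discrepancies between the two views."""
    findings = []
    ge = {r["sso_id"]: r for r in ge_extract}

    # Group inventory rows: an Id must map to one resource, a resource to one Id.
    rows_by_id, active_ids_by_resource = defaultdict(list), defaultdict(set)
    for row in inventory:
        rows_by_id[row.sso_id].append(row)
        if row.status == "active":
            active_ids_by_resource[row.resource].add(row.sso_id)
    for sso_id, rows in rows_by_id.items():
        if len({r.resource for r in rows}) > 1:
            findings.append((sso_id, "SHARED_ID", "escalate to Business VMO and Program Office"))
    for resource, ids in active_ids_by_resource.items():
        if len(ids) > 1:
            findings.append((resource, "MULTIPLE_IDS", "requires a documented exception approval"))

    # Ids GE treats as active that the GDC does not know about at all.
    for sso_id, rec in ge.items():
        if rec["active"] and sso_id not in rows_by_id:
            findings.append((sso_id, "MISSING_FROM_INVENTORY", "active at GE, absent from inventory"))

    for sso_id, rows in rows_by_id.items():
        row, rec = rows[0], ge.get(sso_id)
        ge_active = rec is not None and rec["active"]
        if row.status == "active":
            if not ge_active:
                findings.append((sso_id, "NOT_ACTIVE_AT_GE", "inventory says active, GE does not"))
            elif rec["sponsor_sso_id"] != row.sponsor_sso_id:
                findings.append((sso_id, "SPONSOR_MISMATCH",
                                 f"inventory {row.sponsor_sso_id}, GE {rec['sponsor_sso_id']}"))
            if not row.email.lower().endswith(GE_EMAIL_DOMAIN):
                findings.append((sso_id, "NON_GE_EMAIL", row.email))
        elif row.status == "surrendered" and ge_active and row.surrender_date:
            # The surrender date stands in for the day the resource moved out.
            elapsed = business_days_between(row.surrender_date, today)
            if elapsed > DELETION_SLA_BUSINESS_DAYS:
                findings.append((sso_id, "DELETION_OVERDUE", f"{elapsed} business days since surrender"))
    return findings


# Constructed sample data; Ids and sponsors are placeholders, not real GE identifiers.
SAMPLE_INVENTORY = [
    InventoryRow("A100", "R1", "r1@ge.com", "S1", "active"),
    InventoryRow("A101", "R2", "r2@example.com", "S2", "active"),          # non-GE mailbox
    InventoryRow("A102", "R3", "r3@ge.com", "S1", "surrendered", date(2011, 3, 3)),
    InventoryRow("A103", "R6", "r6@ge.com", "S1", "surrendered", date(2011, 3, 10)),
    InventoryRow("A104", "R4", "team@ge.com", "S1", "active"),             # shared between
    InventoryRow("A104", "R5", "team@ge.com", "S1", "active"),             # two resources
    InventoryRow("A106", "R1", "r1@ge.com", "S3", "active"),               # R1's second Id
]
SAMPLE_GE_EXTRACT = [
    {"sso_id": "A100", "sponsor_sso_id": "S1", "active": True},
    {"sso_id": "A101", "sponsor_sso_id": "S2", "active": True},
    {"sso_id": "A102", "sponsor_sso_id": "S1", "active": True},   # surrendered 7 business days ago
    {"sso_id": "A103", "sponsor_sso_id": "S1", "active": True},   # surrendered 2 business days ago
    {"sso_id": "A104", "sponsor_sso_id": "S1", "active": True},
    {"sso_id": "A105", "sponsor_sso_id": "S2", "active": True},   # unknown to the GDC
    {"sso_id": "A106", "sponsor_sso_id": "S4", "active": True},   # sponsor differs
]


def weekly_report(today: date = date(2011, 3, 14)):
    """Run the reconciliation on the sample data as of a Monday run date."""
    return reconcile(SAMPLE_INVENTORY, SAMPLE_GE_EXTRACT, today)
```

Each finding maps to an item the audit requirements ask evidence for (deletion requests, exception approvals, the weekly reconciliation itself), so the report can be filed as that evidence.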
- Retention of access to applications/restricted sites that are no longer supported by the resource or not relevant to current engagements shall be seen as a violation of SSO Id use
- Extension/Renewal of an SSO Id shall be explicitly requested based on the project need, and evidence of the same shall be maintained
- SSO Ids shall not be shared between resources (irrespective of the reason or duration of the share), and where such group SSO Ids exist, GDCs shall escalate them to the Business VMO and GE GDC Program Office for resolution
- GDC shall reconcile their SSO Id inventory with GE on a weekly basis, to ensure the inventory is accurate and correct. GDC shall take measures to correct any discrepancies found in reconciliation.
- GDC shall have well-defined practices and procedures to manage exception cases; clear documentation of these exceptions and of the approvals obtained from GE GDC Program Office shall be maintained

MINIMUM AUDIT REQUIREMENTS
- Evidence of SSO Id Creation requests to the Business shall be maintained
- Evidence of transfer and deletion requests to businesses shall be maintained
- Evidence of approvals for exception cases (multiple SSO Ids for an individual, extension of SSO Id use after off-boarding from an engagement, and other such exception scenarios) shall be maintained
- Evidence of reconciliation of the SSO Id inventory with GE on a weekly basis
- The SSO Id Inventory and archives shall be auditable

MSA Linkage: Not Applicable
Related Practices: Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor Management, Assets Governance, Project/Engagement Termination/Closure
eGDC Suite Linkage: Contingent Worker Data*; Exception Reporting on SSO Id*
Online Resources: The following additional guidelines can be found at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures > Compliance & Security > HR/Staff Related > Additional Guidelines:
- GE GDC Program Office Sponsorship Guidelines for SSO Ids
- Business-specific submissions for SSO Id Creation

4.5 Sub-contractor Management (ELEMENTARY)
POLICY
Use of Sub-contractors in GE GDC shall be by exception only and cannot exceed a threshold of 1% FTE. Sub-contracting shall not be permitted as a rule.
The purpose of this Practice is to ensure that GDC use of sub-contractors or sub-contracting (in services to GE), even when carried out on an exception basis, is managed, controlled and monitored to minimize risks to GE and GDC.

GOALS
- Minimize use of Sub-Contractors to < 1% of GDC FTE on GE Services
- Proactive management of risks associated with Sub-Contractor use/sub-contracting, so as to minimize or neutralize the same

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- SCM 1.0 Manage Contractual Agreement with Sub-Contractor/Sub-Contracting Organization
- SCM 2.0 Manage Sub-Contractor Use
- SCM 3.0 Manage Sub-Contracting
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that any request for use of a sub-contractor/sub-contracting is verified and validated against a business need, and that the risks to GE/GDC are understood before approving any such use. The specific responsibilities of GE are:
- SCM 4.0 Approve every instance of use of a Sub-contractor/Sub-Contracting by reviewing the business need, risk assessment and measures taken to minimize risks, in compliance with GE stated requirements
- SCM 5.0 Support periodic risk assessment and mitigation
OPERATING GUIDELINES

SCM 1.0 Manage Contractual Agreement with Sub-Contractor/Sub-Contracting Organization
- Sub-Contract companies shall be selected based on formal due diligence/assessments that are conducted as per the established process of the GDC Organization
- GDC Organization shall have contractual agreements in place with Sub-Contractor companies
- Contracts shall incorporate the sub-contract company's responsibilities with respect to protecting the GDC Organization's and its Clients' information and assets
- Contracts shall also incorporate appropriate clauses that enable the GDC Organization to audit the Sub-Contract company for compliance with the Contractual requirements
- Periodic assessments/re-evaluation (defined based on the criticality of the services offered by the Sub-Contract company) of Sub-Contract companies shall be undertaken as per the established process of the GDC Organization. Such assessments include work performance, competency and capability assessment, and organization performance

SCM 2.0 Manage Sub-Contractor Use
- Sub-contractors (for use on GE GDC services) shall be selected from Companies that have a formal contractual relationship with the GDC Organization
- Every instance of use of sub-contractors by GDC towards service to GE shall be approved by appropriate GE Leaders prior to on-boarding of the individual sub-contractor resource to GE GDC; the request for approval shall indicate the business case for use of sub-contractors along with a risk assessment (if any)
- GE Business VMO Leaders shall be the approving authority for sub-contractor use on GE Business engagements
- GE GDC Program Office shall be responsible for approving all other cases of sub-contractor use
- GDC shall obtain explicit approval from appropriate GE Leaders for every instance of extension of use (beyond the originally approved period). A change of project/location of use shall warrant a fresh approval to be obtained
- Sub-contractors shall comply with all the compliance and security requirements applicable to GDC employees, irrespective of their location of work
- Placement of sub-contractors at a GE Site shall be in compliance with the requirements on GE Site Contractor Resource Management
- Sub-contractor use on GE GDC shall not exceed 1% of GDC FTE, unless otherwise explicitly approved by GE GDC Program Office
- GDCs shall practice strategic forecasting of sub-contractor use (inclusive of sub-contractor use at third party locations). As a part of such forecasting practice, GDCs shall set their thresholds and define the use scenarios. If the GDC-defined threshold exceeds the default 1% limit, GDC shall proactively seek approval from GE GDC Program Office by submitting a formal business case and risk assessment.
- GDC shall monitor and manage their sub-contractor use within their default/pre-approved thresholds

SCM 3.0 Manage Sub-Contracting
- GDC shall ensure that resources working out of any sub-contracting sites (be they sub-contractor resources or GDC employees) adhere to all the compliance and security requirements, as per the GDC MSA with GE; use of such resources shall be monitored and managed as per the guidelines above
- Use of third party locations for delivering services to GE shall not be permitted as a rule. Exceptions to this rule shall be submitted to GE GDC Program Office for approval:
  - One-off use for specific project scenarios shall be approved by the GE Business VMO Leader & GE GDC Program Office based on a business case and risk assessment
  - Strategic use of third party locations for servicing GE shall be forecasted by GDC using a business case and risk assessment, and approval obtained from GE GDC Program Office
- Depending on the nature of use, the site may require to be certified for use as per the GE GDC Site Optimization process guidelines
- Every instance of such use of third party locations shall be explicitly specified in responses to proposals (even if the location is certified)

MINIMUM AUDIT REQUIREMENTS
- Evidence of first-time selection and periodic performance assessment of Agency and individual sub-contractor resources
- Contracts with Sub-contractor agencies and sub-contracting companies are auditable
- GE GDC Resource database is auditable
- Evidence of adherence to sub-contractor on-boarding & use requirements
- Evidence of adherence to sub-contracting (to third-party locations) requirements shall be maintained; this is inclusive of audit evidence from sub-contracting sites

MSA Linkage: Sections 5.1 to 5.4
Related Practices: SSO Id Governance, GDC On-boarding, GE Site Contractor Management, Background Check, Work Visa Management, Non-Solicitation, Working for Competitors, Site Management
eGDC Suite Linkage: Sub-contractor Management module
Online Resources: Not Applicable
4.6 GE Site Contractor Management (ELEMENTARY)
POLICY
GDC Resources on non-PSA engagements shall not remain deployed at a GE Site or across GE Sites for more than twelve months in total (without a cool-off period of a minimum of 6 months).
The purpose of this Practice is to ensure that GDC deployment of resources at GE Sites is done in a controlled manner, keeping in perspective the compliance risks and the business needs.

GOALS
- 0 instances of GDC Resources (employees/sub-contractors) remaining deployed at one or more GE Sites for more than twelve months in total (without a cool-off period of a minimum of 6 months), under engagements other than PSA

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- GCM 1.0 Collaborate with Business to manage Project Classification
- GCM 2.0 Manage Deployment & Use of GE Site Contractor resources
- GCM 3.0 Collaborate with Business to mitigate GE Site Contractor risks
As a co-owner of this Practice, GE Businesses are responsible for ensuring that the risks of continued use of a contractor resource at GE Sites are understood and mitigated. The specific responsibilities of GE are:
- GCM 4.0 Ensure Projects are clearly classified as being PSA or non-PSA
- GCM 5.0 Support periodic risk assessment and mitigation
OPERATING GUIDELINES

GCM 1.0 Collaborate with Business to manage Project Classification
- Every engagement shall be clearly classified as being PSA or non-PSA. GDC shall have an established process to distinguish a PSA from a non-PSA engagement
- Where the classification has not been explicitly defined by the Business as a part of the SOW or PO, the GDC shall assess the engagement based on their established process and obtain formal approval from the Business VMO Leader for the classification

GCM 2.0 Manage Deployment & Use of GE Site Contractor resources
- A GDC resource (inclusive of sub-contractors) shall be deployed at a GE Site on non-PSA engagements for a maximum period of 12 months of Total Duration
  - Total Duration is the cumulative period spent by the GDC resource at one or more GE Sites on non-PSA engagements with one or more Businesses (irrespective of Country or Manager)
  - Total Duration for a GDC resource increases for every deployment period (however small) on a non-PSA engagement at a GE Site
  - Total Duration is reset to 0 when a resource has a minimum period of 6 months of continuous break away from a GE Site (either through movement to a GDC Site or away from GE GDC)
- GDCs shall track allocation of all resources to GE Sites, irrespective of their allocation to a PSA or non-PSA engagement
- GDC shall ensure that resources deployed to a GE Site (irrespective of whether they work on PSA or non-PSA) are aware of the guidelines associated with working from a Customer Location and the organizational responsibility associated with working at a Customer Location
- GDC Organization shall continue to maintain managerial control over the resources and sub-contractors it deploys at any GE Site
- GDC Organization shall continue to be responsible for the resources' awareness of the Governance requirements and compliance with the same
- For every instance of a GDC resource being deployed to a GE Site, the GDC shall assess the nature of the project (PSA/non-PSA) and, for every non-PSA deployment, assess potential risk, plan mitigation and communicate the same to GE in a proactive manner
- In cases where transitions are required, GDC Resource Managers shall plan in advance for such transition of resources/sub-contractors and shall collaborate with Business stakeholders to effect the transition in a smooth manner

GCM 3.0 Collaborate with Business to mitigate GE Site Contractor risks
- GDCs shall implement proactive planning and monitoring mechanisms to identify potential risks
- GDCs shall proactively collaborate with Business VMO Leaders to communicate and mitigate/minimize the risk of overstays on a non-PSA engagement, or of practices that increase risk on a non-PSA engagement or on a PSA engagement operating in a non-PSA mode
- All such risks shall be proactively and formally communicated to Business VMO Leaders
- Extensions up to a maximum period of 18 months of Total Duration may be permitted in exception cases on approval from the Global CIO/Global VMO Leader for the Business
- Any exceptions that may require a Business to continue with the resource or a practice even with the inherent risks shall be approved by the Global CIO/Global VMO Leader

MINIMUM AUDIT REQUIREMENTS
- Evidence of Contracts with PSA/non-PSA classification (or) Business-approved GDC assessment of Classification
- Evidence of the classification process being followed consistently
- Evidence of assessment of Total Duration and risks on a continuous basis, and proactive communication to GE Businesses of risks and mitigation plans
- Evidence of transitions being implemented in collaboration with Businesses
- Evidence of adherence to sub-contractor on-boarding & use requirements
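The Total Duration arithmetic of GCM 2.0 (cumulative non-PSA GE Site time across Businesses, reset after a continuous 6-month break) and the 12-month limit and 18-month exception ceiling of GCM 3.0, as an added example of how a GDC could compute them from its allocation records. This is not the handbook's or the eMeasure module's code; the deployment record layout and the 365-day and 548-day approximations of 12 and 18 months are assumptions.

```python
"""Total Duration tracking for GE Site deployments (GCM 2.0 / GCM 3.0).

Added example, not the handbook's own tooling. Assumptions: deployments are
per-resource (start, end) date ranges tagged GE Site/GDC Site and PSA/non-PSA;
12 and 18 months are approximated as 365 and 548 days.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date

MAX_TOTAL_DAYS = 365        # GCM 2.0: 12 months of Total Duration (assumed 365 days)
EXCEPTION_MAX_DAYS = 548    # GCM 3.0: 18 months with Global CIO/VMO approval (assumed)
RESET_BREAK_MONTHS = 6      # GCM 2.0: continuous 6-month break away from GE Sites


@dataclass(frozen=True)
class Deployment:
    resource: str
    start: date
    end: date               # inclusive last day on site
    ge_site: bool           # True = GE Site, False = GDC Site
    psa: bool               # True = PSA engagement, False = non-PSA
    business: str = ""      # Business/Country/Manager never matter to the total


def add_months(d: date, months: int) -> date:
    """Calendar-accurate month addition, clamped to the target month's last day."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    return date(year, month, min(d.day, monthrange(year, month)[1]))


def total_duration_days(deployments, resource: str) -> int:
    """Cumulative non-PSA GE Site days for one resource across all Businesses.

    Every non-PSA GE Site stint adds, however short. Any GE Site stint (PSA
    included) ends the 'away from a GE Site' break; a break of at least
    RESET_BREAK_MONTHS before the next GE Site stint resets the total to 0.
    """
    stints = sorted((d for d in deployments if d.resource == resource and d.ge_site),
                    key=lambda d: d.start)
    total, last_ge_day = 0, None
    for d in stints:
        if last_ge_day is not None and d.start >= add_months(last_ge_day, RESET_BREAK_MONTHS):
            total = 0
        if not d.psa:
            total += (d.end - d.start).days + 1
        last_ge_day = d.end if last_ge_day is None else max(last_ge_day, d.end)
    return total


def deployment_status(total_days: int, exception_approved: bool = False) -> str:
    """Classify a Total Duration against the 12-month limit and 18-month ceiling."""
    if total_days <= MAX_TOTAL_DAYS:
        return "WITHIN_LIMIT"
    if exception_approved and total_days <= EXCEPTION_MAX_DAYS:
        return "WITHIN_APPROVED_EXTENSION"
    return "OVERSTAY"


def days_remaining(total_days: int) -> int:
    """Non-PSA GE Site days left before the 12-month limit, for GCM 3.0 planning."""
    return max(MAX_TOTAL_DAYS - total_days, 0)


# Constructed sample deployments (placeholder resource and Business names).
SAMPLE_DEPLOYMENTS = [
    # R1: two Businesses, a GDC Site spell and a PSA stint in between; no reset.
    Deployment("R1", date(2010, 1, 1), date(2010, 6, 30), True, False, "Business A"),
    Deployment("R1", date(2010, 7, 1), date(2010, 8, 31), False, False, "Business A"),
    Deployment("R1", date(2010, 9, 1), date(2010, 9, 15), True, True, "Business B"),
    Deployment("R1", date(2011, 1, 10), date(2011, 3, 14), True, False, "Business C"),
    # R2: a full year, then a break of more than 6 months resets the total.
    Deployment("R2", date(2010, 1, 1), date(2010, 12, 31), True, False, "Business A"),
    Deployment("R2", date(2011, 7, 5), date(2011, 7, 31), True, False, "Business A"),
    # R3: back-to-back non-PSA stints past the 12-month limit.
    Deployment("R3", date(2010, 1, 1), date(2010, 12, 31), True, False, "Business B"),
    Deployment("R3", date(2011, 1, 1), date(2011, 2, 28), True, False, "Business B"),
]


if __name__ == "__main__":
    for res in ("R1", "R2", "R3"):
        total = total_duration_days(SAMPLE_DEPLOYMENTS, res)
        print(res, total, deployment_status(total), days_remaining(total))
```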
MSA Linkage: Sections 3.12, 5.1
Related Practices: SSO Id Governance, GDC On-boarding, Sub-Contractor Management, Background Check, Work Visa Management, Non-Solicitation, Working for Competitors
eGDC Suite Linkage: eMeasure Project reporting as PSA/non-PSA; GE Site Contractor Management module
Online Resources: The following additional guidelines can be found at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures > Compliance & Security > HR/Staff Related > Additional Guidelines: Non-PSA Guidelines
4.7 Work VISA Management (ELEMENTARY)
POLICY
The right type of work VISA, in accordance with the nature of work, shall be obtained and managed for GDC resources/sub-contractors servicing GE in a foreign country.
The purpose of this Practice is to ensure that GDCs adhere to the work VISA requirements of the foreign country, to maintain VISA regulatory compliance in servicing GE in a foreign country, irrespective of the role of the GDC resources/sub-contractors.

GOALS
- 0 instances of violation of the work VISA requirements of a foreign country by GDC Resources (employees/sub-contractors) servicing GE in that foreign country
- 0 instances of GDC Resources (employees/sub-contractors) using a Business VISA or any other non-work VISA for purposes of work towards servicing GE
- 0 instances of GDC Resources (employees/sub-contractors) staying in the foreign country beyond the expiry date of the VISA
- 0 instances of impact on Project Delivery due to VISA expiry

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- WVM 1.0 Maintain integrity in obtaining the correct VISA type
- WVM 2.0 Manage the work VISA processing, renewal & expiry process
As a co-owner of this Practice, GE Businesses are responsible for ensuring that the risks of violation of work VISA regulations are understood. The specific responsibilities of GE are:
- WVM 3.0 Ensure a clear scope of work is provided to GDC for VISA processing
- WVM 4.0 Ensure any change in scope of work is communicated to GDC immediately
OPERATING GUIDELINES

WVM 1.0 Maintain integrity in obtaining the correct VISA type
- For every instance of GDC Resources (employees/sub-contractors) being deployed in a foreign country for GE work, the GDC shall assess the nature of work and process the appropriate work VISA as required by the VISA requirements of the foreign country
- A Business VISA shall not be used for purposes of any billable work towards servicing GE, unless otherwise explicitly communicated by the GDC Program Office. Business VISAs shall only be used for the purpose of business meetings
- For GDC Resources (employees/sub-contractors) already deployed on a work VISA, in the event that the scope of work changes, the GDC organization is required to validate the VISA requirements accordingly and take the necessary steps
- GE sponsorship for VISA processing shall not be sought. However, invite letters may be issued on request, only for Port of Entry, once the travel itinerary is finalized
- GDC shall not share the GDC MSA/Business SOW with Consulates or other third parties for VISA processing purposes. Where additional documentation is required by GDC for this purpose, GDC shall request the same from GE GDC Program Office through an approval process.

WVM 2.0 Manage the work VISA processing, renewal & expiry process
- GDC shall track the VISA type & validity status of all GDC Resources (employees/sub-contractors) deployed in a foreign country for GE work
- No GDC Resource (employee/sub-contractor) is permitted to stay beyond the expiry date of the VISA
- Procuring the relevant work VISA for GDC Resources (employees/sub-contractors) shall be done in advance to avoid delays in deployment
- In the event of foreseen VISA expiry, GDC Resource Managers shall plan in advance for the transition of the GDC Resources (employees/sub-contractors) deployed. This shall be shared with the GE Business with adequate notice in case the resource needs to move out before the completion of the engagement
- GDC shall proactively collaborate with Business VMO Leaders to communicate and mitigate/minimize the risk of any work VISA requirement violations
- All such risks shall be proactively and formally communicated to Business VMO Leaders

MINIMUM AUDIT REQUIREMENTS
- Evidence of VISA expiry monitoring and proactive communication to GE Managers

MSA Linkage: Sections 3.2, 5.12
Related Practices: GE Site Contractor Management, GDC On-Boarding/Off-Boarding
eGDC Suite Linkage: Contingent Worker Data*; Risk Register
Online Resources: Not Applicable
4.8 Resource Retention Management (ELEMENTARY)
POLICY
GDC shall maintain retention of GDC Organization resources at the GE GDC level at a minimum of 85%, while ensuring 0 misses on delivery/quality of deliverables due to resource transitions/movements.
The purpose of this Practice is to establish and maintain appropriate processes and controls in the GDC Organization to minimize risk and impact on GE engagements due to planned or unplanned attrition of GDC resources.

GOALS
- Minimum 85% retention of GE GDC resources at the GE GDC level
- 0 instances of impact at a Project/Engagement level
- 100% adherence to retention targets at the project level and business level

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- RRN 1.0 Monitor and manage retention levels at Project, Business & GE GDC level
As a stakeholder of this Practice, a GE Business is responsible for setting expectations (if any) on project-specific retention requirements and collaborating with the GDC Organization to execute on transitions:
- RRN 2.0 Define Project/Engagement-specific Retention Levels (in case of critical engagements)
- RRN 3.0 Collaborate with GDC Organization to execute on transition plans
OPERATING GUIDELINES

RRN 1.0 Monitor and manage retention levels
- GDC shall monitor and track retention at the resource level for all resources on GE Engagements, to ensure that no service/delivery to GE is impacted due to attrition
- The Resource Register shall maintain retention status for every resource
- GDC shall manage attrition to minimize the risk of impact to service/delivery/quality
- Scope of reporting to GE shall be specifically T&M engagements and critical Resources on Fixed Bid
- For the purpose of reporting to GE, Retention shall be calculated as (1 - (Unplanned Attrition / Total Workers in scope)) * 100, where:
  - Planned movement of resources (irrespective of exit/internal movements) shall be communicated proactively to GE Managers, and acknowledgement of the transition and date of release obtained
  - Exits and internal movements within the GDC Organization or to the parent organization that are not communicated to GE/acknowledged by the GE Manager shall be treated as Unplanned Attrition
  - Deviations in planned movements that impact a GE Engagement shall be treated as Unplanned Attrition, unless otherwise approved by the GE Manager to be a Planned Attrition
- GDC shall ensure that Retention is calculated at GDC Program Level using the above formula
- GDC shall ensure that retention at GDC Program Level is maintained at a minimum of 85% (as calculated using the above formula)
- In the event of a particular Statement of Work explicitly specifying a retention percentage, the same shall be met at that project level
- In the event of a business-specified retention percentage as a part of an MTO or an equivalent document, the same shall be met at the business level

MINIMUM AUDIT REQUIREMENTS
- Evidence of retention status tracking in the Resource Register
- Evidence of acknowledgement from the GE Manager on Planned Attritions
- Evidence of approval from the GE Manager on Deviations in Planned Attritions

MSA Linkage: Sections 2.4, 3.10
Related Practices: GDC On-Boarding/Off-Boarding, Engagement Termination/Closure Management, Business Continuity Management
eGDC Suite Linkage: Contingent Worker Data*; Retention Reporting*
Online Resources: Not Applicable
5.0 Physical Security & Safety

Physical Security & Safety is an important aspect of secure GDC operations and is considered a first line of defense and a non-negotiable process area of the governance program. There are many aspects and elements to implementing and maintaining physical security & safety. This section outlines the minimum physical security & safety needs of a GDC.

FIGURE 9 Physical Security & Safety Practices and Linkages

5.1 Environment, Health & Safety (ELEMENTARY)
POLICY
GDC facilities used for servicing GE shall adhere to requirements that ensure Employee Health and Safety (EHS). GDC facilities that do not conform to EHS requirements shall not be permitted to continue operations.
The purpose of this Practice is to enforce compliance with the local infrastructure norms/regulations and GE stated Employee Health and Safety (EHS) requirements.

GOALS
- 100% adherence to GE stated minimum Employee Health and Safety (EHS) requirements for all GDC facilities. Where the local infrastructure norm/regulation is superior to the GE Standard, the local standard shall apply

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- EHS 1.0 Establish and maintain compliance with EHS requirements for all GDC facilities (new/existing)
- EHS 2.0 Local infrastructure norms/regulations are periodically reviewed by the GDC C&S leader to ensure conformance
As a stakeholder, GE shall be responsible for reporting any potential risks or deviations from EHS at a GDC Site, whether observed or heard:
- EHS 3.0 Report Risk/Incident, in case of any observations/information of non-compliance
Operating Guidelines

EHS 1.0 Establish & maintain compliance for all GDC facilities
GDC facilities shall adhere to the more stringent of the local infrastructure norms/regulations or the GE stated minimum standards for facilities.
GDC shall ensure that the flooring in the site is evenly laid out. In case of variations in floor level, GDC shall ensure that the floor is marked appropriately so that the level variation is visible even in the dark.
GDC shall ensure that workstations are designed such that the work area available to every resource is at a minimum 6 foot by 5 foot (common area shall not be included in the calculation of this space).
GDC shall ensure that pathways (main and secondary pathways) and stairways (main and emergency) are at least 5 feet in width.
GDC shall ensure that no obstructive objects/artifacts are placed in pathways or staircases, thereby ensuring the safety of GDC resources in the site.
GDC shall ensure that all electrical fittings, false ceilings and other equipment or devices are fitted securely.
GDC shall ensure that walls, doors, filing cabinets and other units in the GDC site do not have sharp corners or surfaces (that may injure a resource).
GDC shall ensure that staircases (main and emergency) are not steep or slippery, to prevent injuries during evacuation.
GDC shall ensure that staircase (main and emergency) landing areas have even flooring, are marked clearly and are anti-skid.
GDC shall ensure that staircase (main and emergency) railings are tested for safety and stability.
GDC shall ensure that staircases (main and emergency) are brightly lit.
GDC shall ensure that electrical wiring is secured and that no loose wiring is in place.
GDC shall ensure the installation of an appropriate number of smoke detectors and water sprinklers across the GDC site.
GDC shall ensure that adequate fire extinguishers are placed on the floor to ensure easy accessibility and reach (at a minimum one every 2500 square feet of person area).
GDC shall have signage that clearly indicates the presence of the fire extinguisher. GDC shall ensure that these are placed in an area that is easily accessible.
GDC shall ensure that fire extinguishers are not placed in locations that may cause injury to resources during evacuation.
GDC shall maintain a safe area (size in proportion to the number of personnel) at a distance of approximately 100 meters from the main building. Any variation in the distance of the safe area shall be determined based on the local standards adjusted for the height of the building.
GDC shall ensure that the fuel storage area is adequately away from the main building.
GDC shall ensure that the vehicle parking area is designated such that access of/to fire engines and other emergency equipment is not obstructed.
GDC shall ensure that exit signs are visible from all employee seats, corridors and aisle ways in the facility. The exit signs shall be fluorescent and self-luminescent for a minimum period of 4 to 6 hours.
Server rooms at GDC sites shall be protected by smoke detection systems and gas flooding systems. All ceiling, floor and wall openings shall be closed. GDC shall ensure floor leveling, surface smoothness, safety of filing cabinets, safety of electrical wiring, and fastening of electrical fittings, equipment and devices to ensure the safety of resources operating in the server room.
Where GDC owns/operates a facility, GDC shall adhere to local regulations on air quality, waste disposal and water treatment.
GDC Organization shall orient/train their resources on Environment, Health and Safety standards. It is mandatory for all resources in GDC Organization to be trained in safety standards.
GDC Organization shall hold the fire/emergency drill at least once every rolling three months.
GDC Organization shall have a framework/process in place for their resources to raise concerns/suggestions on Health & Safety standards at the site.
GDC Organization shall plan preventive maintenance and periodic spot checks of safety standards and take immediate corrective measures where gaps are seen.
Where changes to local norms/regulations exceed GE stated minimum standards, GDC shall take immediate, appropriate steps to meet these requirements after seeking approval from the GE GDC Program Office.
Minimum Audit Requirements
Evidence of adherence to EHS norms in GDC sites
Evidence of safety training to all GDC resources
Evidence of preventive maintenance and spot checks being conducted at sites
Evidence of safety risk assessment being performed and actions being taken
MSA Linkage: Sections 5.13
Related Practices: Physical Security, GDC Site Management
eGDC Suite Linkage: GDC Site Management Adhoc Approvals
Online Resources: Not Applicable
5.2 Physical Security (ELEMENTARY)
Policy
Third party area with access to GE network or from where work for GE shall be executed/delivered shall be restricted to GDC personnel authorized for access. The purpose of this Practice is to ensure that appropriate controls are established and practiced in GDC sites to safeguard GE/GDC information and assets that may be accessible from GDC sites.

Goals
100% adherence to Physical Security norms
0 incidents of GE data access by unauthorized personnel at GDC sites
0 incidents associated with physical security

Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goal of this Practice. The specific responsibilities are:
PS 1.0 Manage GDC Resource security
PS 2.0 Manage access control & Security at GDC facility
PS 3.0 Manage visitor security
PS 4.0 Manage computer room security
PS 5.0 Manage Security of Restricted Areas
As a stakeholder, GE is responsible for bringing to notice any risks/non-compliances in physical security at GDC sites:
PS 6.0 Report risks and incidents associated with physical security practice at GDC Site
Operating Guidelines

PS 1.0 Manage GDC Resource security
Badges shall be worn by all GDC resources and required personnel unless local laws or regulations do not permit.
Badges shall clearly identify GE GDC resources from other resources. Badges shall also differentiate GDC employees from their sub-contractors.
Access to the GE GDC area shall be restricted to BGC cleared and AUG, SIA acknowledged GDC personnel.
GDC shall have a formal process to identify and prevent any data/asset being taken out of the GDC area.
An access termination procedure shall be in place. Employment termination / exit from GE GDC or change in GDC location shall result in access termination (immediate for administrator access).
GDC shall have a formal process for handling the access of resources on leave from site for more than 21 days.

PS 2.0 Manage Access control & Security at GDC facility
Electronic access control shall protect entry and exit to the GDC area.
Software-based access control systems shall be secured, have proper backups and be highly available.
Identification badge systems shall generate a log of each entry. All door openings shall generate a log entry. Every time the identification badge reader is used, it shall log date, time, room location, badge number and employee Id.
More sophisticated access control mechanisms may be deployed by GDC in consultation with GE GDC Program Office.
Entry and exit logging shall be done for all entry and exit points at the GDC site. Logs shall be maintained for at least one year in archive, with the past 30 days easily accessible.
All entry points shall be staffed 24x7, and entry point security cameras shall be installed and monitored by the central security desk, with recordings retained for at least one month, accessible online/digitally, and archived for up to one year.
Any exit point that does not have an alarm door shall have security cameras installed and monitored by the central security desk, with recordings retained for at least one month, accessible online/digitally, and archived for up to one year.
Any restricted area within the GDC site shall have security cameras installed and monitored by the central security desk, with recordings retained for at least one month, accessible online/digitally, and archived for up to one year.
At every entry point of every GE GDC location, a notice shall be displayed informing GDC resources and visitors that the site is under electronic surveillance.
Tailgating shall be avoided and communicated as a violation of policy. A notice communicating the same shall be displayed at all entry & exit points. GDC shall deploy tailgating prevention systems at the sites.
Guidelines for assets that can be carried into the GE GDC area shall be displayed at the entry point to GE GDC. The list of prohibited assets shall be displayed at all entry points.
GDC shall have a formal identification mechanism for authorized use of assets in the GE GDC area, and the same shall be verified (asset verification and use authorization verification) at entry on a regular basis. GDC shall ensure a formal verification mechanism at entry and at workstations for use of unauthorized assets.
Secure printing (using an access code) shall be implemented in all print stations within the GE GDC site. GDC shall monitor and maintain logs of all prints taken within the GE GDC site. Such logs shall be maintained for a period of 12 months.
Clear desk and clear screen policy shall be followed at all times.
GE confidential and restricted documents shall be locked when not in use and destroyed with a shredder when no longer needed.
GDC shall not permit photography within the GDC site.
GDC shall undertake periodic checks and preventive maintenance to ensure that security gaps are identified and corrective actions taken.

PS 3.0 Manage visitor security
Approvals for any external visits shall be obtained from GE's GDC Program Office and a visit report filed with GE's GDC Program Office.
Visitors (internal or external) to the GE GDC site shall be escorted by authorized GDC resources only.
If continued access (beyond 1 week) to the GDC site is required for internal visitors, BGC shall be done and access permission shall be time bound.
If continued access (beyond 1 week) to the GDC site is required for GE employees who are co-located with GDC and require physical access, GE Business VMO Leader approval and HR acknowledgement that BGC is cleared shall be obtained.
GDC shall have a formal process to identify visitors with long term access and short term access.
GDC shall have a formal process to identify and prevent any physical or electronic device/data being taken out of the GDC area.
GDC shall have a formal visitor badging process.
Visitor logbooks shall be maintained which include a clear description of the visitor name, organization, purpose, person to meet, date of visit, arrival and leaving time, assets carried, details of GDC escort and signatures of visitor and escort. GDC may choose to implement visitor identity access card systems.
Log of visitors shall be maintained for audit purposes for a minimum period of 12 months.

PS 4.0 Manage computer room security
Computer room shall be isolated. GE GDC computer rooms cannot be shared with the parent organization's server rooms.
In case project specific servers are maintained in the GE GDC computer room, GDCs are expected to implement additional controls and training for those personnel requiring access to these servers to maintain the compliance levels.
Computer room doors shall be secured to prevent access into the room unless otherwise authorized by the GDC Security Leader.
Computer room access shall have two-factor authentication, which can include: Badge/PIN, Biometric/PIN, Biometric/Badge, etc. A physical key is not a form of authentication.
Each computer room door shall have signs on both sides indicating it is to be closed and locked, with a contact to notify if it is found unsecured.
Server rooms shall have solid walls on all sides with no glass window panes/doors.
Server room shall have only 1 door, with the signage RESTRICTED ACCESS TO AUTHORIZED USERS only.
Server room door shall have an automatic closing mechanism with timing adjusted to close immediately. GDC shall ensure installation & configuration of an alarm to alert users if the server room door is open for more than 20 seconds.
Server room shall be fitted with adequate cameras (2 at a minimum) for surveillance purposes, to ensure that there are no blind spots. These shall be monitored by the central security desk, with recordings retained for at least one month, accessible online/digitally, and archived for up to one year.
GDC shall ensure that server room racks are locked with unique keys.
GDC shall ensure that a fire proof safe is available in the server room to store backups and other important media/information.
GDC shall ensure that only named people (limited people) are provided access to the server room and that an access log is maintained for all entries/exits. The logs shall be available for a minimum period of 12 months.
In case GE data servers (even if used for test purposes) are maintained in the GE GDC computer room, additional access controls shall be implemented at the server room and such servers shall be maintained on separate racks with exclusive access controls.
In case the server room supports data servers pertaining to Export Control work or GE IP work, such servers shall be maintained in separate racks with access restricted to named people who are authorized for such access.
Anyone having badge access to a computer room shall not give or loan their badge to another to gain access to a computer room.
The air conditioning system supplying server rooms shall have dust filtration systems in place and should provide alarm notification if the air quality degrades / contamination increases.
Server room temperature shall be controlled and set to a level within the manufacturer's suggested operating temperatures. It is suggested that temperature be controlled in the region of 20 - 22C with a +/-1C tolerance for alarm notification.
Server room humidity shall be controlled and set to a level within the manufacturer's suggested operating levels. It is suggested that humidity be controlled in the region of 50% RH (Relative Humidity) with a +/- 5% RH tolerance limit for alarm notification.
Temperature and humidity sensors shall be monitored in the 24 x 7 manned centralized security control room.
GDC shall have a formal process for approval and revocation of access to the server room. The process shall at a minimum capture, for all authorized users, the badge holder's name, badge number, computer room location, reason for access, validity period (start date and end date) along with the authorizer's details and the actual termination date.
Badge access must only be given to individuals who require long-term access (those who are responsible for continuous administration or maintenance of the equipment located in the room). Visitor access and temporary access (for example, housekeeping staff) to the server room need to be approved by the GDC Security Leader in advance and the access should be escorted.
Logs of access to the computer room shall be maintained for a minimum period of 1 year.

PS 5.0 Manage Physical Security at special restricted sites
GDC may have special restricted sites for export control work or Engineering IP work or otherwise as identified with the Program Office. In such cases, GDC shall ensure an additional level of physical security as per the guidelines below.
Each restricted area within the GDC site shall be separated with access control mechanisms. Two-factor authentication shall be implemented for access to restricted areas.
Restricted areas shall have only one entry/exit door and one emergency exit door, with the signage RESTRICTED ACCESS TO AUTHORIZED USERS only. Emergency exit doors shall not be used for regular entry/exits. The emergency exit door shall be fitted with an alarm system to alert when the door is opened.
The entry/exit door to the restricted area shall have an automatic closing mechanism with timing adjusted to close immediately. GDC shall ensure installation & configuration of an alarm to alert users if this door is open for more than 20 seconds.
Restricted area shall be fitted with adequate cameras (2 at a minimum) for surveillance purposes, to ensure that there are no blind spots. The entry/exit door and emergency exit door shall have security cameras fitted, and these shall be monitored by the central security desk, with recordings retained for at least one month, accessible online/digitally, and archived for up to one year.
GDC shall ensure that only named people (limited people) with authorization (from GE) to access the restricted areas are provided access to the restricted area and that an access log is maintained for all entries/exits. The logs shall be available for a minimum period of 12 months.
GDC shall have a formal process for approving access to restricted sites.
Internal/external visitors (inclusive of GE visitors) to restricted sites shall not be permitted unless otherwise authorized by GE GDC Program Office.
GDC shall prohibit any physical or electronic device/data being taken in or out of the special restricted area (by employees or visitors) unless approved by the GE GDC Program Office. Logs of all assets permitted to be carried in or out shall be maintained for a minimum period of 12 months.
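As an added example that is not part of the framework or of any GE system, the following Python script applies the PS 2.0 log-field requirement and the PS 4.0 named-access and 20-second door-alarm requirements to a constructed badge-reader log; the log lines, room names, badge numbers, employee ids and the named-access list are all invented sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Set, Tuple

# Constructed sample of an identification badge system log. Each line carries the
# fields PS 2.0 requires per badge read (date, time, room location, badge number,
# employee id) plus an event type; the DOOR_OPEN/DOOR_CLOSE events are the input
# for the PS 4.0 door-open alarm. All values are invented.
SAMPLE_BADGE_LOG = """\
2011-03-01,09:00:05,MAIN-ENTRY,B1001,E501,BADGE_READ
2011-03-01,09:00:06,MAIN-ENTRY,B1001,E501,DOOR_OPEN
2011-03-01,09:00:10,MAIN-ENTRY,B1001,E501,DOOR_CLOSE
2011-03-01,10:15:00,SERVER-ROOM,B1001,E501,BADGE_READ
2011-03-01,10:15:01,SERVER-ROOM,B1001,E501,DOOR_OPEN
2011-03-01,10:15:30,SERVER-ROOM,B1001,E501,DOOR_CLOSE
2011-03-01,11:40:12,SERVER-ROOM,B1002,E502,BADGE_READ
2011-03-01,11:40:13,SERVER-ROOM,B1002,E502,DOOR_OPEN
2011-03-01,11:40:20,SERVER-ROOM,B1002,E502,DOOR_CLOSE
"""

# PS 4.0 / PS 5.0: alarm when a server room or restricted area door stays open > 20 s.
DOOR_OPEN_LIMIT = timedelta(seconds=20)

# Constructed named-access list for the server room (PS 4.0 "only named people").
SERVER_ROOM_NAMED_BADGES: Set[str] = {"B1001"}


@dataclass(frozen=True)
class BadgeEvent:
    when: datetime
    room: str
    badge: str
    employee: str
    event: str  # BADGE_READ, DOOR_OPEN or DOOR_CLOSE


def parse_badge_log(text: str) -> List[BadgeEvent]:
    """Parse the CSV-style log; reject records missing any of the mandated fields."""
    events = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or not all(fields):
            raise ValueError(f"line {lineno}: expected date,time,room,badge,employee,event")
        day, clock, room, badge, employee, event = fields
        when = datetime.fromisoformat(f"{day}T{clock}")
        events.append(BadgeEvent(when, room, badge, employee, event))
    return sorted(events, key=lambda e: e.when)


def unauthorized_reads(events: List[BadgeEvent], room: str,
                       named_badges: Set[str]) -> List[BadgeEvent]:
    """Badge reads at a named-access room by badges that are not on its approved list."""
    return [e for e in events
            if e.room == room and e.event == "BADGE_READ" and e.badge not in named_badges]


def doors_held_open(events: List[BadgeEvent], room: str,
                    limit: timedelta = DOOR_OPEN_LIMIT) -> List[Tuple[datetime, Optional[float]]]:
    """Pair each DOOR_OPEN with the next DOOR_CLOSE for the room and report openings
    longer than the limit as (opened_at, seconds). An unmatched DOOR_OPEN at the end
    of the log means the door is still open and is reported with seconds=None."""
    findings: List[Tuple[datetime, Optional[float]]] = []
    opened: Optional[BadgeEvent] = None
    for e in events:
        if e.room != room:
            continue
        if e.event == "DOOR_OPEN":
            opened = e
        elif e.event == "DOOR_CLOSE" and opened is not None:
            held = e.when - opened.when
            if held > limit:
                findings.append((opened.when, held.total_seconds()))
            opened = None
    if opened is not None:
        findings.append((opened.when, None))
    return findings


if __name__ == "__main__":
    evts = parse_badge_log(SAMPLE_BADGE_LOG)
    for e in unauthorized_reads(evts, "SERVER-ROOM", SERVER_ROOM_NAMED_BADGES):
        print(f"{e.when} badge {e.badge} ({e.employee}) is not on the server room named list")
    for opened_at, secs in doors_held_open(evts, "SERVER-ROOM"):
        print(f"{opened_at} server room door open for {secs} s (limit 20 s)")
```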
Minimum Audit Requirements
Evidence of GE approval on physical security reviews
Evidence of visitor logging, CCTV logs, access logs, print logs
Evidence of adherence to access assignment to server room and restricted areas
MSA Linkage: Sections 1, 4.8
Related Practices: EHS, Data Security
eGDC Suite Linkage: GDC Site Management Adhoc Approvals
Online Resources: The following additional guidelines are found at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures, Compliance & Security, Physical Security, Additional Guidelines: New Site Approval Process Guidelines; Guidelines for Restricted Site; EHS Guidelines
6.0 Delivery Management
Delivery Management is one of the basic focus areas of the Program Governance Maturity Model and comprises 3 Practices: Secure Software Delivery, Software/Service Quality Management, and Process & Productivity Management. GDC shall follow industry standards like ITIL, Six Sigma, ISO 27001, to name a few, for Software/Service Quality Management (MATURE) and Process & Productivity Management (MATURE) for executing GE engagements.

6.1 Secure Software Delivery (ELEMENTARY)
Policy
GDC shall deliver all software developed or maintained by GE GDC (Applications) free of any known Critical, High and Medium Application Security Vulnerabilities as detailed per GE Guidelines. GE has the right to have the code reviewed for security flaws at any time during the engagement. GDC shall provide necessary support to the review team by providing source code and access to test environments. Security reviews shall cover all aspects of the Applications delivered, including custom code, components, products, and system configuration. The purpose of this Practice is to establish the secure software development lifecycle practices used by GDC and ensure vulnerability free code development.

Goals
0 Critical/High/Medium vulnerabilities in code delivered to GE
100% of engagements involving software development/enhancement/change adhering to the GE Secure Software development/delivery requirements covered in this Practice

Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SSD 1.0 Use Secure Software development lifecycle practices in software development projects
SSD 2.0 Secure Software delivery
SSD 3.0 Track & report Secure software delivery metrics
As recipient of the deliverables from the GDC, GE is responsible for ensuring that the deliverables are aware of the Secure software delivery practices and enforce the same in GE GDC:
SSD 4.0 Establish Ownership and performance targets on secure software delivery
Operating Guidelines

SSD 1.0 Use Secure Software development lifecycle practices in software development projects
Application Security controls apply to all GE GDC engagements (Development/Enhancement/RTS/Support). For RTS or Support, the evaluation will not be at a release level but will be required periodically (at a minimum bi-annually or as indicated by the business) unless the release is more than 40 person hours.
GDC Organization's Standard Operating Procedure should comply at a minimum with the GE Secure SDLC guidelines for integration of Application Security checks with the SDLC process, or equivalent. Any deviation or exception from the GE Secure SDLC guidelines for any project(s) shall be reviewed and agreed upon with the GE Application Security Leader.
Development (inclusive of enhancements) shall at least be done in accordance with the GE Best Practices for Secure Coding, and all developers shall have awareness of this practice. Any deviations from the GE specified Secure Coding practices shall be disclosed to the GE Application Security Leader and signed off prior to implementation.
Quantitative feedback on common vulnerabilities found, along with prevention and remediation measures, shall be shared with developers.
Each GDC shall have a lead representative and active participant on the GDC AppSec Working Group led by the GE GDC Application Security Leader. Participation and representation in bi-weekly meetings is required.
Developers shall be trained on Application Security practices, and web developers should have access to and be encouraged to complete the available Computer Based Training (CBT1 & CBT2) and guidance materials at the Secure Software COE site. The completion of training shall be tracked by the GDC.
GDC shall at a minimum follow the GE Secure Architecture & Deployment Guidelines in design and provide documentation to GE that clearly explains the design for achieving each of the security requirements.
GDC Organization's internal Application Security team shall be responsible at a minimum for ensuring adherence to GE Secure Coding practices on all deliverables to GE. This team shall be responsible for finding and remediating security vulnerabilities, in addition to training developers in the use of the available guidance, education and tools to drive defect prevention.
GDC shall at a minimum promote the use of available GE tools like GE Secure COR and GEEAS in all web application projects and track the usage.
GDC shall ensure that all applications are on-boarded as per the SSD v2 guidelines.

SSD 2.0 Secure Software delivery
GDC shall execute the Application security test against the security requirements and Secure coding guidelines and fix all High & Critical vulnerabilities found in the code before releasing code to GE.
GDC shall track the final Internal Application Security Assessment results and share them with the GE Application team at the time of releasing code to GE.
GDC shall disclose the tools used in the software development environment to encourage secure coding when requested by GE.
Security issues uncovered after application release will be reported to the GDC. The GDC shall remediate and retest all identified High and Critical vulnerabilities for any application they own as per the GDC Application ownership process or any application they develop. All Medium, Low or Informational security issues discovered after delivery shall be handled in the same manner as other bugs and issues as specified in the SOW. Any exceptions to the above should be fully documented by GDC upon delivery of the application(s).
GDC shall appropriately protect information regarding security issues and associated documentation, to help limit the likelihood that vulnerabilities in operational software are exposed.
GDC shall follow the GDC Vulnerability Remediation Ownership process at the time of transition of a project or application from another vendor or GDC.

SSD 3.0 Track and Report Secure software delivery metrics
GDCs shall report:
% of GE applications which have had a security assessment performed by an internal application security team prior to delivery to GE, on a monthly basis
Internal security assessment results for all initial and subsequent releases
Root cause corrective actions for all High/Critical vulnerabilities found by GE AppSec COE
% of developers trained on Secure Coding practices, on a quarterly basis
Quarterly report on vendor adherence with the requirements outlined in the Application Security Framework
GDC shall track all security issues uncovered during the application lifecycle under its engagement scope, whether a requirements, design, implementation, testing, deployment, or operational issue. The risk associated with each security issue should be evaluated and documented, the issue fixed, and the result reported to GE as soon as possible after discovery.
Common vulnerabilities for all the platforms GDC works with should be documented, maintained current and posted on a shared repository.

Minimum Audit Requirements
Evidence of Security Reviews & Testing on all deliveries to GE
Evidence of exception approvals from GE Business Security Leader for releasing code with Critical/High vulnerabilities to GE (where code is released with Critical/High vulnerabilities)
MSA Linkage: Section 4.10
Related Practices: Quality Management
eGDC Suite Linkage: Application Ownership Process
Online Resources: Application Security guidelines at http://sc.ge.com/@SSCOE
7.0 Network & Systems Security
GDCs are connected to the GE internal network in a manner identical to any GE office, so it is critical that GDC networks and systems are secure, safe and do not pose any threat to the GE network and data. GDCs should adhere to the GE Third Party Information Security Policy, follow the guidelines listed out in this section and have appropriate controls & rigor in place to mitigate any risk to the GE network and data.
FIGURE 10: Network & Systems Security Practices and Linkages

7.1 Vulnerabilities Management (ELEMENTARY)
Policy
All GDC systems shall be minimally patched with all GE trackable patches and any other patches relevant in the environment. All GDC systems shall have GE standard client firewalls and antivirus deployed to prevent threats. GDC shall proactively find and fix any vulnerability in all GDC systems and networks. The purpose of this Practice is to enforce controls to protect systems and networks from threats through implementation of Sophos antivirus & client firewall and proactive vulnerability scanning using Qualys.

Goals
0 Critical/High/Medium security vulnerabilities in network & systems across all GDC sites
100% systems patched within 7 days of GE trackable patch release
100% coverage of vulnerability scanning across all GDC subnets
100% of GDC servers and workstations with antivirus running with latest policies & signatures

Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
VM 1.0 Track & implement GE trackable patches on all GDC systems
VM 2.0 Manage Qualys network scanning and vulnerability remediation
VM 3.0 Manage Sophos deployment on all GDC systems and mitigate threats
As a co-owner of this Practice, GE Businesses are responsible for providing patching notification, Qualys access and Sophos to GDC. The specific responsibilities of GE are:
VM 4.0 Ensure patch releases by GE security council are communicated to GDC
VM 5.0 Ensure Qualys console access is provided to GDC
VM 6.0 Ensure Sophos license & software is provided to GDC
Operating Guidelines

VM 1.0 Track & implement GE trackable patches on all GDC systems
GDC shall be part of the GE Security Council patch release notification list.
GDC machines shall be minimally patched with GE trackable patches. All GE trackable patches shall be applied on all machines in less than 7 days.
Patches shall be tested on test boxes before applying in production.
In case critical patches conflict with applications, it shall be discussed with the business/corporate security leaders and approvals obtained. The GE GDC Program Security Leader shall be notified of all such approvals and any exceptions.
An emergency patching process shall be defined and documented.
GDC shall maintain their own security bulletin and process to identify and remediate new vulnerabilities and threats related to software & hardware in their environment.

VM 2.0 Manage Qualys network scanning and vulnerability remediation
GDC shall leverage the GE provided Qualys tool to run vulnerability scans.
GDC shall configure Qualys with account(s) having appropriate privileges to run successful authenticated scans for all GDC systems.
Each GDC shall maintain and communicate updates to the subnet inventory to the GE GDC Program Security Leader through monthly reporting.
All networks, including partner locations, shall be scanned every week or as agreed with the GE GDC Program Security Leader, and missing patches shall be applied.
Any vulnerability with no patch or remediation available will require a machine rebuild, and any exceptions shall be approved by the GE GDC Program Security Leader.
It is the responsibility of the GE GDC to close all vulnerability related incidents in a timely manner. This should be no more than 2 business days unless the RCA and Action Plan states the reason for a longer time period and is approved by GE.
The GDC Security Leader shall do weekly monitoring of the Qualys dashboard in http://securitymetrics.ge.com to measure the patching process health.
Review and remediate newly discovered security vulnerabilities using a repeatable process.

VM 3.0 Manage Sophos deployment on all GDC systems and mitigate threats
GDC shall install the GE provided Sophos antivirus on all servers and workstations (desktops & laptops). The Sophos client firewall shall be installed on all workstations. The latest version recommended by GE shall be used.
GDC shall ensure all Sophos clients are able to communicate with the centralized Sophos server and have signature/policy/engine updates no more than 1 week old.
GDC resources shall not have privileges to disable, stop services or uninstall Sophos antivirus or client firewall on their systems.
GDC shall review and implement all policy changes, updates and upgrades as required by GE.
The Sophos console, in conjunction with the Sophos defect report in http://securitymetrics.ge.com, shall be reviewed daily, and infected assets shall be investigated and closed within a 48-hour timeframe.
GDC shall maintain Sophos CMV console access. Only appropriate personnel should have access; GDC is responsible for maintaining the personnel list and requesting access creation and removal through the correct processes.
Machines infected with any form of malicious code (virus, trojan, malware, logic bombs, worms) or missing a critical patch shall be removed from the network immediately and shall be cleaned / patched before connecting back to the network.
GDC shall review and remediate newly discovered security vulnerabilities using a repeatable process. Appropriate tracking should be done to detect any potential threats and policy violations.
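As an added example that is not part of the framework or of any GE or Qualys/Sophos tooling, the following Python check applies the VM 1.0 to VM 3.0 thresholds above (patches within 7 days of release, Sophos updates no more than 1 week old, vulnerability incidents closed within 2 business days) to a constructed host and incident inventory; the host names, dates and incident ids are invented, and the business-day calendar assumes Monday to Friday with no holidays.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Thresholds stated in VM 1.0 to VM 3.0.
PATCH_WINDOW = timedelta(days=7)         # GE trackable patches applied within 7 days of release
AV_UPDATE_MAX_AGE = timedelta(days=7)    # Sophos signature/policy/engine updates at most 1 week old
INCIDENT_SLA_BUSINESS_DAYS = 2           # vulnerability related incidents closed in 2 business days


@dataclass(frozen=True)
class Host:
    name: str
    patched_on: Optional[date]   # when the trackable patch was applied; None if still missing
    av_updated_on: date          # last successful Sophos signature/policy/engine update


@dataclass(frozen=True)
class Incident:
    ident: str
    host: str
    opened_on: date
    closed_on: Optional[date]    # None while still open


# Constructed inventory: host names, dates and incident ids are invented sample data.
PATCH_RELEASED_ON = date(2011, 3, 1)     # a Tuesday
AS_OF = date(2011, 3, 10)                # the Thursday of the following week
HOSTS = [
    Host("gdc-ws-01", patched_on=date(2011, 3, 3), av_updated_on=date(2011, 3, 9)),
    Host("gdc-ws-02", patched_on=date(2011, 3, 9), av_updated_on=date(2011, 3, 9)),
    Host("gdc-srv-01", patched_on=None, av_updated_on=date(2011, 3, 1)),
    Host("gdc-ws-03", patched_on=date(2011, 3, 7), av_updated_on=date(2011, 3, 2)),
]
INCIDENTS = [
    Incident("INC-1", "gdc-ws-02", opened_on=date(2011, 3, 4), closed_on=date(2011, 3, 8)),
    Incident("INC-2", "gdc-srv-01", opened_on=date(2011, 3, 1), closed_on=None),
    Incident("INC-3", "gdc-ws-03", opened_on=date(2011, 3, 7), closed_on=date(2011, 3, 10)),
]


def patch_findings(hosts: List[Host], released_on: date, as_of: date) -> List[Tuple[str, str, int]]:
    """Hosts outside the 7-day window: (host, 'missing' or 'late', days since release)."""
    findings = []
    for h in hosts:
        if h.patched_on is None:
            if as_of - released_on > PATCH_WINDOW:
                findings.append((h.name, "missing", (as_of - released_on).days))
        elif h.patched_on - released_on > PATCH_WINDOW:
            findings.append((h.name, "late", (h.patched_on - released_on).days))
    return findings


def patch_compliance_pct(hosts: List[Host], released_on: date) -> float:
    """Goal metric: share of hosts patched within 7 days of the release."""
    ok = sum(1 for h in hosts
             if h.patched_on is not None and h.patched_on - released_on <= PATCH_WINDOW)
    return round(100.0 * ok / len(hosts), 1) if hosts else 0.0


def stale_av_hosts(hosts: List[Host], as_of: date) -> List[Tuple[str, int]]:
    """Hosts whose Sophos updates are older than one week: (host, age in days)."""
    return [(h.name, (as_of - h.av_updated_on).days)
            for h in hosts if as_of - h.av_updated_on > AV_UPDATE_MAX_AGE]


def business_days_elapsed(start: date, end: date) -> int:
    """Weekdays strictly after start up to and including end (Mon-Fri, no holiday calendar)."""
    count, d = 0, start
    while d < end:
        d += timedelta(days=1)
        if d.weekday() < 5:
            count += 1
    return count


def incidents_breaching_sla(incidents: List[Incident], as_of: date) -> List[Tuple[str, int]]:
    """Incidents that stayed open (or are still open) for more than 2 business days."""
    breaches = []
    for inc in incidents:
        elapsed = business_days_elapsed(inc.opened_on, inc.closed_on or as_of)
        if elapsed > INCIDENT_SLA_BUSINESS_DAYS:
            breaches.append((inc.ident, elapsed))
    return breaches


if __name__ == "__main__":
    print("patch compliance:", patch_compliance_pct(HOSTS, PATCH_RELEASED_ON), "%")
    print("patch findings:", patch_findings(HOSTS, PATCH_RELEASED_ON, AS_OF))
    print("stale Sophos clients:", stale_av_hosts(HOSTS, AS_OF))
    print("incident SLA breaches:", incidents_breaching_sla(INCIDENTS, AS_OF))
```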
Minimum Audit Requirements
Sophos CMV console access is maintained and up to date with the currently identified GE GDC security personnel
Management review of defects and opportunities against the goals of the Vulnerabilities practice
Records shall be maintained for weekly network scans and patching cycle time
Evidence of approval in case of critical patch conflict and adherence to the agreed resolution plan shall be maintained
Evidence of coverage of 100% of GDC systems in Qualys
Evidence of vulnerability fixes as reported through Sophos & Qualys
MSA Linkage: Section 4.25
Related Practices: Software Governance, Secure Software Delivery, Systems Management, Supplier Connectivity
eGDC Suite Linkage: Not Applicable
Online Resources:
Sophos Community - http://supportcentral.ge.com/products/sup_products.asp?prod_id=37974
Qualys Community - http://supportcentral.ge.com/products/sup_products.asp?prod_id=89136
7.2 Systems Management (ELEMENTARY)
Policy
GDC shall secure all endpoints (i.e. desktops/laptops/workstations/servers/mobile computing devices) and access accounts, and implement data leakage prevention controls to protect GE data. The purpose of this Practice is to establish and enforce controls to secure endpoints, access accounts and GE/GDC assets to prevent any threats to GE data.
Goals
0 incidents of system management requirements violations
Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SM 1.0 Secure GE GDC endpoints
SM 2.0 Implement secure account & password management practices
SM 3.0 Implement secure servers and operating systems practices
SM 4.0 Implement secure server administration practices
As a co-owner of this Practice, GE Businesses are responsible for identifying endpoint security controls and obtaining Business Security Leader approval before allowing GDC to have machines in GE domains. The specific responsibilities of GE are:
SM 5.0 Ensure necessary end-point security controls & Business Security Leader approvals are in place before approving any machines located in a GDC site in the GE domain
Operating Guidelines
SM 1.0 Secure GE GDC endpoints
All GE GDC endpoints shall meet GE requirements for Antivirus, Personal Firewall, Vulnerability Patching and Network Access Control. This includes the health, reporting and signature updates of the required client as mandated by GE.
In cases where an exception has been granted by the GE Business Security Leader to have a GDC system in the GE domain, GDC shall take appropriate actions to make sure that such systems meet the above requirement.
USB ports/DVD burners/any other removable media ports shall be disabled. For cases where an exception has been granted by the GE GDC Program Office, removable storage media shall be encrypted.
Laptop disks shall be encrypted using the GE recommended version of Safeboot.
Backup tapes shall be encrypted.
Laptop computers or other portable computing devices shall primarily be used for access, not storage. GE data should not be stored on GDC systems.
GDC shall have preventive and detective controls to prevent data leakage from GDC/GE systems assigned to GDC resources irrespective of the location (excluding GE sites), specifically laptops or any portable computing devices that can be taken out of the GDC facility.
No personal devices shall be allowed to execute GE engagements from any location.
The procedure to deal with stolen laptops, workstations or any computing/storage device used to execute a GE engagement shall be well defined.
GDC shall ensure data confidentiality and privacy of each user assigned to a shared system from other users assigned to the same shared system.
SM 2.0 Implement secure account & password management practices
Password-protected screen savers shall be activated upon a maximum of 15-minute timeout on all systems with a monitor.
Automated account lockout shall be enabled after a minimum of 3 and a maximum of 7 attempts, with authentication failures and successes logged and reviewed for security violations.
Accounts shall have an expiration date and shall be reviewed periodically.
Logical access control shall be in place to identify a user. Sharing of user id and password is prohibited.
VPN hard tokens and soft tokens shall not be shared. A hard token can be re-allocated to another individual upon release of the resource from the project/program, unless otherwise explicitly required by the Business to surrender the token. GDCs shall maintain traceability and a record of all VPN token allocations and re-allocations centrally.
The GE GDC password policy shall be at a minimum as strong as the GE password policy.
The initial password shall be forced to be changed during first logon.
GDC shall ensure that users are given access privileges at the minimum required for their job. Non-administrative users shall not have access to administrative system software or utilities.
Privileged or administrative accounts shall only be given to the persons responsible for managing systems, databases & applications and shall be tracked centrally by GDC.
Local administrator access and rights shall be disabled. Exceptions to this shall be time bound and approved by the GDC security leader.
GE domain administrator access shall not be given to offshore resources. Exceptions to this shall be time bound and approved by the GE GDC or Business security leader.
SM 3.0 Secure servers and operating systems
The following minimum requirements for server and operating system lockdown shall be expanded upon based on industry best practices:
Only the minimum/necessary set of applications and services shall be installed.
Source code of server-side executables and scripts shall not be viewable by external users.
Packet filters (such as host-based firewall and TCP wrappers) shall be installed to restrict connections to necessary hosts on necessary services and to log incoming requests. Users shall not be able to modify the configuration of the filters.
Synchronize time to a trusted time service.
Services that require different access shall use different account IDs.
No SNMP accessibility from the Internet. It is recommended to disable all SNMP.
There shall be a legal notice warning of unauthorized access penalties where applicable.
The password database shall be encrypted.
SM 4.0 Follow secure server administration practices
The following minimum requirements for server administration lockdown using industry best practices are:
If GDC has the capability to remotely administer servers (GE & GDC), the remote connection shall take place over an encrypted tunnel and shall require two-factor authentication.
All administrator accounts shall have IP address restrictions, two-factor authentication or be limited to console login.
All administrative traffic shall be encrypted. The encryption level shall be defined based on the needs of the application.
All default accounts shall be renamed or removed and all default passwords changed.
Access to devices involved in the provision of services shall be granted only on a need-to-have basis. Server administration permissions are typically granted to a limited number of individuals within an organization. More than one person shall approve the granting of new administrator account access, and the addition/removal of account access shall be auditable.
Shared administrative accounts shall not be used. Instead, use individual accounts with an auditable method to escalate privileges for administration (example: PowerBroker, sudo) where possible. Admin passwords may also be checked out for a period of time and then reset.
System and service account passwords used by automated and batch processes shall only be granted restricted access. The account shall be single purpose, with non-interactive login, from controlled sources such as a fixed source IP as a second login factor. If the account must have more access, the GE Sponsor shall be made fully aware of their account responsibilities, with the account description field annotating the contact.
Success and failure for all user account logins, system logins (desktops/laptops/servers), and administrative requests must be logged.
General server event logs, utilization logs, and application events and errors must be periodically verified as functioning in case of a forensics investigation.
GDC must maintain a record of all hardware problems, operating system crashes and system formatting.
Authentication failures and successes must be reviewed (at least weekly) for security violations.
Unless required otherwise by law, GDC must, at a minimum, maintain server logs for a period of no less than 180 days from origination.
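As an added example (not part of the GE framework or of any GE tooling), the following Python script performs the weekly review that SM 2.0 and SM 4.0 require over a constructed authentication log: it checks that the configured lockout threshold lies in the 3 to 7 range, flags failure runs the lockout should have stopped, flags administrative and service accounts logging in from outside their fixed source IPs, and reports whether the retained log yet demonstrates 180 days of history. The log line format, account names, addresses and site policy values are all assumptions.

```python
"""Weekly authentication-log review against the SM 2.0 / SM 4.0 requirements.

Added example, not part of the GE framework. The log format is an assumption:
"<ISO-8601 timestamp> <account> <source-ip> <SUCCESS|FAILURE>", one per line.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# SM 2.0: automated lockout after a minimum of 3 and a maximum of 7 attempts.
LOCKOUT_MIN, LOCKOUT_MAX = 3, 7
# SM 4.0: server logs kept no less than 180 days; review at least weekly.
RETENTION_DAYS = 180
REVIEW_WINDOW = timedelta(days=7)

# Constructed site policy (assumption): administrative and service accounts
# are restricted to fixed source IPs, per SM 4.0.
RESTRICTED_SOURCES = {
    "adm_alice": {"10.1.5.10"},
    "svc_backup": {"10.1.9.7"},   # single-purpose batch account, one source only
}

# Constructed sample log (not real data).
SAMPLE_LOG = """\
2011-03-01T08:00:01 alice 10.1.5.21 SUCCESS
2011-03-01T08:02:10 bob 10.1.5.22 FAILURE
2011-03-01T08:02:14 bob 10.1.5.22 FAILURE
2011-03-01T08:02:19 bob 10.1.5.22 SUCCESS
2011-03-02T23:10:00 carol 10.1.5.40 FAILURE
2011-03-02T23:10:03 carol 10.1.5.40 FAILURE
2011-03-02T23:10:06 carol 10.1.5.40 FAILURE
2011-03-02T23:10:09 carol 10.1.5.40 FAILURE
2011-03-02T23:10:12 carol 10.1.5.40 FAILURE
2011-03-02T23:10:15 carol 10.1.5.40 FAILURE
2011-03-02T23:10:18 carol 10.1.5.40 FAILURE
2011-03-02T23:10:21 carol 10.1.5.40 FAILURE
2011-03-02T23:10:24 carol 10.1.5.40 SUCCESS
2011-03-03T09:00:00 adm_alice 10.1.5.10 SUCCESS
2011-03-03T21:30:00 adm_alice 10.1.5.77 SUCCESS
2011-03-04T02:00:00 svc_backup 10.1.9.7 SUCCESS
"""


def parse_log(text):
    """Turn log lines into event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "account": account,
                       "ip": ip, "ok": result == "SUCCESS"})
    return events


def lockout_setting_is_compliant(threshold):
    """SM 2.0: the configured lockout threshold must be between 3 and 7."""
    return LOCKOUT_MIN <= threshold <= LOCKOUT_MAX


def review(events, threshold, as_of):
    """Return (kind, account, ip) findings for the week ending at `as_of`."""
    window_start = as_of - REVIEW_WINDOW
    findings = []
    streak = defaultdict(int)           # consecutive failures per account
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not window_start <= ev["ts"] <= as_of:
            continue
        acct = ev["account"]
        if not ev["ok"]:
            streak[acct] += 1
            # More consecutive failures than the policy maximum means the
            # lockout never triggered: a control failure, reported once.
            if streak[acct] == LOCKOUT_MAX + 1:
                findings.append(("lockout_not_enforced", acct, ev["ip"]))
            continue
        # A success right after a failure run at or above the site threshold
        # should have been blocked by the lockout; it needs a closer look.
        if streak[acct] >= threshold:
            findings.append(("success_after_failure_run", acct, ev["ip"]))
        streak[acct] = 0
        allowed = RESTRICTED_SOURCES.get(acct)
        if allowed is not None and ev["ip"] not in allowed:
            findings.append(("restricted_account_unlisted_source", acct, ev["ip"]))
    return findings


def retention_is_demonstrated(events, as_of):
    """SM 4.0: True only when the oldest retained record is at least
    RETENTION_DAYS old, i.e. the log can prove 180 days of history."""
    oldest = min(e["ts"] for e in events)
    return as_of - oldest >= timedelta(days=RETENTION_DAYS)


def run_sample_review(threshold=5, as_of=datetime(2011, 3, 7)):
    """Run the weekly review over the constructed sample log."""
    events = parse_log(SAMPLE_LOG)
    return review(events, threshold, as_of), retention_is_demonstrated(events, as_of)


if __name__ == "__main__":
    findings, retained = run_sample_review()
    for kind, acct, ip in findings:
        print(f"{kind}: account={acct} source={ip}")
    print("180-day retention demonstrated:", retained)
```

On the sample, the review reports that carol's account was never locked out after eight straight failures, that the following success needs investigation, and that adm_alice logged in from an unlisted source; the six-day log cannot yet demonstrate the 180-day retention requirement.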
Minimum Audit Requirements
Evidence of approval and monitoring of local admin access
Evidence of 100% machine coverage for end point security
Evidence of implementation of secure account & password management practices
Evidence of servers & operating systems security and secure server administration practices being followed across all GDC sites
Evidence of end point security for GDC machines in the GE domain along with exception approval from the GE Security Leader
MSA Linkage: Section 4.25
Related Practices: Business Continuity Management, GDC Site Management, Asset Governance, SSO id Governance, GDC Resource On-boarding/Off-boarding
eGDC Suite Linkage: Adhoc Approvals, Systems on GE Domain*, Local Admin Rights Reporting*
Online Resources: Not Applicable
7.3 Supplier Connectivity (ELEMENTARY)
Policy
GDC shall have trusted third party connectivity to GE, i.e. a physically and logically isolated segment of the GDC connected to the GE network in compliance with the GE Trusted Third Party Security Policy. GDC shall ensure that there are no risks to the GE network. The purpose of this Practice is to enforce compliance with GE's trusted third party connectivity requirements.
Goals
100% of GDC sites in compliance with GE trusted third party connectivity requirements
Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SC 1.0 Ensure every GDC resource signs the AUG (Acceptable Use Guidelines) before granting physical access to the GE GDC area
SC 2.0 Implement and maintain compliance with logical network connectivity requirements
SC 3.0 Implement and maintain compliance with proxy requirements
SC 4.0 Implement and maintain compliance with secure email system requirements
SC 5.0 Monitor & respond to any intrusions and unexpected network & system behavior
Operating Guidelines
SC 1.0 Ensure every GDC resource signs the AUG (Acceptable Use Guidelines) before granting physical access to the GE GDC area
The AUG shall be signed by every individual GDC resource (inclusive of subcontractors) before granting physical access to the GE GDC area or logical access to the GE network.
Annual re-acknowledgment shall be done by every individual GDC resource (inclusive of subcontractors).
SC 2.0 Implement and maintain compliance with logical network connectivity requirements
Logical network connectivity of any GE Extension Segment to networks other than GE shall not exist.
All current and new interconnections between the GDC network and any other non-GE network, including the Internet, parent and other companies, shall be managed by GE and shall meet all GE standards and requirements.
VPN Gateways and Remote User Gateways, including two-factor authentication for dial-up and VPN, shall be managed by GE only. Third party-managed gateways, including the GDC parent organization VPN, are not allowed.
Inbound modems shall not connect to the GDC network. Outbound modems should only be implemented on an exception approval basis by the GE GDC Program Security Leader and tracked under Asset Governance guidelines.
Inbound Gateways (hosting) shall subscribe to an existing GE shared service for gateway access.
Outbound Gateways (Internet access) shall be either through the GE shared service for gateway access or through a GE GIS managed firewall & proxy if using GDC parent gateway access.
GDCs shall not use Wireless LAN (GE network or GDC parent network) in GDC areas.
Connections and LAN shall use separate Layer-2 switch infrastructure for IP, but may use shared ISP connectivity for site-to-site VPN transport.
GDC shall not permit/use FTP, peer to peer networks, Bluetooth or any other file transfer mechanisms between systems/networks.
GDC shall not permit work from unauthorized remote locations to service GE.
Physical access to the network devices (routers, hubs, switches, etc.) shall be protected to allow access only by named network administrators.
GDC shall not extend the GE network outside the certified GDC area without approval from the GDC Program Office or following the appropriate GE process.
GDC shall track all changes in the logical environment.
GDC shall have a process to track expiry of time bound connection approvals and shall work with GE to revoke or extend any expired connections on time.
For any special restricted sites for export control work, the site shall be in compliance with GE Export Control guidelines. For special IP work restricted sites, the site shall be in compliance with the applicable business policies/guidelines.
SC 3.0 Implement and maintain compliance with proxy requirements
The GIS-managed proxy shall be used for Internet access. Proxy servers shall comply with the GE Outbound proxy standard and recommended build.
Proxy change should be disabled for all GDC resources. Exceptions to this should be time bound and approved and monitored by the GDC security leader.
GDC shall not use any GE business proxy or proxy script (PAC file) for individuals or sites without approval from the GE GDC Program Office.
Periodic audits shall be conducted and reviewed quarterly for resources for whom proxy change is not disabled.
GDC laptop users shall not be able to browse any internet sites before signing into GE VPN from non-GDC locations.
GDC shall restrict access to internet-based email sites and data storage/sharing sites to prevent data leakage.
SC 4.0 Implement and maintain compliance with secure email system requirements
Emails to/from GDC-GE shall not transit public networks (like the Internet) in unencrypted form. TLS shall be enabled for email communication.
Auto forward from a GE email account to non-GE email accounts is not permitted.
GE GDC Extension Segment email servers should at minimum filter GE standard attachment extensions.
SC 5.0 Monitor & respond to any intrusions and unexpected network & system behavior
GDC shall have an Intrusion Prevention System (GE standard device) for inappropriate activity monitoring and prevention for the networks/sites identified by the GE GDC Program Office; IPS devices shall be managed by GE and shall have signature updates no more than 1 week old.
Monitor systems and servers. Use automated tools to filter logs, identify security incidents, and provide automated alerts.
Intrusion detection coverage on network entry points (non-GE) and mission critical servers.
Monitor and respond to high alerts in IDS/IPS logs on a 24x7 basis.
Minimum Audit Requirements
Records of IDS/IPS log review and action on every high alert shall be maintained
Evidence of approval and monitoring of proxy change rights
Records and evidence of GE GDC Program Security Leader approval for any change implemented in the GDC site network
MSA Linkage: Section 4.25
Related Practices: GDC Site Management, Business Continuity Management
eGDC Suite Linkage: Site Proxy Data, Client Proxy*, New Site Approvals
Online Resources:
GE Export Control Guidelines - http://libraries.ge.com/download?entity_id=3869850101&fileid=48218071101&sid=101
GE Outbound proxy standard - http://libraries.ge.com/download?fileid=76455681101&entity_id=13957680101&sid=101
7.4 Resource Sharing (ELEMENTARY)
Policy
Any non-GE or non-GE GDC resources like people, applications & systems used to execute or facilitate GE engagements shall not compromise the confidentiality and integrity of GE data and Intellectual Property. The purpose of this Practice is to establish and manage controls to mitigate the risks of compromising the Confidentiality & Integrity of GE data & IP due to resource sharing.
Goals
0 incidents of any unauthorized shared resources
0 incidents of unauthorized GE data & IP residing in any shared resource
Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
RS 1.0 Identify shared resources
RS 2.0 Establish and manage confidentiality and integrity of GE data on shared resources
Operating Guidelines
RS 1.0 Identify shared resources
GDC shall limit shared resources to a minimum and shall have a process to do risk assessment and seek approval from the GE GDC Program Office for any shared resource before using it.
GDC shall maintain an inventory of all shared resources. This includes resources provided by GE and GDC for use within GE GDC (i.e. email, project management tools). This inventory should depict the ownership of the resource being used.
RS 2.0 Establish and manage confidentiality and integrity of GE data on shared resources
GDC shall perform periodic risk assessment of all shared resources.
GDC shall implement logical or systematic data leakage prevention controls for all shared resources.
All data relevant to shared resources must follow the Classification, Confidentiality & IP Protection practice.
Minimum Audit Requirements
Inventory of shared resources
Evidence of access controls in place for all the shared resources
MSA Linkage: Section 4.25
Related Practices: Data Classification, Confidentiality, Privacy & IP Protection; Knowledge Management
eGDC Suite Linkage: Adhoc Approvals
Online Resources: Not Applicable
8.0 Data Security
GE Data Security is the most important aspect of the GDC program, and GE data needs to be protected based on its need for secrecy, sensitivity, or confidentiality. While servicing GE, GDCs will have access to different types of GE data, and it is the GDC's responsibility to protect GE information from disclosure to any unauthorized individual or entity. The practice areas covered in this section outline the minimum requirements for GDCs to maintain the Integrity, Confidentiality & Availability of GE data.
FIGURE 11 Data Security Practices and Linkages
8.1 Data Classification, Privacy, Confidentiality & IP Protection (MATURE)
Policy
Any data created/used/handled by GDCs shall be classified and shall be protected using adequate measures as per GE Data Security guidelines. For a period of 7 years following the date of disclosure, the GDC shall not itself use, or share with any third party or sub-contractor, any GE confidential/restricted information. The purpose of this Practice is to formalize and enforce the practice of securing GE data based on assigned labels of importance and sensitivity.
Goals
100% of GE data/information in any form tagged with appropriate data classification
0 instances of improper access control/unauthorized sharing/use of GE confidential/restricted data
0 incidents of IP / Data Privacy violations
Responsibilities
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
DCP 1.0 Classify all GE data/information according to GE Data classification guidelines
DCP 2.0 Establish accountability to protect GE Data
DCP 3.0 Protect GE Data/Information according to Classification
DCP 4.0 Manage IP Use & Protection
As a co-owner of this Practice, GE Businesses are responsible for ensuring that all data accessible/shared/processed/created by GDC have the correct GE Data classification level tagged to it. The specific responsibilities of GE are:
DCP 5.0 Ensure all GE data/information shared with GDC carries the correct GE Data classification
DCP 6.0 Provide guidance to GDC to establish correct GE Data classification levels for the data created/used by the GDC during the life of the project/relationship; involve the Business Data Privacy Leader to identify specific controls that may be required to address country-specific data privacy requirements
DCP 7.0 Monitor & manage GDC access to sensitive data on a need-to-know basis and ensure that access is revoked when no longer needed
DCP 8.0 Identify and treat GDC IP and GE IP in an appropriate manner; involve Business Legal teams in appropriate treatment of GDC IP
Operating Guidelines
DCP 1.0 Classify all GE data/information according to GE Data classification guidelines
"GE data/information" here refers not only to the data provided to the GDC, but also to data created by the GDC during the life of a project/relationship.
Electronic/non-electronic data (documents, code, databases, concept papers, reports, media, email and the like) shall be classified and encrypted as per GE data classification guidelines. In the case of documents (irrespective of the nature of the document), all pages shall contain the classification.
Correct and consistent classification shall be ensured. Functional ownership and classification of data shall follow the guidelines below.
Classification indicates the type of data. Apart from information that is intended for public disclosure, all other information shall be classified as Internal, Confidential or Restricted based on the guidelines below:
Internal - non-public information that is specific to an entity, with access to a larger group of authorized people consisting of employees and authorized non-employees (examples: organization chart, standards & guidelines, to name a few)
Confidential - information that is sensitive or confidential within an entity and intended for business use only by those with a need-to-know (examples: sensitive personnel information, individually identifiable customer or client information, cost or pricing information, to name a few)
Restricted - information that is extremely sensitive or private, of highest value to the entity, and intended for use by named individuals/entity only (examples: strategic plans; intellectual property; financial results prior to release; individually identifiable medical records; trade-controlled information; files containing clear-text passwords, to name a few)
Ownership identifies the owner of the data:
GE - a significant portion of the data being used or generated in the GE GDC shall be owned by GE and hence tagged as GE Internal, GE Confidential or GE Restricted. Any/all artifact(s) given by GE or generated / used as part of the GE project/program shall be considered as GE ownership. This shall include all deliverables/work products (inclusive of code, design documents, process charts, test plans, development plans, KT documents, risk mitigation plans), responses to RFPs, status reports, project management documents, to name a few.
GE <GDC> - a small portion of the data generated in the GE GDC shall have shared ownership between GE and the GDC team and hence be tagged as GE <GDC> Internal, GE <GDC> Confidential or GE <GDC> Restricted (examples: GDC Standard Operating Procedures based on GE requirements, GDC specific performance metrics report, to name a few)
<GDC> - a very small portion of the data generated/used in the GE GDC shall be owned completely by the GDC (examples: GDC organization's financial information, GDC employee performance report, GDC organization's IP, to name a few)
The table below provides a summary of the permissible 9 classification possibilities in addition to the PUBLIC classification.
GE Confidential/Restricted information may include all information furnished or made available to the GDC orally or in writing by any GE personnel in connection with the overall Program or a specific Task Order, without limitation: non-public Intellectual Property, Deliverables, ideas, concepts, procedures, agreements, notes, summaries, reports, analyses, compilations, studies, lists, charts, surveys and other materials, both written and oral, in whatever form maintained, concerning the business of the Company and its customers and/or vendors, including Material Non-Public Information. Confidential Information shall also include, without limitation, any reports, findings, conclusions, recommendations, or reporting data and analysis prepared by GDC for GE's use.
While using GE classification (GE Internal, GE Confidential and GE Restricted), GDC shall adhere to Business specific classification requirements, if explicitly requested to do so. This may involve identification of the Business name in the tag (examples: GE Healthcare Confidential, NBCU Restricted).
In cases where GDC receives data/information that is not classified by GE, GDC shall follow exception guidelines for treatment/handling of such data. One or more of the following treatment recommendations may be applied by the GDC:
Such unclassified data belonging to GE shall not be stored on any other media except on GE systems residing in GE Data Centers.
Printing of such unclassified data shall not be permitted.
In exception scenarios where such data needs to be stored in GDC systems for project needs, GDC shall post such data to Business-specific folders that are configured in GDC configuration systems with appropriate classification and access to named individuals on a need to know basis.
GDC shall raise an incident / risk alert (as seen appropriate) when unclassified data that is perceived by GDC to be either GE Confidential/GE Restricted is provided to GDC for use/information purposes.
DCP 2.0 Establish accountability to protect GE Data
The SIA (Secrecy and Inventions Agreement) shall be signed by every individual GDC resource (inclusive of subcontractors) before granting physical access to the GE GDC area. Annual re-acknowledgment shall be done.
In case confidential/restricted data pertains to GE personal or financial data or GE IP information, additional confidentiality agreements as required by the Business shall be signed by individual GDC resources.
Every GDC resource shall physically (cannot be digitized) sign the Assignment of Rights on an annual basis for work done in the prior year. If during the course of the year a GDC resource exits GE GDC, he/she shall sign this document for the duration he/she worked with GE GDC in that year.
Assignment of Rights documents shall carry a counter signature by the GDC authorized signatory.
GDC shall have appropriate processes in place to identify projects dealing with confidential/restricted information and educate resources on their responsibility/accountability to adhere to Acceptable Use Guidelines and non-disclosures.
Where controls established by the Business are seen to be inadequate/inappropriate, GDC shall proactively discuss the risks with the Business and recommend appropriate controls to be implemented.
DCP 3.0 Protect GE data/information appropriately according to data classification level
Data classified as GE Internal/Confidential/Restricted or GE <GDC> Internal/Confidential/Restricted cannot be stored on a non-GE system, shared, or used for any purpose other than related to GE GDC.
Storage/transmission/disposal of both physical and electronic data shall be as per GE Data classification guidelines and the Business Document Retention Guidelines.
GE Confidential/Restricted information shall be stored in a secured manner on a GE system residing in a GE Data Center, with access provided to named individuals within the GE GDC organization on a need-to-know basis.
No GE confidential/restricted data shall be shared in any location with public access (including GE SupportCentral, Libraries, Folders).
Any requirement for storage of GE Confidential/Restricted data on a GDC system or an external (to GE) system shall be explicitly approved by the GE Project Manager and / or GE Business Security Leader. Such data shall be secured in the GDC server room with data level access controls and encryption where appropriate; such data shall not reside on individual resource systems.
Access restrictions for confidential and restricted data shall be built in at the individual artifact and at the folders or shared repositories that house these artifacts. Access to restricted/business confidential (where additional agreements are signed for confidentiality) artifacts shall be limited to those with valid SSO Ids, as approved by the Business.
Printing of classified documents shall be on secure printers only, available within the secured GE GDC area. The controls around printers can include but are not limited to: PIN per print, key card per print, centralized printers. Notices shall be posted that documents sent for printing shall be removed from the print queue if not printed using the secure print key within a maximum time of 4 hours. Additionally, any printed documents that are left behind at printer stations or unattended on desks or in conference rooms for more than 2 hours shall be shredded.
Treating GE personal information, including information on GE personnel, its customers, suppliers, vendors or other affiliates (collection/storage/use/protection/disposal), shall be in line with local applicable privacy laws and compliant with GE policy.
Use/sharing of GE Confidential/Restricted data shall be in line with the Business approved access list. This norm shall apply to use/sharing of such data across GE Businesses. Any exceptions to this shall be raised to the Business VMO Leader/GE GDC Program Office for approval.
Archival of GE Confidential & Restricted data and GE GDC classified data shall be done only if explicitly requested by the Business and maintained for the specific duration stated by the Business. Such archives shall be maintained in an encrypted form and in a secured location with restricted access to named individuals within GE GDC.
Personnel/classified production data shall be scrambled/de-identified before use in a testing environment.
Employee awareness of GE data classification shall be ensured.
Classified data shall be treated appropriately in meetings/tele-conferences.
Databases accessed for executing GE engagements shall be assessed for their classification and the appropriate classification guidelines shall be applied.
GDC shall centrally maintain an inventory of all GE information assets that are accessible by individual GDC resources. The inventory shall at a minimum contain information on the name of the asset, type of asset, storage location and type of access, along with the resource details and engagement details (business case for access). GDC shall ensure that the Access Inventory is accurate and current.
GDC shall implement controls to protect accounts with increased rights above a standard user and have processes to protect and manage Highly Privileged Accounts (HPA). At a minimum, HPAs are accounts with the following:
System level administrative or super-user access to devices, applications or databases
Administration of accounts and passwords on a system
Any additional accounts considered by the business or system owner to pose a high risk
GDC shall identify and implement data leakage prevention controls to protect GE data in its operating environment.
DCP 4.0 Manage IP Use & Protection
- Intellectual Property (IP) shall be defined as any and all Deliverables, work product or results of Services, and inventions, innovations, discoveries, designs, plans, models, prototypes, computer programs (including source and object code and documentation), know-how, techniques and specifications (whether patentable or not, copyrightable or not, and whether made solely by Contractor or jointly with others) that are conceived, created, developed or discovered directly or indirectly as part of or in connection with any work performed for GE or on behalf of GE.
- Intellectual Property may belong to GE, GDC or to a third party.
- Unless otherwise explicitly declared by GDC and agreed upon by GE, any IP that may be used, developed or conceived while working on a GE engagement shall be treated as GE's property.
- GDC shall ensure that any identification of a potential IP is notified to GE immediately and appropriate action taken to classify and protect such IP.
- GDC shall ensure that any and all rights on work done by GDC resources (inclusive of sub-contractors) are assigned to GE. Such assignment of rights shall be carried out at the end of Task Orders, where explicitly stated by a Business. In all other cases, such assignment shall be done:
  - on an annual basis, for all work carried out from the last assignment date/start date in GE GDC (as applicable) to the current date;
  - at the GDC off-boarding point, if the resource is being off-boarded from GE.
- All such assignments shall be duly verified and validated for accuracy & completeness by the appropriate authorized signatory of the GDC organization and signed off.
- GDC shall ensure that all such IP is fully documented, classified as GE Restricted and treated as per the classification guidelines for such data. Where the IP is specific to a Business, GDC shall ensure that the Business name is used in the Classification, as GE <Business> Restricted. Where seen appropriate, the additional tag GE Proprietary shall be included.
- Any use/re-production/sharing (in any form) of such IP shall not be permitted without the explicit written approval of GE Business Legal (facilitated by the GE Business VMO Leader or GE GDC Program Office). This norm shall apply to sharing of IP across GE Businesses as well.
- Any proposed use of third party IP or GDC IP shall be declared upfront and clearance obtained from the GE Business Legal/Security team (facilitated by the GE Project Manager and/or GE Business VMO Leader) for use of such IP in deliverables to GE.
- Prior to use of GDC IP or third party IP in GE deliverables, GDC shall ensure verification of the scope and terms of USE. Such terms and scope shall be clearly agreed upon and signed off by all parties involved.
- In cases where Joint IP Development is undertaken by GDC with GE and/or with other third parties, GDC shall ensure that the scope and terms of IP development and the rights for USE are discussed, documented and complied with.
- GDC shall educate its resources on the proper treatment of IP and ensure that norms around IP use are complied with. Any violation of IP (GE/GDC/third party) shall be treated as a critical incident and handled appropriately.
Minimum Audit Requirements
- Classification of Data stored in GDC systems and on GE Knowledge repositories
- Evidence of GE Data Access Inventory being available, accurate and current
- Evidence of Confidential/Restricted data being handled/treated as per GE guidelines for treatment of such data
- Evidence of Business Legal sign-off for USE of GDC IP/Third Party IP in deliverables to GE
MSA Linkage: Sections 4.3, 8
Related Practices: GE Knowledge Management, GDC Resource On-boarding/Off-Boarding, Engagement Termination/Closure, Business Divestiture Management, GDC Site Management, Software Governance, Secure Software Delivery
eGDC Suite Linkage: Not Applicable
Online Resources: The following additional guidelines are found at the GE GDC Knowledge Center, http://supportcentral.ge.com/81973
- Policies & Procedures: Program Governance; Data Security
- Additional Guidelines: GE Data Classification Guidelines, http://libraries.ge.com/download?fileid=16926504101&entity_id=2688000101&sid=101
8.2 GE Knowledge Management (ELEMENTARY)
POLICY
Knowledge accumulated by GDC from and about GE engagements shall be retained in the GE Knowledge Management repository. The purpose of this Practice is to establish appropriate controls to ensure that Intellectual Property and knowledge developed/gained during the engagement lifecycle is retained in GE, to mitigate long-term operational risks of engagements.
GOALS
- 100% of engagements to have a knowledge repository with complete information required for vendor-agnostic, seamless operations
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- GKM 1.0 Establish knowledge management plan for all engagements
- GKM 2.0 Manage completeness of engagement knowledge in knowledge repository throughout the life of an engagement
As a key stakeholder, GE is responsible for ensuring that it encourages and validates the GDC use of GE's Knowledge Management system for completeness, accuracy and effectiveness:
- GKM 3.0 Be aware of GE Knowledge Repository and ensure appropriate USE of the same for information protection, engagement risk management and effectiveness of delivery
OPERATING GUIDELINES
Note: "GE data" here refers not only to the data provided to the GDC, but also to data created by the GDC during the life of a project/relationship.
GKM 1.0 Establish knowledge management plan for all engagements
- Knowledge accumulated by GDC from and about GE engagements shall be retained in the GE Knowledge Management (KM) repository.
- GDC shall maintain a KM Plan for every GE engagement. The plan shall clearly describe the Knowledge assets applicable to the engagement, the KM Repository update plan, review plan, access rights management, and assessment of completeness and accuracy of content.
- GDC shall proactively ensure the adoption and rigor of USE of GE KM across GE GDC.
GKM 2.0 Manage completeness of engagement knowledge in knowledge repository throughout the life of an engagement
- GDC shall ensure that the engagement-specific KM Plan is signed off by the Governance Leader of the GDC. The Governance Leader may delegate this to named individuals within the extended governance team.
- GDC shall update the GE KM Repository on a continuous basis and obtain periodic sign-off from the GE Manager on the content and accuracy of the KM.
- Transferring data from GE KM to the GDC KM is not permitted without explicit approval from the GE GDC Program Office.
- In the event of termination of the GE Task Order, GDC shall transfer any remaining engagement knowledge to the GE KM Repository and ensure completeness of all documentation.
Minimum Audit Requirements
- Evidence of KM practice across all engagements of GE
MSA Linkage: Sections 5.23, 5.24
Related Practices: Data Classification, Confidentiality, Privacy & IP Management, Delivery Management, Engagement Termination/Closure, Business Divestiture Management
eGDC Suite Linkage: Knowledge Gateway
Online Resources: Not Applicable

9.0 Contractual Management
Contractual Management is an important area, focused on the contractual obligations that emanate from the MSA that GDC has with GE. Many of these contractual obligations have been covered in other process areas. This section therefore focuses only on those few practices that are broad-based but specific to GE's MSA and Business-specific contracts with GDC.
FIGURE 12 Contractual Management Practices & Linkages
9.1 Communication & Media Management (MATURE)
POLICY
External or internal communications, USE, or sharing of information related to the GE relationship or GDC Organization (inclusive of GE engagement information or GE process) is not permitted without the prior approval of the GE GDC Program Office.
GOALS
- 0 instances of unapproved (by GE GDC Program Office) sharing of GE information
- 0 instances of inappropriate USE of GE Assets
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- CMM 1.0 Establish and maintain a verification & approval protocol for sharing of information related to GE
- CMM 2.0 Publish guidelines on acceptable USE of GE assets in internal and external communications
As a co-owner of this Practice, GE Businesses are responsible for ensuring that authorized people handle requests for approval of information sharing in an appropriate manner. The specific responsibilities of GE are:
- CMM 4.0 Forward requests for sharing of information on GE to the Business VMO Leader and GE GDC Program Office. The decision on approval of a request shall be taken by the GE GDC Program Office in collaboration with the GE Business VMO Leader and appropriate Legal teams.
OPERATING GUIDELINES
CMM 1.0 Establish & maintain a verification protocol for sharing of information related to GE
- GDC shall ensure the existence of a formal process for review and approval of all requests for publishing/sharing (commonly referred to as USE) of GE related information.
- The process shall cater to internal and external USE.
- The process shall cater to all USE scenarios, inclusive of technical papers and presentations, technical problem resolution, best practice sharing, media announcements, external client visits, trade shows & conferences, third party surveys, internal Knowledge repositories/portals, newsletters and the like.
- Requests shall clearly identify the scope of information and scope of USE, along with the media of USE and the timelines.
- As a part of the verification process, GDC shall ensure that the content is sanitized to prevent potential violations of Contractual obligations, Acceptable USE and Data Classification guidelines.
- Where the content is seen as specific to GE and may violate contractual obligations if used/shared/published, GDC shall ensure appropriate approvals on content and use by authorized GE personnel.
- As a general guideline, where the information/content is specific to a GE Business (and is likely to compromise Confidentiality/IP Protection), the GDC shall obtain approval from the GE Business GDC Leader for publishing/sharing of such information (inclusive of seeking technical expertise).
- As a general guideline, where the information/content is at the overall GE Relationship level or pertains to a broad overview of the practices and processes deployed within GE GDC, GDC shall obtain approval from the GE GDC Program Office for publishing/sharing of such information.
- Requests for all such approvals shall be presented to GE with a clear business case, intended audience, context and duration of information use, and details of the publishing media.
- Approvals shall be granted at the discretion of the GE GDC Program Office and may contain additional norms/criteria of use.
- GDCs shall be responsible for ensuring that the information publishing/use is in line with the approval conditions. Validation of the same is required at periodic intervals (at a minimum once in 6 months).
- GDCs shall be responsible for maintaining records of all approvals and communication with GE.
- GDC shall establish and maintain a proactive detection mechanism to identify unauthorized/unacceptable use (inclusive of publishing on the internet/media) of GE information and remediate the same. The GDC shall maintain a record of all such remediation actions taken.
CMM 2.0 Publish guidelines on acceptable use of GE assets in internal/external communications
- As a general guideline, GDC resources are expected to comply with the Acceptable USE Guidelines.
- External or internal communication/sharing of information regarding the GE GDC engagements (inclusive of delivery methodologies, technology usage, business process knowledge, process improvement initiatives) is not permitted.
- External communications/sharing of information: Press Releases, web-site listings, blogs, mass-marketing campaigns, advertisements, technology/business/analyst forum discussions and presentations that include information about GE GDC or GE engagements or GE are not permitted. GE shall not provide endorsements for GDC.
- Internal communication/sharing of information/USE of GE specific information regarding GE GDC (overall account information or engagement specific information) to a non-GE GDC audience is not permitted. Within GE GDC, such information shall be shared only on a need-to-know basis.
- GDC resources shall not use the identity of GE GDC in their communication to the non-GE world.
- GE email-ids of GDC resources shall be used purely for communication within GE and GE GDC; any need for use of a GE email-id beyond the GE and GE GDC Program context shall be pre-approved by the GE GDC Program Office / GE Business VMO Leader for the respective Business.
- Email signatures shall clearly identify the GDC Organization of the resource (example: Patni GE GDC); any request for deviation shall be pre-approved by the GE GDC Program Office.
- No GE related information, inclusive of information available on the GE intranet, shall be shared with a non-GE audience unless classified as public.
- GE logo and typeset cannot be used in any external or internal material/communications.
- Any need for use of GE information or GE assets beyond GE GDC shall follow the GDC Review & Approval process. Exception approvals by the GE GDC Program Office/GE Business VMO Leaders shall be a part of this GDC Review & Approval process.
- GDC shall ensure adequate awareness of the above guidelines across all GDC resources (inclusive of sub-contractors).
- GDCs shall escalate to GE (GDC Program Office) if any deviations from the above are observed.
Minimum Audit Requirements
- Evidence of GE/GE GDC Information use requests, review & appropriate action
- Evidence of exception approvals from GE GDC Program Office/GE Business VMO Leaders for deviations in USE
MSA Linkage: Sections 11.13, 16.11
Related Practices: Practices in Data Security, Delivery Management, Physical Security
eGDC Suite Linkage: Adhoc Approvals
Online Resources: Not Applicable
POLICY
Contractual performance data shall be reported to GE in a timely and consistent manner, in the format expected by GE. GDC shall be accountable for the integrity of the data being reported to GE.
GOALS
- 0 misses on reporting contractual performance data
- 0 data integrity issues in data reported to GE
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- CPR 1.0 Publish guidelines and operating procedures for every Contractual performance requirement within GE GDC to ensure consistency and validity of data capture, computations (if any), verification and timely reporting
As a co-owner of this Practice, GE Businesses are responsible for verification & validation of data being reported by GDC. The specific responsibility of GE is:
- CPR 2.0 Verify data being reported and escalate non-compliance to GDC and GE GDC Program Office
OPERATING GUIDELINES
CPR 1.0 Publish guidelines and operating procedures for every Contractual performance requirement within GE GDC to ensure consistency and validity of data capture, computations (if any), verification and timely reporting
- Based on the Contractual requirements at the GE GDC Program level and at the individual Business or project level, GDC may have reporting requirements. These reporting requirements may be defined explicitly as a part of the contract/SOW or may have been communicated through other mechanisms, inclusive of email and conference calls. The reporting requirements shall state the scope of data being reported along with the reporting frequency.
- At the GE GDC Program level, GDCs are expected to report on Project, Resource and Operations performance as per the Program Reporting Requirements provided in the additional guidelines:
  - Online reporting of operations data using the eGDC Toolset is expected, to ensure that data is current (and not accumulated for monthly updates).
  - Project data reported in eMeasure is expected to be reported by the 5th business day of every month.
  - Invoice and outstanding data is expected to be updated in the online tools (eInvoice) at a minimum twice a week, if not daily.
  - Manual reports (where explicitly mentioned) shall be submitted to GE by the 10th calendar day of every month.
  - Incidents are expected to be reported to the GE GDC Program Office within the stipulated time, depending on the material/non-material nature of the incident.
  - Remediation of Security vulnerabilities/incidents shall be completed and reported within the timeframe allocated for the specific vulnerabilities.
  - GDC Competencies (in alignment with the GE technology stack) shall at a minimum be published on a Quarterly basis.
- Contract/SoW based or Project Delivery focused performance reporting, as per business requirements and as agreed with the business project manager, shall be published to GE businesses as per the agreed frequency.
- Financial performance of the GDC Organization at the GE Engagement level as well as at the GDC parent organization level shall be submitted to the GE GDC Program Office on a quarterly basis.
- Anticipated or actual change in ownership or financial status, public listing, change in constitution of the controlling board, mergers and acquisitions, and upgrading/downgrading of financial ratings shall be disclosed to the GE GDC Program Office, as long as the disclosure does not violate any Securities and Exchange Commission rules, regulations or other applicable laws.
- Merger and Acquisition of the GDC parent organization with any of the known competitors of GE is not permitted without prior notification to the GE GDC Program Office.
- GDC shall ensure that any data being reported to GE is verified for completeness and accuracy before being reported.
Minimum Audit Requirements
- Evidence of contractual data being published to GE in a timely manner
- Evidence of pre-reporting verifications on completeness and accuracy of contractual data being reported to GE
MSA Linkage: Sections 4.5, 4.7, 4.21, 5.9, 5.20
Related Practices: All practices
eGDC Suite Linkage: eMeasure, eInvoice, Contacts, eGDC Toolset
Online Resources: Program Reporting Requirements - Additional Guidelines
9.3 Working for Competitors (MATURE)
POLICY
Allocation of GDC resources/sub-contractors that have worked on a GE Task Order to a project with a similar nature of work for a potential GE business competitor, within twelve months of disengagement from the GE Task Order, is not permitted.
GOALS
- 0 instances of resource allocation from GE to engagements with GE's competitors
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- WFC 1.0 Establish and maintain a process to identify, assess and treat potential conflict of interest (COI) in allocating resources to non-GE engagements; seek approval from GE for potential COI cases
As a stakeholder of this Practice, GE Businesses are responsible for ensuring that the risks of such potential placements are understood when reviewing GDC requests for placement of resources in potentially conflicting accounts. The specific responsibility of GE is:
- WFC 2.0 Review/Assess potential COI cases raised by GDC and provide feedback/approval
OPERATING GUIDELINES
WFC 1.0 Establish and maintain a process to identify, assess and treat potential conflict of interest (COI) in allocating resources to non-GE engagements; seek approval from GE for potential COI cases
- GDC shall ensure that no resource that has been off-boarded from GE is assigned to work on a potentially conflicting engagement with a competitor of GE for a period of 12 months from the date of off-boarding from the specific GE engagement. The scope of this risk assessment includes all the business engagements that the resource worked on in the 12-month period (and not just the last engagement). The risk assessment will continue to be carried out for a period of 12 months from the date of the last off-boarding from GE.
- In case a resource has to be deployed on any engagement with a potential competitor of a specific GE business from which the resource was off-boarded within the last 12 months, GDC shall perform a detailed risk assessment that identifies the potential conflict and seek an exception approval from the GE Business VMO Leader/GE GDC Program Office. On formal written approval to deploy the resource, GDC may proceed with deployment. If the request is rejected or is not responded to by GE, GDC shall not proceed with deployment of the resource.
- If no potential conflicts are seen with the deployment, GDCs may deploy the resources without any prior approval from GE.
- All resources with less than 2 years of total work experience may be exempted from approval, unless the role involves GE business process or application architecture exposure.
- The GDC's affiliated companies may engage in work or business for GE competitors, provided that such affiliated companies have not received or had access to any GE Information.
- Sub-contractor organizations (inclusive of special partners to GDCs) shall conform to the stated policy and guidelines on allocating resources to work with competitors of GE.
- GDC shall maintain evidence of formal assessment of conflict and approvals for deployment.
Minimum Audit Requirements
- Evidence of identification of potential competitors to GE Businesses in the context of the GDC Parent Organization environment
- Evidence of formal assessment of conflict/risk of conflict for deployment into a competitor organization
- Evidence of approval from GE for deployment in a potential conflict scenario
MSA Linkage: Sections 3.16, 5.22
Related Practices: Practices of Data Security, Sub-contractor Management
eGDC Suite Linkage: Ad-hoc Approvals
Online Resources: Not Applicable
10.0 Operations Management
FIGURE 13 Operations Management Practices & Linkages
10.1 Site Communications Infrastructure Management (ELEMENTARY)
POLICY
GDC shall maintain appropriate communications infrastructure as required for continued effective operations and delivery from its Certified Sites. This shall include communications technology hardware, software and associated support services, such as telephones, amenities, and communication facilities like video-conferencing, adequate telephone lines and failure backup facilities. GDC is required to be linked to the Company's locations via high speed data link(s) connecting to the Company's recommended PoP or the Company's network service provider. GE GDC Network uptime shall be 100%. Sustained network performance shall be as per GE expectations. The purpose of this Practice is to ensure that GDCs adhere to communications infrastructure performance and availability requirements, and establish controls for proactive monitoring & remediation of infrastructure health issues before they impact GE engagements.
GOALS
- 100% Redundancy & Validity of all equipment & devices at all GDC sites
- 0 instances of performance bottlenecks or availability challenges due to inadequate network bandwidth
- 0 instances of inadequate voice channels for communications
- 0 impact on GE engagements due to infrastructure performance & availability issues
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- CIM 1.0 Maintain equipment standards of GOLD Site; ensure redundancy
- CIM 2.0 Manage equipment & network for high performance & availability
OPERATING GUIDELINES
CIM 1.0 Maintain equipment standards of GOLD Site; ensure redundancy
- A GDC Site supporting multiple businesses or at least 1 critical operation shall be classified as a GOLD Site. In exception cases, where a Certified Site caters exclusively to a single business with non-critical operations ONLY (identified as a part of Site Certification and signed off as such), the Site shall be classified as a SILVER site.
- GOLD Sites shall maintain redundancy on network infrastructure (equipment, devices and the link over the last mile). The backup devices and links shall be of the same specification as the primary ones.
- In the case of SILVER sites, while redundancy is mandatory across all devices, equipment & links, the specifications may be varied for the secondary/backup devices.
- GDC shall ensure high speed connectivity to the GE recommended PoP.
- The Voice Channels shall be dedicated to GE GDC and redundancy shall be maintained on the voice infrastructure.
CIM 2.0 Manage Equipment & Networks for High Performance & Availability
- GDC shall monitor all equipment for performance to the expected standards.
- GDC shall ensure that appropriate Health checks are performed on all devices on a periodic basis.
- GDC shall have valid maintenance/warranty contracts in place to enable immediate resolution should there be an incident involving any device.
- GDC shall proactively monitor end of life of equipment and devices and ensure that no device/equipment which has reached end of life is a part of the GE GDC Infrastructure.
- Link capacity utilization shall be monitored by GDC on a daily basis. Peak utilization shall not exceed 60% over a fifteen minute time period over a 10-hour day. If the threshold is exceeded, GDC shall upgrade capacity.
- GDC shall have a formal planning & forecast process to assess capacity requirements based on the business plan. The process shall take into account the size, the network design (dependencies on other sites need to be taken into consideration) and the applications being accessed.
- GDC shall proactively set policies to ensure proper use of network bandwidth for business purposes and monitor bandwidth use.
- Where GDC introduces new services (Voice or Video) on the network, GDC shall ensure appropriate estimation of the bandwidth impact and proactively plan mitigations to avoid impact on Use/Access/Delivery on GE Engagements.
- GDC shall proactively define performance thresholds that trigger analysis and/or the change management process.
- GDC shall monitor end user (GDC) experience of GE application performance using appropriate methods. If performance drops to a level where it impacts productivity of GDC users at the site, Root Cause Analysis shall be undertaken for curative action and the appropriate fixes applied.
- GDC shall ensure adequate phones/dialcoms are made available for project use. The recommended ratio is 1 voice channel for every 4 projects/15 GDC resources.
Minimum Audit Requirements
- Evidence of equipment maintained as per GOLD Site standards
- Evidence of equipment health & life monitoring as per plan
- Evidence of network bandwidth planning, forecasting & monitoring
MSA Linkage: Sections 4.23
Related Practices: Incident Management, GDC Site Management
eGDC Suite Linkage: Site Equipment Information Report, GDC Site Management, Adhoc Approvals
Online Resources: GIS
10.2 GDC Site Management (ELEMENTARY)
POLICY
GDC shall operate from GE Certified Sites. GDC shall ensure that any extension/de-commission of sites is carried out in compliance with GE Guidelines for secure sites. The policy also applies to GDC Partner sites. The purpose of this practice is to ensure that GDCs operate from certified sites that are fully compliant.
GOALS
- 0 instances of GE related work being carried out from locations other than GE Certified sites (or GE Sites)
- 0 violations on Site Compliance
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
- GSM 1.0 Manage New Site Approvals (TG1 to TG4)
- GSM 2.0 Manage Site Information
- GSM 3.0 Manage Site Certifications (TG5)
- GSM 4.0 Manage Site Extensions
- GSM 5.0 Manage Site Surrender
As a co-owner of this Practice, GE Businesses are responsible for ensuring that the potential risks of USE of unauthorized sites are understood and avoided:
- GSM 6.0 Prevent risks for GE by not encouraging GDC resources to work from unauthorized locations
OPERATING GUIDELINES
GSM 1.0 Manage New Site Approvals
GDC shall provide off-site services to GE only from GE certified GDC sites.
New sites may be planned for within the host country (or) in new countries and may be set up to cater to growth, globalization, de-risking or as a transition from an existing site to a new one.
New sites may be Offshore, Nearshore or Proximity sites. Proximity sites are typically those set up in high cost countries with the objective of providing in-country support to GE Businesses.
Offshore and Nearshore sites are by default Regular sites (200+ FTE Operations). Proximity sites may be a small site (up to 50 FTE) or a medium site (> 50 and < 200 FTE).
New sites may be used for broad-based services covering ITO, BPO and Engineering or be used for a specific combination of services.
New sites may offer regular services or special services like Export Control, NPI, to name a few. The special services may require a restricted area to be set up within the scope of the GE GDC.
Certification of new sites shall follow a 4 stage Tollgate process. The stages are as follows:
TG1 Business Case for setting up a new GDC site. GDC shall submit a proposal that shall at minimum cover information on justification for a new site supported by appropriate business sponsorships, forecasts for the proposed site, and site strategy in terms of services, people, and technology. GE GDC Program Office may choose to approve the Business Case, which enables the GDC to move to the next tollgate. The Program Office may choose to reject the business case.
TG2 Compliance to Physical Infrastructure requirements focused on physical security & safety. GDC's internal audit team shall conduct a physical verification of the site readiness and report the same before GE undertakes physical verification. GE's clearance of the site's readiness on physical security & safety is a must to proceed to the next tollgate. If the site is proposed to offer special services requiring restricted access, the guidelines on restricted access sites shall be followed.
TG3 Compliance to Communication Infrastructure requirements and designing a secure network connection. This phase commences once GE formally approves TG2. GDC shall ensure that the local network infrastructure is set up and in compliance with GE's requirements. GDC shall work with GIS and the GE Information Security team to ensure that the network design is secure and the equipment is as per GE's standards for connectivity to the GE network. If the site is proposed to offer special services requiring restricted access, the guidelines for network security on restricted sites shall be followed.
TG4 Network Connectivity sign-off and uplink. The final stage of the 4 step process, this step is used as a validation point to ensure that open actions (if any) associated with the previous stages are completed and risks are mitigated. Based on approval from GE GDC Program Office, the uplink to the GE Network is provided.
A site is considered ready for Operations once it is TG4 approved by GE.
GSM 2.0 Manage Site Information
GDC shall ensure that information related to every one of the Approved sites is updated on the GE repository. The information to be maintained current (to be updated as and when changes occur) is:
Site Contact List
Site capacity (GE GDC) & Utilization
Site Proxy Information
Equipment & Devices at the Site (Communications Infrastructure) along with specifications and end of life information
Bandwidth subscription
Standard SLAs for Site recovery
Night Shift work applicability
Information and Evidence on External Certifications related to Physical Infrastructure, Physical Security, EHS and the like, where applicable
GSM 3.0 Manage Site Certifications
GDC shall ensure that all sites that are approved for operations are certified within 3 to 6 months of the approval for operations (TG4 approval date). Deviations on timelines for Certifications shall be pre-approved by Program Office.
GDC shall plan the TG5 Certification and communicate the same to GE GDC Program Office at least a month prior to the start of the Certification process.
The Certification process involves the following steps:
A full audit of the Site by the GDC's Internal Audit team (or) the External Auditor
Post-Audit review with GE
Certification Audit shall cover all practice areas and shall be carried out as a formal audit. GDC Internal Audit team shall be responsible for completing the Self-Certification Audit.
Certification Audits may be included into the scope of External Audits if the external audits are due within a period of 6 months from the date of site approval.
Audits shall additionally focus on closure of all pending action items from the Site Approval process.
Audit observations and findings shall be formally reported to GE.
GE's Post-Audit Review of the Site may include one or more of physical site verification, spot audit, Q&A session or a review discussion.
Gaps/Deviations shall be reviewed and appropriate action plans agreed upon.
GE shall certify the site if there are no major gaps/deviations identified as a part of the Certification Audit. Where major gaps/deviations are found, GE may decide to provide GDC with additional time to fix the challenges and get a re-certification done within a period of 3 months.
GSM 4.0 Manage Site Extensions
Site extensions process applies to the following scenarios:
New physical area (within the same building or campus of an existing certified site) to be included into GE GDC Program, including temporary arrangements
Conversion of a part of an existing certified area to an access restricted unit for performing business-sensitive work (Export Control (where applicable), IP development and the like)
GDC Site extensions, if planned, shall follow the same process as a new site set-up (TG1 to TG4).
Site extensions shall be initiated only after the Business case (TG1) is approved.
Physical Security readiness (TG2) would be a mandatory requirement for all site extensions.
Depending on the scope of the extensions, GE may decide on the need for a Physical Security Verification as well as the Network Security readiness (TG3) and Network Connectivity readiness (TG4) process steps. Where seen as essential process steps, GDC shall follow the guidelines for a new site and complete the TG2, TG3 and TG4 process steps. Where a process step is not seen as essential, GE shall provide a waiver.
Site extensions become operational once they are TG4 approved or, through the Waiver process, approved for operations.
Extended parts of certified sites shall be treated as certified units and would therefore not require a separate Site Certification formality.
GSM 5.0 Manage Site Surrender (Full/Partial De-Commissions)
Site surrender process applies to the following scenarios:
Full De-commission of existing sites (Site shut down/Site transition)
Partial surrender of existing sites (conversion from GE access restricted to non-GE access)
Conversion of restricted access GE GDC Sites to regular GE GDC Sites (restricted work areas to regular GE GDC work area)
Site surrender shall follow the 3 step Tollgate process involving business case submission (TG1), planning the surrender (TG2) followed by the actual surrender (TG3).
GDC shall submit the Business case for surrender well in advance of the surrender to enable proper planning. The business case shall clearly articulate the rationale for the decision to surrender fully/partially/convert site status along with an assessment of potential impact to GE Businesses and the mitigation plans to minimize impact.
Surrender planning shall involve the planning for surrender operations start and end. GDC shall provide tentative dates for transition of delivery & operations, surrender of assets (data/information and physical assets), network infrastructure and finally the physical infrastructure at the site. This plan shall be discussed and agreed upon with GE before the surrender operations commence.
GDC shall continuously update GE on the status of the surrender operations. GDC's internal audit team shall audit every stage of surrender and sign off on the completion of the surrender activities. On completion of all the activities associated with the surrender, GDC shall submit to GE a formal surrender report inclusive of the formal Internal Audit report of the site surrender.
GE may decide to perform physical verification of surrender operations at the final stage of the surrender or during any of the interim stages.
GE's approval of the site surrender shall be mandatory for the surrender operations to be completed.
Minimum Audit Requirements
Evidence of individual tollgate approvals for every new site established/in progress, site extensions, site surrenders
Evidence of internal audit on TG2 prior to submission to GE for physical verification
Evidence of internal audit on Surrender Operations prior to submission to GE
Evidence of exception approvals for commencing operations at site prior to completion of the 4 tollgate process
MSA Linkage
Section 4.25
Related Practices
Physical Security, EHS, Systems Management, Business Continuity Management, Supplier Connectivity, Vulnerabilities Management, Engagement Termination/Closure, Data Classification, Confidentiality, Privacy & IP Management
eGDC Suite Linkage
New Site Approval
Site Extensions
Site De-Commission
Site Information Management*
Online Resources
Additional Guidelines for Site Management
10.3 Assets Governance (ELEMENTARY)
POLICY
GDC shall be responsible for appropriate usage and controllership of all assets (hardware, software and VPN tokens, inclusive of those that are GE supplied) in use towards servicing GE. An updated inventory of all assets shall be maintained. The purpose of this Practice is to establish controls to track, monitor and report use of all assets and to prevent violation of any Software license usage agreements, improper use of GE supplied assets and other GDC assets used in servicing GE.
GOALS
100% of assets in GE GDC are tracked and monitored for appropriate use
0 instances of controllership issues or asset loss/damage of GDC / GE Assets
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
AGN 1.0 Manage assets
AGN 2.0 Manage use of GE provided assets
As a key stakeholder of the practice, GE shall:
AGN 3.0 Provide appropriate authorization documentation for temporary USE of GE Asset while assigning the asset to a project/resource
AGN 4.0 Document & track GE Supplied assets allocated to GDC, for proper USE
OPERATING GUIDELINES
AGN 1.0 Manage Assets
GDC shall be responsible for providing its resources with all hardware, software and any other assets that may be required for the delivery of services to GE, as per the GE recommended build.
GDC shall maintain an updated inventory of all hardware assets in use by GDC resources, irrespective of the location of use or the ownership of the assets.
Assets belonging to GE shall be clearly identified in the inventory.
Every Asset shall be uniquely identifiable and traceable to its physical location.
Asset properties/characteristics, Asset location, user and use period shall be clearly defined for every asset in the inventory.
Shared Assets shall be clearly identifiable.
GDC shall establish a formal process for hardware asset movement in/out of GE GDC and asset allocation to GDC resources.
GDC shall track physical movement of assets. Asset movement outside of the GE GDC area is not permitted as a general rule unless otherwise approved by the Asset Governance Leader or an authorized person.
Sharing of assets (beyond servers, printers and network equipment) is not permitted. In exception cases, the controls shall be discussed with the GE GDC program office and documented. Any logs/evidences shall be maintained.
GDC computer systems shall be pre-loaded with GDC coreload that is in line with GE Coreload. GDCs shall also ensure alignment to business specific coreload wherever specified.
The GDC shall procure their own software licenses for the coreload (with the exception of Sophos and WebEx Connect).
GDC shall establish and follow a formal process for installation and use of software licenses beyond the standard set of coreload software licenses. Every such installation shall be approved by an appropriate approving authority within the GDC Organization.
Software licensed to GDC shall be used only on GDC owned computer systems.
GDC shall maintain an inventory of all software licenses deployed on individual GDC systems within GE GDC or in use by GDC resources. The inventory shall clearly identify software type, license ownership and license quantity (entitled and in use).
Physical reconciliation of all assets in use by GE GDC resources or at GDC locations shall be carried out at a minimum once in 6 months.
AGN 2.0 GE Supplied Assets Governance
In exception cases, where GE provides any asset (hardware, software or other asset) to the GDC for TEMPORARY USE, GDC shall ensure that such assets are tracked and managed appropriately.
Every asset (with the exception of VPN Tokens) supplied by GE shall be received along with appropriate documentation of the approval from GE (business specified authorized person), along with terms of use, surrender and appropriate commercial declarations (where applicable). Terms around usage, location of use, purpose of use, period of use and return shall be explicitly understood.
If assets are paid for by GE but procured by GDC with the terms of surrender to GE at the end of the USE period, clear documentation shall be maintained between GE, GDC and the vendor (for example, in the case of software licenses) on the transferability, terms of transfer inclusive of transfer pricing, legalities and the like.
GDC shall ensure that terms of usage, surrender and the end of use process are agreed to up-front. Where there is a need to extend the use of these assets beyond the approved use period or extend use beyond originally approved locations/purpose, GDCs shall follow the renewal and change request processes.
In cases where GE assets are issued to named resources, exit of the resource or completion of the engagement shall lead to the surrender and end of use process being initiated. In the case of software licenses, such software shall be un-installed before the system is handed over to another resource.
GE supplied assets shall be tracked and monitored for their intended use at the approved location from the time the asset comes into GDC custody to the time it is surrendered. Use of the Asset at a location beyond the approved locations shall be done only if the use has been explicitly approved by an authorized GE Manager, in writing.
Assets (for example, GE calling cards, where provided by GE) that are permitted for use only from GE Sites shall not be used by GDC resources for purposes other than GE Business and from authorized locations only.
Assets provided for use at a GE Site shall be surrendered to GE on completion of the engagement at the specified site/business. In case assets are carried back to the GDC site, the handling and surrender responsibility lies with the GDC.
GE supplied assets [with the exception of VPN Tokens] shall be returned to GE at the end of the approved period of use. Release of the asset shall be as agreed with the GE Business and evidence of such agreements and release shall be maintained by GDC.
VPN Tokens may be re-issued within the GE GDC as permissible by the GE Business unit. Traceability of such reuse/re-allocations shall be enabled.
GE supplied asset usage shall be tracked, monitored and reported to GE as per the reporting requirements indicated by GE GDC Program Office.
Minimum Audit Requirements
Asset Inventory
Evidence of approval addendums for GE Supplied Assets (with the exception of VPN Hard Tokens)
Evidence of extension approvals, external use approvals and surrenders
MSA Linkage
Section 4.2, 4.5, 4.6
Related Practices
Physical Security, Systems Management, Business Continuity Management, Supplier Connectivity, Vulnerabilities Management, GDC On-boarding/Off-boarding, Engagement Termination/Closure
eGDC Suite Linkage
Hardware Assets Management
Software Assets Management
Online Resources
Additional Guidelines for GE provided Software Licenses use, GE Software USE Guidelines
10.4 Software Governance (ELEMENTARY)
POLICY
GDCs shall only use authorized software to service all GE engagements. The purpose of this Practice is to enforce Software governance compliance in GDCs to prevent any legal risks to GE due to improper and unauthorized use of software.
GOALS
0 incidents of Software license usage agreement violation for all software
0 instances of freeware/shareware/trial-ware/open source embedded in any product/application delivery to GE
0 instances of any unauthorized software installation and usage
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
SG 1.0 Establish & manage software installation & usage
SG 2.0 Establish & maintain process for no-cost, low-cost software installation and use across GE GDC organization (inclusive of use in GE deliverables)
SG 3.0 Restrict software that can pose risk to GE or GE GDC environment
As a co-owner of this Practice, GE Businesses are responsible for ensuring that freeware/shareware/open source is not recommended for installation / use in the GDC environment or as a part of GE deliverables. The specific responsibilities are:
SG 4.0 Be aware of GE Software USE Guidelines and adhere to GE Guidelines on GDC USE of third party software licensed to GE
SG 5.0 Validate and verify with Software Governance Council on appropriate USE of no-cost, low-cost software in GE applications/software
OPERATING GUIDELINES
SG 1.0 Establish & manage software installation process
Software used in GE engagements shall be either procured by the GDC organization or formally approved by GE.
Download and installation of software shall be disabled by default. In case of an exception, the GDC information security leader shall approve the request for download/installation.
The Software governance leader for the respective business shall authorize GE Proprietary software use.
GDC coreload should be aligned with GE coreload. If the business has additional requirements in terms of coreload, those shall also be incorporated. In case of deviations from GE recommended coreload products, GE GDC Program security leader approval should be obtained.
Approval for all non-Coreload software installations shall be time bound.
GE GDC security leader shall monitor that personal software is used appropriately.
SG 2.0 Establish & maintain process for no-cost, low-cost software installation and use across GE GDC organization (inclusive of use in GE deliverables)
Freeware/shareware/spyware/trial-ware/open source shall not be embedded in any product/application delivery to GE. In case of exceptions, GE Business security leader approval shall be obtained and all such use declared to GE GDC Program, for tracking purposes.
Any use of Open source / freeware / shareware software in the GE GDC environment shall be permitted only if such software has been formally evaluated, security assessed and approved for USE (on a periodic basis) by the GDC Security Leader and GDC legal team.
GDC shall ensure that all such low-cost, no-cost software approved for use in the GE GDC environment is re-assessed for potential security vulnerabilities and licensing on a periodic basis (at least once in 6 months).
In the event that use of such software is required to be discontinued, GDC shall ensure that use of such software is discontinued and existing installations of such software are removed totally.
GDC shall report all such software approved for use in the GE GDC environment.
SG 3.0 Restrict software that can pose risk to GE or GE GDC environment
Use or installation of any software that can cause risk to GE or the GE GDC environment is prohibited. A few such software are listed below:
Spyware
Instant messaging or social networking software like Yahoo, GTalk, MSN etc.
Any tools that are designed to interfere with normal patching or management of your PC or circumvent technology controls in the GE environment
Non-authorized PC remote control software
Peer-to-peer or other file sharing software
Skype or other voice-chat programs
Hacking tools (password crackers, web site fuzzers, packet sniffers, etc.)
Use/installation of personal software (e.g. mobile, camera, iPods) in GE/GDC assets shall be done with the approval of the GE GDC security leader.
Installation of unlicensed software/copyright material (e.g. MP3 files, videos, stock photography) is prohibited in GDC and in any product/application delivery to GE.
Minimum Audit Requirements
Inventory of low-cost, no-cost software used in GE GDC environment
Evidence of assessment records (security and licensing) for such software use in GE GDC
Evidence of process adherence for use of low-cost / no-cost software in GE deliverables
MSA Linkage
Section 4.7, 4.12
Related Practices
Systems Management, Supplier Connectivity, Vulnerabilities Management, Secure Software Delivery, Data Classification, Confidentiality, Privacy & IP Management
eGDC Suite Linkage
FOSS Repository
Embedded low-cost, no-cost software Projects Inventory *
Online Resources
Software Use Guidelines
10.5 Business Divestiture Management (ELEMENTARY)
POLICY
Operations associated with a divested business shall be fully and formally separated from GE GDC within the timeframe approved by GE. Such a separation shall lead to the divested business being treated as a non-GE entity. The purpose of this Practice is to ensure that appropriate controls are designed and deployed to enable a divested business to be formally separated while ensuring protection of GE networks, IP and assets from potential non-GE access.
GOALS
Separation of divested business shall be completed on time, as per plan agreed with GE
No IP, information or physical assets belonging to the divested business shall be retained in GE GDC, beyond what is contractually required from a retention perspective
No IP, information or physical assets belonging to GE shall be provided to the divested business beyond what is formally approved by GE
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
BDM 1.0 Plan, implement and track the separation of the divested business from GE GDC
As a co-owner of this Practice, GE Businesses are responsible for the flow of communication to ensure smooth separation of the divested business from GE GDC:
BDM 2.0 Provide advance notification to GE GDC Program Office and GDC to ensure adequate time for divestiture based separation planning and timely execution
BDM 3.0 Collaborate with GDC Program Office to ensure that the separation is done in compliance with the Divestiture Agreement between GE and the Divested business
OPERATING GUIDELINES
BDM 1.0 Plan, implement and track the separation of the divested businesses
On receipt of communication from GDC Program Office/GE Business VMO, GDC shall respond to GE GDC Program Office with a high level plan for the separation of the divested business from GE GDC. The high level plan shall at a minimum include the dates for sign-off by GE Business VMO and the Divested Business on the plan for separation, and the transition start and end dates.
GDC shall ensure that a detailed transition plan is submitted to GE GDC Program Office at least a month prior to the transition commencement. The detailed plan shall cover physical separation, network separation, information separation and reporting isolation.
GDC shall review the information separation plan with the GE Business VMO leader and obtain sign-off on the same.
GDC shall update GE GDC Program Office on the progress of the transition through the transition phase.
On completion of the transition, GDC shall submit a detailed report on the separation as per the Divestiture guidelines.
Minimum Audit Requirements
Evidence of separation planning and communication with GE GDC Program Office
Evidence of approval from GE Business VMO Leader on Information separation for the divested business
Evidence of separation report submission
MSA Linkage
Not Applicable
Related Practices
Physical Security, Systems Management, Business Continuity Management, Supplier Connectivity, Engagement Termination/Closure, Data Classification, Confidentiality, Privacy & IP Management, Assets Governance
eGDC Suite Linkage
Business Divestiture Planning & Reporting
Online Resources
Additional Guidelines for Divestiture Planning
10.6 No PO, No WORK (ELEMENTARY)
POLICY
Commencing work engagements (new/renewed/extended/change request) without receipt of a valid PO (hard/soft copy of the actual Purchase Order document) is not permitted. The purpose of this Practice is to ensure that appropriate controls are designed and deployed at the GDC Organization to ensure that engagements are commenced with a valid PO.
GOALS
0 cases of new projects being commenced without a PO
0 cases of renewals being worked on without a PO for more than 30 calendar days
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
NPW 1.0 Establish PO Management process
As a co-owner of this Practice, GE Businesses are responsible for ensuring that no work is initiated without a valid PO:
NPW 2.0 Ensure that the PO process is completed and the PO shared with GDC before new engagements are commenced, or
NPW 3.0 Ensure that the PO process is completed and the PO shared with GDC within 30 days of the previous PO expiry in case of renewals, extensions and change orders
OPERATING GUIDELINES
NPW 1.0 Establish PO Management process
GDC shall ensure that any work undertaken by them for GE shall be done on the basis of a valid PO.
No new project can be initiated without a valid PO.
In case of renewals, work can be continued on the engagement for a maximum period of 30 calendar days after the expiry of the PO.
In case of businesses that provide short cycle POs under a long term SOW, GDC shall collaborate with the business to ensure that early alerts are set up and the PO generated to avoid the risk of operating without a valid PO.
Any requests by GE Managers for continuing on projects without a valid PO shall be escalated to the Global Business VMO. Such work cannot be undertaken unless otherwise approved by the Global CIO or the Global Business VMO Leader, on an exception basis.
GDC shall ensure that change requests that impact the effort/schedule of a project beyond the original contracted value/period are formalized.
GDC shall report to the GDC Program Office all work undertaken without a PO, irrespective of whether an exceptional approval had been obtained or not.
Minimum Audit Requirements
Evidence of PO being received before a new project is commenced
Evidence of PO being received within 30 days of contract expiry, in case of a project being renewed
Evidence of exception approval from GE Business VMO Leader for projects that need to be initiated/continued without a valid PO
Evidence of reporting work carried out without a valid PO, to GE GDC Program Office
MSA Linkage
Section 2.7
Related Practices
GDC On-boarding/Off-boarding, Contractual Performance Reporting
eGDC Suite Linkage
eMeasure
Online Resources
Not Applicable
POLICY
GDC shall manage their invoicing and collections process in a manner that there are no invoices outstanding beyond 150 days. The purpose of this practice is to ensure that GDCs manage their process for invoicing and outstanding collections so as to minimize invoicing errors and outstandings beyond 150 days.
GOALS
0 invoices rejected by GE Business due to invoicing errors
0 invoices outstanding beyond 150 days
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
IOM 1.0 Establish and maintain a robust process to proactively manage Invoicing & Collections tracking
As a co-owner of this Practice, GE Businesses are responsible for ensuring that invoices are verified for completeness and paid in a timely manner. The specific responsibilities of GE are:
IOM 2.0 Ensure that Invoices are verified for accuracy and acknowledged on time
IOM 3.0 Ensure that Invoices are paid within the 120 day payment terms (or), if on TPS, within the early payment agreement term with GDC
OPERATING GUIDELINES
IOM 1.0 Establish and maintain a robust process to proactively manage Invoicing & Collections tracking
GDC shall ensure that invoices are raised in a timely manner as per the payment schedules agreed with the business.
Invoices shall be checked for completeness and accuracy.
Invoices shall be sent to the appropriate stakeholder as per the GE Business defined process.
GDC shall track invoice acknowledgement and escalate to the GE Business VMO Leader those invoices which have not been acknowledged within the defined threshold time for a business.
Where invoices are not acknowledged due to conflict, GDC shall ensure that the same is documented and taken up for resolution. Such invoices shall be identifiable.
GDC shall ensure that invoices that are agreed to be paid through the Early Payment discount term are clearly marked so and are traceable as such.
GDC shall ensure that invoices that are to be paid through service credits (either fully or partly) clearly identify the service credit amount and the associated redemption identification number on the invoice.
GDC shall ensure that payments are tracked and reconciled with invoices. Where payments are made for specific invoices, GDC shall adjust the payment amount to the invoice amount of the specified invoice only. Where a payment is made without any reference to an invoice, GDC shall collaborate with the GE Business VMO Leader for the reconciliation.
GDC shall collaborate with GE Business VMO Leader for invoices that are not cleared beyond the 120 days payment terms.
Minimum Audit Requirements
Invoice Acknowledgement & Payment reconciliation
Service Credit redemption identification mapping to Invoice
MSA Linkage
Appendix A-1
Related Practices
Contractual Performance Reporting
eGDC Suite Linkage
eMeasure, eInvoice
Online Resources
Not Applicable
10.8 Business Continuity Management (MATURE)
POLICY
Actionable Business Continuity Plan and Disaster Recovery Plan shall be maintained at the GE GDC level as well as at the application level for each GDC location, to ensure continuity of services to GE. The purpose of this Practice is to identify risks that can impact service continuity to GE and have effective disaster recovery plans to maintain the continuous operation of a business/service in the event of an emergency/contingency situation.
GOALS
0 impact on project delivery or service levels due to un-preparedness of GDC to react to and handle an emergency/contingency situation or incident that may potentially impact business continuity on GE engagements
RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
BCM 1.0 Publish & Maintain up-to-date standards for Site-specific recovery
BCM 2.0 Ensure validity and adequacy of DR Site for each of the GDC Sites and publish the same
BCM 3.0 Establish & maintain effective Business continuity & Disaster recovery plans that are current and complete
BCM 3.1 Understand criticality of application being supported/project being delivered and establish & maintain Project specific BC/DR Plan
BCM 4.0 Execute appropriate drills to assess effectiveness of plans and treat risks identified
BCM 4.1 Execute appropriate drills to assess effectiveness of project level plan and treat risks identified
As a co-owner of this Practice, GE Businesses are responsible for ensuring that they understand the criticality of GDC preparedness to provide continuous operations in case of emergencies. The specific responsibilities of GE are:
BCM 5.0 Be aware of GDC Site constraints and GDC BC/DR capabilities and state explicitly BC/DR requirements for critical/high impact applications & projects
BCM 6.0 Ensure appropriate RTO/RPO definition and monitor the effectiveness of the drills and potential risks for your engagement
OPERATING GUIDELINES

BCM 1.0 Publish and maintain up-to-date standards for site recovery
- GDC shall define, for each of its certified GE GDC Sites, the standard operations recovery SLAs that assure continuity of operations after an incident/disaster that impacts the continuity of operations at the site.
- SLAs shall be defined for start of critical services and for normal operations.
- GDC shall clearly define the default set of services that shall qualify as Critical Services.
- GDC shall publish these standards to GE through the GDC Toolset and also ensure that the standard SLAs for recovery are a part of its responses to RFPs from GE.

BCM 2.0 Ensure validity and adequacy of DR Site for each of the GDC Sites and publish the same
- GDC shall define the DR Sites applicable for each of its certified GE GDC Sites.
- A regular site with > 100 FTE shall maintain, at a minimum, an intra-city and an inter-city DR Site.
- A small site or a regular site with < 100 FTE shall maintain, at a minimum, an intra-city or inter-city DR Site.
- A GDC with more than 500 FTE shall maintain a country DR Site.
- A GDC may choose to maintain multiple DR Sites for a specific site.
- A DR Site shall at a minimum be 25 Kms away from the candidate site.
- A Site named as a DR Site shall by default be a certified GE GDC Site belonging to the GDC or to a partner in the GE GDC Program.
- In cases where certified sites are not available to be considered as DR Sites, GDC shall propose to the GE GDC Program Office an alternate secure arrangement for a DR Site. On exception approval, such proposals may be implemented by GDC.
- Where a GDC partner's site is identified as a DR Site, GDC shall ensure that the DR requirements are identified and agreed upon and a formal contract is signed with the GDC Partner.
- GDC shall review on a periodic basis (at a minimum once in 3 months) the adequacy of the DR Sites and the capacity at the DR Sites, based on the nature of GE engagements and the SLAs with GE Businesses on specific engagements.
- GDC shall ensure validity of the DR Site contract, where the DR Site belongs to a GDC Partner.
- GDC shall publish to GE the DR Sites relevant to each of its Certified GDC Sites and also ensure that the data published to GE is current and up-to-date.

BCM 3.0 Establish & maintain effective Business Continuity & Disaster Recovery plans that are current and complete
- GDC shall maintain actionable Business Continuity Plan and Disaster Recovery Plan across different levels, including Organization, Country, Site and Engagement.
- The GE GDC BCP/DRP shall at the minimum meet the requirements stated in the GE GDC Guidelines and include application level BC/DR plans.
- Business Continuity expectations at the individual application level shall be captured explicitly from GE Businesses. This shall be in the form of clearly defined Recovery Time Objectives (RTO), Recovery Point Objectives (RPO) and Emergency SLAs.
- Infrastructure and resources required towards offsite adequacy and readiness (command center, maps, emergency exits, posters, safe area, Crisis Management Team (CMT), emergency telephone numbers) shall be provided.
- GDC shall ensure identification of critical resources at project level; this shall be done in collaboration with the businesses.
- A well defined and updated crisis notification protocol shall be set up, including stakeholders from GE, GDC and local authorities.
- Detailed Backup and Recovery Procedures shall be maintained at secure offsite locations.
- Periodic backup of all data related to the conduct of work (assigned by GE) must be carried out in compliance with GE Procedures (where specified) and as per industry standard (where not explicitly specified by GE).
- Backups shall be available at more than one offsite location, in alignment with the DR strategy, to ensure availability.
- The off-site location shall be accessible 24x7 to facilitate disaster recovery.
- High availability / multiple sources of retrieval of the following shall be maintained offsite: SOPs for various crises; inventory of the projects along with the project-specific BC/DR Plan.
- Application-specific BC/DR plans must be drawn up in collaboration with GE Businesses (100% coverage of work being executed at the GDC Site).
- BC/DR Plans (Program level and Application-specific) must be available on the Support Central Site with access to the specific GE Businesses and the GE GDC Program Office.
- Plans must be reviewed for current applicability on a monthly basis.

BCM 4.0 Execute appropriate drills to assess effectiveness of plans and treat risks identified
- GDC shall perform different types of tests, inclusive of table-top and cold tests, to assess their preparedness for Business Continuity in the wake of disasters.
- Evacuation drills for every site shall be performed at a minimum frequency of once every rolling three months. Evacuation drills shall include all types of scenarios and crisis levels.
- GDC shall assess potential failure points in their plan/preparedness to provide business continuity within the expected SLA period.
- Application level BCP/DR shall be tested at a frequency as agreed with the business. Effectiveness should be measured against agreed RTO, RPO and other SLAs.
- Adequacy of BC/DR shall be validated at every GDC Site (at the minimum once in 3 months) for completeness of planning, feasibility, reliability, consistency of execution, continuity and recovery.
- Simulations (Validation Tests) must ensure a coverage of minimum 90% of GE GDC Resources and at the minimum 85% of applications (all Mission-Critical applications must be covered).
- GDC shall report to GE the results of all BC/DR tests (site and application level tests).

Minimum Audit Requirements: Site BC/DR Plans, Application BC/DR Plans, Test/Drill Reports inclusive of Backup Performance & Retrieval, BC/DR Effectiveness Review records, Availability of BC/DR Plan on GE KM Repository, Reporting of BC/DR tests/drills to GE, Standard BC/DR SLAs being published to GE, DR Sites information being published to GE, Backup Process, Storage
MSA Linkage: Sections 2.4, 2.18, 4.26, 4.27
Related Practices: Physical Security & Safety Practices, Assets Governance, GDC Resource
eGDC Suite Linkage: eMeasure, eGDC Toolset (Site Information, BC/DR Plan, Drill Reports)
Online Resources: BC/DR Guidelines, GE GDC BC/DR Sample Template, Application BC/DR Template
POLICY
GDC shall ensure appropriate treatment of GE Assets (Information, Access, Software & Hardware) in case of termination/closure of engagements. Contractual data shall be retained for 7 years after termination of contract. The purpose of this Practice is to ensure that GE assets related to the contract being terminated/closed are treated as per GE guidelines/agreement with the concerned GE Business.

GOALS
0 contract violations on treatment of GE assets

RESPONSIBILITIES
As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:
ETM 1.0 Manage Engagement Closure/Termination (includes Project level, Business level or GDC Program level)
ETM 2.0 Manage Contractual Data Retention for GE Audit Purposes

As a co-owner of this Practice, GE Businesses are responsible for ensuring that critical assets that are accessed by/in the custody of the GDC are identified and that special treatment requirements (if any) are agreed upon in a formal manner. The specific responsibilities of GE are:
ETM 3.0 Set expectations on the use and treatment of GE Assets for every engagement
ETM 4.0 Where IP or critical/sensitive information exists as a part of an engagement, verify/audit the GDC treatment of GE Assets on termination/closure
OPERATING GUIDELINES

ETM 1.0 Manage Engagement Closure/Termination
Closure/Termination may occur at project, business or GE MSA level. On closure of one or more engagements, GDC shall ensure that:
- The resource off-boarding process is followed as per the guidelines associated with GDC resource off-boarding.
- If there are project/engagement specific documents that have been maintained (like Assignment of Rights or Non-Disclosure Agreements), such documents are transferred to an exclusive GE archive that is easily accessible.
- GE assets (information & physical) associated with the engagement(s) are surrendered/returned to GE. Information assets belonging to GE shall be moved to the GE Knowledge Gateway.
- If there are engagement-specific GE Folders/Libraries maintained by the GDC, all such Folders/Libraries are transferred to the GE Business VMO Leader.
- No GE asset is retained with the GDC, unless otherwise explicitly approved by the GE GDC Program Office or the GE Business VMO Leader.
- All references (related to the engagements) on the GDC Intranet/Internet site are removed (even though the postings may have been approved by the GE GDC Program Office).
- The desktops and laptops used in servicing the engagement are formatted before they are released to other parts of the GDC or to the parent organization for reuse.
- If closure of one or more engagements results in a certified site becoming redundant, appropriate actions are taken towards site de-commission, in close collaboration with the GE GDC Program Office.
- Sign-off is obtained from the GE Business VMO Leader on the proper closure/termination of the Project/Business specific engagements.

On termination of the MSA, GDC shall ensure that they work closely with the GE GDC Program Office to complete the engagement-specific closure activities. In addition, GDC shall ensure that:
- Resource BGC, on-boarding data, off-boarding data, contractual documents, project financials, invoices and GE payment receipts are archived and maintained for a minimum period of 7 years from the date of termination of contract/MSA.
- GE software assets (like Sophos, WebEx Connect/Sametime) that are provided to the GDC as a part of their special status with GE are uninstalled from all machines and surrendered to GE. Evidence of such uninstallations shall be maintained.
- GE Network access (as a Trusted Third Party) is discontinued. In cases where the GDC would continue to operate as a third party supplier to the business, GDC shall ensure that the network connectivity is reviewed with the concerned business and the GE GDC Program Office to ensure that the connectivity is appropriate to the nature of engagement and level of governance.
- Certified sites are de-commissioned, unless otherwise approved by the GE GDC Program Office to continue operations from a certified site given the continuity of engagements as a business-specific third party supplier.
- Program Office sponsored SSO IDs and access are surrendered; business sponsored SSO IDs are surrendered. In case the GDC is required to continue on business-specific engagements as a business third party supplier, a fresh set of SSO IDs would need to be obtained from the concerned business for all resources required to work on the business engagements.
- Any references (in the GDC organization's Intranet/Internet sites) to GE as a customer or to the organization being a preferred supplier (GDC) to GE are removed.
- The termination activities completion sign-off is obtained from the GE GDC Program Office.

ETM 2.0 Manage Contractual Data Retention for Audits
- GDC shall ensure that all contractual data, inclusive of resource on-boarding information, off-boarding information, contractual acknowledgement documents (AUG, SIA, Spirit & Letter integrity document, Assignment of Rights) and project financials (eMeasure data loads, SOWs, POs, Invoices, Payment Receipts), is maintained for a period of 7 years from the date of termination of contract (inclusive of closure of engagement level contract).
- In case of T&M engagements, the resource timesheet records shall be maintained for a period of 3 years from the completion of the engagement.
- GDC shall maintain such contractual data as a GE RESTRICTED archive with access limited to named individuals.
- GE may choose to audit a GDC on a closed/terminated contract at any point within the 7 year period.

Minimum Audit Requirements: Evidence of GE Assets surrender and clean-up of GDC systems, Backup Storage, GDC intranet/internet sites
MSA Linkage: Sections 2.4, 2.18, 4.26, 4.27
Related Practices: Communications & Infrastructure Management, Physical Security & Safety, Data Security, GDC Resource On-boarding & Off-boarding, Non-Solicitation, Communications & Media Management, SSO id Governance, Site Management
eGDC Suite Linkage: eMeasure, eGDC Toolset (Site De-commission, Contract Termination*)
Online Resources: GDC Termination Checklist
11.0 APPENDIX

11.1 Reporting
Contractual and Operations performance reporting has now become a part of the eGDC Toolset (GDC Operations Portal) and is therefore not necessarily a monthly reporting exercise but more of a regular discipline of keeping all operational data current. However, there are a few reports that are in the process of being transitioned to the eGDC Toolset and would therefore continue to be reported manually, until further notification. The list below provides a view of the data that would be reported through the eGDC Toolset and those that would continue in manual mode.
All manual reports shall be delivered by the 10th of every month to the GE GDC Program Office, and the online event based updates are to be submitted to the tool as and when an event occurs. GDCs shall be responsible for the completeness and correctness of the data reported in the prescribed format.
Online Resources: GDC Reporting Requirements

11.2 GE Coreload
All systems on the GE GDC Network are required to be compliant with the GE Coreload requirements on Hardware, General OS and Certified Software. If there are business-specific coreload requirements, GDC shall ensure that such requirements are adhered to.
Online Resources: GE Standard Coreload

11.3 Additional Scope for External Audits
In order to complete the assessment of the GDC operating environment, the following additional areas are being included in the scope of the Annual External Audits. The findings from these areas shall not be included in the maturity assessment of the GDC practices:
- Corporate Governance
- Delivery Management
- Software Quality Management
- Service Quality Management (for RIM, BPO and Engineering Services)
- Process Management (Service specific process areas)