

GE GDC PROGRAM

PROGRAM GOVERNANCE FRAMEWORK

HANDBOOK OF REQUIREMENTS

Version 1


GE PROPRIETARY & CONFIDENTIAL RELEASE V1.6.1 1 of 185

PROGRAM GOVERNANCE FRAMEWORK

GE PROPRIETARY & CONFIDENTIAL

This document, with its contents, terms and notations, is the sole property of GE and is being published to GE GDC partners to enable them to understand GE's requirements and implement mature practices that enable proactive governance and provide a low-risk operating environment.

The information contained in this document is GE PROPRIETARY & CONFIDENTIAL and is not to be used for any purpose other than the purposes for which this document is furnished by the General Electric Company, nor is this document (in whole or in part) to be reproduced or furnished to third parties or other agencies without the explicit written approval of the GE GDC Program Office.

VIEWERSHIP RESTRICTIONS

This document is restricted to GE's Certified GDCs, GE Employees and GE Certified External Auditors on the GE GDC Program. Use of this document in any shape or form by any other party requires explicit approval from the GE GDC Program Office.

REVISION HISTORY

Revision Date | Version/Revision No. | Types of Changes | Author

Dec 2009 | Draft | Program Maturity Model Handbook – Draft | Uma Mohan

Mar 22, 2010 | Draft | Integrated inputs from Bithal | Bithal Bhardwaj, Uma Mohan

Mar 24, 2010 | Draft | Updates to Sections based on Reviews | Bithal Bhardwaj, Uma Mohan

Apr 8, 2010 | Draft V 1 | Updates to Sections based on Reviews | Bithal Bhardwaj, Uma Mohan

April 9, 2010 | Draft V 2 | Updates to Governance Maturity Model Section, Network & Systems Security, Data Security | Bithal Bhardwaj, Uma Mohan

April 12, 2010 | Draft V 3 | Updates to linkages diagrams, practice classifications, Minimum Audit Requirements for Resource Sharing practice, Contractual Management | Bithal Bhardwaj, Uma Mohan

May 3, 2010 | Draft V 3.01 | Corrections & Inclusions of Operations Management Practices | Bithal Bhardwaj, Uma Mohan

May 5, 2010 | Draft V 3.02 | Correction in SSD, NSS and DS sections | Bithal Bhardwaj, Uma Mohan

May 13, 2010 | Draft V 3.03 | Corrections to sub-requirements based on GDC inputs | Bithal Bhardwaj, Uma Mohan

May 17, 2010 | RELEASE V 1.0 | FIRST FORMAL RELEASE | Uma Mohan

January 2011 | DRAFT V 4 | Changes to handbook for 2011 incorporated | Bithal, Ting Ting, Nachiket, Uma Mohan

January 31, 2011 | RELEASE V 1.5 | VERSION RELEASED | Uma Mohan

February 15, 2011 | RELEASE 1.6 | Version release with changes | Uma Mohan

March 3, 2011 | RELEASE 1.6.1 | Incorporated weekly SSO ID reconciliation and GE email for GDC resources requirements | Uma Mohan

TABLE OF CONTENTS

1.0 Introduction ..... 5
1.1 Program Governance Vision ..... 5
1.2 Objectives of the Handbook ..... 5
1.3 How to use this Handbook ..... 6
1.4 Abbreviations, Acronyms & Terms ..... 6
1.5 Roles & Responsibilities ..... 8
2.0 Governance Maturity Model ..... 10
3.0 Organization Process Management ..... 20
3.1 Organization Governance Structure (ELEMENTARY) ..... 21
3.2 Organization Policy & Process Definition (ELEMENTARY) ..... 26
3.3 Organization Awareness & Training (ELEMENTARY) ..... 31
3.4 Organization Process Performance Measurement (MATURE) ..... 34
3.5 Internal Audits & Assessments (ELEMENTARY) ..... 38
3.6 Incident Management (ELEMENTARY) ..... 42
3.7 Risk Management (ELEMENTARY) ..... 46
3.8 Organization Innovation & Technology Deployment (ADVANCED) ..... 50
4.0 Resource Management ..... 55
4.1 Non-Solicitation (ELEMENTARY) ..... 56
4.2 Background Check (ELEMENTARY) ..... 60
4.3 GDC Resource On-Boarding/Off-Boarding (ELEMENTARY) ..... 64
4.4 SSO Id Governance (ELEMENTARY) ..... 70
4.5 Sub-contractor Management (ELEMENTARY) ..... 75
4.6 GE Site Contractor Management (ELEMENTARY) ..... 79
4.7 Work VISA Management (ELEMENTARY) ..... 83
4.8 Resource Retention Management (ELEMENTARY) ..... 86
5.0 Physical Security & Safety ..... 89
5.1 Environment, Health & Safety (ELEMENTARY) ..... 90
5.2 Physical Security (ELEMENTARY) ..... 94
6.0 Delivery Management ..... 102
6.1 Secure Software Delivery (ELEMENTARY) ..... 102
7.0 Network & Systems Security ..... 107
7.1 Vulnerabilities Management (ELEMENTARY) ..... 108
7.2 Systems Management (ELEMENTARY) ..... 112
7.3 Supplier Connectivity (ELEMENTARY) ..... 117
7.4 Resource Sharing (ELEMENTARY) ..... 121
8.0 Data Security ..... 123
8.1 Data Classification, Privacy, Confidentiality & IP Protection (MATURE) ..... 124
8.2 GE Knowledge Management (ELEMENTARY) ..... 134
9.0 Contractual Management ..... 136
9.1 Communication & Media Management (MATURE) ..... 137
9.2 Contractual Performance Reporting (ELEMENTARY) ..... 141
9.3 Working for Competitors (MATURE) ..... 144
10.0 Operations Management ..... 147
10.1 Site Communications Infrastructure Management (ELEMENTARY) ..... 148
10.2 GDC Site Management (ELEMENTARY) ..... 152
10.3 Assets Governance (ELEMENTARY) ..... 159
10.4 Software Governance (ELEMENTARY) ..... 163
10.5 Business Divestiture Management (ELEMENTARY) ..... 167
10.6 No PO, No WORK (ELEMENTARY) ..... 169
10.7 Invoice & Outstanding Management (ELEMENTARY) ..... 171
10.8 Business Continuity Management (MATURE) ..... 174
10.9 Engagement Closure / Termination Management (ELEMENTARY) ..... 179
11.0 APPENDIX ..... 183
11.1 Reporting ..... 183
11.2 GE Coreload ..... 184
11.3 Additional Scope for External Audits ..... 184


GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 5 of 185

1.0 Introduction

Governance in the GE GDC Program has evolved over a period of time and has come to a stage where the basics are in place for steady GDC operations. From maintaining basic network security and workplace security, the Program has evolved to include multiple dimensions of Contractual, Information Security and Operational Security. Changing business needs, increased focus on globalization and new technologies are leading to the emergence of innovative engagement models and new solutions, and ever-increasing threats are no longer few and far between. This changing landscape, with its new set of threats, necessitates an increased focus on Proactive Governance with the objective of ensuring a safe and secure operating environment while delivering increased value at optimal cost to the GE Businesses.

1.1 Program Governance Vision

"Continuously deliver Increased Value to GE Businesses in a cost-effective, safe and secure environment through innovative solutions and proactive risk management."

1.2 Objectives of the Handbook

The Handbook aims to provide the audience with a complete view of the Program Governance Framework, its components and the detailed requirements of the framework. The Handbook is organized into multiple chapters as follows:

Chapter 1: Introduction to the Handbook

Chapter 2: Program Governance Framework – An Overview

Chapter 3 to Chapter 10: Dedicated to Governance Focus Areas and Practices within each of these Focus Areas

Chapter 11: Governance Reporting Requirements & Tools

Chapter 12: Additional References

The Handbook is intended for use by:


• GE GDC Team – to understand GE's requirements so as to design and implement mature practices & controls that help maintain a safe and secure GDC operating environment while delivering increased value to GE in a cost-effective manner

• GE Business GDC Leaders and Business Stakeholders across IM/Engineering/Business Organizations (who use GDCs) – to understand GE's requirements and facilitate GDC Governance through increased awareness of GE's responsibilities and collaboration with the GE GDC Program Office to identify and mitigate risks for GE

1.3 How to use this Handbook

The Icon Key provides a quick reference to the symbols used within this Handbook. A Practice has Goals, and these are articulated using the Practice Goals symbol. GDC and GE Responsibilities for a Practice are articulated using the specific symbols outlined here. Operating Guidelines are GE-specific guidelines/requirements to be met for a given Practice. Minimum Audit Requirements provide pointers to the evidence required. Related Practices articulate inter-dependencies between the practices. eGDC Toolset highlights the eGDC Toolset module (where applicable) relevant to the practice. MSA Linkage establishes references (where applicable) to MSA Sections pertaining to the requirements. Online Resources point the audience to additional references and guidelines associated with the practice.

ICON KEY

• Practice Goals
• GE Responsibilities
• GDC Responsibilities
• Related Practices
• Min. Audit Requirements
• MSA Linkage
• eGDC Suite Linkage
• Online References
• Best Practices

1.4 Abbreviations, Acronyms & Terms

TERM | Description

AOR | Assignment of Rights

AUG | Acceptable Use Guidelines

BCP | Business Continuity Planning

BGC | Background Check

C&S/CnS | Compliance & Security

CPR | Cost per Resource

DRP | Disaster Recovery Planning

FTE | Full-time Equivalent

GDC | Global Development Centre; refers to Certified GDC Partners

IR | Incident Response

KPI | Key Performance Indicator

LCC | Low Cost Country

NCS | Net Compliance Score

NIS | Net Improvement Score

PO | Purchase Order

PSA | Purchased Services Agreement

RPO | Recovery Point Objective

RTO | Recovery Time Objective

SIA | Secrecy Inventions Agreement

SLA | Service Level Agreement

SOP | Standard Operating Procedure

SoW | Statement of Work

SSO Id | Single Sign-On Id

TO | Task Order

TOD | Tests of Design

TOE | Tests of Effectiveness

DLP | Data Leakage Prevention

HPA | Highly Privileged Account

GE Data | Includes data (inclusive of documents) provided by GE to the GDC as well as all data (inclusive of documents) created by the GDC during the life of a project/relationship

Shall | The word "shall" used in conjunction with a compliance handbook requirement indicates that the GDC is obligated to perform the designated effort or adhere to the requirement. This is a mandatory requirement on the GDC, failure of which may potentially be deemed sufficient reason to invoke the Consequence model

Should | The word "should" used in conjunction with a compliance handbook requirement indicates a desire or preference by GE for a particular method, technique, product, technology, option, or other feature. While the GDC is not obligated to perform the designated effort or provide the designated services or use the designated products in the exact fashion expressed by GE, the GDC shall provide equivalent capabilities

May | The word "may" used in conjunction with a Compliance Handbook requirement indicates that GE has no specific desire or preference for a particular method, technique, product or other feature. The GDC is free to use discretion in performing the effort or adhering to the requirement.

1.5 Roles & Responsibilities

Role | Description & Responsibilities

GE GDC Director | Individual within GE Organization with overall responsibility for the GE GDC Program

GE GDC Program Governance Leader | Individual within GE Organization with overall responsibility for GDC Program Governance

GE GDC Program Security Leader | Individual within GE Corporate and a member of the GE Information Security Organization, with responsibility for Information Security within the GE GDC Program

GE Business Security Leader | Individual within a GE Business and a member of the GE Information Security Organization, with responsibility for Information Security within the GE Business

GE Business GDC / VMO Leader | Individual within a GE Super Business with responsibility for GDC engagements across all Businesses at the Super Business level

GDC C&S Leader | Individual within the GDC Organization with responsibility for Compliance & Security within the GE GDC Organization

GDC Global Relationship Manager | Individual within the GDC Organization with responsibility for the Relationship between the GDC Organization and GE Businesses across the globe

GDC Global Governance Manager | Individual within the GDC Organization with responsibility for overall Governance of the Program, inclusive of Compliance, Security, Delivery & Operations across the globe


2.0 Governance Maturity Model

FIGURE 1 Governance Model.

Governance Components

The Governance Maturity Model is based on the GDC Master Services Agreement (ITSA), the GDC Hygiene Factor Addendum (HFA) and the GE Information Security Guidelines. The components of this model are:

• Governance Focus Areas
• Behavior demonstrated (Spirit as perceived by GE) in performing / operating on these areas
• External Audits
• GE Assessment of GDC
• Maturity Certification of GDC based
• Assessment of Business Impact of GDC Maturity on GE Business
• Post Assessment Planning


Governance Focus Areas

There are 8 Key Process Areas that serve as the backbone of the Governance Maturity Model. Each of these process areas is further divided into Practices that shall be implemented by the GDC Organization. Practices fall into one of three classifications:

FIGURE 2 Practice Classifications (ELEMENTARY, MATURE, ADVANCED)

• Elementary Practices are the basic founding blocks of Governance required for a GDC Organization

• Mature Practices are the pillars of Governance that, together with the fundamentals, create a strong operating environment within the GDC Organization

• Advanced Practices form the roof that, together with the strong pillars and fundamentals, creates a proactive, reliable & secure operating environment within the GDC Organization

Most practices are specific in nature and address specific requirements of a process area. There are a few generic practices that are applicable across all the practices. Practices have a purpose, a set of goals, GDC responsibility statements, GE responsibility statements (where applicable) and requirements that must be fulfilled in designing and implementing the practice. Given below is a high-level view of the 8 process areas and the associated practices.

Organization Process Management focuses on Organization-wide practices that are generic in nature and are critical for the performance of all other focus areas. There are 8 practices within this focus area, as follows:


Process Area | Practice Area | Classification | Type

Organization Process Management | Organization Governance Structure (OGS) | ELEMENTARY | SPECIFIC

Organization Process Management | Organization Policy & Process Definition (OPD) | ELEMENTARY | GENERIC

Organization Process Management | Organization Awareness & Training (OAT) | ELEMENTARY | GENERIC

Organization Process Management | Organization Process Performance Measurement (OPM) | MATURE | GENERIC

Organization Process Management | Organization Innovation & Technology Deployment (OIT) | ADVANCED | GENERIC

Organization Process Management | Incident Management (OIM) | ELEMENTARY | GENERIC

Organization Process Management | Risk Management (ORM) | ELEMENTARY | GENERIC

Organization Process Management | Internal Audits & Assessments (IAA) | ELEMENTARY | SPECIFIC

Resource Management focuses on 8 practices that are resource-centered and apply to all human resources associated with GE GDCs:

Process Area | Practice Area | Classification | Type

Resource Management | Non-solicitation (NS) | ELEMENTARY | SPECIFIC

Resource Management | Background Check (BGC) | ELEMENTARY | SPECIFIC

Resource Management | GE GDC Resource On-boarding/Off-boarding (GOO) | ELEMENTARY | SPECIFIC

Resource Management | SSO Id Governance (SIG) | ELEMENTARY | SPECIFIC

Resource Management | Sub-contractor Management (SCM) | ELEMENTARY | SPECIFIC

Resource Management | GE Site Contractor Management (GCM) | ELEMENTARY | SPECIFIC

Resource Management | Work Visa Management (WVM) | ELEMENTARY | SPECIFIC

Resource Management | Resource Retention Management (RRN) | ELEMENTARY | SPECIFIC

Physical Security & Safety focuses on 2 Practices that pertain to the GE GDC physical infrastructure security and safety:

Process Area | Practice Area | Classification | Type

Physical Security & Safety | Environment, Health & Safety (EHS) | ELEMENTARY | SPECIFIC

Physical Security & Safety | Physical Security (PS) | ELEMENTARY | SPECIFIC

Delivery Management focuses on 3 Practices that are critical to ensuring consistent delivery excellence:

Process Area | Practice Area | Classification | Type

DELIVERY MANAGEMENT | Secure Software Delivery (SSD) | ELEMENTARY | SPECIFIC

DELIVERY MANAGEMENT | Software/Service Quality Management (SQM) | MATURE | SPECIFIC

DELIVERY MANAGEMENT | Process & Productivity Management (PPM) | MATURE | SPECIFIC


The Network & Systems Security focus area is made up of 4 practices that are critical to safeguarding GE's networks:

Process Area | Practice Area | Classification | Type

NETWORK & SYSTEMS SECURITY | Vulnerabilities Management (VM) | ELEMENTARY | SPECIFIC

NETWORK & SYSTEMS SECURITY | Systems Management (SM) | ELEMENTARY | SPECIFIC

NETWORK & SYSTEMS SECURITY | Supplier Connectivity (SC) | ELEMENTARY | SPECIFIC

NETWORK & SYSTEMS SECURITY | Resource Sharing (RS) | ELEMENTARY | SPECIFIC

Data Security comprises 2 Practices that together ensure protection of GE Data, Knowledge & Information. These practices are:

Process Area | Practice Area | Classification | Type

Data Security | Data Classification, Confidentiality, Privacy & IP Management (DCP) | MATURE | SPECIFIC

Data Security | GE Knowledge Management (GKM) | ELEMENTARY | SPECIFIC

Operations Management focuses on 9 Practices that are operational in nature and are central to the operational success of the GDC:

Process Area | Practice Area | Classification | Type

OPERATIONS MANAGEMENT | Communications Infrastructure Management (CIM) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | GDC Site Management (GSM) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | Assets Governance (AGN) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | Software Governance (SGN) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | Engagement Termination/Closure Management (ETM) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | No PO, No WORK (NPO) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | Invoice & Outstanding Management (IOM) | ELEMENTARY | SPECIFIC

OPERATIONS MANAGEMENT | Business Continuity Management (BCM) | MATURE | SPECIFIC

OPERATIONS MANAGEMENT | Business Divestiture Management (BDM) | ELEMENTARY | SPECIFIC

Contractual Management focuses on 3 Practices that are contractual in nature and do not necessarily qualify to be a part of any of the above process areas. These practices are:

Process Area | Practice Area | Classification | Type

CONTRACTUAL MANAGEMENT | Communication & Media Management (CMM) | MATURE | SPECIFIC

CONTRACTUAL MANAGEMENT | Contractual Performance Reporting (CPR) | ELEMENTARY | SPECIFIC

CONTRACTUAL MANAGEMENT | Working for Competitors (WFC) | MATURE | SPECIFIC

Spirit & Letter

The Program Maturity Model lays emphasis on the SPIRIT demonstrated in implementing the LETTER. This SPIRIT is seen as a key differentiator in driving proactive and generative solutions that are innovative, cost-effective and oriented towards maintaining a safe and secure environment. Key characteristics that define this SPIRIT are Alignment, Openness and Initiative. The VALUES thus demonstrated are:

VALUES RATING | DEMONSTRATED BEHAVIOUR

PASSIVE

• External Acceptance at a superficial level without a clear engagement or understanding

• Does not engage in dialogue; lacks openness and transparency in communication; high degree of resistance / unwillingness to validate assumptions or look at new perspectives

• Reactive in nature; does not take any tangible / visible actions unless mandated by GE

PARTICIPATIVE

• Primarily focuses on Letter – based on feedback, seeks to understand the Spirit behind GE's requirements; Organization culture is primarily focused on compliance to stated requirements without adequate insight into the "Spirit"

• Dialogues on a need basis to understand stated requirements; shares information to the extent defined / necessitated by GE's stated requirements; does not actively look for new insights/feedback/learning opportunities

• Demonstrates commitment to meet stated requirements; waits to be told "what to do & how to do" – once defined, does what is required to be done

COLLABORATIVE

• Focuses on Spirit & Letter – accepts and engages with GE to uncover new perspectives that may create a deeper understanding and appreciation of GE's requirements; seeks to share this understanding with its people in a focused manner

• Builds dialogue to understand and reach consensus – open to changing viewpoints / assumptions; shares risks and actively seeks feedback & works on it

• Primarily focused on driving performance results; voluntary problem-solving culture; engages actively and takes visible & tangible actions towards new ideas and opportunities when pointed in that direction

STRATEGIC

• Focuses on Spirit & Letter – shows understanding of GE's requirements and proactively enrolls people in the Spirit & Letter mode, making it the DNA of the GDC Organization

• Builds dialogue based on active listening and deep understanding of GE's requirements – complete transparency & pro-activeness in Operations promotes trust & a long-term relationship

• While continuously driving performance results, uses insights & expertise to identify new ideas & opportunities, and to predict and invest for the future

• Maps the future based on the changing business environment

• Mines exceptions to gain valuable insights

• Seeks and promotes breakthrough ideas that create multiplying positive value for GE and the GDC

FIGURE 3 Values Assessment

External Audits

Performed annually by GE Certified Global Audit Firms, the External Audits are a critical component of the Governance Maturity Framework. External Audits shall be performed in accordance with GE guidelines for these audits, and reports shall be submitted in a timely fashion to facilitate GE Assessment of GDC Maturity.

GE Guidelines for External Audits shall be published ahead of the Audits, and GE shall facilitate discussion with Auditors to develop a common understanding of GE's expectations across Auditors and GDCs.

GE Assessment Process

With a view of performance as a continuous function, the GE Assessment process is focused on identifying gaps in the GDC Operating environment that could be potential risks/threats to GE. Assessments would be carried out at frequent intervals over the year. The final assessment, leading to certification of the GDC, considers as inputs the findings from External Audits as well as the performance view obtained from GE Spot Audits, Monthly reporting, Incidences, Customer Complaints, Innovations and Best Practices implemented in the GDC operating environment. It also lays emphasis on assessing:

• The SPIRIT demonstrated by the GDC in implementing the LETTER (measured through the VALUE indicators discussed in Figure 3 above)

• Risks in the GDC Operating Environment based on all the above sources.

As in any formal assessment, the findings and observations shall be shared with the GDCs. The GE assessment phase plays a critical role in determining the maturity and consistency of practices in the GDC Operating environment.

GDC Maturity Certification

Recognition of the GDC Organization's maturity of practices and controls in maintaining a safe and secure operating environment while continuously delivering increased value to GE Businesses. The 5 possible levels of Maturity are as follows:

FIGURE 4 Program Governance Maturity Levels

The maturity level shall be determined based on the GE Assessment process and formally communicated to the GDC.


Business Impact Assessment

With a view to understanding the impact of GDC Maturity on GE Businesses, this GE internal phase focuses on mapping the business exposure to the GDC with the Maturity level of the GDC to arrive at the GDC Profile as shown here. As can be seen from the matrix, $ Spend with GDC and the nature of work done by the GDC influence the Profile of the GDC.

FIGURE 5 GDC PROFILING

This GDC Profile is further mapped to the Maturity level of the GDC to arrive at a risk impact score as shown here.

FIGURE 6 Business Risk Impact

The risk impact score along with qualified risk statements by Practice area shall be published to the Businesses for their planning.


Post Assessment Planning

As the final phase in one cycle of the Maturity Model Assessment, this phase focuses on both GDC Action Planning as well as GE Action Planning.

GDC Action plans shall be reviewed and corrective actions closed with the GE GDC Program Office as per the schedule below:

Maturity Level | Action Closure Period

LEVEL 1 (AD-HOC) | 90 Days

LEVEL 2 (BASIC) | 60 Days

LEVEL 3 (DEFINED) | 30 Days

LEVEL 4 & 5 | Case to case basis based on observations

GE Action plans shall focus on risk mitigation, changes to requirements and internal process improvements, and may result in changes to the Handbook and guidelines.


3.0 Organization Process Management

Organization Process Management is the one focus area that differentiates a mature organization, with a proactive, reliable and secure operating environment, from the others. This focus area calls for an organization to invest in people, processes and tools which together enable it to establish and maintain a proactive, reliable and secure operating environment that benefits its employees, customers and stakeholders.

The diagram below gives a perspective on the practices within the Organization Process Management focus area and the relationships between the practices.


FIGURE 7 Organization Process MANAGEMENT Practices & Linkages

3.1 Organization Governance Structure (ELEMENTARY)

POLICY

GDC Organization shall have a formal governance program in place. A senior member of the GDC Organization shall head this Governance Program.

The purpose of this Practice is to establish and maintain a Governance Organization structure that has the accountability and appropriate authority for managing the Governance Program and achieving the desired outcome of maintaining a safe and secure operating environment.

GOALS

• Organization Governance Program is led by a Senior Leader and has Organization Management sponsorship

• Governance Organization is staffed by the right people in the right roles, who have the accountability and authority to perform their roles

• GDC Organization resources are fully aware of the roles and responsibilities of the members within the GDC Governance Organization

RESPONSIBILITIES

As the primary owner of this Practice, GDC is responsible for ensuring that appropriate focus and attention goes into setting up the governance organization. The specific responsibilities are

OGS 1.0 Establish and maintain an effective Governance Organization Structure

OGS 2.0 Establish and maintain Management Review rhythm

GDC shall share the Governance Organization structure with the GE Businesses so as to create awareness on the structure, members in key roles and responsibilities.


OPERATING GUIDELINES

OGS 1.0 Establish and maintain an effective Governance Organization Structure

GE GDC Governance Organization structure shall exist and be documented

The Governance Organization shall be headed by a Senior Leader with accountability for the desired outcome of maintaining a safe and secure GDC Operating environment

The Governance Organization Leader shall have appropriate authority to perform the activities required to meet the role expectations

The Governance Organization Leader shall have a reporting relationship to the GDC Parent Organization’s Compliance Leader (or an equivalent role)

At a minimum, the GDC Organization shall have the following critical roles defined for Global Operations and staffed appropriately

• Governance Leader

• Information Security Leader/GDC Security Leader

• Data Privacy Leader

• Physical Security Leader

• Crisis Management Leader

• Application Security Leader

• Product Quality Leader

• Ombuds Person

• Internal Audits Leader

• Risk Leader


These roles shall have accountability for performance and shall also have appropriate authority to perform the activities required to meet the role expectations

Roles of Ombuds Person and Internal Audits Leader shall be defined in a manner to minimize conflict of interest and potential controllership issues

Where appropriate, the Organization Governance structure shall also define

• GDC Site level roles

• Linkages to Parent Organization’s key roles in the respective areas

• All Committees like Risk Council, Management Committee and their linkages with governance roles.

GDC shall formally publish the Governance Organization structure to the entire GDC Organization and to GE GDC Program Office

Any changes to staffing or the structure itself shall be formally communicated to the GDC Organization and to GE GDC Program Office

GDC shall ensure that secondary or backup resources are identified for all critical roles.

OGS 2.0 Establish and maintain Management Review Rhythm

GDC Governance Organization priorities and performance shall be periodically reviewed by Organization Management Committee for effectiveness of the Governance Program

Organization Management Committee shall at a minimum include the Global Relationship Leader, Global Delivery & Operations Leader, Parent Organization’s Information Security Leader and the Parent Organization’s Governance/Compliance Leader

Formal Management Review meetings shall be held Quarterly, at a minimum

The Management Review meetings shall be well represented by all the key roles of the Governance Organization; specifically, the Internal Audits team and the Ombuds Person shall be permanent members of these meetings

Organization Management Committee shall set the Vision and Operating goals for the GDC Governance Organization, thereby facilitating formal reviews of performance

Actions arising out of Management review meetings shall be clearly documented and monitored for closure


GDC shall also clearly define the Communication & Escalation Methods with Organization Management Committee

Minimum Audit Requirements

• Evidence of communication on GDC Governance Organization Structure to GDC Organization

• Evidence of Change communication (where changes have been effected in the Organization)

• Evidence of Management Reviews on performance and priorities of Governance Organization, follow-up actions and closure of the same

MSA Linkage: Not Applicable

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: GDC Contacts Module

Online Resources: Not Applicable


3.2 Organization Policy & Process Definition (ELEMENTARY)

POLICY

GDC Organization shall have well-defined operating procedures in place to meet the policies and the requirements of the various practices.

The purpose of this Practice is to establish and maintain well-defined Operating procedures that meet the spirit and letter of GE’s requirements on Governance, are specific to the Organization, are usable by GDC Users, and promote consistency of practice across the GDC Organization.

GOALS

• GDC Organization shall have a formal process in place to define policy, process and operating procedures for GDC Organization

• GDC Organization shall have well-defined Standard Operating Procedures that clearly define GDC Organization’s implementation of GE’s policy and requirements on Governance

• 0 defects in coverage (process design)

• GDC Organization shall ensure uniform and consistent implementation of the practice across all global operations covering all functions, services and global locations of GDC Organization

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate policies, processes, procedures and controls are designed and implemented within the GDC Organization to meet the policies and goals of this governance framework. The specific responsibilities are

OPD 1.0 Establish and maintain a process for policy & process definition

OPD 2.0 Establish and maintain Standard Operating Procedures for all practices

OPD 3.0 Deploy the Standard Operating Procedures across GDC Organization


OPERATING GUIDELINES

OPD 1.0 Establish and maintain a process for policy & process definition

GDC shall have a well-defined process in place for New Process Introductions and Revisions to existing processes (collectively referred to as New process introductions hereafter)

The process shall clearly define the review, approval and release protocols for new process introductions

The process shall clearly define the communication protocols, publishing mechanisms and orientation procedures associated with new process introductions

The process shall clearly define the change management triggers and guidelines associated with revisions to existing processes

The process shall clearly articulate the structure for documenting the Standard Operating procedures by clearly defining the mandatory components of the documentation and the optional aspects

The process shall clearly articulate preventive, detective & corrective controls. The process shall clearly articulate tailoring & customization guidelines

The process shall clearly identify the repository for storage of all process artifacts associated with the GDC Organization and the access control mechanisms for the same

OPD 2.0 Establish and maintain Standard Operating Procedures

GDC Organization shall have a well-defined, documented and easy to use set of Standard Operating Procedures

Standard Operating Procedures shall at a minimum cover all requirements outlined in this Handbook

Standard operating procedures may be defined at any level by the GDC Organization:

• Functional/Process Level – GDC may choose to have a single SOP that covers the requirements across multiple practices pertaining to the function/process area (as an example, GDC may choose to have a single SOP for the entire Resource Management function)


• Practice Level – GDC may choose to have an individual SOP associated with a single practice (as an example, GDC may choose to have a SOP for the Sub-contractor Management practice and another SOP for GE Site Contractor Management)

• Hybrid approach – GDC may choose to have a combination of functional and practice level SOPs, as appropriate to the GDC Organization

Traceability to requirements outlined in the handbook shall be established irrespective of the approach used

GDC Organization may choose to maintain a separate policy document or maintain the policies as a part of the Standard Operating Procedures

Standard Operating Procedures shall depict the complete process/practice design and detail out the implementation aspects of the process/practice, to the level of detail required to implement the process in a uniform and consistent manner across the GDC Organization (with its global locations and range of services)

Standard Operating Procedures shall at the minimum describe the following

• Purpose & Performance Objectives

• Entry Criteria

• Inputs to the process/practice

• Process Design

• Applicable procedures, methods, tools and resources

• Applicable standards (if any)

• Control mechanisms in place (preventive control, corrective control or contingent control)

• Verification points and parts

• Process performance and product performance measures and measurement points

• Interfaces & Dependencies, inclusive of linkages to parent organization processes & procedures

• Exit Criteria

Certain process/practice steps may require to be

• Tailored to meet the needs of a country and/or a GE Functional Division (ITO, Engineering or BPO) or a Business.

• Customized based on GDC’s design and/or implementation of the specific requirements

For example,

• Background Check practice steps may require tailoring/customization to a country and the GE Business

• Sub-contractor Management practice steps may require tailoring/customization based on GE Functional Division (ITO, Engineering or BPO)

All such needs for tailoring/customization shall be discussed with GE GDC Program Office and undertaken with approval from the GE GDC Program Office

The Standard Operating Procedure shall clearly identify all such tailored/customized processes

GDC shall ensure that there is appropriate integration between the various processes and procedures

At a minimum, SOPs shall adhere to the document management guidelines of the GDC Parent Organization and follow the GE Data Classification guidelines

OPD 3.0 Deploy Standard Operating Procedures across GDC Organization

GDC shall deploy the standard operating procedures across the entire GDC organization in a planned manner. The deployment shall be uniform across all global sites of the GDC

GDC shall maintain a plan for deployment of standard operating procedures to new GDC Sites within a month of the site becoming operational

GDC shall ensure that appropriate training material and an orientation plan are in place to ensure that new process introductions and changes to procedures are introduced in the right manner at the start of deployment

GDC shall monitor the implementation of the processes, practices and procedures across all its sites to ensure that the performance objectives are met


Minimum Audit Requirements

• Evidence of New Process Introductions in alignment with GDC Organization process for new process introductions

• Evidence of Process Change communication

• Evidence of GE approvals for tailoring/customization

MSA Linkage: Not Applicable

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Not Applicable

Online Resources: Not Applicable


3.3 Organization Awareness & Training (ELEMENTARY)

POLICY

GDC Organization resources are trained on the governance framework and standard operating procedures before being assigned to GE GDC.

The purpose of this Practice is to establish and maintain a well-defined training and orientation program and a plan for training that ensures all resources are trained and made aware of the GE Governance framework and their role in maintaining a safe and secure operating environment that delivers value in a cost-effective manner.

GOALS

• 100% of GDC resources are trained on the Governance framework and the Standard Operating Procedures before being assigned to a GE Engagement

• 0 incidents due to a GDC resource’s lack of awareness of policy/practice

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that every resource belonging to GDC Organization is trained adequately and in a timely manner on the appropriate policies, processes, procedures and controls of this governance framework. The specific responsibilities are

OAT 1.0 Establish and maintain a training policy & plan for training / orientation

OAT 2.0 Develop Training material

OAT 3.0 Deliver training/orientation as per plan

As a key stakeholder, GE shall provide additional inputs to GDC where there are business-specific guidelines (or) more stringent controls that need to be adhered to in order to meet business-specific regulatory requirements and/or handling of business sensitive information

OAT 4.0 Provide direction/inputs to GDC on additional training required to meet regulatory requirements and/or handling of business sensitive information


OPERATING GUIDELINES

OAT 1.0 Establish and maintain a training policy & plan for training/orientation

GDC shall clearly establish a training/orientation policy

The training policy shall at a minimum identify the scope, coverage and timing of the training and orientation program applicable to all resources. At a minimum, GDC shall have the New Joinee Orientation Program and Annual Refresher Program on Governance framework

The training policy shall also identify additional contexts/situations (if any) where add-on trainings/orientations become applicable. For example, GDC may choose to mandate that resources working on projects dealing with Sensitive data or IP go through an additional course on Data Privacy & Confidentiality, just before the start of the engagement

The training policy shall include the minimum qualification criteria on each program and the period within which the qualification must be obtained. For example, GDC may stipulate that a minimum score of 80% is mandatory to qualify

GDC shall maintain an annual plan for training and orientation. The plan shall be formally published to the GDC Organization and tracked. Any changes to the plan shall be formalized and shall follow the communication rhythm for process change

GDC may additionally plan role-specific training programs to provide in-depth orientation on appropriate requirements to specific roles, inclusive of GDC resource roles at GE Sites

OAT 2.0 Develop Training Materials

GDC shall have appropriate training material for each of the programs. The training material shall cover the policy and the governance requirements as well as the implementation aspects

The training program may be delivered in one or more of many approaches like Classroom Training, Online Training, Guided Self-study, Facilitated Videos

GDC shall choose the most appropriate training approach for the various programs and shall develop appropriate material

GDC shall maintain multi-language support of the training material to ensure training of resources across its global locations

OAT 3.0 Deliver Training/Orientation as per plan


GDC shall conduct the training in a manner that makes it effective.

The training shall also focus on contextual case studies so as to ensure a better understanding of the policy and the requirements

GDC shall analyze incident data to ascertain opportunities for improvement of awareness training & orientation programs

GDC shall maintain records of training, inclusive of training date and participants list

GDC shall assess training effectiveness and participant performance in Certification process

Minimum Audit Requirements

• Evidence of Training Policy being published

• Evidence of Annual Training Plan (in alignment to training policy) and execution of the training plan

• Evidence of training effectiveness assessment, identification of improvement opportunities

• Evidence of on-boarding to GE GDC post the certification

MSA Linkage: Sections 3.7, 3.8

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Not Applicable

Online Resources: Not Applicable


3.4 Organization Process Performance Measurement (MATURE)

POLICY

GDC Organization shall have formal practices in place to measure the effectiveness of their practices and ensure that process/practice improvements are planned and executed.

The purpose of this Practice is to establish and maintain a well-defined quantitative program that measures the effectiveness of the process design as well as the effectiveness of the implementation across the GDC Organization, with the objective of continuously improving the process/practice and associated set of standards, guidelines, tools and resources towards maintaining a low-risk environment that consistently delivers high value at optimal cost.

GOALS

• Every process/practice area has tangible effectiveness measures defined and documented

• Quantitative process/practice management is a part of the Organization DNA

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for defining performance measures and monitoring their performance to plan improvements and institutionalize these improvements. The specific responsibilities are

OPM 1.0 Establish and maintain performance measures and performance objectives

OPM 2.0 Perform periodic performance assessments

OPM 3.0 Review performance with GDC Organization Steering Committee, plan and deliver on improvements


OPERATING GUIDELINES

OPM 1.0 Establish and maintain Performance Measures and Performance Objectives

GDC shall ensure that every process/practice has clearly defined performance measures

Performance measure description shall at the minimum include the metric, the measurement criteria, frequency of measurement, data collection mechanism

Performance measures shall include both process measures and product measures

GDC shall perform baseline assessment and gain an understanding of their baseline performance level

Based on the current performance baseline and the expected performance, GDC shall define their performance objectives

Performance objectives shall include the metric, the measurement criteria (it shall be defined and accessible to GE and GDC), the target/objectives and the timeline for achieving the target

GDC Organization Steering Committee shall review and approve the Performance Measures and Performance Objectives

Performance Objectives shall be reviewed for applicability at least once in 6 months

GDC shall establish and maintain a formal measurement plan. The plan shall at the minimum identify data sources, methods of data collection, frequency of collection, consolidation & analysis mechanisms, assessment frequency

OPM 2.0 Perform periodic performance assessment

GDC shall ensure that every practice/process is assessed as per the measurement plan


The data collected thus shall be maintained in a repository for analysis purpose

Alignment to performance objectives shall be assessed and strengths, weaknesses and risks shall be identified

OPM 3.0 Review performance with GDC Organization Steering Committee, plan and deliver on improvements

GDC shall share the performance assessment report with the GDC Organization Steering committee

Based on the assessment, GDC shall identify performance risks and shall review the same with GDC Steering Committee

GDC shall proactively conduct RCA on the existing control mechanisms and identify opportunities for improvement.

Such opportunities for improvement shall be reviewed with GDC Steering Committee and improvement initiatives shall be signed off with Steering Committee

Where the proposed improvement modifies/alters GE’s policy/practice/requirements (as stated in the Handbook or its source documents), GE GDC Program Office sign-off shall be obtained before commencing the initiatives

GDC shall monitor the progress on all these improvement initiatives and validate the performance of these improvements

GDC shall communicate the progress/status of these initiatives on a monthly basis to GE GDC Program Office


Minimum Audit Requirements

• Evidence of Performance measures and performance objectives being defined

• Evidence of periodic assessments across global sites and Evidence of process improvement initiatives being taken up

MSA Linkage: Not Applicable

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Ad-hoc Approvals

Online Resources: Not Applicable


3.5 Internal Audits & Assessments (ELEMENTARY)

POLICY

GDC Organization shall have a formal practice of internal audits and assessments in place to assure that GE’s requirements of Governance are established and implemented to maintain a safe and secure operating environment that consistently delivers high value.

The purpose of this Practice is to establish and maintain an internal audits & assessment practice that verifies and validates the performance of the GDC Organization and provides early warning signals to GDC Organization Leadership on gaps and risks due to incomplete process/practice design or inadequate rigor in implementation.

GOALS

• “0” surprises in External Audits

• “0” surprises in GE Assessment of Maturity Level

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for establishing their Internal Audits & Assessment team and plan, and for performing the audits and assessments to meet the policy and goals of this practice. The specific responsibilities are

IAA 1.0 Establish an Internal Audits and Assessment practice

IAA 2.0 Perform Internal Audits & Assessments

OPERATING GUIDELINES

IAA 1.0 Establish an Internal Audits & Assessment Practice

GDC Organization shall establish an Internal Audits & Assessment practice


The practice shall be staffed appropriately with qualified and dedicated team members

The GDC Organization may choose to engage a third party audit firm as its internal auditors. However, the selection of such an audit firm shall be reviewed and approved by GE GDC Program Office

The team shall have independence of organizational reporting to increase effectiveness of the audits & assessments

The team shall have a well-defined audit & assessment framework that shall be well documented. The framework shall also clearly articulate the roles and responsibilities of the IAA team, the Governance team, and all other parts of the GE GDC Organization

The IAA practice team shall establish an annual plan for audits & assessment with the scope, coverage, approach clearly defined

Internal Audits & Assessments shall be carried out on a quarterly basis covering at least 3 quarters, at all Sites that are used to deliver GE engagements. Any exceptions to this schedule shall be discussed and signed off with GE’s GDC Program Office

The IAA team may determine which practices are centrally managed from a single site and, accordingly, the scope of audit at the individual sites for such practices

IAA team shall clearly document the Audit & Assessment methodology to be used for each audit/assessment

The Annual plan of Audits & Assessments shall be signed off by the GDC Organization Steering Committee

The IAA practice team shall publish the Audits & Assessment plan for the year to GE GDC Program Office, on creation as well as on change

The IAA practice team shall collaborate with the Governance Leader to identify External Auditors and ensure that external audits are carried out as per GE guidelines

Only GE approved external auditors are permitted to be used for external audits

External audits shall be performed within the timelines expected by GE and reports published to GE


Where contractual regulatory external audits or Business-specific regulatory external audits are required, GDC shall work closely with the GE GDC Program Office to ensure that all the requirements of the regulatory audit are covered

IAA 2.0 Perform Internal Audits & Assessments

The IAA practice team shall conduct Internal Audits & Assessments as per plan

Audit checklists shall be customized to meet the GDC Organization specific design and customization of practices

The Audits & Assessment shall cover all sites of GDC and partner sites (where the GDC uses partners to deliver work for GE)

GDC shall ensure that a full scope internal assessment is carried out once at a minimum during the year

Deviations from plan shall be approved by the GDC Organization Steering Committee

Detailed documentation of the Audits & Assessments shall be maintained

Formal report of performance shall be prepared and discussed with the GDC Organization stakeholders (the Governance team, the GDC Organization Steering Committee and any other critical member of the GDC Organization)

The IAA team shall carry out an assessment of the GDC Organization maturity level as per GE guidelines and identify the maturity of individual practices at each site and at organization level

The Assessment report shall be shared with GE GDC Program Office along with the action plan for closures

GDC Organization shall identify corrective actions and process/practice improvements based on the Audit/Assessment findings. All action items shall be tracked for closure and signed-off by IAA team


Minimum Audit Requirements

• Evidence of Internal Audits & Assessments Plan (creation, review & sign-off by GDC Steering Committee, communication to stakeholders)

• Evidence of internal audits and assessments being carried out as per plan across global sites

• Evidence of closures on action items being reviewed and signed-off by IAA team

MSA Linkage: Sections 3.2, 4.5 and 6.1

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Not Applicable

Online Resources: Not Applicable


3.6 Incident Management (ELEMENTARY)

POLICY

Customer complaints, non-compliances to any of the 38 practices of the Governance framework and any physical event that compromises confidentiality, security and safety shall be considered as an incident. GDC shall report any incident associated with its Organization or an occurrence observed at a GE Site/Business to GE GDC Program Office. Material Incident occurrences shall be reported within 2 hours to GE GDC Program Office and non-material incidents within 48 hours. GDC shall establish and maintain an Incident Management framework that enables identification, reporting & management of different types of incidents to meet the GE SLAs on Incident Management

GOALS

The purpose of this Practice is to establish and enforce Incident reporting and Incident Response planning (IR Plan) as it relates to computer & non-computer related incidents, incorporating timely detection, reporting, acknowledgement, containment, root cause analysis, and closure within GE SLAs.

100% adherence to GE Incident management SLAs

0 instances of repeat incidents related to non-compliances or governance lapse

Reduction in Critical/High impact incidents due to effectiveness of Risk Management & IR Plans

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the Incident Response plan of GDC Organization to meet the policy and goal of this practice. The specific responsibilities are

OIM 1.0 Establish and maintain Incident Response (IR) plan for different types of incidents

OIM 2.0 Report Incidents to GE and adhere to defined SLAs

As a stakeholder, GE shall be responsible for

OIM 3.0 Report GDC incidents to GE GDC Program Office


OIM 4.0 Investigate incidents raised by GDC on GE and take corrective actions

OPERATING GUIDELINES

OIM 1.0 Establish and maintain Incident Response (IR) plan for different types of incidents

A Material incident may occur due to violation of any of the 38 practice areas across the focus areas or due to failure in meeting customer commitments, and not necessarily only because of security incidents or natural/artificial disasters

Incidents may be reported by GDC for their sites (or) may be raised by GE on GDC

GDC shall maintain IR plans for different categories of incidents. These IR Plans shall be specific to the severity of the incidents

GDC may choose to define the IR plans as a part of the SOP on Incident Management (or) have these as separate documents with clear references in the SOP

Computer Incident Response plans shall be treated separately and designed to incorporate GE GDC projects, services and assets. The plan may be a part of the parent company IR plan, but should have a section specifically for GE GDC

The GE GDC IR Plan must have clear definitions for monitoring, vulnerability management and endpoint hardening as per GE GDC requirements

GDC IR Plan shall support handling of incidents reported by GE

GDC shall clearly identify a Single Point of Contact/Owner for each IR Plan. The owner may be a part of the governance team or be a part of an extended governance support team. The owner shall be aware of their responsibilities under the IR Plans

GDC IR Plans shall be reviewed on a periodic basis to ascertain validity of the plan and to identify potential risks/gaps with the plan. Corrective actions shall be executed on the basis of this assessment

GDC IR Plans must have a clear path on communication and escalation with the GE GDC Program Office and other GE Stakeholders, as the case may be

GDC resources shall be trained on relevant IR Plans


GDC shall encourage all members of the GDC Organization to raise an incident without the fear of retaliation. GDC may have mechanisms for employees to raise incidents anonymously

OIM 2.0 Report Incidents to GE and adhere to GE SLAs

Material Incident occurrences shall be escalated within 2 hours of the occurrence of the incident and other types of incidents should be escalated within 2 days

Material Incidents shall be communicated through phone and/or email and followed up with eGDC Toolset reporting within a week

All computer related incidents reported by GE must be worked within the SLA per the GE Incident Response Plan in the following manner

All other categories of Incidents that are classified as "Critical" / "High" impact shall be contained within 4 hours or as agreed with GE's GDC Program Office. Low/medium impact incidents shall be contained as per the plan agreed with the Program Office

Regular updates shall be sent to all the stakeholders till the operations are back to normal

Root cause analysis and corrective action plans shall be shared before closing the incident as well as updated to the risk register (see Section 3.7 Risk Management)

In case of Critical/High impact incidents, GDC shall obtain approval from GE GDC Program Office on RCA and Corrective actions


GDC shall assess the effectiveness of their risk management and IR processes and provide feedback to process owners on gaps identified

Repeated occurrences of an incident shall be further investigated for potential threats and appropriate treatment executed

GDC shall report non-compliances observed at GE Business level to the Business VMO Leader and GE GDC Program Office through the eGDC Toolset

Minimum Audit Requirements: Evidence of IR Plans in place for all categories of Incidents

Training records on IR Plans to GDC resources

Evidence of Incident reporting as per GE guidelines

Evidence of Incident resolution as per GE guideline/agreement with GE

MSA Linkage: Section 4.25

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Incident Management Module

Online Resources: Not Applicable


3.7 Risk Management (ELEMENTARY)

POLICY

GDC Organization shall have a formal integrated risk management practice in place. Risks associated with the GDC Organization shall be managed and reported to GE GDC Program Office at a minimum on a monthly basis

GOALS

The purpose of this Practice is to establish and maintain an integrated risk management practice that enables the GDC Organization to become more aware of the possible threats, weaknesses or gaps in the operating environment and deal with these in a proactive manner in order to maintain a safe and secure operating environment that consistently delivers high value at optimal costs

0 instances of identified risks materializing as high/medium impact incidents (effectiveness of risk mitigation)

0 instances of communication failure on high risk items to appropriate stakeholder in GE (effectiveness of proactive communication)

0 instances of high/medium impact incidents that have not been identified as risks (effectiveness of risk identification)

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the GDC Organization to meet the policy and goal of this practice. The specific responsibilities are

ORM 1.0 Establish a framework & process for managing risks at GDC Organization level

ORM 2.0 Manage risks

As a key stakeholder, GE shall be responsible for escalating any risks that they may see with the GDC Organization and collaborating with the GDC Organization to mitigate those risks that GDC may escalate to GE. The specific responsibilities are

ORM 3.0 Report risks seen at GDC Organization


ORM 4.0 Collaborate with GDC Organization to mitigate risks that are co-owned by GE

OPERATING GUIDELINES

ORM 1.0 Establish a framework and process for managing risks

GDC Organization's integrated risk management framework shall cover all functions, operations and locations of the GDC Organization

Risk Management shall be an integral part of all practices within the GDC Organization

The framework shall encourage all members of the GDC Organization to raise a risk without the fear of retaliation. GDC may have mechanisms for employees to raise risks anonymously

Accountabilities and responsibilities for risk management shall be established appropriately for different levels of management/leadership at GDC Organization

Risk hierarchy is established and is understood by stakeholders

Performance objectives of key resources and practice owners shall include the risk management objectives (for specific practices that they are accountable/responsible for)

External and Internal risk factors are supported by the framework

External risk factors include (but are not limited to) Geo-Political Environment, Legal, Regulatory, Financial, Technology Advancements, Economic, Competitive Landscape, Natural Calamities, Cultural, Perceived Brand & Values

Internal risk factors include (but are not limited to) Organizational capabilities (human resources, technology areas, organization resources like tools, standards, frameworks), Organizational systems & procedures, Organization Objectives and Strategies, Internal Stakeholders, Organization Structure (roles & responsibilities), Organization culture & values

Organizational context (internal and external) is supported by the framework

External context represents alignment to GE in terms of the Business structure (Super Business, Business and sub-business structure), Location (globalization regions) and divisions (ITO, BPO and Engineering)


Internal context represents alignment to GDC Organization’s internal structuring inclusive of its sites, Business Units, partners, COE’s

The framework shall support a robust process of risk management covering the key activities of Risk Identification, Risk Analysis & Evaluation, Risk Treatment, Risk Monitoring and Review, Communication on Risk information

GDC may choose to use a Risk Council approach as a fundamental element of their Risk Management process. If so chosen, the roles & responsibilities of a Risk Council and the context shall be clearly defined

The framework shall provide visibility on relevant risk information to key internal stakeholders in order to help them perform their responsibilities

The framework shall support communication, reporting & escalation on risk information to appropriate internal and external stakeholders based on pre-defined business rules

GDC shall escalate risks seen at GE Business to Business VMO Leader and GE GDC Program Office through eGDC Toolset

ORM 2.0 Manage risks

GDC Organization shall establish a Risk Management Plan (a live document) that articulates clearly the operational aspects of the integrated risk management based on the framework and process – the plan shall clearly articulate the context, performance objectives, risk criteria, risk management process, tools available, ownership & responsibilities, communication & escalation plans, monitoring and review rhythms

Risk Management process shall be applied in all areas of operations, delivery and management across all functions and services

A GDC Organization-wide Integrated Risk Register shall be maintained

Risks identified from any source (a GDC or GE stakeholder, or 3rd Party Auditors) that relate to continuity of operations in GE GDC engagements shall be recorded in the risk register

Risk Analysis & Evaluation shall be consistent with the framework & process defined

Any decisions to accept a risk (and not treat it/mitigate it) that may have a potential impact on GE shall be discussed and reviewed with GE GDC Program Office and sign-off obtained


Treatment plans shall be put in place for all risks identified above and tracked to closure

Risk Register shall be reviewed on a periodic basis (minimum Quarterly) with GDC Organization Steering committee

Periodic assessment of the risks and effectiveness of treatment plans shall be carried out by the GDC and critical, high risks shall be escalated to GE GDC Program Office

Minimum Audit Requirements: Evidence of Risk Management framework and process being established and in consistent use

Evidence of Integrated Risk Register in practice

Evidence of Critical/High Risk items being shared/published to GE

MSA Linkage: Not Applicable

Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Risk Register

Online Resources: Not Applicable


3.8 Organization Innovation & Technology Deployment (ADVANCED)

POLICY

GDC may choose to deploy validated technology platforms and innovative practices within the GE GDC Operating Environment that deliver high quality, high value solutions in a cost-effective manner and in a safe and secure environment with 0 surprises

GOALS

The purpose of this practice is to encourage selection and deployment of proactive, generative solutions/practices that measurably minimize risks, are cost-effective and deliver increased value to GE Businesses.

Deploy appropriate technology solutions within GDC Operating environment to strengthen performance of practices within GDC Operating Environment

Demonstrate consistent & continuous value-creation through deployment of innovative solutions that are of high quality and deliver increased value to Businesses while reducing risks and costs for the Business

Conceptualize, pilot and deploy at a minimum 1 generative solution (per year) that reduces governance risks and overheads significantly for GDC and GE

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the GDC Organization to support and accelerate use of appropriate technologies and innovative practices in meeting the purpose and goals of this practice. The specific responsibilities are

OIT 1.0 Establish and maintain a process for new technology/innovative practice recommendations

OIT 2.0 Deploy new technology/innovative practice to GDC Operating Environment


As the beneficiary of this practice, GE shall be specifically responsible for validating, verifying and approving any such new technology or innovative practice deployment

OIT 3.0 Verify, Validate and approve recommendation for pilots, deployment of new technology and/or innovative practices

OPERATING GUIDELINES

OIT 1.0 Establish and maintain a process for recommending new technology/innovative practices

GDC shall define a framework that enables new technology and innovation ideas to be proposed, assessed and piloted

The framework shall enable any member of the GDC Organization to participate in or propose potential incremental improvements or innovations to processes/practices/procedures/work products

Innovative improvements are game changers and have a significant impact on the way a process/practice or technology is viewed and deployed, resulting in benefits that are of much higher magnitude. Innovative improvements are generative in nature and may be adaptable across the entire ecosystem of GE and/or its partners

Incremental Improvements or innovation proposals may, at a minimum, focus on one or more of the following

Minimizing risk of Governance

Increasing effectiveness/efficiency of a process/practice

Increasing product/process quality

Increasing reliability of service

Reducing cycle time

Reducing time to deliver

Increasing productivity

Decreasing Total cost of Ownership


Decreased cost/unit

Increased Business Value to GE

Improvements/Innovation proposals shall focus on innovative practices and/or use of technology to achieve one or more of the above benefits

The framework shall at a minimum support the submission of the business context along with an initial assessment of risks and benefits of the proposed incremental improvement or innovation. Where the deployment of this proposal is likely to have a monetary impact, a cost-benefit analysis shall also be included

GDC Organization may choose to define an Innovation Council that is responsible for screening proposals, assessing the merit of these proposals and making recommendations for pilot

GDC Organization shall have minimum qualification criteria to select proposals for detailed assessment and pilots

GDC Organization shall perform detailed assessment of selected proposals. At a minimum, the assessment shall focus on risks & benefits from a short-term (<12 months) and medium-term (12 to 36 months) perspective, change barriers and strategies for overcoming these barriers. The success measures shall be clearly defined

Where the proposed solution may have an impact on GE or is a change to GE’s existing processes/practices/expectations, the proposal shall be submitted to GE along with the detailed assessment report for approvals

Decision for deployment/pilot may be taken by Innovation Council (where GE approvals are required, the GE team shall decide the need for Pilots/Direct deployment)

Where pilots are required to be performed, GDC Organization shall have a formal plan to monitor, track and report progress and results.

Critical parameters to be tracked and reported shall be formally published

Pilot reports shall be formally published to Innovation Council, pilot results evaluated against proposed risks & benefits

GDC Organization Steering Committee shall be a primary stakeholder in deciding on deployments of the pilots

Where GE is involved in proposal approval, GE shall be the final authority in determining the deployment of the proposed solution


GDC Organization shall maintain a repository that enables tracking, analysis and reporting on the above activities

OIT 2.0 Deploy new technology/innovative practices

GDC shall assess the context of the deployment and formulate a specific deployment plan that takes into consideration the context, scope and potential impact of the change.

GDC shall formally communicate and collaborate with stakeholders on deployment to minimize disruptive impact while working towards meeting the goals of the plan

Where the deployment touches end users, GDC shall invest in end user education to minimize impact while increasing awareness

GDC shall manage the deployment by monitoring the risks and impact that may arise during the deployment phase

GDC shall report the progress of the deployment to GDC Organization Steering Committee and to GE GDC Program Office on a regular basis

GDC Organization shall measure the outcome of the deployment for the minimum period defined in the plan and perform assessment of benefits compared to the proposed benefits

Minimum Audit Requirements: Evidence of framework & process for new technology/innovation proposal assessment & deployment

Evidence of assessments being carried out and review, approvals by Innovation Council and GDC Steering Committee

Evidence of GE approval where innovation/new technology/improvement proposal has an impact on GE

Evidence of deployment planning and monitoring

Evidence of communication and status reporting on all new technology/improvement/innovation proposals (to internal stakeholders and to GE)

MSA Linkage: Not Applicable


Related Practices: All practices within the Organization Process Management

eGDC Suite Linkage: Adhoc Approvals

Online Resources: Not Applicable


4.0 Resource Management

Resource Management is a critical process area and is a basic building block of the entire Governance framework. Resources play a vital role in the success of a GDC organization and have a far-reaching impact. While most practices within this process area may be owned by the Human Resource function, the Operations and Governance team have a key role to play in ensuring that the Resource Management practices are defined keeping in view the GE Policies around each of the practice areas, and in designing specific controls and procedures that meet the policies in spirit and letter

The diagram below gives a perspective on the practices within the Resource Management process area and the relationship between the practices


FIGURE 8 RESOURCE MANAGEMENT Practices & Linkages

4.1 Non-Solicitation (ELEMENTARY)

POLICY

GDC shall not recruit resources who have worked for GE in the last 12 months without an explicit approval from GE GDC Program Office. GDC shall also not recruit/allocate other GDC resources that have serviced GE in the last 12 months

GOALS

The purpose of this Practice is to establish and maintain the integrity (Spirit & Letter) of the MSA in the GDC Organization in the context of hiring or allocating resources who may have served on a GE Task Order (or) been a part of GE in the last twelve months

0 incidents associated with recruitment/allocation of other GDC resources or GE resources to GDC

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented within the recruitment and resource allocation processes of GDC Organization to meet the policy and goal of this practice. The specific responsibilities are

NS 1.0 Manage recruitment process across the Organization to minimize risk of hiring resources who had been with GE in the last 12 months (or) hiring resources who may have been a part of GE GDC with other GDCs in the last 12 months

NS 2.0 Manage resource allocation process to GE GDC to minimize risk of allocating resources who had been with GE in the last 12 months (or) other GDC resources who may have been a part of GE GDC in the last 12 months

As a stakeholder of this Practice, GE Businesses are responsible for ensuring that solicitation of GDC resources is not recommended to another GDC nor are GDC resources hired by GE

NS 3.0 GE shall neither hire a GDC resource who may have been a part of GE GDC in the last 12 months nor shall it recommend the hiring of a GDC resource to another GDC

OPERATING GUIDELINES

NS 1.0 Manage recruitment process

Recruiting or attempting to recruit a past employee of GE, who had been with GE in the last 12 months, is not permitted

Exceptions to the above shall be brought to the notice of GE GDC Program Office and recruitment shall proceed only if formally signed off by GE GDC Program Office. GE GDC Program Office shall provide an approval based on discussions with the appropriate GE GDC Business leaders / GE HR manager

Resources (inclusive of sub-contractors) belonging to other GDCs or GE Business specified third parties working on GE Engagements cannot be recruited/contracted by a GDC for GE GDC Engagements for up to twelve months after their disengagement from GE Task Orders


This norm shall apply even if the resource has exited the GDC and is a part of another Organization

In exception cases, where a GDC wishes to recruit the resource ahead of the 12-month norm, a "No Objection" note shall be obtained from the Global Relationship Manager/Global Delivery & Operations Leader by the GDC who wishes to recruit the resource

GDC Organization's Recruitment process shall have adequate controls to identify and prevent or proactively mitigate the risk of hiring a resource from another GDC and thereby impacting GDC Operations

GDC shall maintain evidence of exception approvals and verification for hiring

NS 2.0 Manage resource allocation process

GDC shall ensure that a resource who had served GE in the last 12 months as a part of another GDC Organization or a Business-specified third party organization is not assigned to a GE engagement, for a period of twelve months since their disengagement from GE Task Orders

This norm shall apply even if the resource has exited the GDC and is a part of another Organization

In exception cases, where a GDC wishes to recruit the resource ahead of the 12-month norm, a "No Objection" note shall be obtained from the Global Relationship Manager/Global Delivery & Operations Leader by the GDC who wishes to recruit the resource

GDC shall have well defined practices and procedures to manage exception cases; clear documentation of these exceptions and approvals obtained from GE GDC Program Office or other GDC Organization shall be maintained

Minimum Audit Requirements: Evidence of Non-Solicitation verification in hiring and resource allocation

Evidence of exception approvals for on-boarding resources with GE association (either as an employee of GE or as a resource in one of the GDC or business-specified third party organizations) in the last 12 months

MSA Linkage: Sections 3.13 to 3.15

Related Practices: Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor Management

eGDC Suite Linkage: Adhoc Approvals (for exception hiring of GE resources)

Incident Management – Response to Incidents raised (if any) on hiring from another GDC or GE

Online Resources: Not Applicable


4.2 Background Check (ELEMENTARY)

POLICY

GDC Resources, irrespective of their work location or role, shall be BGC Cleared as per GE Guidelines by a GE Certified BGC Agency before being deployed to GE GDC

GOALS

The purpose of this practice is to establish and maintain integrity of background check performance and clearance status (in spirit and letter) for every GDC resource associated with GE (irrespective of their role)

100% of resources assigned to GE GDC are Background check cleared (as per GE guidelines by GE Certified Background Check agencies) before being on-boarded to GE GDC

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goal of this Practice. The specific responsibilities are

BGC 1.0 Perform background checks as per GE guidelines on BGC

BGC 2.0 Deploy only BGC cleared resources to GE

BGC 3.0 Manage BGC to ensure timely deployment of resources to GE

As a stakeholder of this Practice, GE Businesses are responsible for ensuring that no resources are permitted to work on GE engagements without being BGC cleared

BGC 4.0 Validate BGC Status prior to SSO Id Creation


OPERATING GUIDELINES

BGC 1.0 Perform Background checks as per GE Guidelines on BGC

GE Authorized suppliers shall be used for conducting BGC

In exception cases, BGC may also be carried out by Government Agencies or by the HR Staff of the GDC Organization, based on the practices of the Region/Country

Standard operating procedures specific to a region shall be followed for the background checks performed in that region

Exemptions to checks may apply in certain cases, as per the exemptions document provided in the Online Resources.

For the few states in India or countries that do not permit criminal checks, GDCs shall define a process to handle such cases and adhere to it.

In case of GDC resources being placed at GE Site, additional Business-specific requirements for BGC shall be understood and performed

In case of GDC resource/subcontractor getting allocated to GE engagements after a break in service, GDCs shall perform applicable additional checks as defined in the GE BGC exception handling guidelines (part of GE BGC Exemptions Document)

Well-documented procedures shall be in place to handle exceptions [inclusive of unverifiable data or insufficiencies], whether reported by the BGC agency or arising from a decision taken by GDC Organization. Clear documentation and evidence shall exist and be auditable for every case of exception

BGC 2.0 Deploy only BGC Cleared resources to GE

All GDC resources/subcontractors shall be deployed to GE only after they are BGC cleared

Includes new recruits, internal moves inclusive of re-allocations [as per BGC Exemptions Document], sub-contractors, support staff, management staff and any other resource requiring access to GEGDC area or other GE resources


Includes all roles – examples BRM, Sales & Marketing, IT Security & Compliance, Network & Infrastructure, Delivery, Leadership, PMO, Quality, HR & Finance Support, Physical Security Staff, Facility Maintenance Staff and any others involved in providing services to GEGDC

Includes resources working at GE Site, GDC Site or from any other location

Internal Support Staff of GDC Organization that are not full time members of GEGDC Organization but who provide support services to GEGDC, shall also be cleared on BGC

BGC shall be done before allowing physical or logical access to GDC area or before requesting for SSO Id to GE Sponsor

Well-documented procedures shall be in place to handle exception decisions on deployment of a non-GREEN case (as reported by BGC Agency). Clear documentation and evidence shall exist and be auditable for every case of exception.

BGC 3.0 Manage BGC to ensure timely deployment of resources

GDC Organization shall monitor and manage the SLA with the agency to ensure timely deployment of resources

Insufficiencies and non-GREEN cases shall be verified by GDC Organization and process improvement initiatives shall be undertaken to minimize impact of these cases on timely deployment to GE or on compromises to Quality of checks

Minimum Audit Requirements: Evidence of BGC Clearance report from GE Authorized BGC Agency shall be maintained for every resource (as outlined in BGC 2.0)

Evidence of exception/exemption cases and adherence to Exception Handling guidelines shall be maintained for all exception cases. This shall include Clearance of non-GREEN cases, decisions on insufficiencies, exemption cases and any others outlined in BGC 1.0 and BGC 2.0

MSA Linkage: Sections 3.17, 3.18

Related Practices: SSO Id Governance, GDC On-boarding, GE Site Contractor Management, Sub-Contractor Management

eGDC Suite Linkage: BGC Dashboard

Online Resources: The following additional guidelines are found at GE GDC Knowledge Center

http://supportcentral.ge.com/81973 Policies & Procedures Compliance & Security HR/Staff Related – Additional Guidelines

BGC Guidelines for India, Mexico, China, European Countries, US, Brazil, Japan

Guidelines on BGC Exemptions

GE Certified BGC Agency List


4.3 GDC Resource On-Boarding/Off-Boarding (ELEMENTARY)

POLICY

GDC Organization shall have a formal on-boarding, off-boarding and transfer process to enforce timely implementation of governance procedures related to the on-boarding and off-boarding of a resource

GOALS

The Purpose of this Practice is to enforce compliance to governance practices and procedures when resources are on-boarded to or off-boarded from a project/location/GE GDC

0 defects/incidents in On-boarding of a resource

0 defects/incidents in Off-boarding of a resource

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goals of this practice. The specific responsibilities are

GOO 1.0 Maintain Resource Register

GOO 2.0 Manage On-boarding of GDC Resource

GOO 3.0 Manage Off-boarding of GDC Resource

As a stakeholder of this Practice, GE Businesses are required to be aware of the on-boarding and off-boarding requirements and participate where specific requests are raised

GOO 4.0 Review requests for action and facilitate/perform authorized actions

Page 66: gegdc

P R O G R A M G O V E R N A N C E F R A M E W O R K

GE PROPRIETARY & CONFIDENTIAL RELEASE V1.7 65 of 185

GOO 1.0 Maintain Resource Register

GDC shall ensure that a complete resource register is maintained. The resource register shall at a minimum track: resource personnel information, employment details, GDC Organization on-boarding details, current deployment details, past deployment details (within GE GDC), documents signed by the GDC resource (linked to a specific engagement or practice), VISA details, and details of assets assigned to the resource

Data shall be maintained for existing and off-boarded resources

GDC shall ensure that resource data is available to GE on demand

GDC shall ensure that resource data is retained, with full traceability, for a minimum of 7 years for all resources within the GDC Organization

Data of resources who have been off-boarded from the GDC Organization shall also be retained for a period of 7 years

GDC shall ensure that the data is current and complete in all respects

GOO 2.0 Manage Resource On-Boarding

GDC shall ensure that only BGC cleared resources are on-boarded to GE GDC irrespective of their location of work

GDC shall also ensure that such resources have been cleared from a non-solicitation perspective

GDC shall ensure that resources joining GE GDC read and acknowledge the AUG, SIA and the Commitment to Integrity – Spirit & Letter documents.

GDC shall ensure that resources joining GE GDC are trained and certified on GE Governance practices and on their responsibilities in maintaining a safe and secure environment

GDC shall ensure that resources joining GE GDC are placed at a GE Site only after the above steps are completed

Physical and logical access to the GDC work area at a GDC Site shall be granted to new joiners only after the training and assessment are completed


GDC shall request SSO IDs only after the resource has cleared BGC and signed the AUG and SIA documents. Before the SSO ID is requested, the resource shall also be certified as trained on GE Governance practices and aware of their responsibilities as a GE GDC resource

If the resource is a sub-contractor, GDC shall ensure that appropriate approval is obtained from the GE Business VMO Leader for on-boarding the sub-contractor resource

GDC shall maintain evidence of the resource assessment before requesting approval from GE

Where the resources are being on boarded for sensitive locations, GDC shall ensure that additional documents as required by GE Business (over and above the standard AUG, SIA and Commitment to Integrity documents) are signed

GDC shall ensure that additional training (as appropriate to the engagement) is discussed and provided to resources being allocated to critical/sensitive projects

Where resources are being on-boarded to a GE Site, GDC Organization shall ensure verification and validation of the resource status as given below:

The resource is trained and is aware of the guidelines to be followed for GE Site work

The VISA held for the work is of the appropriate type and does not violate immigration rules

The VISA is valid for the entire duration of the work and, where the VISA expires before the end date of the engagement, this is communicated formally to the GE Manager with plans for mitigating the risk

Where the resource is deployed on a non-PSA engagement, the GE Site duration already completed is validated for the potential risk of exceeding the threshold period (as defined in GE Site Contractor Management). GDC shall not deploy resources whose GE Site duration may fall into a "Watch Period" within 3 to 6 months of being deployed. In other cases, GDC shall proactively communicate the risk and collaborate with the GE Business to mitigate it

Assets provided to GDC Resource shall be in complete compliance with all the practices on the GDC Program.

GDC shall upload the on-boarding information to eGDC Suite within a week of the resource being on-boarded to GE GDC

GOO 3.0 Manage Resource Off-Boarding


Where a GDC resource is being off-boarded from GDC Organization (irrespective of whether the resource is exiting the parent Organization or moving to another part of the parent Organization), the following steps shall be adhered to

Resource shall sign the Assignment of Rights document with details about the projects undertaken and the duration of service provided. The Assignment of Rights document shall be counter-signed by a GDC authorized signatory.

Any data folders being maintained/owned by the resource shall be transferred to appropriate Leadership within GDC Organization

GE data residing in individually owned folders, shared drives, local machines or GE Libraries shall be reviewed and handled appropriately

GDC Organization shall ensure that GE data is not misused (copied or uploaded to online storage tools, or attached to emails)

Any work requests/tickets raised by the resource that may require follow-up shall be assigned to a successor, where applicable, with appropriate approvals from the GE Business owner

GE software and hardware assets (if any) assigned to the resource shall be surrendered

GDC Organization assets assigned to the SSO Id shall be surrendered and desktops/laptops completely wiped (formatted)

SSO Id shall be surrendered

Where a GDC resource is being off-boarded to a different project/role within the GDC Organization, GDC shall adhere to the following

SSO Id shall be surrendered/transferred to appropriate sponsor as the case may be

In exception scenarios where the resource is expected to be assigned to a project with the same sponsor (with the Business being the same), the SSO Id can be retained

Where SSO Id is retained (same or different sponsor), GDC Organization shall collaborate with GE Managers to ensure that all access associated with the SSO Id for applications/sites related to project being off-boarded are removed

Any data maintained/owned by the resource that pertains to the project from which the resource is off-boarded shall be transferred to appropriate Leadership within the GDC Organization, and all such folders/libraries shall be deleted


GE data residing in individually owned folders, shared drives, local machines or GE Libraries shall be reviewed and handled appropriately

GDC Organization shall ensure that GE data is not misused (copied or uploaded to online storage tools, or attached to emails)

Any work requests/tickets raised by the resource (and associated with the project being exited) that may require follow-up shall be assigned to successor, where applicable, and with appropriate approvals from GE Business owner

GE Software and Hardware Assets (if any) assigned to resource shall be surrendered

GDC Organization assets assigned to resource shall be surrendered and desktops/laptops completely formatted

If the resource being off-boarded is a critical resource, project-specific BC/DR Plans shall be updated to reflect the change (where projects are not closed/terminated)

Physical and logical access shall be removed for the resource according to the nature of off boarding. This shall take into account Server room access, Restricted area access and GDC Site access

If the resource is being off-boarded from GE Site, GDC Organization shall collaborate with GE Business to ensure that the above are performed in a timely manner

GDC Organization shall validate the resource off-boarding as planned/unplanned and update the resource register accordingly

Minimum Audit Requirements Evidence of BGC Clearance being obtained prior to On-boarding

Evidence of AUG and SIA documents and training/assessment records signed prior to physical/logical access

Evidence of SSO Id request, Physical/Logical access being assigned after on-boarding

MSA Linkage Not Applicable

Related Practices Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor Management, Assets Governance, Project/Engagement Termination/Closure, GE Knowledge Management, GE Site Contractor Management

eGDC Suite Linkage Contingent Worker Data*

Online Resources The following template can be found at the GE GDC Knowledge Center

http://supportcentral.ge.com/81973 Policies & Procedures > Compliance & Security > HR/Staff Related – Additional Guidelines

Resource Register Template


4.4 SSO Id GOVERNANCE (ELEMENTARY)

POLICY

Every resource associated with GE GDC shall have a valid SSO Id that is current and applicable to the role and engagement of the individual. Accesses associated with the SSO Id shall be relevant to the role and the engagements of the individual

The purpose of this Practice is to ensure that appropriate controls are established for the governance and proper use of SSO IDs issued to GDC resources, in alignment with the Policy above.

GOALS

100% of SSO Ids for GDC are current and have the right sponsorship and access

0 instances of GDC resources without an SSO ID

0 instances of shared SSO Ids

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are

SIG 1.0 Manage SSO Id Creation

SIG 2.0 Monitor and manage SSO Id USE

As a stakeholder of this Practice, GE Businesses are responsible for SSO Id creation, assigning appropriate access and deleting Ids when they are no longer required

SIG 3.0 Validate BGC status and existence of an SSO Id for the GDC resource prior to creation

SIG 4.0 Manage access and SSO Id end date

OPERATING GUIDELINES

SIG 1.0 Manage SSO Id Creation

Every resource of the GDC Organization shall have a valid SSO Id

GDC shall request SSO IDs only after the resource is BGC cleared and the AUG and SIA are signed. Evidence of each such request shall be maintained by GDC

GDC shall ensure that the resource does not already have an SSO Id

Requests for creation of SSO Ids shall explicitly identify the GDC Organization name, BGC clearance status, the role of the individual in the GDC Organization, the address of the location at which the resource will be based, and the resource's contact details

GDC resources shall only have a GE email ID mapped to their SSO ID. No direct or indirect mapping of a non-GE email ID is permitted

Where there are business-specific guidelines to be followed in requesting SSO Id creation, GDC’s shall ensure that such guidelines are clearly documented and followed

Evidence shared with GE for SSO Id creation shall be maintained as part of the SSO Id inventory

SSO Id sponsor shall be relevant to current engagement for the resource

Sponsorship for shared resources within GDC’s Leadership team, PMO, Compliance & Governance and support functions like Quality, HR, Finance, IS, Network Management and the like, shall be provided by the GE GDC Program Office

In exception scenarios, where shared resources are leveraged for project delivery across multiple businesses, GDC shall communicate clearly the shared status to all the businesses concerned and ensure that approvals are obtained from the businesses concerned, for

Enabling additional access (pertaining to the new businesses) to an existing SSO Id

Issue of an additional SSO Id for the same resource

GDC shall ensure that such exceptions are tracked for proper USE, and that the SSO Ids and accesses are surrendered when no longer required

GDC shall report to GDC Program Office on a monthly basis all such exception cases


SIG 2.0 Monitor and manage SSO id USE

An inventory of all SSO Ids assigned to GDC resources, inclusive of support and project personnel, shall be maintained by the GDC for up to one year after surrender of the Id. Beyond the 1-year period, the details of SSO Ids no longer in USE shall be kept in archive for a period of 7 years.

The inventory shall include: SSO Id, Email, Sponsor SSO Id, Location, Worker Type, Person Type, Project Assignment, Role Description, Status, Date of Creation, Date of Last Renewal and Surrender Date

GDC shall ensure that SSO id Sponsorship is current and validated to ensure the resources assigned are under the current project sponsorship

In case of project transfers within the same Business, GDC shall ensure transfer of sponsorship and surrender of access to applications and information that are not relevant to the current project.

It is recommended that SSO Id’s are surrendered and new SSO ID created for transfers within the same business.

In case of movement across Businesses, GDCs shall surrender the SSO Id before requesting a new SSO Id. GDCs shall follow up with the sponsor to ensure deletion of the Id

Assets linked to the SSO ID (e.g. VPN tokens, software licenses) shall be surrendered immediately when the ID is deleted or sponsorship is changed to another business

Requests for revoking access / deleting Ids shall be raised within a maximum of 1 business day of the resource moving out of the engagement. The GDC shall follow up to ensure the SSO ID is deleted within a maximum of 5 business days of the resource moving out.

In exception cases, where the SSO Id has to be retained for an extended period, explicit communication and approval from the sponsor is required. Retention of access to applications / restricted sites that are no longer supported by the resource or not relevant to current engagements would be seen as a violation of SSO Id USE


Extension/renewal of an SSO Id shall be explicitly requested based on project need, and evidence of the request shall be maintained

SSO Ids shall not be shared between resources (irrespective of the reason or duration of the share). Where such group SSO Ids exist, GDCs shall escalate them to the Business VMO and the GE GDC Program Office for resolution

GDC shall reconcile their SSO ID inventory with GE on a weekly basis, to ensure inventory is accurate and correct. GDC shall take measures to correct any discrepancies found in reconciliation.

GDC shall have well defined practices and procedures to manage exception cases; clear documentation of these exceptions and approvals obtained from GE GDC Program Office shall be maintained

Minimum Audit Requirements Evidence of SSO Id Creation requests to Business shall be maintained

Evidence of transfer, deletion requests to businesses shall be maintained

Evidence of approvals for exception cases (multiple SSO Ids for an individual, extension of SSO Id use after off-boarding from an engagement, and other such exception scenarios) shall be maintained

Evidence of weekly reconciliation of the SSO ID inventory with GE.

SSO Id inventory and archives shall be auditable

MSA Linkage Not Applicable

Related Practices Background Check Management, GDC On-boarding/Off-boarding, Sub-Contractor Management, Assets Governance, Project/Engagement Termination/Closure

eGDC Suite Linkage Contingent Worker Data *

Exception Reporting on SSO Id*

Online Resources The following additional guidelines can be found at the GE GDC Knowledge Center

http://supportcentral.ge.com/81973 Policies & Procedures > Compliance & Security > HR/Staff Related – Additional Guidelines


GE GDC Program Office Sponsorship Guidelines for SSO Id’s

Business-specific submissions for SSO id Creation


4.5 Sub-contractor Management (ELEMENTARY)

POLICY

USE of sub-contractors in GE GDC shall be by exception only and shall not exceed a threshold of 1% of FTE. Sub-contracting shall not be permitted as a rule

The purpose of this Practice is to ensure that GDC use of sub-contractors or sub-contracting (in services to GE), even when carried out on an exception basis, is managed, controlled and monitored to minimize risks to GE and GDC

GOALS

Minimize use of sub-contractors to < 1% of GDC FTE on GE services

Proactive management of the risks associated with sub-contractor USE/sub-contracting so as to minimize or neutralize them

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are

SCM1.0 Manage Contractual Agreement with Sub-Contractor/Sub-Contracting Organization

SCM2.0 Manage Sub-Contractor USE

SCM3.0 Manage Sub-Contracting

As a stakeholder of this Practice, GE Businesses are responsible for ensuring that any request for USE of a sub-contractor/sub-contracting is verified and validated against a business need, and that the risks to GE/GDC are understood, before approving any such USE. The specific responsibilities of GE are

SCM4.0 Approve every instance of USE of a sub-contractor/sub-contracting by reviewing the business need, the risk assessment and the measures taken to minimize risks in compliance with GE stated requirements

SCM5.0 Support periodic risk assessment and mitigation

OPERATING GUIDELINES

SCM1.0 Manage Contractual Agreement with Sub-Contractor/Sub-Contracting Organization

Sub-Contract companies shall be selected based on formal due diligence/assessments that are conducted as per the established process of the GDC Organization

GDC Organization shall have contractual agreements in place with Sub-Contractor companies

Contracts shall incorporate sub-contract company’s responsibilities with respect to protecting GDC Organization and its Clients’ information and assets

Contracts shall also incorporate appropriate clauses that enable GDC Organization to audit Sub-Contract company for compliance to the Contractual requirements

Periodic assessments/re-evaluation (defined based on the criticality of the services offered by the Sub-Contract company) of Sub-Contract companies shall be undertaken as per the established process of the GDC Organization. Such assessments include work performance, competency and capability assessment and organization performance

SCM2.0 Manage Sub-Contractor USE

Sub-contractors (for use on GE GDC services) shall be selected from Companies that have a formal contractual relationship with the GDC Organization

Every instance of use of sub-contractors by GDC towards service to GE shall be approved by the appropriate GE Leaders prior to on-boarding of the individual sub-contractor resource to GE GDC; the request for approval shall indicate the business case for use of sub-contractors along with a risk assessment (if any)

GE Business VMO Leaders shall be the approving authority for sub-contractor use on GE Business engagements

GE GDC Program Office shall be responsible for approving all other cases of sub-contractor use


GDC shall obtain explicit approval from the appropriate GE Leaders for every instance of extension of use (beyond the originally approved period)

Change of project/location of use shall warrant a fresh approval to be obtained

Sub-contractors shall comply with all the compliance and security requirements applicable to GDC employees, irrespective of their location of work

Placement of sub-contractors at GE Site shall be in compliance with the requirements on GE Site Contractor Resource Management

Sub-contractor USE on GE GDC shall not exceed 1% of GDC FTE, unless otherwise explicitly approved by GE GDC Program Office

GDCs shall practise strategic forecasting of sub-contractor use (inclusive of sub-contractor use at third-party locations). As part of such forecasting, GDCs shall set their thresholds and define the use scenarios. If the GDC-defined threshold exceeds the default 1% limit, GDC shall proactively seek approval from the GE GDC Program Office by submitting a formal business case and risk assessment.

GDC shall monitor and manage their sub-contractor use within their default/pre-approved thresholds

SCM 3.0 Manage Sub-Contracting

GDC shall ensure that resources working out of any sub-contracting sites (be it sub-contractor resources or GDC employees) adhere to all the compliance and security requirements, as per the GDC MSA with GE; use of such resources shall be monitored and managed as per the guidelines above

Use of third-party locations for delivering services to GE shall not be permitted as a rule. Exceptions to this rule shall be submitted to the GE GDC Program Office for approval

One-off USE for specific project scenarios shall be approved by GE Business VMO Leader & GE GDC Program Office based on a business case and risk assessment

Strategic Use of third party locations for servicing GE shall be forecasted by GDC using business case, risk assessment and approval obtained from GE GDC Program Office. Depending on the nature of USE, the site may require to be certified for USE as per the GE GDC Site Optimization process guidelines

Every instance of such use of third party locations shall be explicitly specified in response to proposals (even if location is certified)


Minimum Audit Requirements Evidence of first-time selection and periodic performance assessment of the agency and of individual sub-contractor resources

Contracts with Sub-contractor agencies and sub-contracting companies are auditable

GE GDC Resource database is auditable

Evidence of adherence to sub-contractor on-boarding & USE requirements

Evidence of adherence to sub-contracting (to third-party locations) requirements shall be maintained; this includes audit evidence of sub-contracting sites

MSA Linkage Sections 5.1 to 5.4

Related Practices SSO Id Governance, GDC On-boarding, GE Site Contractor Management, Background Check, Work Visa Management, Non-Solicitation, Working for Competitors, Site Management

eGDC Suite Linkage Sub-contractor Management module

Online Resources Not Applicable


4.6 GE Site Contractor Management (ELEMENTARY)

POLICY

GDC resources on a non-PSA engagement shall not remain deployed at a GE Site or across GE Sites for more than twelve months in total (without a cool-off period of a minimum of 6 months)

The purpose of this Practice is to ensure that GDC deployment of resources at GE Sites is done in a controlled manner, keeping in perspective the compliance risks and the business needs.

GOALS

0 instances of GDC resources (employees/sub-contractors) remaining deployed at one or more GE Sites for more than twelve months in total (without a cool-off period of a minimum of 6 months) under engagements other than PSA

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are

GCM1.0 Collaborate with Business to manage Project Classification

GCM2.0 Manage Deployment & USE of GE Site Contractor resources

GCM3.0 Collaborate with Business to mitigate GE Site Contractor risks

As a co-owner of this Practice, GE Businesses are responsible for ensuring that the risks of continued use of a contractor resource at GE Sites are understood and mitigated. The specific responsibilities of GE are

GCM4.0 Ensure projects are clearly classified as being PSA or non-PSA

GCM5.0 Support periodic risk assessment and mitigation

OPERATING GUIDELINES

GCM1.0 Collaborate with Business to manage Project Classification

Every engagement shall be clearly classified as being a PSA or non-PSA.

GDC shall have an established process to distinguish a PSA from a non-PSA engagement

Where the classification has not been explicitly defined by the Business as a part of the SOW or PO, the GDC shall assess the engagement based on their established process and obtain formal approval from the Business VMO Leader for the classification

GCM 2.0 Manage Deployment & USE of GE Site Contractor resources

A GDC resource (inclusive of sub-contractors) shall be deployed at a GE Site on non-PSA engagements for a maximum period of 12 months of "Total Duration"

"Total Duration" is the cumulative period spent by the GDC resource at one or more GE Sites on non-PSA engagements with one or more Businesses (irrespective of country or manager)

"Total Duration" for a GDC resource increases with every deployment period (however small) on a non-PSA engagement at a GE Site

"Total Duration" is reset to 0 when a resource has had a continuous break of at least 6 months away from a GE Site (either through movement to a GDC Site or away from GE GDC)

GDC’s shall track allocation of all resources to GE Sites, irrespective of their allocation to a PSA or non-PSA engagement

GDC shall ensure that resources deployed to GE Site (irrespective of whether they work on PSA or non-PSA) are aware of the guidelines associated with working from a Customer Location and the organizational responsibility associated with working at a Customer Location

GDC Organization shall continue to maintain managerial control over the resources and sub-contractors it deploys at any GE Site


GDC Organization shall continue to be responsible for the resource’s awareness on the Governance requirements and compliance to the same

For every instance of a GDC resource being deployed to a GE Site, the GDC shall assess the nature of project (PSA/non-PSA) and for every non-PSA deployment assess potential risk, plan mitigation and communicate the same to GE in a proactive manner

In cases where transitions are required, GDC Resource Managers shall plan in advance for such transition of resources/sub-contractors and shall collaborate with Business stakeholders to effect the transition in a smooth manner

GCM3.0 Collaborate with Business to mitigate GE Site Contractor risks

GDCs shall implement proactive planning and monitoring mechanisms to identify potential risks

GDCs shall proactively collaborate with Business VMO Leaders to communicate and mitigate/minimize the risk of overstays on a non-PSA engagement, or of practices that increase risk on a non-PSA engagement or on a PSA engagement operating in a non-PSA mode

All such risks shall be proactively and formally communicated to Business VMO Leaders

Extensions up to a maximum "Total Duration" of 18 months may be permitted in exception cases on approval from the Global CIO/Global VMO Leader for the Business

Any exceptions that may require a Business to continue with the resource or a practice even with the inherent risks, shall be approved by the Global CIO/Global VMO Leader

Minimum Audit Requirements Evidence of contracts with PSA/non-PSA classification (or) Business-approved GDC assessment of the classification

Evidence of the classification process being followed consistently

Evidence of assessment of "Total Duration" and risks on a continuous basis, and of proactive communication of risks and mitigation plans to GE Businesses

Evidence of transitions being implemented in collaboration with Businesses

Evidence of adherence to sub-contractor on-boarding & USE requirements


MSA Linkage Sections 3.12, 5.1

Related Practices SSO Id Governance, GDC On-boarding, Sub-Contractor Management, Background Check, Work Visa Management, Non-Solicitation, Working for Competitors

eGDC Suite Linkage eMeasure – Project reporting as PSA/non-PSA

GE Site Contractor Management module

Online Resources The following additional guidelines can be found at the GE GDC Knowledge Center

http://supportcentral.ge.com/81973 Policies & Procedures > Compliance & Security > HR/Staff Related – Additional Guidelines

Non-PSA Guidelines


4.7 Work VISA Management (ELEMENTARY)

POLICY

The right type of work VISA, in accordance with the nature of the work, shall be obtained and managed for GDC resources/sub-contractors servicing GE in a foreign country.

The purpose of this Practice is to ensure that GDCs adhere to the work VISA requirements of the foreign country and maintain VISA regulatory compliance in servicing GE in that country, irrespective of the role of the GDC resources/sub-contractors.

GOALS

0 instances of violation of the work VISA requirements of a foreign country by GDC resources (employees/sub-contractors) servicing GE in that country.

0 instances of GDC resources (employees/sub-contractors) using a Business VISA or any other non-work VISA for purposes of work towards servicing GE.

0 instances of GDC resources (employees/sub-contractors) staying in the foreign country beyond the expiry date of the VISA.

0 instances of impact on project delivery due to VISA expiry

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are

WVM 1.0 Maintain integrity in obtaining correct VISA type

WVM 2.0 Manage work VISA processing, renewal & expiry process

As a co-owner of this Practice, GE Businesses are responsible for ensuring that the risks of violation of work VISA regulations are understood. The specific responsibilities of GE are

WVM 3.0 Ensure a clear scope of work is provided to GDC for VISA processing

WVM 4.0 Ensure any change in scope of work is communicated to GDC immediately

OPERATING GUIDELINES

WVM 1.0 Maintain integrity in obtaining correct VISA type

For every instance of GDC resources (employees/sub-contractors) being deployed in a foreign country for GE work, the GDC shall assess the nature of the work and obtain the appropriate work VISA as required by the VISA regulations of that country

A Business VISA shall not be used for any billable work towards servicing GE, unless otherwise explicitly communicated by the GDC Program Office. Business VISAs shall be used only for the purpose of business meetings

For GDC resources (employees/sub-contractors) already deployed on a work VISA, in the event that the scope of work changes, the GDC Organization shall validate the VISA requirements accordingly and take the necessary steps

GE sponsorship for VISA processing shall not be sought. However, invitation letters may be issued on request, only for port of entry, once the travel itinerary is finalized

GDC shall not share the GDC MSA/Business SOW with consulates or other third parties for VISA processing purposes. Where additional documentation is required by GDC for this purpose, GDC shall request it from the GE GDC Program Office through an approval process.

WVM 2.0 Manage work VISA processing, renewal & expiry process

GDC shall track VISA type & validity status of all GDC Resources (employees/sub-contractors) deployed in a foreign country for GE work

No GDC Resource (employee/sub-contractor) is permitted to stay beyond expiry date of VISA

Procuring of relevant work VISA for GDC Resources (employees/sub-contractors) shall be done in advance to avoid delays in deployment

In the event of a foreseen VISA expiry, GDC Resource Managers shall plan in advance for the transition of the deployed GDC Resources (employees/sub-contractors). This plan shall be shared with the GE Business with adequate notice in case the resource needs to move out before the completion of the engagement.


GDC shall proactively collaborate with Business VMO Leaders to communicate and mitigate/minimize risk of any work VISA requirement violations

All such risks shall be proactively and formally communicated to Business VMO Leaders

Minimum Audit Requirements: Evidence of VISA expiry monitoring and proactive communication to GE Managers

MSA Linkage: Sections 3.2, 5.12

Related Practices: GE Site Contractor Management, GDC On-Boarding/Off-Boarding

eGDC Suite Linkage: Contingent Worker Data*, Risk Register

Online Resources: Not Applicable


4.8 Resource Retention Management (ELEMENTARY)

GDC shall maintain retention of GDC Organization resources at the GE GDC level at a minimum 85% while ensuring 0 misses on delivery/quality of deliverables due to resource transitions/movements

The purpose of this practice is to establish and maintain appropriate processes and controls in the GDC Organization to minimize the risk and impact on GE engagements of planned or unplanned attrition of GDC resources.

Minimum 85% retention of GE GDC resources at the GE GDC level

0 instances of impact at a Project / Engagement level

100% adherence of retention targets at the project level and business level

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

RRN 1.0 Monitor and manage retention levels at Project, Business & GE GDC level

As a stakeholder of this practice, a GE Business is responsible for setting expectations (if any) on project-specific retention requirements and collaborating with GDC Organization to execute on transitions

RRN 2.0 Define Project/Engagement specific Retention Levels (in case of critical engagements)

RRN 3.0 Collaborate with GDC Organization to execute on transition plans



RRN 1.0 Monitor and manage retention levels

GDC shall monitor and track retention at resource level for all resources on GE Engagements to ensure that no service/delivery to GE is impacted due to attrition

Resource Register shall maintain retention status for every resource

GDC shall manage attrition to minimize risk of impact to service / delivery / quality

The scope of reporting to GE shall cover T&M engagements and critical resources on Fixed Bid engagements.

For the purpose of reporting to GE, Retention shall be calculated as

Retention (%) = (1 - Unplanned Attrition / Total Workers in scope) * 100

where:

Planned movement of resources (irrespective of exits/internal movements) shall be communicated proactively to GE Managers, and acknowledgement of the transition and the date of release obtained.

Exits and internal movements within the GDC Organization, or to the parent organization, that are not communicated to GE/acknowledged by the GE Manager shall be treated as Unplanned Attrition.

Deviations in planned movements that impact a GE Engagement shall be treated as Unplanned Attrition, unless otherwise approved by the GE Manager as Planned Attrition.

GDC shall ensure that the Retention is calculated at GDC Program Level using the above formula

GDC shall ensure that the retention at GDC program level is maintained at a minimum of 85% (as calculated using the above formula)

In the event of a particular Statement of Work explicitly specifying a retention percentage, the same shall be met at that project level

In the event of business specified retention percentage as a part of a MTO or an equivalent document, the same shall be met at a business level


Minimum Audit Requirements: Evidence of retention status tracking in the Resource Register; evidence of acknowledgement from the GE Manager on Planned Attritions; evidence of approval from the GE Manager on Deviations in Planned Attritions

MSA Linkage: Sections 2.4, 3.10

Related Practices: GDC On-Boarding/Off-Boarding, Engagement Termination/Closure Management, Business Continuity Management

eGDC Suite Linkage: Contingent Worker Data*, Retention Reporting*

Online Resources: Not Applicable


5.0 Physical Security & Safety

Physical Security & Safety is an important aspect of secure GDC operations; it is considered the first line of defense and a non-negotiable process area of the governance program. There are many aspects and elements to implementing and maintaining physical security and safety. This section outlines the minimum physical security and safety needs of a GDC.

FIGURE 9 Physical Security & Safety Practices and Linkages


5.1 Environment, Health & Safety (ELEMENTARY)

GDC facilities used for servicing GE shall adhere to requirements that ensure Employee Health and Safety (EHS). GDC facilities that do not conform to EHS requirements shall not be permitted to continue operations

The purpose of this Practice is to enforce compliance to the local infrastructure norms/regulations and GE stated Employee Health and Safety (EHS) requirements

100% adherence to GE stated minimum Employee Health and Safety (EHS) requirements for all GDC facilities. Where the Local Infrastructure norm/regulation is superior to the GE Standard, the local standard shall apply

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

EHS 1.0 Establish and maintain compliance with EHS requirements for all GDC facilities (new/existing)

EHS 2.0 Local infrastructure norms/regulations are periodically reviewed by the GDC C&S leader to ensure conformance

As a stakeholder, GE shall be responsible for reporting any potential risks or deviations to EHS at GDC Site, observed or heard

EHS 3.0 Report Risk/Incident, in case of any observations/information of non-compliance


EHS 1.0 Establish & maintain compliance for all GDC facilities

GDC facilities shall adhere to whichever is the more stringent of the local infrastructure norms/regulations and the GE stated minimum standards for facilities.

GDC shall ensure that the flooring at the site is evenly laid out.

Where there are variations in floor level, GDC shall ensure that the floor is marked appropriately so that the level variation is visible even in the dark.

GDC shall ensure that workstations are designed such that the work area available to every resource is at a minimum 6 feet by 5 feet (common areas shall not be included in the calculation of this space).

GDC shall ensure that pathways (main and secondary) and stairways (main and emergency) are at least 5 feet in width.

GDC shall ensure that no obstructive objects/artifacts are placed in pathways or staircases, so that the safety of GDC resources at the site is maintained.

GDC shall ensure that all electrical fittings, false ceilings and other equipment or devices are fitted securely.

GDC shall ensure that walls, doors, filing cabinets and other units at the GDC Site do not have sharp corners or surfaces that could injure a resource.

GDC shall ensure that staircases (main and emergency) are neither steep nor slippery, to prevent injuries during evacuation.

GDC shall ensure that staircase (main and emergency) landing areas have even flooring, are clearly marked and are anti-skid.

GDC shall ensure that staircase (main and emergency) railings are tested for safety and stability.

GDC shall ensure that staircases (main and emergency) are brightly lit.

GDC shall ensure that electrical wiring is secured and that there is no loose wiring in place.


GDC shall ensure the installation of an appropriate number of smoke detectors and water sprinklers across the GDC site.

GDC shall ensure that adequate fire extinguishers are placed on each floor to ensure easy accessibility and reach (at a minimum one per 2,500 square feet of occupied area).

GDC shall have signage that clearly indicates the presence of each fire extinguisher.

GDC shall ensure that these are placed in an area that is easily accessible.

GDC shall ensure that fire extinguishers are not placed in locations that may cause injury to resources during evacuation.

GDC shall maintain a safe assembly area (sized in proportion to the number of personnel) at a distance of approximately 100 meters from the main building. Any variation in the distance of the safe area shall be determined by the local standards, adjusted for the height of the building.

GDC shall ensure that any fuel storage area is adequately distant from the main building.

GDC shall ensure that the vehicle parking area is designated such that access of/to fire engines and other emergency equipment is not obstructed.

GDC shall ensure that exit signs are visible from all employee seats, corridors and aisles in the facility. The exit signs shall be fluorescent and self-luminescent for a minimum period of 4 to 6 hours.

Server rooms at GDC Sites shall be protected by smoke detection systems and gas flooding systems. All ceiling, floor and wall openings shall be closed.

GDC shall ensure floor leveling, surface smoothness, safety of filing cabinets, safety of electrical wiring, and fastening of electrical fittings, equipment and devices, to ensure the safety of resources operating in the server room.

Where GDC owns/operates a facility, GDC shall adhere to local regulations on Air Quality, Waste disposal and Water treatment

GDC Organization shall orient/train their resources on Environment, Health and safety standards. It is mandatory for all resources in GDC Organization to be trained in Safety standards

GDC Organization shall have the fire/emergency drill at least once every rolling three months


GDC Organization shall have a framework / process in place for their resources to raise concerns / suggestions on Health & Safety standards at the site

GDC organization shall plan preventive maintenance and periodic spot checks of safety standards and take immediate corrective measures where gaps are seen

Where changes to local norms/regulations exceed the GE stated minimum standards, GDC shall take immediate, appropriate steps to meet these requirements after seeking approval from the GE GDC Program Office.

Minimum Audit Requirements: Evidence of adherence to EHS norms in GDC sites; evidence of safety training for all GDC resources; evidence of preventive maintenance and spot checks being conducted at sites; evidence of safety risk assessment being performed and actions being taken

MSA Linkage: Section 5.13

Related Practices: Physical Security, GDC Site Management

eGDC Suite Linkage: GDC Site Management, Adhoc Approvals

Online Resources: Not Applicable


5.2 Physical Security (ELEMENTARY)

Any third-party area with access to the GE network, or from which work for GE is executed/delivered, shall be restricted to GDC personnel authorized for access.

The Purpose of this Practice is to ensure that appropriate controls are established and practiced in GDC sites to safeguard GE/GDC information and assets that may be accessible from GDC Sites.

100% adherence to Physical Security norms

0 incidents of GE data access by unauthorized personnel at GDC sites

0 incidents associated with physical security

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the policy and goals of this practice. The specific responsibilities are:

PS 1.0 Manage GDC Resource security

PS 2.0 Manage access control & Security at GDC facility

PS 3.0 Manage visitor security

PS 4.0 Manage computer room security

PS 5.0 Manage Security of Restricted Areas

As a stakeholder, GE is responsible for bringing to notice any risks/non-compliances in physical security at GDC Sites

PS 6.0 Report risks and incidents associated with physical security practice at GDC Site


PS 1.0 Manage GDC Resource security

Badges shall be worn by all GDC resources and required personnel unless local laws or regulations do not permit

Badges shall clearly identify GE GDC resources from other resources

Badges shall also differentiate GDC employees from their sub-contractors

Access to GE GDC area shall be restricted to BGC cleared and AUG, SIA acknowledged GDC personnel

GDC shall have a formal process to identify and avoid any data/asset to be taken out of the GDC area.

Access termination procedure shall be in place. Employment termination / Exit from GEGDC or change in GDC location shall result in access termination (immediate for administrator access)

GDC shall have a formal process for handling of access to resources on leave from site for more than 21 days.

PS 2.0 Manage Access control & Security at GDC facility

Electronic access control shall protect entry and exit to GDC area

Software-based access control systems shall be secured, have proper backups and be highly available

Identification Badge Systems shall generate a log of each entry. All door openings shall generate a log entry

Every time the identification badge reader is used, it shall log date, time, room location, badge number and employee Id

More sophisticated access control mechanisms may be deployed by GDC in consultation with GE GDC Program Office

Entry and exit logging shall be done for all entry and exit points at GDC Site


Logs shall be maintained for at least one year in archive with past 30 days easily accessible

All Entry points shall be staffed 24x7 and entry point security cameras shall be installed and be monitored by the central security desk with recordings retained for at least one month, accessible online/digitally, and be in archive for up to one year.

Any Exit point that does not have an alarm door shall have security cameras installed and be monitored by the central security desk with recordings retained at least one-month, accessible online/digitally, and be in archive for up to one year

Any restricted area within the GDC Site shall have security cameras installed and be monitored by the central security desk with recordings retained at least one-month, accessible online/digitally, and be in archive for up to one year

At every entry point of every GE GDC location, a notice shall be displayed informing GDC resources and visitors, that the site is under electronic surveillance

Tailgating is prohibited and shall be communicated as a violation of policy. A notice communicating this shall be displayed at all entry and exit points.

GDC shall deploy tailgating prevention systems at the sites.

Guidelines for assets that can be carried into the GE GDC area shall be displayed at the entry point to GE GDC. The list of prohibited assets shall be displayed at all entry points.

GDC shall have a formal mechanism for identifying assets authorized for use in the GE GDC area, and this shall be verified (asset verification and use-authorization verification) at entry on a regular basis.

GDC shall ensure a formal verification mechanism at entry points and workstations to detect the use of unauthorized assets.

Secure printing (using access code) shall be implemented in all print stations within the GE GDC Site

GDC shall monitor and maintain logs of all prints taken within the GE GDC Site. Such logs shall be maintained for a period of 12 months

Clear desk and Clear screen policy shall be followed at all times


GE confidential and restricted documents shall be locked when not in use and destroyed with a shredder when not needed

GDC shall not permit photography within the GDC Site

GDC shall undertake periodic checks and preventive maintenance to ensure that security gaps are identified and corrective actions taken

PS 3.0 Manage visitor security

Approvals for any external visits shall be obtained from GE’s GDC Program Office and visit report filed with GE’s GDC Program Office

Visitors (internal or external) to GE GDC Site shall be escorted by authorized GDC resources only.

If continued access (beyond 1 week) to GDC site is required for internal visitors, BGC shall be done and access permission shall be time bound

If continued access (beyond 1 week) to GDC Site is required for GE Employees who are co-located with GDC and require physical access, GE Business VMO Leader approval and HR acknowledgement that BGC is cleared, shall be obtained

GDC shall have a formal process to identify Visitors with long term access and short term access

GDC shall have a formal process to identify and avoid any physical or electronic device/data to be taken out of the GDC area

GDC shall have a formal Visitor badging process – Visitor logbooks shall be maintained which includes clear description of the visitor name, Organization, purpose, person to meet, date of visit, arrival and leaving time, assets carried, details of GDC escort and signatures of visitor and escort

GDC may choose to implement Visitor Identity access card systems

Log of Visitors shall be maintained for audit purpose for a minimum period of 12 months

PS 4.0 Manage computer room security

Computer rooms shall be isolated. GEGDC computer rooms shall not be shared with the parent organization's server rooms.


In case project specific servers are maintained in GEGDC computer room, GDCs are expected to implement additional controls and training for those personnel requiring access to these servers to maintain the compliance levels

Computer room doors shall be secured to prevent access into the room unless otherwise authorized by the GDC Security Leader.

Computer room access shall require two-factor authentication, which can include Badge/PIN, Biometric/PIN or Biometric/Badge. A physical key is not a form of authentication.

Each computer room door shall have signs on both sides indicating it is to be closed and locked with a contact to notify if it is found unsecured. Server rooms shall have solid walls on all sides with no glass window panes /doors

Server room shall have only 1 door with the signage RESTRICTED ACCESS TO AUTHORIZED USERS only

Server room door shall have automatic closing mechanism with timing adjusted to close immediately. GDC shall ensure installation & configuration of alarm to alert Users if Server room door is open for more than 20 seconds

Server room shall be fitted with adequate cameras (2 at a minimum) for surveillance purpose, to ensure that there are no blind spots. These shall be monitored by the central security desk with recordings retained at least one-month, accessible online/digitally, and be in archive for up to one year

GDC shall ensure that server room racks shall be locked with unique keys

GDC shall ensure that fire proof safe is available in server room to store backups and other important media/information

GDC shall ensure that only named people (limited people) are provided access to the server room and access log is maintained for all entry / exits. The logs shall be available for a minimum period of 12 months

In case GE Data Servers (even if used for test purpose) are maintained in GEGDC computer room, additional access controls shall be implemented at the server room and such servers shall be maintained on separate racks with exclusive access controls.

In case the Server room supports Data Servers pertaining to Export Control work or GE IP work, such servers shall be maintained in separate racks with access restricted to named people who are authorized for such access


Anyone having badge access to a computer room shall not give or loan their badge to another to gain access to a computer room.

The air conditioning system supplying server rooms shall have dust filtration systems in place and should provide alarm notification if the air quality degrades / contamination increases.

Server room temperature shall be controlled and set to a level within the manufacturer’s suggested operating temperatures. It is suggested that temperature be controlled in the region of 20 - 22°C with a +/-1°C tolerance for alarm notification.

Server room humidity shall be controlled and set to a level within the manufacturer’s suggested operating levels. It is suggested humidity be controlled in the region of 50% RH (Relative Humidity) with a +/- 5% RH tolerance limit for alarm notification.

Temperature and humidity sensors shall be monitored in the 24 x 7 manned centralized security control room

GDC shall have a formal process for the approval and revocation of access to the server room. The process shall, at a minimum, capture for every authorized user the badge holder’s name, badge number, computer room location, reason for access, validity period (start date and end date), the authorizer's details and the actual termination date.

Badge access must only be given to individuals who require long-term access (those who are responsible for continuous administration or maintenance of the equipment located in the room).

Visitors’ access and temporary access (For Ex: Housekeeping staff) to the server room need to be approved by the GDC Security Leader in advance and the access should be an escorted one.

Logs of access to computer room shall be maintained for a minimum period of 1 year
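The badge-reader log fields required above (date, time, room location, badge number, employee ID), the 20-second door-open alarm for the server room, and the rule that a badge is never loaned can all be checked from the access-control logs themselves. The following Python is an added example, not part of this framework or of any GE or GDC system; the CSV format and the sample events are constructed, and it assumes that the door contact (DOOR_OPEN/DOOR_CLOSE) and the exit reader (BADGE_OUT) report to the same controller as the entry reader.

```python
"""Checks over badge-reader and door-contact logs.

Added example, not part of the governance framework or of any GE/GDC
system. The CSV format and the events in SAMPLE_LOG are constructed;
the fields follow the practice's requirement that each badge read log
date, time, room location, badge number and employee ID. DOOR_OPEN and
DOOR_CLOSE are assumed to come from the door contact on the same
controller, and BADGE_OUT from an exit reader.
"""
from datetime import datetime, timedelta

DOOR_OPEN_LIMIT = timedelta(seconds=20)  # alarm threshold stated in the practice

# Constructed sample log: date,time,room,event,badge,employee
SAMPLE_LOG = """\
2023-03-01,09:00:02,SERVER_ROOM_A,BADGE_IN,B1001,E4521
2023-03-01,09:00:03,SERVER_ROOM_A,DOOR_OPEN,-,-
2023-03-01,09:00:09,SERVER_ROOM_A,DOOR_CLOSE,-,-
2023-03-01,09:41:10,SERVER_ROOM_A,BADGE_OUT,B1001,E4521
2023-03-01,09:41:11,SERVER_ROOM_A,DOOR_OPEN,-,-
2023-03-01,09:41:45,SERVER_ROOM_A,DOOR_CLOSE,-,-
2023-03-01,10:15:00,SERVER_ROOM_A,BADGE_IN,B1002,E7788
2023-03-01,10:15:01,SERVER_ROOM_A,DOOR_OPEN,-,-
2023-03-01,10:15:05,SERVER_ROOM_A,DOOR_CLOSE,-,-
2023-03-01,10:20:30,RESTRICTED_B,BADGE_IN,B1002,E7788
"""


def parse_log(text):
    """Parse CSV lines into dicts sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        date, time, room, event, badge, employee = line.split(",")
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append({"ts": ts, "room": room, "event": event,
                       "badge": badge, "employee": employee})
    return sorted(events, key=lambda e: e["ts"])


def door_held_open(events, limit=DOOR_OPEN_LIMIT):
    """Return (room, opened_at, seconds) for every door open longer than
    `limit`. A door still open at the end of the log is reported with
    seconds=None so it is not silently dropped."""
    open_since = {}
    findings = []
    for e in events:
        if e["event"] == "DOOR_OPEN":
            open_since[e["room"]] = e["ts"]
        elif e["event"] == "DOOR_CLOSE" and e["room"] in open_since:
            opened = open_since.pop(e["room"])
            held = e["ts"] - opened
            if held > limit:
                findings.append((e["room"], opened, int(held.total_seconds())))
    for room, opened in open_since.items():
        findings.append((room, opened, None))
    return findings


def anti_passback(events):
    """Flag a badge presented for entry while the log still shows it inside
    another (or the same) room with no BADGE_OUT: either the holder left
    by tailgating or the badge was loaned to someone else."""
    inside = {}  # badge -> room the badge is currently recorded inside
    findings = []
    for e in events:
        if e["event"] == "BADGE_IN":
            if e["badge"] in inside:
                findings.append((e["badge"], e["employee"],
                                 inside[e["badge"]], e["room"], e["ts"]))
            inside[e["badge"]] = e["room"]
        elif e["event"] == "BADGE_OUT":
            inside.pop(e["badge"], None)
    return findings


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for room, opened, secs in door_held_open(evts):
        print(f"DOOR HELD OPEN: {room} from {opened} for {secs}s")
    for badge, emp, was_in, now_at, ts in anti_passback(evts):
        print(f"ANTI-PASSBACK: {badge} ({emp}) still inside {was_in}, "
              f"presented at {now_at} at {ts}")
```

On the constructed sample the second door cycle (34 seconds) exceeds the 20-second limit, and badge B1002 is presented at RESTRICTED_B while still recorded inside SERVER_ROOM_A. Both checks need only the fields the practice already requires, so they can be run nightly against the one-year log archive rather than waiting for an audit.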

PS 5.0 Manage Physical Security at special restricted sites

GDC may have special restricted sites for export control work or Engineering IP work or otherwise as identified with the program office. In such cases, GDC shall ensure additional level of Physical security as per guidelines below


Each Restricted area within GDC Site shall be separated with access control mechanisms. Two-factor authentication shall be implemented for access to restricted areas

Restricted areas shall have only one entry/exit door and one emergency exit door with the signage RESTRICTED ACCESS TO AUTHORIZED USERS only. Emergency Exit Doors shall not be used for regular entry/exits

Emergency Exit door shall be fitted with alarm system to alert when the door is opened

The entry/exit door to restricted area shall have automatic closing mechanism with timing adjusted to close immediately. GDC shall ensure installation & configuration of alarm to alert Users if this door is open for more than 20 seconds

Restricted area shall be fitted with adequate cameras (2 at a minimum) for surveillance purpose, to ensure that there are no blind spots

Entry/Exit door and Emergency Exit door shall have security cameras fitted and these shall be monitored by the central security desk with recordings retained at least one-month, accessible online/digitally, and be in archive for up to one year

GDC shall ensure that only named people (limited people) with authorization (from GE) to access the restricted areas are provided access to the restricted area and access log is maintained for all entry / exits. The logs shall be available for a minimum period of 12 months

GDC shall have a formal process for approving access to restricted sites

Internal/External Visitors (inclusive of GE Visitors) to restricted sites shall not be permitted unless otherwise authorized by GE GDC Program Office

GDC shall prohibit any physical or electronic device/data to be taken in or out of the special restricted area (by employees or visitors) unless approved by the GE GDC Program office. Logs of all assets permitted to be carried in or out will have to be maintained for a minimum period of 12 months.

Minimum Audit Requirements: Evidence of GE approval on physical security reviews; evidence of visitor logging, CCTV logs, access logs and print logs; evidence of adherence to access assignment for the server room and restricted areas


MSA Linkage: Sections 1, 4.8

Related Practices: EHS, Data Security

eGDC Suite Linkage: GDC Site Management, Adhoc Approvals

Online Resources: The following additional guidelines are available at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures > Compliance & Security > Physical Security > Additional Guidelines: New Site Approval Process Guidelines; Guidelines for Restricted Site; EHS Guidelines


6.0 Delivery Management

Delivery Management is one of the basic focus areas of the Program Governance Maturity Model and comprises 3 Practices – Secure Software Delivery, Software/Service Quality Management, and Process & Productivity Management.

GDC shall follow industry standards like ITIL, Six Sigma, ISO 27001, to name a few, for Software/Service Quality Management (MATURE) and Process & Productivity Management (MATURE) for executing GE engagements.

6.1 Secure Software Delivery (ELEMENTARY)

GDC shall deliver all software developed or maintained by GE GDC ("Applications") free of any known Critical, High and Medium Application Security Vulnerabilities, as detailed in the GE Guidelines.

GE has the right to have the code reviewed for security flaws anytime during the engagement. GDC shall provide necessary support to the review team by providing source code and access to test environments. Security reviews shall cover all aspects of the Applications delivered, including custom code, components, products, and system configuration

The purpose of this Practice is to establish the secure software development lifecycle practices used by GDC and to ensure vulnerability-free code development.

0 Critical/high/medium vulnerabilities in code delivered to GE

100% engagements involving software development/enhancement/change adhering to GE Secure Software development / delivery requirements covered in this practice.


As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

SSD 1.0 Use Secure Software development lifecycle practices in software development projects

SSD 2.0 Secure Software delivery

SSD 3.0 Track & report Secure software delivery metrics

As the recipient of the deliverables from the GDC, GE is responsible for ensuring that the teams receiving those deliverables are aware of the Secure Software Delivery practices and enforce them in GE GDC.

SSD 4.0 Establish Ownership and performance targets on secure software delivery

SSD 1.0 Use Secure Software development lifecycle practices in software development projects

Application Security controls apply to all GE GDC engagements (Development/Enhancement/RTS/Support).

For RTS or Support the evaluation will not be at a release level but will be required periodically (at a minimum bi-annually or as indicated by business) unless the release is more than 40 person hours.

GDC Organization’s Standard Operating Procedure should comply at a minimum with GE Secure SDLC guidelines for integration of Application Security checks with the SDLC process or equivalent. Any deviation or exception from GE Secure SDLC guidelines for any project(s) shall be reviewed and agreed upon with GE Application Security Leader.

Development (inclusive of enhancements) shall at least be done in accordance with the GE Best Practices for Secure Coding and all developers shall have awareness of this practice. Any deviations to the GE specified Secure Coding practices shall be disclosed to GE Application Security Leader and signed off prior to implementation

Quantitative feedback on common vulnerabilities found along with prevention and remediation measures shall be shared with developers


Each GDC shall have a lead representative and active participant on the GDC AppSec Working Group led by the GE GDC Application Security Leader. Participation and representation on bi-weekly meetings is required.

Developers shall be trained on Application Security practices and web developers should have access to and be encouraged to complete the available Computer Based Training (CBT1 & CBT2) and Guidance materials at the Secure Software COE site. The completion of trainings shall be tracked by the GDC

GDC shall at a minimum follow GE Secure Architecture & Deployment Guidelines in design and provide documentation to GE that clearly explains the design for achieving each of the security requirements.

GDC Organization’s internal Application Security team shall be responsible at a minimum for ensuring adherence to GE Secure Coding practices on all deliverables to GE. This team shall be responsible for finding and remediation of security vulnerabilities in addition to training developers in the use of the available Guidance, Education and Tools to drive defect prevention.

GDC shall at a minimum promote the use of available GE tools such as GE Secure COR and GEEAS in all web application projects and track their usage.

GDC shall ensure that all applications are on-boarded as per the SSD v2 guidelines.

SSD 2.0 Secure Software Delivery

GDC shall execute application security testing against the security requirements and secure coding guidelines, and shall fix all High and Critical vulnerabilities found in the code before releasing the code to GE.

GDC shall track the final internal application security assessment results and share them with the GE application team at the time of releasing the code to GE.

When requested by GE, GDC shall disclose the tools used in the software development environment to encourage secure coding.

Security issues uncovered after application release will be reported to the GDC. The GDC shall remediate and retest all identified High and Critical vulnerabilities for any application it owns (as per the GDC Application Ownership process) or develops. All Medium, Low or Informational security issues discovered after delivery shall be handled in the same manner as other bugs and issues, as specified in the SOW. Any exceptions to the above should be fully documented by the GDC upon delivery of the application(s).


GDC shall appropriately protect information regarding security issues and associated documentation, to help limit the likelihood that vulnerabilities in operational software are exposed.

GDC shall follow the GDC Vulnerability Remediation Ownership process whenever a project or application is transitioned from another vendor or GDC.

SSD 3.0 Track and Report Secure Software Delivery Metrics

GDCs shall report the following:

% of GE applications that had a security assessment performed by an internal application security team prior to delivery to GE, reported monthly

Internal security assessment results for all initial and subsequent releases

Root cause corrective actions for all High/Critical vulnerabilities found by the GE AppSec COE

% of developers trained in secure coding practices, reported quarterly

Quarterly report on vendor adherence to the requirements outlined in the Application Security Framework

GDC shall track all security issues uncovered during the application lifecycle within its engagement scope, whether they are requirements, design, implementation, testing, deployment or operational issues. The risk associated with each security issue should be evaluated and documented, the issue fixed, and the result reported to GE as soon as possible after discovery.

Common vulnerabilities for all platforms the GDC works with should be documented, kept current and posted in a shared repository.

Minimum Audit Requirements: Evidence of security reviews and testing on all deliveries to GE

Evidence of exception approvals from the GE Business Security Leader where code is released to GE with Critical/High vulnerabilities

MSA Linkage: Section 4.10

Related Practices: Quality Management


eGDC Suite Linkage: Application Ownership Process

Online Resources: Application Security guidelines at http://sc.ge.com/@SSCOE


7.0 Network & Systems Security

GDCs are connected to the GE internal network in the same manner as any GE office, so it is critical that GDC networks and systems are secure and do not pose any threat to the GE network and data. GDCs should adhere to the GE Third Party Information Security Policy, follow the guidelines set out in this section, and have appropriate controls and rigor in place to mitigate any risk to the GE network and data.

FIGURE 10 Network & Systems Security Practices and Linkages


7.1 Vulnerability Management (ELEMENTARY)

POLICY

All GDC systems shall at a minimum be patched with all GE trackable patches and any other patches relevant to the environment. All GDC systems shall have the GE standard client firewall and antivirus deployed to prevent threats. GDC shall proactively find and fix any vulnerability in all GDC systems and networks.

The purpose of this Practice is to enforce controls that protect systems and networks from threats through deployment of Sophos antivirus and client firewall and proactive vulnerability scanning using Qualys.

GOALS

0 Critical/High/Medium security vulnerabilities in networks and systems across all GDC sites

100% of systems patched within 7 days of a GE trackable patch release

100% coverage of vulnerability scanning across all GDC subnets

100% of GDC servers and workstations running antivirus with the latest policies and signatures

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

VM 1.0 Track & implement GE trackable patches on all GDC systems

VM 2.0 Manage Qualys network scanning and vulnerability remediation

VM 3.0 Manage Sophos deployment on all GDC systems and mitigate threats

As a co-owner of this Practice, GE Businesses are responsible for providing patching notifications, Qualys access and Sophos to the GDC. The specific responsibilities of GE are:

VM 4.0 Ensure patch releases by the GE Security Council are communicated to GDC

VM 5.0 Ensure Qualys console access is provided to GDC

VM 6.0 Ensure the Sophos license and software are provided to GDC

OPERATING GUIDELINES

VM 1.0 Track & implement GE trackable patches on all GDC systems

GDC shall be on the GE Security Council patch release notification list.

GDC machines shall at a minimum be patched with all GE trackable patches.

All GE trackable patches shall be applied on all machines in less than 7 days.

Patches shall be tested on test systems before being applied in production.

Where a critical patch conflicts with an application, the conflict shall be discussed with the business/corporate security leaders and approvals obtained. The GE GDC Program Security Leader shall be notified of all such approvals and any exceptions.

An emergency patching process shall be defined and documented.

GDC shall maintain its own security bulletin and a process to identify and remediate new vulnerabilities and threats related to the software and hardware in its environment.

VM 2.0 Manage Qualys network scanning and vulnerability remediation

GDC shall use the GE provided Qualys tool to run vulnerability scans.

GDC shall configure Qualys with account(s) having the privileges needed to run successful authenticated scans of all GDC systems.

Each GDC shall maintain its subnet inventory and communicate updates to the GE GDC Program Security Leader through monthly reporting.

All networks, including partner locations, shall be scanned every week (or as agreed with the GE GDC Program Security Leader) and missing patches shall be applied.


Any vulnerability with no patch or remediation available will require a machine rebuild; any exceptions shall be approved by the GE GDC Program Security Leader.

It is the responsibility of the GE GDC to close all vulnerability-related incidents in a timely manner. This should take no more than 2 business days unless the RCA and action plan state the reason for a longer period and GE approves it.

The GDC Security Leader shall monitor the Qualys dashboard at http://securitymetrics.ge.com weekly to measure the health of the patching process.

GDC shall review and remediate newly discovered security vulnerabilities using a repeatable process.

VM 3.0 Manage Sophos deployment on all GDC systems and mitigate threats

GDC shall install the GE provided Sophos antivirus on all servers and workstations (desktops and laptops). The Sophos client firewall shall be installed on all workstations. The latest version recommended by GE shall be used.

GDC shall ensure that all Sophos clients are able to communicate with the centralized Sophos server and have signature, policy and engine updates no more than 1 week old.

GDC resources shall not have privileges to disable, stop the services of, or uninstall the Sophos antivirus or client firewall on their systems.

GDC shall review and implement all policy changes, updates and upgrades as required by GE.

The Sophos console, together with the Sophos defect report at http://securitymetrics.ge.com, shall be reviewed daily, and infected assets shall be investigated and closed within 48 hours.

GDC shall maintain access to the Sophos CMV console. Only appropriate personnel shall have access; GDC is responsible for maintaining the personnel list and requesting access creation and removal through the correct processes.

Machines infected with any form of malicious code (virus, trojan, worm, logic bomb or other malware), or missing a critical patch, shall be removed from the network immediately and shall be cleaned or patched before being reconnected.


GDC shall review and remediate newly discovered security vulnerabilities using a repeatable process, with appropriate tracking to detect potential threats and policy violations.

Minimum Audit Requirements: Sophos CMV console access is maintained and kept up to date with the currently identified GE GDC security personnel

Management review of defects and opportunities against the goals of the Vulnerability Management practice

Records shall be maintained for weekly network scans and patching cycle time

Evidence of approval in case of critical patch conflict, and of adherence to the agreed resolution plan, shall be maintained

Evidence of 100% coverage of GDC systems in Qualys

Evidence of vulnerability fixes as reported through Sophos and Qualys

MSA Linkage: Section 4.25

Related Practices: Software Governance, Secure Software Delivery, Systems Management, Supplier Connectivity

eGDC Suite Linkage: Not Applicable

Online Resources: Sophos Community - http://supportcentral.ge.com/products/sup_products.asp?prod_id=37974

Qualys Community - http://supportcentral.ge.com/products/sup_products.asp?prod_id=89136


7.2 Systems Management (ELEMENTARY)

POLICY

GDC shall secure all endpoints (desktops, laptops, workstations, servers and mobile computing devices) and access accounts, and shall implement data leakage prevention controls to protect GE data.

The purpose of this Practice is to establish and enforce controls that secure endpoints, access accounts and GE/GDC assets against any threat to GE data.

GOALS

0 incidents of violations of systems management requirements

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

SM 1.0 Secure GE GDC endpoints

SM 2.0 Implement secure account & password management practices

SM 3.0 Implement secure servers and operating systems practices

SM 4.0 Implement secure server administration practices

As a co-owner of this Practice, GE Businesses are responsible for identifying endpoint security controls and obtaining Business Security Leader approval before allowing GDC machines in GE domains. The specific responsibilities of GE are:

SM 5.0 Ensure the necessary endpoint security controls and Business Security Leader approvals are in place before approving any machine located at a GDC site in a GE domain


OPERATING GUIDELINES

SM 1.0 Secure GE GDC endpoints

All GE GDC endpoints shall meet GE requirements for antivirus, personal firewall, vulnerability patching and network access control. This includes the health, reporting and signature updates of the required client as mandated by GE.

Where the GE Business Security Leader has granted an exception to have a GDC system in a GE domain, GDC shall take appropriate action to ensure that such systems meet the above requirements.

USB ports, DVD burners and any other removable media ports shall be disabled. Where the GE GDC Program Office has granted an exception, removable storage media shall be encrypted.

Laptop disks shall be encrypted using the GE recommended version of Safeboot.

Backup tapes shall be encrypted.

Laptop computers and other portable computing devices shall primarily be used for access, not storage.

GE data should not be stored on GDC systems.

GDC shall have preventive and detective controls against data leakage from GDC/GE systems assigned to GDC resources irrespective of location (excluding GE sites), specifically laptops and any other portable computing devices that can be taken out of the GDC facility.

No personal devices shall be used to execute GE engagements from any location.

A procedure for dealing with stolen laptops, workstations or any other computing or storage device used to execute a GE engagement shall be defined.

On shared systems, GDC shall ensure the data confidentiality and privacy of each user assigned to the system from the other users assigned to it.

SM 2.0 Implement secure account & password management practices

Password-protected screen savers shall activate after a maximum 15-minute timeout on all systems with a monitor.


Automated account lockout shall be enabled after a minimum of 3 and a maximum of 7 failed attempts, with authentication failures and successes logged and reviewed for security violations.

Accounts shall have an expiration date and shall be reviewed periodically.

Logical access controls shall be in place to identify each user.

Sharing of user IDs and passwords is prohibited.

VPN hard tokens and soft tokens shall not be shared. A hard token may be re-allocated to another individual when a resource is released from a project/program, unless the Business explicitly requires the token to be surrendered. GDCs shall maintain central traceability and records of all VPN token allocations and re-allocations.

The GE GDC password policy shall be at a minimum as strong as the GE password policy.

Initial passwords shall be forced to change at first logon.

GDC shall ensure that users are given the minimum access privileges required by their job. Non-administrative users shall not have access to administrative system software or utilities. Privileged or administrative accounts shall only be given to the persons responsible for managing systems, databases and applications, and shall be tracked centrally by GDC.

Local administrator access and rights shall be disabled. Exceptions shall be time-bound and approved by the GDC Security Leader.

GE domain administrator access shall not be given to offshore resources. Exceptions shall be time-bound and approved by the GE GDC or Business Security Leader.

SM 3.0 Secure servers and operating systems

The following minimum requirements for server and operating system lockdown shall be expanded upon based on industry best practices:

Only the minimum necessary set of applications and services shall be installed.

Source code of server-side executables and scripts shall not be viewable by external users.

Packet filters (such as a host-based firewall and TCP wrappers) shall be installed to restrict connections to the necessary hosts on the necessary services, and shall log incoming requests. Users shall not be able to modify the configuration of the filters.


Time shall be synchronized to a trusted time service.

Services that require different access shall use different account IDs.

SNMP shall not be accessible from the Internet; disabling SNMP entirely is recommended.

A legal notice warning of the penalties for unauthorized access shall be displayed where applicable.

The password database shall be encrypted.

SM 4.0 Follow secure server administration practices

The minimum requirements for server administration lockdown, based on industry best practices, are:

If GDC has the capability to remotely administer servers (GE or GDC), the remote connection shall take place over an encrypted tunnel and shall require two-factor authentication.

All administrator accounts shall have IP address restrictions or two-factor authentication, or be limited to console login.

All administrative traffic shall be encrypted. The encryption level shall be defined based on the needs of the application.

All default accounts shall be renamed or removed and all default passwords changed.

Access to devices involved in the provision of services shall be granted only on a need-to-have basis. Server administration permissions are typically granted to a limited number of individuals within an organization.

More than one person shall approve the granting of new administrator account access, and the addition and removal of account access shall be auditable.

Shared administrative accounts shall not be used. Instead, use individual accounts with an auditable method of escalating privileges for administration (for example, PowerBroker or sudo) where possible. Admin passwords may also be checked out for a period of time and then reset.

System and service account passwords used by automated and batch processes shall only be granted restricted access. The account shall be single purpose and non-interactive, used only from controlled sources such as a fixed source IP (which serves as a second login factor). If the account requires more access, the GE Sponsor shall be made fully aware of their account responsibilities, with the account description field annotating the contact.

Success and failure of all user account logins, system logins (desktops, laptops and servers) and administrative requests must be logged.

General server event logs, utilization logs, and application events and errors must be periodically verified to be functioning, so that they are available for a forensic investigation.

GDC must maintain records of all hardware problems, operating system crashes and system re-formatting.

Authentication failures and successes must be reviewed (at least weekly) for security violations.

Unless otherwise required by law, GDC must retain server logs for no less than 180 days from origination.
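One way to carry out the weekly review that SM 2.0 (lockout after 3 to 7 failed attempts, failures and successes logged) and SM 4.0 (individual admin accounts with sudo, weekly review of authentication events) call for. This is an added example and not part of the GE framework or any GE tool: it parses OpenSSH syslog lines (constructed here, not real logs) and flags three violations of the requirements above, an account that takes more than 7 failures in a window without being locked out, a successful login right after a burst of failures on the same account, and a direct root login instead of an individual account with privilege escalation. The 15-minute window, the host and account names, and the log year are assumptions; the 3 to 7 attempt bounds and the no-shared-admin rule are the page's own.

```python
"""Weekly authentication log review against the SM 2.0 / SM 4.0 requirements.

Added example, not part of the GE framework. Log lines are constructed in
OpenSSH syslog format; the 15-minute window and the review year are assumptions,
the 3..7 attempt bounds and the weekly review are the page's own.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

MIN_LOCKOUT_ATTEMPTS = 3          # SM 2.0: lockout must fire after at least 3 ...
MAX_LOCKOUT_ATTEMPTS = 7          # ... and at most 7 failed attempts
WINDOW = timedelta(minutes=15)    # assumed counting window of the lockout policy

# OpenSSH "Accepted"/"Failed" lines as written to syslog (no year in the timestamp).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return {ts, ok, user, ip} for an sshd auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())           # collapse the padded day in "Mar  3"
    ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def review_auth_log(lines, window=WINDOW):
    """Return findings as (finding, account, source_ip, time) tuples in time order."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    recent_failures = defaultdict(list)         # account -> failure times inside the window
    findings = []
    for e in events:
        acct, ip = e["user"], e["ip"]
        fails = [t for t in recent_failures[acct] if e["ts"] - t <= window]
        if not e["ok"]:
            fails.append(e["ts"])
            # An 8th failure inside the window means no lockout fired: SM 2.0 is not enforced.
            if len(fails) == MAX_LOCKOUT_ATTEMPTS + 1:
                findings.append(("LOCKOUT_NOT_ENFORCED", acct, ip, e["ts"]))
        else:
            # A success after a burst of failures on the same account is the
            # guessed-password pattern the weekly review exists to catch.
            if len(fails) >= MIN_LOCKOUT_ATTEMPTS:
                findings.append(("SUCCESS_AFTER_FAILURE_BURST", acct, ip, e["ts"]))
            # SM 4.0: administer through individual accounts plus sudo/PowerBroker,
            # so a direct root login means a shared administrative account is in use.
            if acct == "root":
                findings.append(("DIRECT_ROOT_LOGIN", acct, ip, e["ts"]))
            fails = []                          # a successful login resets the counter
        recent_failures[acct] = fails
    return findings


# Constructed sample log (not real data): one stray failure, a burst that should have
# locked "build", a short burst followed by success for "jdoe", a direct root login,
# a normal admin login, and a non-auth line the parser must skip.
SAMPLE_LOG = [
    "Mar  3 10:15:01 gdc-srv01 sshd[2311]: Failed password for invalid user admin from 10.20.30.40 port 51022 ssh2",
] + [
    f"Mar  3 10:15:{s:02d} gdc-srv01 sshd[2318]: Failed password for build from 10.20.30.41 port 51030 ssh2"
    for s in range(2, 10)                       # 8 failures in 8 seconds
] + [
    "Mar  3 10:40:10 gdc-srv01 sshd[2402]: Failed password for jdoe from 192.0.2.77 port 40001 ssh2",
    "Mar  3 10:40:14 gdc-srv01 sshd[2402]: Failed password for jdoe from 192.0.2.77 port 40001 ssh2",
    "Mar  3 10:40:19 gdc-srv01 sshd[2402]: Failed password for jdoe from 192.0.2.77 port 40001 ssh2",
    "Mar  3 10:40:25 gdc-srv01 sshd[2402]: Accepted password for jdoe from 192.0.2.77 port 40001 ssh2",
    "Mar  3 11:02:00 gdc-srv01 sshd[2510]: Accepted publickey for root from 10.20.30.5 port 33012 ssh2",
    "Mar  3 11:05:00 gdc-srv01 sshd[2533]: Accepted publickey for opsadmin from 10.20.30.5 port 33020 ssh2",
    "Mar  3 11:05:01 gdc-srv01 sshd[2533]: pam_unix(sshd:session): session opened for user opsadmin by (uid=0)",
]

if __name__ == "__main__":
    for finding, acct, ip, ts in review_auth_log(SAMPLE_LOG):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {finding:28s} account={acct} source={ip}")
```

Run as a script it prints the three findings for the sample. In practice the input is the retained sshd log (auth.log or journalctl output), and the printed findings are kept with the weekly review records that the audit requirements below ask for; Windows hosts need the same logic over Security event IDs 4624 (logon success) and 4625 (logon failure).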

Minimum Audit Requirements: Evidence of approval and monitoring of local admin access

Evidence of 100% machine coverage for endpoint security

Evidence of implementation of secure account and password management practices

Evidence of server and operating system security and secure server administration practices being followed across all GDC sites

Evidence of endpoint security for GDC machines in the GE domain, along with exception approval from the GE Security Leader

MSA Linkage: Section 4.25

Related Practices: Business Continuity Management, GDC Site Management, Asset Governance, SSO ID Governance, GDC Resource On-boarding/Off-boarding

eGDC Suite Linkage: Adhoc Approvals, Systems on GE Domain*, Local Admin Rights Reporting*

Online Resources: Not Applicable


7.3 Supplier Connectivity (ELEMENTARY)

POLICY

GDC shall have trusted third party connectivity to GE, i.e. a physically and logically isolated segment of the GDC connected to the GE network in compliance with the GE Trusted Third Party Security Policy. GDC shall ensure that there are no risks to the GE network.

The purpose of this Practice is to enforce compliance with GE's trusted third party connectivity requirements.

GOALS

100% of GDC sites in compliance with GE trusted third party connectivity requirements

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

SC 1.0 Ensure every GDC resource signs the AUG (Acceptable Use Guidelines) before being granted physical access to the GE GDC area

SC 2.0 Implement and maintain compliance with logical network connectivity requirements

SC 3.0 Implement and maintain compliance with proxy requirements

SC 4.0 Implement and maintain compliance with secure email system requirements

SC 5.0 Monitor and respond to any intrusions and unexpected network and system behavior

OPERATING GUIDELINES


SC 1.0 Ensure every GDC resource signs the AUG (Acceptable Use Guidelines) before being granted physical access to the GE GDC area

The AUG shall be signed by every individual GDC resource (including subcontractors) before physical access to the GE GDC area or logical access to the GE network is granted.

Annual re-acknowledgment shall be completed by every individual GDC resource (including subcontractors).

SC 2.0 Implement and maintain compliance with logical network connectivity requirements

No logical network connectivity shall exist between any GE Extension Segment and networks other than GE's.

All current and new interconnections between the GDC network and any non-GE network, including the Internet, parent and other companies, shall be managed by GE and shall meet all GE standards and requirements.

VPN gateways and remote user gateways, including two-factor authentication for dial-up and VPN, shall be managed by GE only. Third-party-managed gateways, including the GDC parent organization's VPN, are not allowed.

Inbound modems shall not be connected to the GDC network.

Outbound modems should only be implemented on an exception basis approved by the GE GDC Program Security Leader and tracked under the Asset Governance guidelines.

Inbound gateways (hosting) shall subscribe to an existing GE shared service for gateway access.

Outbound gateways (Internet access) shall be either through the GE shared service for gateway access or, if using the GDC parent's gateway access, through a GE GIS managed firewall and proxy.

GDCs shall not use wireless LAN (GE network or GDC parent network) in GDC areas.

Connections and LAN: a separate Layer-2 switch infrastructure shall be used for IP, but shared ISP connectivity may be used for site-to-site VPN transport.

GDC shall not permit or use FTP, peer-to-peer networking, Bluetooth or any other file transfer mechanism between systems or networks.

GDC shall not permit work from unauthorized remote locations to service GE.


Physical access to network devices (routers, hubs, switches, etc.) shall be protected so that only named network administrators have access. GDC shall not extend the GE network outside the certified GDC area without approval from the GDC Program Office or without following the appropriate GE process.

GDC shall track all changes in the logical environment.

GDC shall have a process to track the expiry of time-bound connection approvals and shall work with GE to revoke or extend any expired connections on time.

Any special restricted site for export control work shall comply with the GE Export Control guidelines. Any special IP work restricted site shall comply with the applicable business policies and guidelines.

SC 3.0 Implement and maintain compliance with proxy requirements

A GIS-managed proxy shall be used for Internet access.

Proxy servers shall comply with the GE Outbound Proxy Standard and recommended build.

The ability to change proxy settings should be disabled for all GDC resources. Exceptions should be time-bound, approved and monitored by the GDC Security Leader.

GDC shall not use any GE business proxy or proxy script (PAC file) for individuals or sites without approval from the GE GDC Program Office.

Periodic audits shall be conducted and reviewed quarterly for resources for whom proxy changes are not disabled.

From non-GDC locations, GDC laptop users shall not be able to browse any Internet sites before signing in to the GE VPN.

GDC shall restrict access to Internet-based email sites and data storage/sharing sites to prevent data leakage.

SC 4.0 Implement and maintain compliance with secure email system requirements

Email between GDC and GE shall not transit public networks (such as the Internet) in unencrypted form. TLS shall be enabled for email communication.

Auto-forwarding from GE email accounts to non-GE email accounts is not permitted.

GE GDC Extension Segment email servers should at a minimum filter the GE standard list of attachment extensions.


SC 5.0 Monitor and respond to any intrusions and unexpected network and system behavior

GDC shall have an Intrusion Prevention System (GE standard device) for monitoring and preventing inappropriate activity on the networks/sites identified by the GE GDC Program Office. IPS devices shall be managed by GE and shall have signature updates no more than 1 week old.

Systems and servers shall be monitored.

Automated tools shall be used to filter logs, identify security incidents and provide automated alerts.

Intrusion detection coverage shall be in place on non-GE network entry points and mission-critical servers.

High alerts in IDS/IPS logs shall be monitored and responded to on a 24x7 basis.

Minimum Audit Requirements: Records of IDS/IPS log review and of the action taken on every high alert shall be maintained

Evidence of approval and monitoring of proxy change rights

Records and evidence of GE GDC Program Security Leader approval for any change implemented in the GDC site network

MSA Linkage: Section 4.25

Related Practices: GDC Site Management, Business Continuity Management

eGDC Suite Linkage: Site Proxy Data, Client Proxy*, New Site Approvals

Online Resources: GE Export Control Guidelines - http://libraries.ge.com/download?entity_id=3869850101&fileid=48218071101&sid=101

GE Outbound Proxy Standard - http://libraries.ge.com/download?fileid=76455681101&entity_id=13957680101&sid=101


7.4 Resource Sharing (ELEMENTARY)

POLICY

Any non-GE or non-GE GDC resources (people, applications and systems) used to execute or facilitate GE engagements shall not compromise the confidentiality and integrity of GE data and intellectual property.

The purpose of this Practice is to establish and manage controls that mitigate the risk of compromising the confidentiality and integrity of GE data and IP through resource sharing.

GOALS

0 incidents of unauthorized shared resources

0 incidents of unauthorized GE data or IP residing in any shared resource

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

RS 1.0 Identify shared resources

RS 2.0 Establish and manage confidentiality and integrity of GE data on shared resources

OPERATING GUIDELINES

RS 1.0 Identify shared resources

GDC shall keep shared resources to a minimum and shall have a process to risk-assess any shared resource and obtain approval from the GE GDC Program Office before using it.


GDC shall maintain an inventory of all shared resources, including resources provided by GE and by GDC for use within the GE GDC (e.g. email, project management tools). This inventory should record the ownership of each resource.

RS 2.0 Establish and manage confidentiality and integrity of GE data on shared resources

GDC shall perform periodic risk assessments of all shared resources.

GDC shall implement logical or systematic data leakage prevention controls for all shared resources.

All data relevant to shared resources must follow the Data Classification, Confidentiality, Privacy & IP Protection practice.

Minimum Audit Requirements: Inventory of shared resources

Evidence of access controls in place for all shared resources

MSA Linkage: Section 4.25

Related Practices: Data Classification, Confidentiality, Privacy & IP Protection; Knowledge Management

eGDC Suite Linkage: Adhoc Approvals

Online Resources: Not Applicable


8.0 Data Security

GE data security is the most important aspect of the GDC program; GE data must be protected according to its need for secrecy, sensitivity or confidentiality. While servicing GE, GDCs will have access to different types of GE data, and it is the GDC's responsibility to protect GE information from disclosure to any unauthorized individual or entity. The practice areas covered in this section outline the minimum requirements for GDCs to maintain the integrity, confidentiality and availability of GE data.


FIGURE 11 Data Security Practices and Linkages

8.1 Data Classification, Privacy, Confidentiality & IP Protection (MATURE)

POLICY

Any data created, used or handled by GDCs shall be classified and protected using adequate measures as per the GE Data Security guidelines. For a period of 7 years following the date of disclosure, the GDC shall not itself use, or share with any third party or subcontractor, any GE confidential/restricted information.

The purpose of this Practice is to formalize and enforce the practice of securing GE data based on assigned labels of importance and sensitivity.


GOALS

100% of GE data/information in any form tagged with the appropriate data classification

0 instances of improper access control, unauthorized sharing or unauthorized use of GE confidential/restricted data

0 incidents of IP or data privacy violations

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

DCP 1.0 Classify all GE data/information according to the GE data classification guidelines

DCP 2.0 Establish accountability to protect GE data

DCP 3.0 Protect GE data/information according to its classification

DCP 4.0 Manage IP use and protection

As a co-owner of this Practice, GE Businesses are responsible for ensuring that all data accessible to, shared with, processed by or created by the GDC carries the correct GE data classification level. The specific responsibilities of GE are:

DCP 5.0 Ensure all GE data/information shared with the GDC carries the correct GE data classification

DCP 6.0 Provide guidance to the GDC to establish the correct GE data classification levels for data created or used by the GDC during the life of the project/relationship; involve the Business Data Privacy Leader to identify specific controls that may be required to address country-specific data privacy requirements


DCP 7.0 Monitor & manage GDC access to Sensitive data on a need-to-know basis and ensure that access is revoked when no longer needed

DCP 8.0 Identify and treat GDC IP, GE IP in appropriate manner – involve Business Legal teams in appropriate treatment of GDC IP

OPERATING GUIDELINES

DCP 1.0 Classify all GE data/information according to GE Data classification guidelines

"GE data/information" here refers not only to the data provided to the GDC, but also to data created by the GDC during the life of a project/relationship

Electronic/Non-electronic Data (documents, code, databases, concept papers, reports, media, email and the like) shall be classified and encrypted as per GE data classification guidelines.

In case of documents (irrespective of the nature of the document), all pages shall contain the classification

Correct and consistent classification shall be ensured

Functional Ownership and classification of data shall follow the guidelines below

Classification indicates the type of data. Apart from information that is intended for public disclosure, all other information shall be classified as Internal or Confidential or Restricted based on guidelines below

Internal – non-public information that is specific to an entity with access to a larger group of authorized people consisting of employees and authorized non-employees (examples: Organization Chart, Standards & Guidelines, … to name a few)

Confidential - Information that is sensitive or confidential within an entity and intended for business use only by those with a need-to-know (examples: sensitive personnel information, individually identifiable customer or client information; cost or pricing information, … to name a few)

Restricted - Information that is extremely sensitive or private, of highest value to the entity, and intended for use by named individuals/entity only (examples: strategic plans; intellectual property, financial results prior to release; individually identifiable medical records; trade-controlled information; files containing clear-text passwords, … to name a few)

Ownership identifies the owner of the data

GE - a significant portion of the data being used or generated in the GE GDC shall be owned by GE and hence tagged as GE Internal, GE Confidential or GE Restricted. Any/All artifact(s) given by GE or generated/used as part of the GE project/program shall be considered as GE Ownership. This shall include all deliverables/work products (inclusive of code, design documents, process charts, test plans, development plans, KT documents, risk mitigation plans…), responses to RFP, status reports, project management documents, … to name a few

GE <GDC> - a small portion of the data generated in the GE GDC shall have shared ownership between GE and the GDC team and hence tagged as GE <GDC> Internal, GE <GDC> Confidential or GE <GDC> Restricted (examples: GDC Standard Operating Procedures based on GE requirements, GDC specific performance metrics report, … to name a few)

<GDC> - a very small portion of the data generated/used in the GE GDC shall be owned completely by the GDC (examples: GDC Organization’s Financial Information, GDC Employee Performance Report, GDC Organization’s IP, … to name a few)

The below table provides a summary of the permissible 9 Classification possibilities in addition to the PUBLIC classification

GE Confidential/Restricted information may include all information furnished or made available to the GDC orally or in writing by any GE personnel in connection with the overall Program or a specific Task Order, without limitation, non-public Intellectual Property, Deliverables, ideas, concepts, procedures, agreements, notes, summaries, reports, analyses, compilations, studies, lists, charts, surveys and other materials, both written and oral, in whatever form maintained concerning the business of the Company and its customers and/or vendors, including Material Non Public Information. Confidential Information shall also include, without limitation, any reports, findings, conclusions, recommendations, or reporting data and analysis prepared by GDC for GE’s use

While using GE classification (GE Internal, GE Confidential and GE Restricted), GDC shall adhere to Business specific classification requirements, if explicitly requested to do so. This may involve identification of Business name in the tag (examples: GE Healthcare Confidential, NBCU Restricted)

In cases where GDC receives data/information that are not classified by GE, GDC shall follow exception guidelines for treatment/handling of such data. One or more of the following treatment recommendations may be applied by the GDC

Such unclassified data belonging to GE shall not be stored on any other media except on GE Systems residing in GE Data Centers

Printing of such unclassified data shall not be permitted

In exception scenarios where such data needs to be stored in GDC systems for project needs, GDC shall post such data to Business-specific folders that are configured in GDC configuration systems with appropriate classification and access to named individuals on a need-to-know basis

GDC shall raise an incident / risk alert (as seen appropriate) when unclassified data that is perceived by GDC to be GE Confidential or GE Restricted is provided to GDC for use/information purposes

DCP 2.0 Establish accountability to protect GE Data

SIA (Secrecy and Inventions Agreement) shall be signed by every individual GDC resource (inclusive of sub-contractors) before granting physical access to the GE GDC area. Annual re-acknowledgement shall be done

In case confidential/restricted data pertains to "GE Personal or financial" data or "GE IP" information, additional confidentiality agreements as required by the business shall be signed by individual GDC resources

Every GDC resource shall physically (cannot be digitized) sign the "Assignment of Rights" on an annual basis for work done in the prior year. If during the course of the year a GDC Resource exits GE GDC, he/she shall sign this document for the duration he/she worked with GE GDC in that year. "Assignment of Rights" documents shall carry a counter-signature by the GDC authorized signatory.

GDC shall have appropriate processes in place to identify projects dealing with confidential/restricted information and educate resources on their responsibility/accountability to adhere to Acceptable Use Guidelines and Non-disclosures


Where controls established by the Business are seen to be inadequate/inappropriate, GDC shall proactively discuss the risks with the Business and recommend appropriate controls to be implemented.

DCP 3.0 Protect GE data/information appropriately according to data classification level

Data classified as GE Internal/Confidential/Restricted or GE <GDC> Internal/Confidential/Restricted cannot be stored on a non-GE system, shared or used for any purpose other than related to GE GDC

Storage/transmission/Disposal of both physical and electronic data shall be as per GE Data classification guidelines and the business Document Retention Guidelines.

GE Confidential/Restricted information shall be stored in a secured manner on a GE system residing in a GE Data Center with access provided to named individuals within GE GDC Organization, on a need-to-know basis

No GE confidential/restricted data shall be shared in any location with public access (including GE SupportCentral, Libraries, Folders)

Any requirement for storage of GE Confidential/Restricted data on a GDC system or an external (to GE) system shall be explicitly approved by the GE Project Manager and / or GE Business Security Leader

Such data shall be secured in the GDC server room with data level access controls and encryption, where appropriate – such data shall not reside on individual resource systems

Access restrictions for confidential and restricted data shall be built in at the individual artifact and folders or shared repositories that house these artifacts.

Access to restricted/business confidential (where additional agreements are signed for confidentiality) artifacts shall be limited to those with valid SSO Ids, as approved by the Business

Printing of classified documents shall be on secure printers only available within the secured GE GDC area. The controls around printers can include but not be limited to: Pin per print, key card per print, centralized printers.

Notices shall be posted that documents sent for printing shall be removed from the print queue if not printed using the secure print key within a maximum time of 4 hours. Additionally, any printed documents that are left behind at printer stations or unattended on desks or conference rooms for more than 2 hours, shall be shredded


Treating GE Personal Information including information on GE Personnel, its Customers, Suppliers, Vendors or other Affiliates (collection/storage/use/protection/disposal) shall be in line with local applicable Privacy laws and compliant with GE policy

Use/sharing of GE Confidential/Restricted data shall be in line with the Business approved access list. This norm shall apply for USE/sharing of such data across GE Businesses. Any exceptions to this shall be raised to Business VMO Leader/GE GDC Program Office for approval

Archival of GE Confidential & Restricted data and GE GDC classified data shall be done only if explicitly requested for by the Business and maintained for the specific duration stated by the Business. Such archives shall be maintained in an encrypted form and in a secured location with restricted access to named individuals within GE GDC

Personnel/Classified production data shall be scrambled/de-identified before use in a testing environment.

Employee awareness on GE data classification shall be ensured.

Classified data shall be treated appropriately in meetings/tele-conferences

Databases accessed for executing GE engagements shall be assessed for their classification and the appropriate classification guidelines shall be applied

GDC shall centrally maintain an inventory of all GE information assets that are accessible by individual GDC resources. The inventory shall at a minimum contain information on the name of the asset, type of asset, storage location, type of access along with the resource details and engagement details (business case for access)

GDC shall ensure that the Access Inventory is accurate and current

GDC shall implement controls to protect accounts with increased rights above a standard user and have processes to protect and manage Highly Privileged Accounts (HPA). At a minimum, HPAs are accounts with the following:

System level administrative or super-user access to devices, applications or databases

Administration of accounts and passwords on a system

Any additional accounts considered by the business or system owner to pose a high risk


GDC shall identify and implement data leakage prevention controls to protect GE data in its operating environment

DCP 4.0 Manage IP Use & Protection

Intellectual Property (IP) shall be defined as any and all Deliverables, work product or results of Services and inventions, innovations, discoveries, designs, plans, models, prototypes, computer programs (including source and object code and documentation), know-how, techniques and specifications (whether patentable or not or copyrightable or not and whether made solely by Contractor or jointly with others) that are conceived, created, developed or discovered directly or indirectly as part of or in connection with any work performed for GE or on behalf of GE

Intellectual Property may belong to GE, GDC or to a third party

Unless otherwise explicitly declared by GDC and agreed upon by GE, any IP that may be used, developed or conceived while working on a GE engagement shall be treated as GE’s property

GDC shall ensure that any identification of a potential IP is notified to GE immediately and appropriate action taken to classify and protect such IP

GDC shall ensure that any and all rights on work done by GDC resources (inclusive of sub-contractors) is assigned to GE

Such assignment of rights shall be carried out at end of Task Orders, where explicitly stated by a Business. In all other cases, such assignment shall be done on

An annual basis for all work carried out from the last assignment date/start date in GE GDC (as applicable) to current date

At GDC Off-boarding point, if the resource is being off-boarded from GE

All such assignments shall be duly verified and validated for accuracy & completeness by the appropriate authorized signatory of the GDC organization and signed off

GDC shall ensure that all such IP are fully documented, classified as GE Restricted and treated as per the classification guidelines for such data.

Where the IP is specific to a Business, GDC shall ensure that the Business name is used in the Classification as GE <Business> Restricted. Where seen appropriate, the additional tag of "GE Proprietary" shall be included


Any use/re-production/sharing (in any form) of such an IP shall not be permitted without the explicit written approval of the GE Business Legal (facilitated by GE Business VMO Leader or GE GDC Program Office)

This norm shall apply to sharing of IP across GE Businesses as well

Any proposed use of third party IP or GDC IP shall be declared upfront and clearance obtained from GE Business Legal/Security team (facilitated by GE Project Manager and/or GE Business VMO Leader) for use of such IP in deliverables to GE

Prior to use of GDC IP or third party IP on GE deliverables, GDC shall ensure verification of the scope and terms of USE. Such terms and scope shall be clearly agreed upon and signed off by all parties involved.

In cases where Joint IP Development is undertaken by GDC with GE and/or with other third parties, GDC shall ensure that the scope and terms of IP development, rights for USE are discussed, documented and complied with

GDC shall educate its resources on proper treatment of IP and ensure that norms around IP use are complied with. Any violations of IP (GE/GDC/third party) shall be treated as a critical incident and handled appropriately

AUDIT REQUIREMENTS

Minimum Audit Requirements Classification of Data stored in GDC systems and on GE Knowledge repositories

Evidence of GE Data Access Inventory being available, accurate and current

Evidence of treatment/handling of Confidential/restricted data being handled/treated as per GE guidelines for treatment of such data

Evidence of Business Legal sign-off for USE of GDC IP/Third Party IP in deliverables to GE

MSA Linkage Sections 4.3, 8

Related Practices GE Knowledge Management, GDC Resource On-boarding/Off-Boarding, Engagement Termination/Closure, Business Divestiture Management, GDC Site Management, Software Governance, Secure Software Delivery

eGDC Suite Linkage Not Applicable


Online Resources The following additional guidelines are found at the GE GDC Knowledge Center (http://supportcentral.ge.com/81973) under Policies & Procedures / Program Governance / Data Security / Additional Guidelines

GE Data Classification Guidelines http://libraries.ge.com/download?fileid=16926504101&entity_id=2688000101&sid=101


8.2 GE Knowledge Management (ELEMENTARY)

POLICY

Knowledge accumulated by GDC from and about GE engagements shall be retained in the GE Knowledge Management repository

The purpose of this Practice is to establish appropriate controls to ensure that Intellectual property and knowledge developed/gained during the engagement lifecycle is retained in GE to mitigate long-term operational risks of engagements.

GOALS

100% of engagements to have a knowledge repository with complete information required for vendor-agnostic seamless operations

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

GKM 1.0 Establish knowledge management plan for all engagements

GKM 2.0 Manage completeness of engagement knowledge in knowledge repository through-out the life of an engagement

As a key stakeholder, GE is responsible for ensuring that it encourages and validates the GDC use of GE’s Knowledge Management system for completeness, accuracy and effectiveness

GKM 3.0 Be aware of GE Knowledge Repository and ensure appropriate USE of the same for information protection, engagement risk management and effectiveness of delivery

OPERATING GUIDELINES

GKM 1.0 Establish knowledge management plan for all engagements

"GE data" here refers not only to the data provided to the GDC, but also to data created by the GDC during the life of a project/relationship


Knowledge accumulated by GDC from and about GE engagements, shall be retained in the GE Knowledge Management (KM) repository

GDC shall maintain KM Plan for every GE engagement – the plan shall clearly describe the Knowledge assets that would be applicable to the engagement, KM Repository update Plan, Review Plan, Access rights Management and Assessment of completeness and accuracy of content

GDC shall proactively ensure the adoption and rigor of USE of GE KM across GE GDC

GKM 2.0 Manage completeness of engagement knowledge in knowledge

repository through-out the life of an engagement

GDC shall ensure that the engagement specific KM Plan is signed-off by the Governance Leader of the GDC. Governance Leader can delegate this to named individuals within extended governance team.

GDCs shall update the GE KM Repository on a continuous basis and obtain periodic sign-off from the GE Manager for the content and accuracy of the KM.

Transferring data from GE KM to the GDC KM is not permitted without an explicit approval from the GE GDC Program Office

In the event of termination of the GE Task Order, GDC shall transfer any remaining engagement knowledge to the GE KM Repository and ensure completeness of all documentation.

Minimum Audit Requirements Evidence of KM practice across all engagements of GE

MSA Linkage Sections 5.23, 5.24

Related Practices Data Classification, Confidentiality, Privacy & IP Management, Delivery Management, Engagement Termination/Closure, Business Divestiture Management

eGDC Suite Linkage Knowledge Gateway

Online Resources Not Applicable


9.0 Contractual Management

Contractual Management is an important area with focus on contractual obligations that emanate from the MSA that GDC has with GE. Many of these contractual obligations have been covered in other process areas. The section therefore focuses only on those few practices that are broad based but specific to GE’s MSA and Business-specific contracts with GDC.

FIGURE 12 Contractual Management Practices & Linkages


9.1 Communication & Media Management (MATURE)

POLICY

External or internal communications, USE, sharing of information related to GE relationship or GDC Organization (inclusive of GE engagement information or GE process) is not permitted without the prior approval of the GE GDC Program Office.

GOALS

0 instances of unapproved (by GE GDC Program Office) sharing of GE information

0 instances of in-appropriate USE of GE Assets

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

CMM 1.0 Establish and maintain a verification & approval protocol for sharing of information related to GE

CMM 2.0 Publish guidelines on acceptable USE of GE assets in internal and external communications

As a co-owner of this Practice, GE Businesses are responsible for ensuring that the authorized people handle requests for approval of information sharing in an appropriate manner. The specific responsibilities of GE are:

CMM 4.0 Forward requests for sharing of information on GE to Business VMO Leader and GE GDC Program Office – Decision for approval of request shall be taken by GE GDC Program Office in collaboration with GE Business VMO Leader and appropriate Legal teams



OPERATING GUIDELINES

CMM 1.0 Establish & maintain a verification protocol for sharing of information related to GE

GDC shall ensure the existence of a formal process for review and approval of all requests for publishing / sharing (commonly referred as USE) GE related information

The process shall cater to internal and external USE

The process shall cater to all USE scenarios inclusive of technical papers presentation, technical problem resolution, best practice sharing, media announcements, external client visits, trade shows & conferences, third party surveys, internal Knowledge repositories/portals, newsletters and the like

Requests shall clearly identify the scope of information, scope of USE along with the media of USE and the timelines

As a part of the Verification process, GDC shall ensure that the content is sanitized to prevent potential violations of Contractual obligations, Acceptable USE, Data Classification guidelines

Where the content is seen as specific to GE and may violate the contractual obligations, if used/shared/published, GDC shall ensure appropriate approvals on content and use by authorized GE personnel

As a general guideline, where the information/content is seen as specific to a GE Business (and is likely to compromise Confidentiality/IP Protection), GDCs shall obtain an approval from the GE Business GDC Leader for publishing/sharing of such information (inclusive of seeking technical expertise)

As a general guideline, where the information/content is at the overall GE Relationship or pertains to a broad overview of the practices and processes deployed within GE GDC, GDC shall obtain an approval from the GE GDC Program Office for publishing/sharing of such information

Request for all such approvals shall be presented to GE with a clear business case, intended audience, context and duration of information use, and details of the publishing media. Approvals shall be granted at the discretion of GE GDC Program Office and may contain additional norms/criteria of use



GDCs shall be responsible for ensuring that the information publishing/use is in line with the approval conditions. Validation of the same is required at periodic intervals (at a minimum once in 6 months)

GDCs shall be responsible for maintaining records of all approvals and communication with GE

GDC shall establish and maintain a proactive detection mechanism to identify unauthorized/unacceptable use (inclusive of publishing on the internet/media) of GE information and remediate the same. The GDC shall maintain a record of all such remediation actions taken.

CMM 2.0 Publish guidelines on acceptable use of GE assets in internal/external communications

As a general guideline, GDC resources are expected to comply with the Acceptable USE Guidelines

External or internal communication/sharing of information regarding the GE GDC engagements (inclusive of delivery methodologies, technology usage, business process knowledge, process improvement initiatives) is not permitted

External communications/sharing of information – Press Releases, web-site listings, blogs, mass-marketing campaigns, advertisements, technology/business/analyst forum discussions and presentations that include information about GE GDC or GE engagements or GE are not permitted

GE shall not provide endorsements for GDC

Internal communication/sharing of information/USE of GE specific information regarding GE GDC (overall account information or engagement specific information) to non-GEGDC audience is not permitted. Within GE GDC, such information shall be shared only on a need to know basis

GDC resources shall not use the identity of GE GDC in their communication to non-GE world

GE email-ids of GDC resources shall be used purely for communication within GE and GE GDC - any need for use of a GE email-id beyond the GE and GE GDC Program context shall be pre-approved by GE GDC Program Office / GE Business VMO Leader for the respective Business

Email signatures shall clearly identify the GDC Organization of the resource (example: Patni GE GDC); any request for deviation shall be pre-approved by GE GDC Program Office


No GE related information inclusive of information available on GE intranet unless classified as public shall be shared with non-GE audience

GE logo and typeset cannot be used in any external or internal material/communications

Any need for use of GE information or GE assets beyond GE GDC, shall follow their Review & Approval process. Exception approvals by GE GDC Program Office/GE Business VMO Leaders shall be a part of this GDC Review & approval process

GDC shall ensure adequate awareness of the above guidelines across all GDC resources (inclusive of sub-contractors)

GDCs shall escalate to GE (GDC Program Office) if any deviations from above are observed

Minimum Audit Requirements Evidence of GE/GE GDC Information use requests, review & appropriate action

Evidence of exception approvals from GE GDC Program Office/GE Business VMO Leaders for deviations in USE

MSA Linkage Sections 11.13, 16.11

Related Practices Practices in Data Security, Delivery Management, Physical Security

eGDC Suite Linkage Adhoc Approvals

Online Resources Not Applicable


9.2 Contractual Performance Reporting (ELEMENTARY)

POLICY

Contractual performance data shall be reported to GE in a timely and consistent manner in the format as expected by GE. GDC shall be accountable for the integrity of the data being reported to GE

GOALS

0 misses on reporting contractual performance data

0 data integrity issues in data reported to GE

RESPONSIBILITIES

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

CPR 1.0 Publish guidelines and operating procedures for every Contractual performance requirement within GE GDC to ensure consistency and validity of data capture, computations (if any), verification and timely reporting

As a co-owner of this Practice, GE Businesses are responsible for verification & validation of data being reported by GDC. The specific responsibility of GE is:

CPR 2.0 Verify data being reported and escalate non-compliance to GDC and GE GDC Program Office



OPERATING GUIDELINES

CPR 1.0 Publish guidelines and operating procedures for every Contractual performance requirement within GE GDC to ensure consistency and validity of data capture, computations (if any), verification and timely reporting

Based on the Contractual requirements at the GE GDC Program level and the individual Business or project level, GDC may have reporting requirements.

These reporting requirements may be defined explicitly as a part of the contract/SOW or may have been communicated through other mechanisms inclusive of email, conference calls.

The reporting requirements shall have scope of data being reported along with reporting frequency

At the GE GDC Program level, GDCs are expected to report on Project, Resource and Operations performance as per the Program Reporting Requirements provided in the additional guidelines.

Online reporting of operations data using eGDC Toolset is expected to ensure that data is current (and not accumulated for updates on monthly basis)

Projects data reported in eMeasure is expected to be reported by the 5th business day of every month

Invoice and outstanding data is expected to be updated in the online tools (eInvoice) at a minimum twice a week, if not daily

Manual reports (where explicitly mentioned) shall be submitted to GE by the 10th calendar day of every month

Incidents are expected to be reported to GE GDC Program Office within the stipulated time depending on the material/non-material nature of the incident

Remediation on Security vulnerabilities/incidents shall be completed and reported within the timeframe allocated for specific vulnerabilities

GDC Competencies (in alignment with GE technology stack) shall at a minimum be published on a Quarterly basis



Contract/SoW based or Project Delivery focused performance reporting as per business requirements and as agreed with business project manager shall be published to GE businesses as per agreed frequency

Financial performance of GDC Organization at the GE Engagement level as well as the GDC parent organization level shall be submitted to GE GDC Program Office on a quarterly basis

Anticipated or actual change in ownership or financial status, public listing, change in constitution of the controlling board, mergers and acquisitions, upgrading/downgrading of financial ratings shall be disclosed to GE GDC Program Office, as long as the disclosure does not violate any Securities and Exchange Commission rules, regulations or other applicable laws

Merger and Acquisition of the GDC parent organization with any of the known competitors of GE is not permitted without a prior notification to GE GDC Program Office

GDC shall ensure that any data being reported to GE is verified for completeness and accuracy before being reported

Minimum Audit Requirements Evidence of contractual data being published to GE in a timely manner

Evidence of pre-reporting verifications on completeness and accuracy of contractual data being reported to GE

MSA Linkage Sections 4.5, 4.7, 4.21, 5.9, 5.20

Related Practices All practices

eGDC Suite Linkage EMeasure, eInvoice, Contacts, eGDC Toolset

Online Resources Program Reporting Requirements - Additional Guidelines


9.3 Working for Competitors (MATURE)

POLICY

Allocation of GDC resources/sub-contractors that have worked on a GE Task Order, to a project with similar nature of work for a potential GE business competitor, within twelve months of disengagement from GE Task Order is not permitted.

0 instances of resource allocation from GE to engagements with GE’s competitors

As the primary owner of this Practice, GDC’s are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are.

WFC 1.0 Establish and maintain a process to identify, assess and treat potential conflict of interest (COI) in allocating resources to non-GE engagements – seek approval from GE for potential COI cases

As a stakeholder of this Practice, GE Businesses are responsible for ensuring that the risks of potential such placements are understood when reviewing GDC requests for placement of resources in potentially conflicting accounts. The specific responsibility of GE is

WFC 2.0 Review/Assess potential COI cases raised by GDC and provide feedback/approval

POLICY

GOALS

RESPONSIBILITIES


OPERATING GUIDELINES

WFC 1.0 Establish and maintain a process to identify, assess and treat potential conflict of interest (COI) in allocating resources to non-GE engagements – seek approval from GE for potential COI cases

GDC shall ensure that no resource that has been off-boarded from GE is assigned to work on a potentially conflicting engagement with a competitor of GE for a period of 12 months from the date of off-boarding from the specific GE engagement.

The scope for this risk assessment includes all the business engagements that the resource worked on in the 12 month period (and not just the last engagement)

The risk assessment shall continue to be carried out for a period of 12 months from the date of the last off-boarding from GE

In case a resource has to be deployed on any engagement with a potential competitor of a specific GE business from which the resource was off-boarded within the last 12 months, GDC shall perform a detailed risk assessment that identifies the potential conflict and seek an exception approval from the GE Business VMO Leader/GE GDC Program Office. On formal written approval to deploy the resource, GDC may proceed with deployment. If the request is rejected or is not responded to by GE, GDC shall not proceed with deployment of the resource.

If no potential conflicts are seen with the deployment, GDCs may deploy the resources without any prior approval from GE

All resources with less than 2 years of total work experience may be exempted from approval unless the role involves GE business process or application architecture exposure.

The GDCs’ affiliated companies may engage in work or business for GE competitors, provided that such affiliated companies have not received or had access to any GE Information

Sub-contractor organizations (inclusive of special partners to GDCs) shall conform to the stated policy and guidelines on allocating resources to working with competitors of GE

GDC shall maintain evidence of formal assessment of conflict and approvals for deployment


Minimum Audit Requirements Evidence of identification of potential competitors to GE Businesses in the context of the GDC Parent Organization environment

Evidence of formal assessment of conflict/risk of conflict for deployment into competitor organization

Evidence of approval from GE for deployment in potential conflict scenario

MSA Linkage Sections 3.16, 5.22

Related Practices Practices of Data Security, Sub-contractor Management

eGDC Suite Linkage Ad-hoc Approvals

Online Resources Not Applicable


10.0 Operations Management


FIGURE 13 Operations Management Practices & Linkages

10.1 Site Communications Infrastructure Management (ELEMENTARY)

POLICY

GDC shall maintain appropriate communications infrastructure as required for continued effective operations and delivery from its Certified Sites. This shall include communications technology hardware, software and associated support services, such as telephones, amenities, and communication facilities like video-conferencing and adequate telephone lines and failure backup facilities. GDC is required to be linked to the Company’s locations via high speed data link(s) connecting to Company’s recommended PoP or Company’s network service provider. GE GDC Network uptime shall be 100%. Sustained network performance shall be as per GE expectations

The Purpose of this Practice is to ensure that GDCs adhere to communications infrastructure performance and availability requirements and establish controls for proactive monitoring & remediation of infrastructure health issues before they impact GE engagements.

GOALS

100% Redundancy & Validity of all equipment & devices at all GDC sites

0 instances of performance bottlenecks or availability challenges due to inadequate network bandwidth

0 instances of inadequate voice channels for communications

0 impact on GE engagements due to infrastructure performance & availability issues

RESPONSIBILITIES

As the primary owner of this Practice, GDC’s are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

CIM 1.0 Maintain equipment standards of GOLD Site – ensure redundancy


CIM 2.0 Manage equipment & network for High performance & availability

OPERATING GUIDELINES

CIM 1.0 Maintain equipment standards of GOLD Site – ensure redundancy

A GDC Site supporting multiple businesses or at least 1 critical operation shall be classified as a GOLD Site.

In exception cases, where a Certified Site caters exclusively to a single business with non-critical operations ONLY (identified as a part of Site Certification and signed-off as such), the Site shall be classified as a SILVER site.

GOLD Sites shall maintain redundancy on network infrastructure (equipment, devices and the link over the last mile). The backup devices and links shall be of the same specification as the primary ones

In case of SILVER sites, while redundancy is mandatory across all devices, equipment & links, the specifications may be varied for the secondary/backup devices

GDC shall ensure high speed connectivity to GE recommended PoP

The Voice Channels shall be dedicated to GE GDC and redundancy shall be maintained on voice infrastructure

CIM 2.0 Manage Equipment & Networks for High Performance & Availability

GDC shall monitor all equipment for performance to the expected standards

GDC shall ensure that appropriate Health checks are performed on all devices on a periodic basis.

GDC shall have valid maintenance/warranty contracts in place to enable immediate resolution should there be an incident involving any device.

GDC shall proactively monitor end of life of equipment and devices and ensure that no device/equipment which has reached end of life is a part of the GE GDC Infrastructure


Link capacity utilization shall be monitored by GDC on a daily basis. Peak utilization shall not exceed 60% over a fifteen minute time period over a 10-hour day. If the threshold is exceeded, GDC shall upgrade capacity
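The 60% / fifteen-minute rule above is concrete enough to encode as a daily monitoring check. The Python below is an added illustration written for this page; it is not part of the GE GDC framework or its eGDC tooling. It assumes one utilization sample per minute (a constructed assumption) and reports the highest rolling 15-minute average over a 10-hour day, whether that peak crossed the threshold, and the minute at which the first offending window ended. The two sample days are constructed inline.

```python
"""Daily link-utilisation check against a rolling 15-minute peak threshold.

Added example for illustration only; not code from the GE GDC framework.
Constants reflect the guideline text; the one-sample-per-minute cadence and
the sample data are constructed assumptions.
"""
from typing import List, Optional, Tuple

WINDOW_MINUTES = 15             # "fifteen minute time period"
THRESHOLD_PCT = 60.0            # "shall not exceed 60%"
BUSINESS_DAY_MINUTES = 10 * 60  # "over a 10-hour day"


def rolling_window_averages(samples: List[float],
                            window: int = WINDOW_MINUTES) -> List[float]:
    """Mean utilisation of every 15-minute window, sliding one minute at a time.

    A rolling window (rather than fixed quarter-hour bins) is used so that a
    burst straddling a bin boundary is still measured as one 15-minute peak.
    Element k is the average of samples[k : k + window].
    """
    if window <= 0:
        raise ValueError("window must be positive")
    if len(samples) < window:
        raise ValueError("need at least one full window of samples")
    running = float(sum(samples[:window]))
    averages = [running / window]
    for i in range(window, len(samples)):
        running += samples[i] - samples[i - window]  # O(1) window update
        averages.append(running / window)
    return averages


def evaluate_day(samples: List[float],
                 threshold: float = THRESHOLD_PCT,
                 window: int = WINDOW_MINUTES) -> Tuple[float, bool, Optional[int]]:
    """Return (peak_window_pct, threshold_breached, first_breach_minute).

    first_breach_minute is the minute index at which the first window over
    the threshold ends, which is what an operator would look up in the
    monitoring record; None when no window exceeds the threshold.
    """
    averages = rolling_window_averages(samples, window)
    peak = max(averages)
    first = next((k + window - 1 for k, avg in enumerate(averages)
                  if avg > threshold), None)
    return peak, peak > threshold, first


def constructed_day(base: float, burst_start: int, burst_len: int,
                    burst_level: float) -> List[float]:
    """Constructed per-minute utilisation for a 10-hour day: flat base plus one burst."""
    day = [base] * BUSINESS_DAY_MINUTES
    for m in range(burst_start, min(burst_start + burst_len, BUSINESS_DAY_MINUTES)):
        day[m] = burst_level
    return day


if __name__ == "__main__":
    sustained = constructed_day(35.0, 300, 20, 80.0)  # 20-minute burst at 80%
    print(evaluate_day(sustained))                    # (80.0, True, 308)
    spike = constructed_day(30.0, 300, 5, 100.0)      # 5-minute spike at 100%
    print(evaluate_day(spike))                        # (53.33..., False, None)
```

The two constructed days show why the window length matters: a twenty-minute burst at 80% trips the check at minute 308, the first minute whose trailing quarter-hour averages above 60%, while a five-minute spike to 100% on a 30% baseline never does, because no 15-minute average exceeds about 53%. The check therefore flags sustained saturation that warrants a capacity upgrade rather than momentary bursts.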

GDC shall have a formal planning & forecast process to assess capacity requirements based on business plan. The process shall take into account the size, the network design (dependencies on other sites need to be taken into consideration) and the applications being accessed

GDC shall proactively set policies to ensure proper use of network bandwidth for business purpose and monitor bandwidth use

Where GDC introduces new services (Voice or Video) on the network, GDC shall ensure appropriate estimation of bandwidth impact and proactively plan mitigations to avoid impact on Use/Access/Delivery on GE Engagements

GDC shall proactively define performance thresholds that trigger analysis and/or change management process

GDC shall monitor end user (GDC) experience performance of GE applications using appropriate methods. If performance drops to a level where it impacts productivity of GDC users at the site, Root Cause Analysis shall be undertaken for curative action and the appropriate fixes applied

GDC shall ensure adequate phones/dialcoms are made available for project use. The recommended ratio is 1 voice channel for every 4 projects/15 GDC resources

Minimum Audit Requirements Evidence of equipment maintained as per GOLD Site standards

Evidence of equipment health & life monitoring as per plan

Evidence of network bandwidth planning, forecasting & monitoring

MSA Linkage Section 4.23

Related Practices Incident Management, GDC Site Management

eGDC Suite Linkage Site Equipment Information Report, GDC Site Management, Adhoc Approvals

Online Resources GIS


10.2 GDC Site Management (ELEMENTARY)

POLICY

GDC shall operate from GE Certified Sites. GDC shall ensure that any extension/de-commission of sites is carried out in compliance with GE Guidelines for secure sites. The policy also applies to GDC Partner sites

The purpose of this practice is to ensure that GDCs operate from certified sites that are fully compliant

GOALS

0 instances of GE related work being carried out from locations other than GE Certified sites (or GE Sites)

0 violations on Site Compliance

RESPONSIBILITIES

As the primary owner of this Practice, GDC’s are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

GSM 1.0 Manage New Site Approvals (TG1 to TG4)

GSM 2.0 Manage Site Information

GSM 3.0 Manage Site Certifications (TG5)

GSM 4.0 Manage Site Extensions

GSM 5.0 Manage Site Surrender

As a co-owner of this Practice, GE Businesses are responsible for ensuring that potential risks of USE of unauthorized sites are understood and avoided

GSM 6.0 Prevent risks for GE by not encouraging GDC resources to work from unauthorized locations


OPERATING GUIDELINES

GSM 1.0 Manage New Site Approvals

GDC shall provide off-site services to GE only from GE certified GDC sites

New sites may be planned for within host country (or) in new countries and may be set-up to cater to growth, globalization, de-risk or as a transition from an existing site to a new one

New sites may be Offshore, Nearshore or Proximity sites. Proximity sites are typically those set-up in High cost countries with the objective of providing in-country support to GE Businesses

Offshore and Nearshore sites are by default Regular sites (200+ FTE Operations). Proximity sites may be a small site (up to 50 FTE) or a medium site (> 50 and < 200 FTE)

New sites may be used for broad-based services covering ITO, BPO and Engineering or be used for specific combination of services

New sites may offer regular services or special services like Export Control, NPI, … to name a few. The special services may require a restricted area to be set-up within the scope of the GE GDC

Certification of new sites shall follow a 4 stage Tollgate process – the stages are as follows:

TG1 – Business Case for setting up a new GDC site. GDC shall submit a proposal that shall at minimum cover information on justification for a new site supported by appropriate business sponsorships, forecasts for the proposed site, and site strategy in terms of services, people, and technology. GE GDC Program Office may choose to approve the Business Case, which enables the GDC to move to the next tollgate. The Program Office may choose to reject the business case.

TG2 – Compliance to Physical Infrastructure requirements focused on physical security & safety. GDC’s internal audit team shall conduct a physical verification of the site readiness and report the same before GE undertakes physical verification. GE’s clearance of the site’s readiness on physical security & safety is a must to proceed to the next tollgate


If the site is proposed to offer special services requiring restricted access, the guidelines on restricted access sites shall be followed

TG3 – Compliance to Communication Infrastructure requirements and Designing a secure network connection. This phase commences once GE formally approves the TG2. GDC shall ensure that the local network infrastructure is set-up and in compliance with GE’s requirements. GDC shall work with GIS and GE Information Security team to ensure that the network design is secure and the equipment is as per GE’s standards for connectivity to GE network

If the site is proposed to offer special services requiring restricted access, the guidelines for network security on restricted sites shall be followed

TG4 – Network Connectivity sign-off and uplink – the final stage of the 4 step process, this step is used as a validation point to ensure that open actions (if any) associated with the previous stages are completed and risks are mitigated. Based on approval from GE GDC Program Office, the uplink to GE Network is provided

A site is considered ready for Operations once it is TG4 approved by GE

GSM 2.0 Manage Site Information

GDC shall ensure that information related to every one of the Approved sites is updated on GE repository

The information to be kept current (updated as and when changes occur) is:

Site Contact List

Site capacity (GE GDC) & Utilization

Site Proxy Information

Equipment & Devices at the Site (Communications Infrastructure) along with specifications and end of life information

Bandwidth subscription

Standard SLAs for Site recovery

Night Shift work applicability

Information and Evidence on External Certifications related to Physical Infrastructure, Physical Security, EHS and the like, where applicable


GSM 3.0 Manage Site Certifications

GDC shall ensure that all sites that are approved for operations are certified within 3 to 6 months of the approval for operations (TG4 approval date)

Deviations on timelines for Certifications shall be pre-approved by Program Office

GDC shall plan the TG5 Certification and communicate the same to GE GDC Program Office at least a month prior to the start of the Certification process

The Certification process involves the following steps:

A full audit of the Site by the GDC’s Internal Audit team (or) the External Auditor

Post-Audit review with GE

Certification Audit shall cover all practice areas and shall be carried out as a formal audit

GDC Internal Audits team shall be responsible for completing the Self-Certification Audit

Certification Audits may be included into scope of External Audits if the external audits are due within a period of 6 months from the date of site approval

Audits shall additionally focus on closure of all pending action items from the Site Approval process

Audit observations and findings shall be formally reported to GE

GE’s Post-Audit Review of the Site may include one or more of physical site verification, spot audit, Q&A session or a review discussion

Gaps/Deviations shall be reviewed and appropriate action plans agreed upon

GE shall certify the site if there are no major gaps/deviations identified as a part of the Certification Audit

Where major gaps/deviations are found, GE may decide to provide GDC with additional time to fix the challenges and get a re-certification done within a period of 3 months


GSM 4.0 Manage Site Extensions

Site extensions process applies to the following scenarios:

New physical area (within the same building or campus of an existing certified site) to be included into GE GDC Program, including temporary arrangements.

Conversion of a part of an existing certified area to an access restricted unit for performing business-sensitive work (Export Control (where applicable), IP development and the like)

GDC Site extensions, if planned, shall follow the same process as a new site set-up (TG1 to TG4)

Site extensions shall be initiated only after the Business case (TG1) is approved

Physical Security readiness (TG2) would be a mandatory requirement for all site extensions

Depending on the scope of the extensions, GE may decide on the need for a Physical Security Verification as well as the Network Security readiness (TG3) and Network Connectivity readiness (TG4) process steps

Where seen as essential process steps, GDC shall follow the guidelines for a new site and complete the TG2, TG3 and TG4 process steps

Where a process step is not seen as essential, GE shall provide a waiver

Site extensions become operational once they are TG4 approved or through the Waiver process, approved for operations

Extended parts of certified sites shall be treated as certified units and would therefore not require a separate Site Certification formality

GSM 5.0 Manage Site Surrender (Full/Partial De-Commissions)

Site surrender process applies to the following scenarios:

Full De-commission of existing sites (Site shut down/Site transition)

Partial surrender of existing sites (conversion from GE access restricted to non-GE access)


Conversion of restricted access GE GDC Sites to regular GE GDC Sites (restricted work areas to regular GE GDC work area)

Site surrender shall follow the 3 step Tollgate process involving business case submission (TG1), planning the surrender (TG2) followed by the actual surrender (TG3)

GDC shall submit the Business case for surrender, well in advance of the surrender to enable proper planning. The business case shall clearly articulate the rationale for the decision to surrender fully/partially/convert site status along with assessment of potential impact to GE Businesses and the mitigation plans to minimize impact

Surrender planning shall involve the planning for surrender operations start and end. GDC shall provide tentative dates for transition of delivery & operations, surrender of assets (data/information and physical assets), network infrastructure and finally the physical infrastructure at the site

This plan shall be discussed and agreed upon with GE before the surrender operations commence

GDC shall continuously update GE on the status of the surrender operations. GDC’s internal audit team shall audit every stage of surrender and sign-off on the completion of the surrender activities.

On completion of all the activities associated with the surrender, GDC shall submit to GE a formal surrender report inclusive of the formal Internal Audit report of the site surrender

GE may decide to perform physical verification of surrender operations at the final stage of the surrender or during any of the interim stages

GE’s approval of the site surrender shall be mandatory for the surrender operations to be completed

Minimum Audit Requirements Evidence of individual tollgate approvals for every new site established/in progress, site extensions, site surrenders

Evidence of internal audit on TG2 prior to submission to GE for physical verification

Evidence of internal audit on Surrender Operations prior to submission to GE

Evidence of exception approvals for commencing operations at site prior to completion of the 4 tollgate process

MSA Linkage Section 4.25

Related Practices Physical Security, EHS, Systems Management, Business Continuity Management, Supplier Connectivity, Vulnerabilities Management, Engagement Termination/Closure, Data Classification, Confidentiality, Privacy & IP Management

eGDC Suite Linkage New Site Approval

Site Extensions

Site De-Commission

Site Information Management*

Online Resources Additional Guidelines for Site Management


10.3 Assets Governance (ELEMENTARY)

POLICY

GDC shall be responsible for appropriate usage and controllership for all assets (hardware, software and VPN tokens inclusive of those that are GE supplied) in use towards servicing GE. An updated inventory of all assets shall be maintained.

The purpose of this Practice is to establish controls to track, monitor and report use of all assets and to prevent violation of any Software license usage agreements, improper use of GE supplied assets and other GDC assets used in servicing GE.

GOALS

100% of assets in GE GDC are tracked and monitored for appropriate use

0 instances of controllership issues or asset loss/damage of GDC / GE Assets

RESPONSIBILITIES

As the primary owner of this Practice, GDC’s are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

AGN 1.0 Manage assets

AGN 2.0 Manage use of GE provided assets

As a key stakeholder of the practice, GE shall:

AGN 3.0 Provide appropriate authorization documentation for temporary USE of GE Asset while assigning the asset to a project/resource

AGN 4.0 Document & track GE Supplied assets allocated to GDC, for proper USE


OPERATING GUIDELINES

AGN 1.0 Manage Assets

GDC shall be responsible for providing its resources with all hardware, software and any other assets that may be required for the delivery of services to GE and as per GE recommended build.

GDC shall maintain an updated inventory of all hardware assets in use by GDC resources, irrespective of the location of use or the ownership of the assets

Assets belonging to GE shall be clearly identified in the inventory

Every Asset shall be uniquely identifiable and traceable to its physical location

Asset properties/characteristics, Asset location, user and use period shall be clearly defined for every asset in the inventory

Shared Assets shall be clearly identifiable

GDC shall establish a formal process for hardware asset movement in/out of GE GDC and asset allocation to GDC resources

GDC shall track physical movement of assets

Asset movement outside of GEGDC area is not permitted as a general rule unless otherwise approved by Asset Governance Leader or an authorized person

Sharing of assets (beyond servers, printers and network equipment) is not permitted. In exception cases, the controls shall be discussed with the GE GDC program office and documented. Any logs/evidence shall be maintained.

GDC computer systems shall be pre-loaded with GDC coreload that is in line with GE Coreload. GDCs shall also ensure alignment to business specific coreload wherever specified.

The GDC shall procure their own software licenses for the coreload (With the exception of Sophos and WebEx connect)

GDC shall establish and follow a formal process for installation and use of software licenses beyond the standard set of coreload software licenses

Every such installation shall be approved by an appropriate approving authority within the GDC Organization


Software licensed to GDC shall be used only on GDC owned computer systems

GDC shall maintain an inventory of all software licenses deployed on individual GDC systems within GE GDC or in use by GDC resources. Inventory shall clearly identify software type, license ownership, license quantity (entitled and in use)

Physical reconciliation of all assets in use by GE GDC resources or at GDC locations, shall be carried out at a minimum once in 6 months

AGN 2.0 GE Supplied assets governance

In exception cases, where GE provides any asset (hardware, software or other asset) to the GDC for TEMPORARY USE, GDC shall ensure that such assets are tracked and managed appropriately

Every asset (with the exception of VPN Tokens) supplied by GE, shall be received along with appropriate documentation of the approval from GE (business specified authorized person), along with terms of use, surrender and appropriate commercial declarations (where applicable). Terms around usage, location of use, purpose of use, period of use and return shall be explicitly understood

If assets are paid for by GE but procured by GDC with the terms of surrender to GE at the end of the USE period, clear documentation shall be maintained between GE, GDC and the vendor (for example, in case of software licenses) on the transferability, terms of transfer inclusive of transfer pricing, legalities and the like.

GDC shall ensure that terms of usage, surrender and the end of use process are agreed up-front

Where there is a need to extend the use of these assets beyond the approved use period or extend use beyond originally approved locations/purpose, GDCs shall follow the renewal and change request processes

In cases where GE assets are issued to named resources, exit of the resource or completion of the engagement shall lead to the surrender and end of use process being initiated. In case of software licenses, such software shall be un-installed before the system is handed over to another resource

GE supplied assets shall be tracked and monitored for their intended use at the approved location from the time the asset comes into GDC custody to the time it is surrendered

Use of the Asset at a location beyond the approved locations shall be done only if the use has been explicitly approved by an authorized GE Manager, in writing


Assets (for example, GE calling cards, where provided by GE) that are permitted for use only from GE Sites, shall not be used by GDC resources for purposes other than GE Business and from authorized locations only

Assets provided for use at GE Site shall be surrendered to GE on completion of engagement at the specified site/business. In case assets are carried back to GDC site, the handling and surrender responsibility lies with the GDC.

GE supplied assets [with exception of VPN Tokens] shall be returned to GE at the end of the approved period of use

Release of asset shall be as agreed with the GE Business and evidence of such agreements and release shall be maintained by GDC

VPN Tokens may be re-issued within the GE GDC as permissible by the GE Business unit. Traceability of such reuse/re-allocations shall be enabled

GE supplied asset usage shall be tracked, monitored and reported to GE as per the reporting requirements indicated by GE GDC Program Office

Minimum Audit Requirements Asset Inventory

Evidence of approval addendums for GE Supplied Assets (with exception of VPN Hard Tokens)

Evidence of extension approvals, external use approvals and surrenders

MSA Linkage Section 4.2, 4.5, 4.6

Related Practices Physical Security, Systems Management, Business Continuity Management, Supplier Connectivity, Vulnerabilities Management, GDC On-boarding/Off-boarding, Engagement Termination/Closure

eGDC Suite Linkage Hardware Assets Management

Software Assets Management

Online Resources Additional Guidelines for GE provided Software Licenses use, GE Software USE Guidelines


10.4 Software Governance (ELEMENTARY)

POLICY

GDCs shall only use authorized software to service all GE engagements.

The purpose of this Practice is to enforce Software governance compliance in GDCs to prevent any legal risks to GE due to improper and unauthorized use of software

GOALS

0 incidents of Software license usage agreement violation for all software

0 instances of freeware/shareware/trial-ware/opensource embedded in any product/application delivery to GE

0 instances of any un-authorized software installation and usage

RESPONSIBILITIES

As the primary owner of this Practice, GDC’s are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

SG 1.0 Establish & manage software installation & usage

SG 2.0 Establish & maintain process for no-cost, low cost software installation use across GE GDC organization (inclusive of use in GE deliverables)

SG 3.0 Restrict software that can pose risk to GE or GEGDC environment

As a co-owner of this Practice, GE Businesses are responsible for ensuring that freeware/shareware/open source is not recommended for installation / use in GDC environment or as a part of GE deliverables. The specific responsibilities are:

SG 4.0 Be aware of GE Software USE Guidelines and adhere to GE Guidelines on GDC USE of third party software licensed to GE

SG 5.0 Validate and verify with Software Governance Council on appropriate USE of no-cost, low-cost software in GE applications/software


OPERATING GUIDELINES

SG 1.0 Establish & manage software installation process

Software used in GE engagements shall be either procured by GDC organization or formally approved by GE.

Download and installation of software shall be disabled by default. In case of an exception, GDC information security leader shall approve request for download/installation

Software governance leader for the respective business shall authorize GE Proprietary software use

GDC coreload should be aligned with GE coreload. If the business has additional requirements in terms of coreload, those shall also be incorporated. In case of deviations from GE recommended coreload products, GE GDC Program security leader approval should be obtained

Approval for all non-Coreload software installations shall be time bound

GE GDC security leader shall monitor that personal software is used appropriately

SG 2.0 Establish & maintain process for no-cost, low cost software installation use across GE GDC organization (inclusive of use in GE deliverables)

Freeware/shareware/spyware/trial-ware/open source shall not be embedded in any product/application delivery to GE. In case of exceptions, GE Business security leader approval shall be obtained and all such use declared to GE GDC Program, for tracking purposes

Any use of Open source / freeware/ shareware software in the GE GDC environment shall be permitted only if such a software has been formally evaluated, security assessed and approved for USE (on a periodic basis) by GDC Security Leader and GDC legal team.

GDC shall ensure that all such low cost, no cost software approved for use in GE GDC environment are re-assessed for potential security vulnerabilities and licensing, on a periodic basis (at least once in 6 months)

In the event that use of such software is required to be discontinued, GDC shall ensure that use of such software is dis-continued and existing installations of such software are removed totally

OPERATING GUIDELINES


GDC shall report all such software approved for use in GE GDC environment

SG 3.0 Restrict software that can pose risk to GE or GEGDC environment

Use or installation of any software that can cause risk to GE or GEGDC environment is prohibited. Examples of such software are listed below:

Spyware

Instant messaging or social networking software such as Yahoo, GTalk, MSN, etc.

Any tools that are designed to interfere with normal patching or management of your PC or circumvent technology controls in the GE environment.

Non-authorized PC remote control software

Peer-to-peer or other file sharing software

Skype or other voice-chat programs

Hacking tools (password crackers, web site "fuzzers," packet sniffers, etc.)

Use/installation of personal software (e.g. mobile, camera, iPods) in GE/GDC assets shall be done with approval of GEGDC security leader

Installation or use of unlicensed software or copyrighted material (e.g. MP3 files, videos, stock photography) is prohibited in GDC and in any product/application delivery to GE

Minimum Audit Requirements Inventory of Low cost, no cost software used in GE GDC environment

Evidence of assessment records (security and licensing) for such software use in GE GDC

Evidence of process adherence for use of low cost / no cost software in GE deliverables

MSA Linkage Section 4.7, 4.12

Related Practices Systems Management, Supplier Connectivity, Vulnerabilities Management, Secure Software Delivery, Data Classification, Confidentiality, Privacy & IP Management

eGDC Suite Linkage FOSS Repository


Embedded low cost, no cost software Projects Inventory *

Online Resources Software Use Guidelines


10.5 Business Divestiture Management (ELEMENTARY)

Operations associated with a divested business shall be fully and formally separated from GE GDC within the timeframe approved by GE. Such a separation shall lead to the divested business being treated as a non-GE entity

The purpose of this Practice is to ensure that appropriate controls are designed and deployed to enable a divested business to be formally separated while ensuring protection of GE networks, IP and assets from potential non-GE access

Separation of divested business shall be completed on time, as per plan agreed with GE

No IP, information or physical assets belonging to the divested business shall be retained in GE GDC, beyond what is contractually required from a retention perspective

No IP, information or physical assets belonging to GE shall be provided to the divested businesses beyond what is formally approved by GE

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

BDM 1.0 Plan, implement and track the separation of the divested business from GE GDC

As a co-owner of this Practice, GE Businesses are responsible for the flow of communication to ensure smooth separation of the divested business from GE GDC

BDM 2.0 Provide advance notification to GE GDC Program Office and GDC to ensure adequate time for divestiture based separation planning and timely execution

BDM 3.0 Collaborate with GDC Program Office to ensure that the separation is done in compliance to the Divestiture Agreement between GE and the Divested business

POLICY

GOALS

RESPONSIBILITIES


BDM 1.0 Plan, implement and track the separation of the divested businesses

On receipt of communication from GDC Program Office/GE Business VMO, GDC shall respond to GE GDC Program Office with a high level plan for the separation of the divested business from GE GDC

The high level plan shall at a minimum include the dates for Sign-off by GE Business VMO and the Divested Business on the plan for separation, the transition start and end dates

GDC shall ensure that a detailed transition plan is submitted to GE GDC Program Office at least a month prior to the transition commencement. The detailed plan shall cover physical separation, network separation, information separation and reporting isolation

GDC shall review the information separation plan with the GE Business VMO leader and obtain sign-off on the same

GDC shall update GE GDC Program Office on the progress of the transition through the transition phase

On completion of the transition, GDC shall submit a detailed report on the separation as per the Divestiture guidelines

Minimum Audit Requirements Evidence of separation planning and communication with GE GDC Program Office

Evidence of approval from GE Business VMO Leader on Information separation for the divested business

Evidence of separation report submission

MSA Linkage Not Applicable

Related Practices Physical Security, Systems Management, Business Continuity Management, Supplier Connectivity, Engagement Termination/Closure, Data Classification, Confidentiality, Privacy & IP Management. Assets Governance

eGDC Suite Linkage Business Divestiture Planning & Reporting

OPERATING GUIDELINES


Online Resources Additional Guidelines for Divestiture Planning

10.6 No PO, No WORK (ELEMENTARY)

Commencing work engagements (new/renewed/extended/change request) without receipt of a valid PO (hard/soft copy of the actual Purchase Order document) is not permitted.

The purpose of this Practice is to ensure that appropriate controls are designed and deployed at GDC Organization to ensure that engagements are commenced with a valid PO

0 cases of new projects being commenced without a PO

0 cases of renewals being worked on without a PO for more than 30 calendar days

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

NPW 1.0 Establish PO Management process

As a co-owner of this Practice, GE Businesses are responsible for ensuring that no work is initiated without a valid PO

NPW 2.0 Ensure that PO process is completed and PO shared with GDC before new engagements are commenced or

NPW 3.0 Ensure that PO process is completed and PO shared with GDC within 30 days of the previous PO expiry in case of renewals, extensions and change orders

POLICY

GOALS

RESPONSIBILITIES


NPW 1.0 Establish PO Management process

GDC shall ensure that any work undertaken by them for GE shall be done on the basis of a valid PO

No new project can be initiated without a valid PO

In case of renewals, work can be continued on the engagement for a maximum period of 30 calendar days after the expiry of the PO

In case of businesses that provide short cycle POs under a long term SOW, GDC shall collaborate with the business to ensure that early alerts are set up and POs generated to avoid the risk of operating without a valid PO

Any requests by GE Managers for continuing on projects without a valid PO shall be escalated to the Global Business VMO. Such work cannot be undertaken unless otherwise approved by the Global CIO or the Global Business VMO Leader, on an exception basis

GDC shall ensure that change requests that impact the effort/schedule of a project beyond the original contracted value/period are formalized

GDC shall report to the GDC Program Office all work undertaken without a PO, irrespective of whether an exceptional approval had been obtained or not

Minimum Audit Requirements Evidence of PO being received before a new project is commenced

Evidence of PO being received within 30 days of contract expiry, in case of a project being renewed

Evidence of exception approval from GE Business VMO Leader for projects that need to be initiated/continued without a valid PO

Evidence of reporting work carried out without a valid PO, to GE GDC Program Office

MSA Linkage Section 2.7

Related Practices GDC On-boarding/Off-boarding, Contractual Performance Reporting

OPERATING GUIDELINES


eGDC Suite Linkage eMeasure

Online Resources Not Applicable

10.7 Invoice & Outstanding Management (ELEMENTARY)

GDC shall manage their invoicing and collections process in a manner that there are no invoices outstanding beyond 150 days

The purpose of this practice is to ensure that GDCs manage their process for invoicing and outstanding collections so as to minimize invoicing errors and outstanding beyond 150 days

0 invoices rejected by GE Business due to invoicing errors

0 invoices outstanding beyond 150 days

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

IOM 1.0 Establish and maintain robust process to proactively manage Invoicing & Collections tracking

As a co-owner of this Practice, GE Businesses are responsible for ensuring that invoices are verified for completeness and paid in a timely manner. The specific responsibilities of GE are:

IOM 2.0 Ensure that Invoices are verified for accuracy and acknowledged on time

IOM 3.0 Ensure that Invoices are paid within the 120 day payment terms (or) if on TPS, with the early payment agreement term with GDC

POLICY

GOALS

RESPONSIBILITIES


IOM 1.0 Establish and maintain robust process to proactively manage Invoicing & Collections tracking

GDC shall ensure that invoices are raised in a timely manner as per the payment schedules agreed with the business

Invoices shall be checked for completeness and accuracy

Invoices shall be sent to appropriate stakeholder as per the GE Business defined process

GDC shall track invoice acknowledgement and escalate to the GE Business VMO Leader on those invoices which have not been acknowledged within the defined threshold time for a business

Where invoices are not acknowledged due to conflict, GDC shall ensure that the same is documented and taken up for resolution. Such invoices shall be identifiable

GDC shall ensure that invoices that are agreed to be paid through the Early Payment discount term, are clearly marked so and are traceable as such

GDC shall ensure that invoices that are to be paid through service credits (either fully or partly), clearly identify the service credit amount and the associated redemption identification number on the invoice.

GDC shall ensure that payments are tracked and reconciled with invoices. Where payments are made for specific invoices, GDC shall adjust the payment amount to the invoice amount of the specified invoice only. Where a payment is made without any reference to an invoice, GDC shall collaborate with the GE Business VMO Leader for the reconciliation

GDC shall collaborate with GE Business VMO Leader for invoices that are not cleared beyond the 120 days payment terms

Minimum Audit Requirements Invoice Acknowledgement & Payment reconciliation

Service Credit redemption identification mapping to Invoice

MSA Linkage

OPERATING GUIDELINES


Appendix A-1

Related Practices Contractual Performance Reporting

eGDC Suite Linkage EMeasure, eInvoice

Online Resources Not Applicable


10.8 Business Continuity Management (MATURE)

Actionable Business Continuity Plan and Disaster Recovery Plan shall be maintained at the GE GDC level as well as at the application level for each GDC location, to ensure continuity of services to GE.

The purpose of this Practice is to identify risks that can impact service continuity to GE and have effective disaster recovery plans to maintain the continuous operation of a business/service in the event of an emergency/contingency situation.

0 impact on project delivery or service levels due to unpreparedness of GDC to react to and handle an emergency/contingency situation or incident that may potentially impact business continuity on GE engagements

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

BCM 1.0 Publish & Maintain up-to-date standards for Site-specific recovery

BCM 2.0 Ensure validity and adequacy of DR Site for each of the GDC Sites and publish the same

BCM 3.0 Establish & maintain effective Business continuity & Disaster recovery plans that are current and complete

BCM 3.1 Understand criticality of application being supported/project being delivered and establish & maintain Project specific BC/DR Plan

BCM 4.0 Execute appropriate drills to assess effectiveness of plans and treat risks identified

POLICY

GOALS

RESPONSIBILITIES


BCM 4.1 Execute appropriate drills to assess effectiveness of project level plan and treat risks identified

As a co-owner of this Practice, GE Businesses are responsible for ensuring that they understand the criticality of GDC preparedness to provide continuous operations in case of emergencies. The specific responsibilities of GE are:

BCM 5.0 Be aware of GDC Site constraints and GDC BC/DR capabilities and state explicitly BC/DR requirements for critical/high impact applications & projects

BCM 6.0 Ensure appropriate RTO/RPO definition and monitor the effectiveness of the drills and potential risks for your engagement

BCM 1.0 Publish and maintain up-to-date standards for site recovery

GDC shall define, for each of its certified GE GDC Sites, the standard operations recovery SLAs that assure continuity of operations after an incident/disaster that impacts the continuity of operations at the site

SLAs shall be defined for start of critical services and normal operations

GDC shall clearly define the default set of critical services that shall qualify as "Critical Services"

GDC shall publish these standards to GE through the GDC Toolset and also ensure that the standard SLAs for recovery are a part of its responses to RFPs from GE

BCM 2.0 Ensure validity and adequacy of DR Site for each of the GDC Sites and publish the same

GDC shall define the DR Sites applicable for each of its certified GE GDC Sites

A regular site with > 100 FTE shall maintain at a minimum, an intra city and an inter-city DR Site

A small site or a regular site with < 100 FTE shall maintain at a minimum, an intra city or inter-city DR Site

A GDC with more than 500 FTE shall maintain a country DR Site

OPERATING GUIDELINES


A GDC may choose to maintain multiple DR Sites for a specific site

A DR Site shall at a minimum be 25 km away from the candidate site

A Site named as a DR Site shall by default be a certified GE GDC Site belonging to the GDC or to a partner in the GE GDC Program

In cases where certified sites are not available to be considered as DR Sites, GDC shall propose to GE GDC Program Office, an alternate secure arrangement for a DR Site. On exception approval, such proposals may be implemented by GDC

Where a GDC partner’s site is identified as a DR Site, GDC shall ensure that the DR requirements are identified and agreed upon and a formal contract is signed with the GDC Partner

GDC shall review on a periodic basis (at a minimum once in 3 months) the adequacy of the DR Sites and the capacity at the DR Sites, based on the nature of GE engagements and the SLAs with GE Businesses on specific engagements

GDC shall ensure validity of DR Site contract, where the DR Site belongs to a GDC Partner

GDC shall publish to GE the DR sites relevant to each of its Certified GDC Site and also ensure that the data published to GE is current and up-to-date

BCM 3.0 Establish & maintain effective Business continuity & Disaster recovery plans that are current and complete

GDC shall maintain actionable Business Continuity Plan and Disaster Recovery Plan across different levels including Organization, Country, site and engagement

The GE GDC BCP/DRP shall at the minimum meet requirements stated in the GE GDC Guidelines and include application level BC/DR plans

Business Continuity expectations at the individual application level shall be captured explicitly from GE Businesses. This shall be in the form of clearly defined Recovery Time Objectives (RTO), Recovery Point Objective (RPO) and Emergency SLAs.

Infrastructure and resources required towards offsite adequacy and readiness, command center, maps, emergency exits, posters, safe area, Crisis Management Team (CMT), and emergency telephone numbers shall be provided

GDC shall ensure identification of critical resources at project level – this shall be done in collaboration with the businesses


A well defined and updated crisis notification protocol shall be set up including stakeholders from GE, GDC and local authorities

Detailed Backup and Recovery Procedures shall be maintained at secure offsite locations

Periodic Backup of all data related to conduct of work (assigned by GE) must be carried out in compliance with GE Procedures (where specified) and as per Industry standard (where not explicitly specified by GE)

Backups shall be available at more than one offsite location, in alignment with the DR strategy to ensure availability

The off-site location shall be accessible 24x7 to facilitate disaster recovery

High availability / Multiple sources of retrieval of the following shall be maintained at offsite:

SOPs for various crises

Inventory of the projects along with the project specific BC/DR Plan

Application-specific BC/DR plans must be drawn in collaboration with GE Businesses (100% coverage of work being executed at GDC Site)

BC/DR Plans (Program level and Application-specific) must be available on the Support Central Site with access to specific GE Businesses and GE GDC Program Office

Plan must be reviewed for current applicability, on a monthly basis

BCM 4.0 Execute appropriate drills to assess effectiveness of plans and treat risks identified

GDC shall perform different types of tests, inclusive of table top and cold tests, to assess their preparedness for Business Continuity in the wake of disasters

Evacuation drills for every site shall be performed at a minimum frequency of once every rolling three months

Evacuation drills shall include all types of scenarios and crisis levels

GDC shall assess potential failure points in their plan/preparedness to provide business continuity, within the expected SLA period

Application level BCP/DR shall be tested at a frequency as agreed with business. Effectiveness should be measured against agreed RTO, RPO and other SLAs.


Adequacy of BC/DR shall be validated at every GDC Site (at the minimum once in 3 months) for completeness of planning, feasibility, reliability, consistency of execution – continuity, recovery

Simulations (Validation Tests) must ensure a coverage of minimum 90% of GE GDC Resources and at the minimum of 85% applications (all Mission-Critical applications must be covered)

GDC shall report to GE the results of all BC/DR tests (site and application level tests)

Minimum Audit Requirements Site BC/DR Plans, Application BC/DR Plans

Test/Drill Reports inclusive of Backup Performance & Retrieval

BC/DR Effectiveness Review records

Availability of BC/DR Plan on GE KM Repository

Reporting of BC/DR tests/drills to GE

Standard BC/DR SLAs being published to GE

DR Sites information being published to GE

Backup Process, Storage

MSA Linkage Sections 2.4, 2.18, 4.26, 4.27

Related Practices Physical Security & Safety Practices, Assets Governance, GDC Resource

eGDC Suite Linkage eMeasure, eGDC Toolset (Site Information, BC/DR Plan, Drill Reports)

Online Resources BC/DR Guidelines, GE GDC BC/DR Sample Template, Application BC/DR Template


10.9 Engagement Closure / Termination Management (ELEMENTARY)

GDC shall ensure appropriate treatment of GE Assets (Information, Access, Software & Hardware) in case of termination/closure of engagements. Retain contractual data for 7 years after termination of contract

The purpose of this Practice is to ensure that GE assets related to the contract being terminated/closed are treated as per GE guidelines/agreement with the concerned GE Business

0 contract violations on treatment of GE assets

As the primary owner of this Practice, GDCs are responsible for ensuring that appropriate procedures and controls are implemented to meet the goals of this Practice. The specific responsibilities are:

ETM 1.0 Manage Engagement Closure/Termination (includes Project level, Business Level or at GDC Program Level)

ETM 2.0 Manage Contractual Data Retention for GE Audit Purpose

As a co-owner of this Practice, GE Businesses are responsible for ensuring that critical assets that are accessed/in custody of GDC are identified and special treatment requirements (if any) are agreed upon, in a formal manner

ETM 3.0 Set expectations on USE and treatment of GE Assets for every engagement

ETM 4.0 Where IP or critical/sensitive information exists as a part of an engagement, verify/audit the GDC treatment of GE Assets on termination/closure

POLICY

GOALS

RESPONSIBILITIES


ETM 1.0 Manage Engagement Closure/Termination

Closure/Termination may occur at project, business or GE MSA level

On closure of one or more engagements, GDC shall ensure that

Resource off-boarding process is followed as per the guidelines associated with GDC resource off-boarding

If there are project /engagement specific documents that have been maintained (like Assignment of Rights or Non-Disclosure Agreements), such documents shall be transferred to an exclusive GE archive that is easily accessible

GE assets (information & physical) associated with the engagement(s) are surrendered/returned to GE. Information assets belonging to GE shall be moved to the GE Knowledge Gateway

If there are engagement specific GE Folders/Libraries maintained by the GDC, all such Folders/Libraries shall be transferred to the GE Business VMO leader

No GE asset shall be retained with the GDC, unless otherwise explicitly approved by GE GDC Program Office or the GE Business VMO Leader

All references (related to the engagements) on the GDC Intranet/Internet site are removed (even though the postings may have been approved by GE GDC Program Office)

The desktops and laptops used in servicing the engagement shall be formatted before they are released to other parts of GDC or to the Parent organization for reuse

If closure of one or more engagements results in a certified site becoming redundant, GDC shall ensure that appropriate actions are taken towards site de-commission, in close collaboration with GE GDC Program Office

Sign-off is obtained from the GE Business VMO Leader on the proper closure/termination of the Project/Business specific engagements

OPERATING GUIDELINES


On termination of MSA, GDC shall ensure that they work closely with the GE GDC Program Office to complete the engagement(s) specific closure activities. In addition, GDC shall ensure that

Resource BGC, On-boarding data, Off-Boarding data, Contractual documents, Project financials, invoices, GE payment receipts are archived and maintained for a minimum period of 7 years from the date of termination of contract/MSA

GE software assets (like Sophos, WebEx Connect/Sametime) that are provided to the GDC as a part of their special status with GE are uninstalled from all the machines and are surrendered to GE. Evidence of such uninstallations shall be maintained.

GE Network access (as a Trusted Third Party) is discontinued

In cases where the GDC would continue to operate as a third party supplier to the business, GDC shall ensure that the network connectivity is reviewed with the concerned business and GE GDC Program Office to ensure that the connectivity is appropriate to the nature of engagement and level of Governance

Certified sites shall be de-commissioned, unless otherwise approved by GE GDC Program Office to continue operations from a certified site given the continuity of engagements as a Business specific third party supplier

Program Office sponsored SSO IDs and access shall be surrendered; business sponsored SSO IDs shall be surrendered. In case the GDC is required to continue on Business specific engagements as a Business third party supplier, a fresh set of SSO IDs would need to be obtained from the concerned business for all resources required to work on the business engagements

Any references (in the GDC organization’s Intranet/Internet sites) to GE as a customer or the organization being a preferred supplier (GDC) to GE shall be removed

The termination activities completion sign-off is obtained from GE GDC Program Office

ETM 2.0 Manage Contractual Data Retention for Audits

GDC shall ensure that all contractual data inclusive of Resource on-boarding information, off-boarding information, contractual acknowledgement documents (AUG, SIA, Spirit & Letter integrity document, Assignment of Rights), Project financials (eMeasure data loads, SOWs, POs, Invoices, Payment Receipts) are maintained for a period of 7 years from the date of termination of contract (inclusive of closure of engagement level contract)

In case of T&M engagements, the resource timesheet records shall be maintained for a period of 3 years from the completion of the engagement

GDC shall maintain such contractual data as a GE RESTRICTED archive with access to named individuals

GE may choose to audit a GDC on a closed/terminated contract at any point within the 7 year period

Minimum Audit Requirements Evidence of GE Assets surrender and clean-up of GDC systems

Backup Storage

GDC intranet/internet sites

MSA Linkage Sections 2.4, 2.18, 4.26, 4.27

Related Practices Communications & Infrastructure Management, Physical Security & Safety, Data Security, GDC Resource On-boarding & Off-boarding, Non-Solicitation, Communications & Media Management, SSO id Governance, Site Management

eGDC Suite Linkage eMeasure, eGDC Toolset (Site De-commission, Contract Termination*)

Online Resources GDC Termination Checklist


11.0 APPENDIX

11.1 Reporting

Contractual and Operations performance Reporting has now become a part of the eGDC Toolset (GDC Operations Portal) and is therefore not necessarily a monthly reporting exercise but more of a regular discipline of keeping all operational data current. However, there are a few reports that are in the process of being transitioned to eGDC Toolset and would therefore continue to be reported manually, until further notifications.

The below list provides a view of the data that would be reported through eGDC Toolset and those that would continue on manual mode


All manual Reports shall be delivered by the 10th of every month to GE GDC Program Office, and the online event based updates are to be submitted to the tool as and when an event occurs. GDCs shall be responsible for the completeness and correctness of the data reported in the prescribed format.

Online Resources GDC Reporting Requirements

11.2 GE Coreload

All systems on the GE GDC Network are required to be compliant to the GE Coreload requirements on Hardware, General OS and Certified Software. If there are Business specific coreload requirements, GDC shall ensure that such requirements are adhered to

Online Resources GE Standard Coreload

11.3 Additional Scope for External Audits

In order to complete the assessment of the GDC Operating environment, the following additional areas are being included into the scope of the Annual External Audits. The findings from these areas shall not be included for Maturity assessment of the GDC practices

Corporate Governance

Delivery Management

Software Quality Management

Service Quality Management (for RIM, BPO and Engineering Services)

Process Management (Service specific process areas)