IT Operations Policy IT 0400 21 Oct 2011 rev 6

Policy Number: IT0400     Revision: 6.0
Effective Date: 23 June 2008
Last Reviewed: 21 Oct 2011

OPERATIONS POLICY


1.     PURPOSE AND SCOPE
2.     IT OPERATIONS POLICY MANAGEMENT
3.     IT OPERATIONS BACKUP PRACTICES
4.     APPLICATION DEVELOPMENT
5.     DISASTER RECOVERY
6.     HELP DESK
     6.1   Detection of Errors in Systems and Applications
     6.2   Transaction Processing Monitoring








1.    PURPOSE AND SCOPE

To document IT Operations within the overall IT structure at AtriCure in relationship to
the Sarbanes-Oxley compliant systems.

The systems and applications addressed in this document are those that are considered
to be covered by the Sarbanes-Oxley Act (see the Security Narrative).



2.    IT OPERATIONS POLICY MANAGEMENT

This document is considered the IT Operations Policy and is the corporate policy used
to address modification to AtriCure IT systems and applications by employees, vendors,
and contractors. It is approved by IT Management and reviewed for appropriateness at
least on an annual basis. The policies are updated as needed, and the changes must
be approved by management prior to being placed into production. This and other
policies and procedures are provided to all members of the IT department through its
Intranet site, and email, when changes and revisions are made (IT 4-1-1 and IT-4-2-1).



3.    IT OPERATIONS BACKUP PRACTICES

This policy documents formal IT Operations management procedures that are in place
to address all in-scope network, hardware, and applications. A schedule has been
formally documented for regularly backing up computer files, including master files,
transaction files, application programs, systems software and database software.
Backups are completed on a daily, weekly and monthly basis, as detailed below.

      a.      Daily – Differential backups will be performed Monday through
      Thursday night; the only exception to the daily backup schedule is if the
      month end backup falls on one of those days. The tapes will remain
      onsite.

      b.     Weekly – Full backup of all server systems will be performed Friday
      night. The backup tapes will then be taken offsite the following business
      day. The weekly backup will be retained for a minimum of four or five
      weeks.



      c.     Month End – Financial and FDA regulated data will be fully backed
      up at the end of the month. At completion of the month end backup the
      tapes will be stored offsite for their mandated seven (7) year retention
      period (IT 4-3-1).

Logging of Backup Procedures is as follows:

      1.1    Backup jobs are scheduled using the Backup Exec software.

      If a backup job schedule must be changed, this is documented within the
      Backup Log, and must indicate the new schedule, the reason for the
      change, the staff member who made the change, and the appropriate
      approval by IT Management.

      1.2    Backup jobs are run at their scheduled time.

      1.3   Backup jobs are then checked the following business day for
      completion.

      If a backup job fails or is incomplete, this information is sent to specified IT
      staff via email. The results of backup jobs are checked for completion the
      following business day by one assigned IT staff member. The results of
      the backup job are noted in a log; in the case of a failed or incomplete job,
      the log must document the incident and resolution and IT management is
      notified.

      1.4   On the following business day after the month end or weekly
      backup jobs the backup tapes are to be removed from the tape library and
      taken offsite for storage (IT 4-3-2).

      A quarterly tape audit is conducted to ensure completeness and integrity
      of backups and a log of this is maintained by the IT Department Manager
      (IT 4-3-3).

Off-site backup tape storage practices are as follows:

AtriCure stores tape media at an off-site location that is protected by environmental and
physical access controls. On-site environmental and physical access controls are in
place to safeguard tape media. On the first business day of the week, unless
circumstances have occurred that move this to another day of the week, which will be
documented as to why, an IT staff member retrieves the backup tapes from the off-site
data center. When the backup tapes are removed from the tape library and taken
offsite for retention, they are transported in a fireproof box by an IT staff member. The
tapes must be transferred to the retention site within the same business day they were
prepared for transport, unless other arrangements have been made, which are
documented. The backup tapes are not left in the transporting vehicle for any reason, as
extreme temperatures could cause permanent damage to the tapes. The off-site
backup tape storage provider, Cintas, comes to pick up and drops off next week's tapes.
Documentation signed by both AtriCure and Cintas is retained, verifying the backup
tape barcode numbers for tapes being sent off-site and tapes that are received
(IT 4-4-1). Tapes are sent off-site for a period of four to five weeks, one year for monthly
backups, and for a period of seven years for annual backups. AtriCure personnel have
24/7 access to Cintas backup tapes.

Only the IT Director, IT Department Manager, and the System Administrator have the
authority to recall or initiate a tape recall from the off-site backup tape vendor. File
restores and tapes are only recalled during an emergency or similar situation that
warrants a recall (IT 4-4-2).

Backup Data Retention Policy:


       1.6    Weekly
              Tapes are part of the Media Set Rotation (Media Set 1 – 5). Tapes
       are to be removed from the tape library and taken offsite for a retention
       time of at least four (4) to five (5) weeks.

       1.7    Monthly
              Tapes are to be labeled with the month and year of the month end
       backup job and are to be removed from the tape library and taken offsite for a
       retention time of at least seven (7) years per regulatory guidelines
       (IT 4-5-1).


4.     APPLICATION DEVELOPMENT

New application systems are acquired and developed with management’s approval of
all decisions to purchase or develop application systems in order to ensure that such
purchases and developments are consistent with the organization’s systems plans and
strategies as defined by management (IT 4-10-1).

Management approves the results of the conversion of data (e.g., balancing and
reconciliation activities) from the old application system or data structure to the new,
and monitors that the conversion is performed in accordance with established
conversion policies and procedures (IT 4-10-2).






5.     DISASTER RECOVERY

SP DCN 627 Disaster Recovery documents the process for preparing for and
recovering from a disaster that may incapacitate the computing services in varying
levels of severity. The document provides for the testing of the disaster recovery plan
(IT 4-6-1). Two Disaster Recovery kits are maintained. One kit is located at the off-site
storage facility while the second kit is located on the AtriCure campus (IT-4-6-2). All of
the servers at the off-site data center are connected to a battery-powered UPS system
and a diesel generator to maintain power during periodic power interruptions (IT-4-6-3).


6.     HELP DESK
6.1    Detection of Errors in Systems and Applications

End users are responsible for reporting issues to IT. End users notify IT for application
issues. Logs are used to assist in problem resolution. Problem resolution will be
captured in the Computer Event Log and/or the Help Desk software. Where and if
resolutions are documented will be determined by IT based on the complexity of the
issue and the resolution.

In general, upon detection of a problem with a computer system, application or data, the
user reports the problem to the IT Help Desk. The Help Desk may receive trouble
reports via e-mail, phone or in person requests. The trouble reports are documented
within Help Desk software, including resolution when applicable.

Once a significant issue has been resolved, it is documented in the appropriate
computer event log and/or Help Desk software.

IT has turned logging on for critical functions. Log files are sized to allow IT to review
data on a monthly basis or when users report problems.


6.2    Transaction Processing Monitoring

Most computer operations have been pushed to the user community. There are limited
IT General Controls around operations. The only batch processing that is conducted is
through the backup jobs, which are run on a nightly basis through the Backup Exec
application.







Revision History:


 Revision   Date         Description of changes                        Approved By
 001        8/13/07      Initial Release                               R. Hagedorn
 002        9/25/07      Change IT Manager to IT Department            R. Hagedorn
                         Manager
 003        9/27/07      Modified Revision History Heading             R. Hagedorn
 004        6/23/08      Annual Review no change                       R. Hagedorn
 005        9/13/08      Minor changes to Off-site backup              R. Hagedorn
                         tape storage practices on pg 3.
                         Corrected the tape audit from semi-annual
                         to quarterly which is also on pg .
 006        7/7/09       Annual Review. No changes made,               R. Sharp
                         except modified date on above entry
                         to reflect correct year.
 006        7/6/10       Annual Review
 006        10/21/2011   Annual Review



