Doc. No.

:SOP-001169
Version: 01

IT Operations

Date: Signature:

Author:

Checked:

Released:

SOP-001169 IT Operations Page 1 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

Contents
IT Operations ..........................................................................................................................1

IT Operations.......................................................................................................................... 2

1.Aim and Purpose...................................................................................................................3

2.Scope.................................................................................................................................... 3

3.Responsibilities.....................................................................................................................3

4.Definitions/Abbreviations.....................................................................................................3
4.1Service............................................................................................................................3
4.2System............................................................................................................................4
4.3Protection Objectives.........................................................................................................4
4.3.1Confidentiality................................................................................................................4
4.3.2Availability....................................................................................................................4
4.3.3Integrity.......................................................................................................................4
4.3.4NoTraceability................................................................................................................5
4.3.5GxP Criticality................................................................................................................5
4.3.61st Level Support...........................................................................................................5
4.3.72nd Level Support..........................................................................................................5
4.3.83rd Level Support...........................................................................................................5
4.4Service Times...................................................................................................................5
4.4.1Office Hours..................................................................................................................5
4.4.2Extended Office Hours.....................................................................................................5
4.4.3Service Hours................................................................................................................5
4.5Operational Level..............................................................................................................5

5.Description........................................................................................................................... 6
5.1Workflow – IT Operations...................................................................................................6
5.2Detailed Description of the Process Steps..............................................................................7
5.2.1Risk Assessment............................................................................................................7
5.2.2Definition of Operational Level..........................................................................................7
5.2.3Service Description.........................................................................................................7
5.2.4Numbering and Archiving Documents................................................................................8
5.3Definition of Operational Levels...........................................................................................9
5.3.1Operating Times...........................................................................................................11

IT Operations ..........................................................................................................................9

6.Associated Relevant Documents..........................................................................................12

IT Operations ........................................................................................................................12
6.1Forms............................................................................................................................12
6.2Lists..............................................................................................................................12
6.3Check Lists.....................................................................................................................12

SOP-001169 IT Operations Page 2 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations
6.4Other.............................................................................................................................12

7.Record of Changes..............................................................................................................12

8.Factors Determining Success..............................................................................................12

SOP-001169 IT Operations Page 3 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

1. Aim and Purpose

This SOP describes the basic requirements for operating IT services at Dishman. It aims to describe a
framework for mapping the life cycle of a Dishman IT service.
The following items are not part of this SOP and are described in special SOPs:
1. Planning and budgeting
2. Setup and installation of software (SOP-001166 Change Management in IT Chapter 5)
3. Change and configuration management in IT (SOP-001166 Change Management in IT)

Descriptions of systems and risk analyses of services and systems can contain security relevant data and
is thus kept in electronic and paper form accessible to personnel on a need-to-know basis only.

2. Scope

This SOP applies to all employees of Dishman and to external contracting parties entrusted with
developing, operating and maintaining IT services at Dishman.

3. Responsibilities

Process Owner Information Technology

Who What for

IT Maintenance and operation of systems

Creation of F-001953 (Risk Assessment)
Assigning operational level
Expert review of F-001954 (service description)
Distributing/archiving the originals of F-001953 and F-001954
IT security

System Owner/Service Owner Input on assigning operational level

Expert review of F-001953 (Risk Assessment)
Creation of F-001954 (Service Description)

QA Approving F-001953 and F-001954

SOP-001169 IT Operations Page 4 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

4. Definitions/Abbreviations

4.1 Service

A (productive) service is provided directly by Dishman’s IT department to internal customers (e.g. email
service, SAP, print service). A service is made up of several components that are referred to as a system.

4.2 System

A system refers to a combination of IT infrastructure components (hardware and software). A system is

not directly an IT service, as systems are not supplied directly to customers. Systems are used as an
infrastructure to perform and supply a service.

4.3 Protection Objectives

Protection Objectives are the four areas of data security

- Confidentiality
- Integrity
- Availability
- Traceability.

4.3.1 Confidentiality

Confidentiality means that only specifically authorized persons or departments have access to objects,
information or data.

4.3.2 Availability

Availability refers to ensuring services are available when they are required. This covers general
availability and also the time till data or information is accessible.

4.3.3 Integrity

Integrity refers to information being stored as they were recorded by authorized users at the moment of
recording it. No Traceability
Traceability is the aim of enabling data or information to be regarded as “valid”. Liability (in terms of
concluding a contract) and non-deniability (protection against subsequent denial of authorship) are to be
ensured in this regard in particular.

4.3.4 GxP Criticality

GxP criticality is covered by the protective goals traceability, integrity and availability.

4.3.5 1st Level Support

1st level support is the direct, first point of contact for the end user in the event of IT problems or other
necessary support.

SOP-001169 IT Operations Page 5 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations
4.3.6 2nd Level Support

Resolution of problems that cannot be remedied by 1st level support is delegated by 1st level support to
2nd level support.

4.3.7 3rd Level Support

Resolution of problems that cannot be remedied by 2nd level support is delegated by 2nd level support to
3rd level support. 3rd level support is n general an external expert who is involved as and where
necessary.

4.4 Service Times

Service times are the times during which a service must be available in line with the service level and in
which IT provides support on a best effort basis. Outside Service time IT can be approached but no
guarantee for support exist.

4.4.1 Office Hours

In general office hours run on weekdays from 9:30 a.m. to 6:00 p.m. . Weekend has no office hours in
the India entities.

4.4.2 Extended Office Hours

Extended office hours refers to the office hours of other sites , shift hours and public holidays that are
outside of office hours.

4.4.3 Service Hours

Service hours are hours on weekends and on India statutory holidays (including days between a statutory
holiday and the weekend). Planned maintenance work is generally performed during these times. Service
hours are from Saturday 7:00 PM. to Monday 9.00 AM

4.5 Operational Level

Operational level refers to the classification of a service into one of three different levels (gold, silver,
bronze  See Section Detailed Description of the Process Steps).

SOP-001169 IT Operations Page 6 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

5. Description

5.1 Workflow – IT Operations

Description Respon-
Flowchart
 Input Output  sible

Risk assessment for all classified IT

software in line with L-002258

 F-001953

Decision on assigning the IT

operational level (OL)

 F-001953

A service description is created for Service Owner

gold and silver services.

 F-001954

This describes the necessary

components to reach the defined
level.

SOP-001169 IT Operations Page 7 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

5.2 Detailed Description of the Process Steps

5.2.1 Risk Assessment

Form F-001953 (Risk Assessment) is completed by IT to assess the criticality of a service or other IT-
related items and assign the appropriate operational level. Depending on the complexity of the service,
further risk assessments/risk analyses can be performed.
As well as identifying risks, any countermeasures are to be defined as part of the risk assessment.
A risk assessment is performed for software in classes 3 to 5 in line with the software classification.
Software is allocated to services in the software list (see L-002258 (Overview Critical Software)).
Form F-001953 is subsequently released by QA.
The process of working through the countermeasures defined in F-001953 is tracked by IT. Completion of
measures or a reference to related documents is to be documented in F-001953 by IT.

5.2.2 Definition of Operational Level

The operational level for the service is defined by IT and documented in form F-001953. The assigned
operational level must meet the requirements defined as part of the risk assessment.

5.2.3 Service Description

The service is described in form F-001954 (Service Description).

The Service Owner is responsible for creating the service description. The Service Owner can delegate the
creation to other authorised parties. The Service Owner also defines the reviewers of the document.
Form F-001954 is used as an example for creating the document. Depending on the service, additional
sections can be added or omitted and additional related documents created.
Form F-001954 is released by QA subsequent to an appropriate review of all involved IT and business
users. A service description can contain security relevant data and is thus kept in electronic and paper
form accessible to personnel on a need-to-know basis only.

5.2.4 Numbering and Archiving Documents

F-001953 and F-001954 are numbered in line with the valid SOP for document numbering . If no
appropriate numbering can be assigned in line with this SOP, the following procedure is used: Each
completed F-001953/F-001954 is given a unique name in line with the SDXXX000 pattern (e.g. SD for
Description of Service, XXX stands – in general – for the department, I for IT, and a sequential number
for the area)
The originals of F-001953 and F-001954 are archived by IT in the relevant system logs.
On request, QA issues authorized copies – in consultation with IT – and manages the authorized copies in
line with specifications from

SOP-001169 IT Operations Page 8 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

5.3 Definition of Operational Levels

Action Gold Silver Bronze

Availability Availability during office hours: 99.5% Availability during office hours: 99% Availability during office hours: 95%

Availability during non-office hours: 98% Availability during non-office hours: 95% Availability during non-office hours: 90%
Maintenance Planned changes/maintenance are carried Planned changes/maintenance are carried Planned changes/maintenance are carried out
out during service hours with prior notice. out during service hours. during service hours and non-office hours.

Planned changes/maintenance are carried Planned changes/maintenance are carried out

out during non-office hours with prior notice. during office hours with prior notice.
Service description Required Required Only required for software in classes 3 to 5
Change management Changes are subject to the change Changes are subject to the change Changes are subject to the change management
management process (see SOP-001166) management process (see SOP-001166) process (see SOP-001166)
Backup Backup is performed in line with SOP- Backup is performed in line with SOP- Backup is performed as necessary in line with
001170. Additional requirements can be 001170. Additional requirements can be SOP-001170.
defined in F-001954. defined in F-001954.

SOP-001169 IT Operations Page 9 of 12

Doc. No.:SOP-001169
Version: 01
Action
Technical redundancy
Administrative redundancy
Disaster recovery
Business continuity plan (BCP)
SOP-001169 IT Operations
IT Operations
Gold
The technical infrastructure
has a redundant design to
ensure uptimes.
No single point of failure for
administrators.
Training for all
administrators. Description
of general activities in
documents (e.g.
instructions).
A recovery plan is created to
ensure downtime is
minimized in an emergency.
A BCP must be available to
enable commercial activities
to continue in an
emergency.
Silver Bronze
Individual components can be designed with None available
redundancy built in to ensure uptimes.
Description of general activities in No measures
documents (e.g. instructions).
A recovery plan can be created to ensure No measures
downtime is minimized in an emergency.
A BCP must be available for services with No measures
high or maximum availability to enable
commercial activities to continue in an
emergency.
Page 10 of 12
Doc. No.:SOP-001169
Version: 01

IT Operations

5.3.1 Operating Times

The table below shows the office hours. The information is based on IST (Indian Standard Time)

Office hours
Extended office hours
Service hours

Day\time 12
1 2 3 5 6 7 8 9 11 12 1 2 3 4 5 6 7 8 9 10 11
midn 10 a.m.
a.m. a.m. a.m. a.m. a.m. a.m. a.m. a.m. a.m. noon p.m. p.m. p.m. p.m. p.m. p.m. p.m. p.m. p.m. p.m. p.m.
ight

Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
Sunday

SOP-001169 IT Operations Page 11 of 12

Doc. No.:SOP-001169
Version: 01

IT Operations

6. Associated Relevant Documents

6.1 Forms

F-001953 (Risk Assessment)

F-001954 (Service Description)

6.2 Lists

- L-002258 (Overview Critical Software)

6.3 Check Lists

None

6.4 Other

7. Record of Changes

Version / date Items changed Change Control

8. Factors Determining Success

KPI Description Interval

None --- ---

SOP-001169 IT Operations page 12 of 12