Kia Ict Mgt Policy
8/4/2019 Kia Ict Mgt Policy
1/43
1 | P a g e
Kenya Institute of
Administration
[Pick the date]
ICT Policy
-
Kenya Institute of Administration
ICT SECTION
ICT Policy
Table of Contents
Kenya Institute of Administration .... 1
ICT SECTION .... 2
ICT Policy .... 2
SECTION A .... 4
Software/Hardware Policy .... 4
  Minimum Requirements .... 7
  Vision .... 9
  Mission .... 9
SECTION B .... 10
Information Security Policy .... 10
  Violations .... 10
  Administration .... 10
  Contents .... 10
  Statement of responsibility .... 11
  M.I.S Head responsibilities .... 11
  Policy .... 12
  Acceptable use .... 13
  Unacceptable use .... 13
  Staff responsibilities .... 13
  B Email Policy .... 14
  M.I.S responsibilities .... 20
  Staff/Participant responsibilities .... 20
  D Passwords Standards policy .... 20
SECTION C .... 23
ICT Services and Systems Policy .... 23
SECTION D .... 26
Information Systems Security Policy .... 26
SECTION E .... 32
NETWORK / REMOTE ACCESS POLICY .... 32
  Acceptable Use .... 32
  Equipment and Tools .... 32
  Use of personal computers and equipment .... 33
  Violations and Penalties .... 33
SECTION F .... 34
ICT SUPPORT POLICY .... 34
SECTION G .... 35
Disaster Recovery and Data Backup Policy .... 35
SECTION H .... 37
Incident Response Policy .... 37
SECTION I .... 39
Misuse of Institution ICT Facilities .... 39
SECTION J .... 40
Disposal Policy for ICT Equipment .... 40
SECTION A
Software/Hardware Policy
Introduction
The presence of a standard policy regarding the use of software and hardware will:
(a) Enhance the uniform performance of the Management Information Systems (M.I.S) Section in
delivering, implementing, and maintaining software and hardware suitable to the business needs
of the Kenya Institute of Administration, as well as of the other auxiliary organizations to which
the M.I.S section provides service, and
(b) Define the duties and responsibilities of Institution Staff (and staff of other auxiliaries to
which the Institution provides services) who use the aforementioned software and hardware in
the performance of their job duties.
Acceptable use
This section defines what constitutes acceptable use of the Institution's electronic resources,
including software, hardware devices, and network systems. Hardware devices, software
programs, and network systems purchased and provided by the Institution are to be used only for
creating, researching, and processing Institution-related materials, and for other tasks necessary
for discharging one's employment duties. By using the Institution's hardware, software, and network
systems you assume personal responsibility for their appropriate use and agree to comply with this
policy and other applicable Institution policies, as well as national laws and regulations.
Violations
Violations may result in disciplinary action in accordance with Institution policy. Failure to observe
these guidelines may result in disciplinary action by the Institution depending upon the type and
severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence
of any repeated violation(s).
Administration
The M.I.S section head is responsible for the administration of this policy. This policy is a living
document and may be modified at any time on the advice of the M.I.S section head or the DDFA.
Contents
The topics covered in this document include:
Software Purchasing
Software Licensing
Software Standards
Software Installation
Hardware Purchasing
Hardware Standards
ICT Equipment Disposal
Software
All software acquired for or on behalf of the Institution, or developed by Institution Staff or contract
personnel on behalf of the Institution, is and at all times shall remain Institution property. All such
software must be used in compliance with applicable licenses, notices, contracts, and agreements.
Purchasing
All purchasing of Institution software shall be centralized within the M.I.S section to ensure that all
applications conform to corporate software standards and are purchased at the best possible price.
All requests for corporate software must be submitted, through a committee, to the M.I.S section
Head for approval. The request is then sent to the M.I.S section, which reviews the need for such
software and, if it determines that such software is needed, identifies the standard software that
best accommodates the request. The normal Institution purchasing procedure then takes place.
Licensing
Each Staff member is individually responsible for reading, understanding, and following all applicable
licenses, notices, contracts, and agreements for software that he or she uses or seeks to use on
Institution computers. If any Staff member needs help in interpreting the meaning or application of
any such licenses, notices, contracts and agreements, he/she will contact the M.I.S section for
assistance.
Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication
of copyrighted software, except for backup and archival purposes, may be a violation of law. In
addition to violating such laws, unauthorized duplication of software is a violation of the Institution's
Software/Hardware Policy. Only the head of department is authorized to duplicate software for
backup and archival purposes.
Software standards
The following list shows the standard suite of software installed on Institution computers (excluding
test computers) that is fully supported by the M.I.S Section:
Microsoft Windows XP 2000 / 2003 or higher
Microsoft Outlook 2003 / Outlook Express 2003
Microsoft Office 2003 (Word, Excel, PowerPoint, Access, Photo Editor 3.01, Publisher)
Microsoft Internet Explorer 6.0+
Microsoft Visual Studio 6.0 / .Net
Microsoft SQL Server 2000/2005 or higher
MySQL database community edition or higher
SPSS Ver 10,12,14 or higher
Oracle 9i/10g
Oracle Developer 6/2000
Symantec Antivirus Corporate Edition/McAfee
Adobe Acrobat Reader 5.0,6.0-8.0
WinZip 8.1
Media Player, Real Player One, QuickTime 5.0.2
Nero CD Burning
Where applicable, the following software will be installed on Institution computers:
Microsoft Visio
Microsoft Project 2002/2003
Publisher 2003-2007
Front Page
Dreamweaver/Fireworks/Flash
PageMaker/Photoshop/Adobe Premiere
Staff needing software other than the standard suite must request such software from the
M.I.S section. Each request will be considered on a case-by-case basis in conjunction with the
software-purchasing section of this policy.
Software Installation
The M.I.S section is exclusively responsible for installing and supporting all software on Institution
computers. These responsibilities extend to:
Office desktop computers
Institution laptop computers
Computer lab desktop computers
The M.I.S section relies on installation and support to provide software and hardware in good
operating condition to Participants and Staff so that they can best accomplish their tasks.
Hardware
All hardware devices acquired by the Institution or developed by it (through its own Staff or
through those hired by the Institution to develop the hardware devices) are and at all times shall
remain Institution property. All such hardware devices must be used in compliance with applicable
licenses, notices, contracts, and agreements.
Purchasing
All purchasing of Institution computer hardware devices shall be centralized within the M.I.S
section to ensure that all equipment conforms to corporate hardware standards. The purchasing
committee is composed of the M.I.S Head/DDFA, the IT/ICT Officer, the Systems Administrator
and two other members.
All requests for corporate computing hardware devices must be in the annual corporate budget
document and have the DDFA's approval. The request must then be sent to the M.I.S section, which
will review the need for such hardware and, if the section determines that such hardware is
needed, determine the standard hardware that best accommodates the request.
Hardware standards
The following list shows the minimum hardware configuration for Institution computers (excluding
test computers) that are fully supported by the M.I.S section:
Minimum Requirements
Desktops - provided to Participants and the Institution's administration. NB: minimum
requirements.
(Dell branded/IBM/HP-Compaq/Toshiba)
or
- Pentium IV, 3.0 GHz, 512 cache Intel processor
- 512 MB RAM or higher
- 64 SVGA graphics/video card
- 1.44 MB 3.5" floppy drive (A:)
- 80-GB hard drive or higher
- 52x CD-ROM/DVD drive
- 10/100 PCI Ethernet card
- 6 USB ports or more
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB / PS 2 mouse
- All applicable cables
- 3 years warranty
Laptops
(Dell branded/IBM/HP-Compaq/Toshiba)
or
- Pentium IV, 2.4 GHz Intel processor
- 512 MB RAM
- Video card with 16 MB RAM
- 1.44 MB 3.5" floppy drive
- 80 GB IDE hard drive
- 8x CD-RW/DVD-ROM drive
- 10/100 PCI Ethernet card
- Network card
- 56K internal modem
- 4 USB ports
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB/PS 2 mouse
- Touch pad
- All applicable cables, including phone cable
- Carrying case
- Extra power adapter
- 3 years warranty / 1 year on site service
Monitors
- Monitors will be provided for both desktop and laptop systems.
- Minimum 17" viewing area, 1024 x 768 @ 75 or 85 Hz, .26 mm dot pitch
UPS
- 650 VA or higher, of a reliable brand
Printers
- Staff will be given access to appropriate network printers. In some limited cases,
Staff may be given local printers if deemed necessary by the M.I.S section Head in
consultation with the department.
Staff needing computer hardware other than what is stated above must request such hardware
from the M.I.S section. Each request will be considered on a case-by-case basis in conjunction
with the hardware-purchasing section of this policy.
Outside equipment
No outside equipment may be plugged into the Institution's network without the M.I.S section's
written permission. The details of any equipment to be allowed must be recorded at the security
door and a copy taken to the DDFA's office.
Summary
This policy is designed to facilitate the Kenya Institute of Administration, its Participants and its
Staff in maximizing the efficient performance of their studies and job duties respectively. Any
deviation from this strategy will require the M.I.S section to redeploy software and/or hardware
solutions. Full cooperation with this policy is mandatory so that all goals can be met in accordance
with the Institution's business objectives, as reflected in its Mission and Vision.
Vision
To be a model institution of excellence in management development and capacity building
in the public sector.
Mission
To improve service delivery in the public sector by providing quality training, research and
consultancy services in the Eastern Africa Region.
SECTION B
Information Security Policy
Covering Internet, Email, Viruses, Access codes & Passwords
1.1 Introduction
The Internet and electronic mail (e-mail) are important communication and research tools for KIA
network users. This document details standards for the secure use of Internet and e-mail facilities
for Institution purposes, including teaching, research and administration.
Computer information systems and networks are an integral part of the business of the Kenya
Institute of Administration (the Institution). The Institution has made a substantial investment in
human and financial resources to create these systems.
The enclosed policies and directives have been established in order to:
Protect this investment.
Safeguard the information contained within these systems.
Reduce business and legal risk.
Protect the good name of the Institution.
Violations
Violations may result in disciplinary action in accordance with Institution policy. Failure to observe
these guidelines may result in disciplinary action by the Institution depending upon the type and
severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence
of any repeated violation(s).
Administration
The Management Information Systems Section (M.I.S) head is responsible for the administration of
this policy.
Contents
The topics covered in this document include:
Statement of responsibility
The Internet and e-mail
Computer viruses
Access codes and passwords
Statement of responsibility
General responsibilities pertaining to this policy are set forth below. The following sections list
additional specific responsibilities.
M.I.S Head responsibilities
M.I.S Head and supervisors must:
Ensure that all appropriate personnel are aware of and comply with this policy.
Provide implementation and support of this policy within their respective departments,
as well as create practices/procedures (specific to their departments) that are
designed to provide reasonable assurance that all Staff observe this policy.
The M.I.S Head must:
1. Develop and maintain written procedures necessary to ensure implementation of and
compliance with these policy directives.
2. Provide appropriate support and guidance to assist Staff to fulfill their responsibilities under this
directive.
1.2 Policy Scope
This policy applies to all Institution Staff, Participants and Third parties granted use of Institution
Internet and E-mail facilities.
Third parties are defined as any individual, group, contractor, vendor or agent not registered as an
Institution staff member or Participant.
1.3 Data Protection
E-mails fall under the scope of the Data Protection Act. Under this legislation the e-mail originator, all
e-mail recipients and any persons named in the e-mail are entitled to view the information held about
them and, if it is incorrect, they are entitled to have it corrected.
Home or personal use has a domestic exemption from data protection law, but the Institution has no
such exemption, even for personal e-mails, if they originate from the Institution network. In addition,
e-mails can constitute publication for the purpose of the law of libel.
Additionally, any information which KIA users collect via the Internet, such as personal or financial
details collected via Internet forms or surveys, falls under the Data Protection Act.
All users must ensure that the methods of collecting, processing and storing information in this way
comply with Institution policies, the Data Protection Act and any other relevant legislation.
1.4 Copyright
Copyright law stops other people from using and abusing a user's original work. Users should bear in
mind, therefore, that:
E-mail messages are creative works and therefore are copyrighted.
All e-mail messages sent by a user are copyrighted to the user (or the Institution).
Users do not have to register this copyright - it exists automatically.
When users post to a public list they do not lose copyright, but the message may be archived,
forwarded to other lists or quoted by others.
Messages sent to a list should not be quoted out of context, changed, reworded or misattributed.
Software or files downloaded from the Internet may be protected by copyright restrictions.
1.5 Privacy
Data users must assume that all e-mail or Internet communications are not secure unless encrypted,
and they should not send any confidential information via e-mail. Users may not, under any
circumstances, monitor, intercept or browse other users' e-mail messages unless authorized to do so.
Network and computer operations personnel, or system administrators, may not monitor other users'
e-mail messages other than to the extent that this may occur incidentally in the normal course of
their work.
The Institution reserves the right to access and disclose the contents of a user's e-mail messages, in
accordance with its legal and audit obligations, and for legitimate operational purposes. The Institution
reserves the right to demand that encryption keys, where used, be made available so that it is able to
fulfill its right of access to a user's e-mail messages in such circumstances.
A Internet Policy
The Internet is a very large, publicly accessible network that has millions of connected users and
organizations worldwide. One popular feature of the Internet is e-mail.
Policy
Access to the Internet is provided to Staff for the benefit of the Institution and its Staff. Staff are
able to connect to a variety of information resources around the world.
Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all
Staff are responsible and productive Internet users, and to protect the Institution's interests, the
following guidelines have been established for using the Internet and e-mail.
Acceptable use
Staff using the Internet are representing the Institution. Staff are responsible for ensuring that the
Internet is used in a safe, effective, ethical, and lawful manner and only in the course of performing
the Staff member's job.
Unacceptable use
Staff must not use the Internet for purposes that are not Institution-related, illegal, unethical,
inappropriate for an Institution setting, harmful to the Institution, or nonproductive. Examples of
unacceptable use are:
Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the
message to others.
Conducting a personal business using Institution resources.
Transmitting any content that is offensive, harassing, or fraudulent.
Instant messaging and participating in Internet chat rooms.
Downloading or storing of MP3 files anywhere on the network including your personal
directories and/or your local C drive.
Staff responsibilities
A Staff who uses the Internet or Internet e-mail shall:
1. Ensure that all communications are for work-related reasons and that they do not interfere with
his/her productivity.
2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the
Internet, and not illegally transmit or receive the same. All communications should have the
Staff member's name attached.
3. Not transmit copyrighted materials without permission.
4. Know and abide by all applicable policies dealing with security and confidentiality of records.
5. Run a virus scan on any external files received on diskettes or CDs.
General
All users must adhere to the following when using Institution facilities to connect to the Internet:
Access to the Internet is provided for KIA purposes and must not be abused for personal use.
Commercial use which is not connected to or approved by the Institution is strictly prohibited and
will result in disciplinary procedures.
Internet access in Institution is available only via the Institution infrastructure. Users should not
connect to the Internet via a dial-up ISP account on Institution computers connected to the
network.
Users are expected to act ethically and responsibly in their use of the Internet and to comply with
the relevant national legislation, the Institution Information Security policy, regulations and codes of
practice. Users must not post messages on newsgroups or chat areas that are likely to be
considered abusive, offensive or inflammatory by others.
Users must not use the Institution Internet connection to scan or attack other
individuals/devices/organizations. The use of port scanners or other hacking tools unless used as
part of an approved course of study is strictly prohibited.
Users should be aware that the public nature of the Internet dictates that the confidentiality and
integrity of information cannot normally be relied upon.
Where a requirement exists to send or receive confidential or commercially sensitive data over the
Internet, a security mechanism recommended by the IT Security Specialist should be used.
Passwords used for Internet services should not be the same as, or similar to, passwords used for
services accessed within the Institution. This is to prevent passwords that grant access to Institution
IT resources being sent out on the Internet in clear text, where any Internet user can potentially see
them. Similarly, any username used for Internet services should not be the same as, or similar to,
an Institution username.
Software copyrights and license conditions must be observed. Only licensed files or software may
be downloaded from the Internet.
All devices connected to the Internet must be equipped with the latest version of anti-virus
software that has been both approved and supplied by the Institution.
All forms of data received over the Internet should immediately be virus checked.
All forms of data transmitted from the Institution over the Internet should be virus checked in
advance. Data that has been compressed or encrypted should be decompressed or decrypted as
required before virus checking.
All security incidents involving Internet access must be reported to the M.I.S Office.
B Email Policy
All users must adhere to the following when using Institution E-mail facilities:
Users are expected to act ethically and responsibly in their use of e-mails and to comply with the
relevant national legislation, the Institution Information Security policy, regulations and codes of
practice.
Discrimination, victimization or harassment on the grounds of gender, marital status, family status,
sexual orientation, religious belief, age, disability, race, color, nationality, ethnic or national origin is
against Institution Policy. Users must not bully, hassle or harass other individuals via e-mail. Users
must not send messages that are likely to be considered abusive, offensive or inflammatory by the
recipient/s.
All users should regard all e-mails sent from Institution facilities as, first, representing the Institution
and, secondly, representing the individual. Users should be civil and courteous. Users should not
send e-mail that portrays the Institution in an unprofessional light. The Institution is liable for the
opinions and communications of its staff and Participants. Any e-mail involved in a legal dispute
may have to be produced as evidence in court.
All users should do their best to ensure that email content is accurate, factual and objective
especially in relation to individuals. Users should avoid subjective opinions about individuals or
other organizations.
Users should be aware that e-mails can easily be forwarded to other parties. Users should assume
that anyone mentioned in e-mail could see it or hear about it or he/she may, under data protection
or other law, be entitled to see it.
All users should be aware that it is possible for the origin of an e-mail to be easily disguised and
for it to appear to come from someone else.
Users must not use a false identity in e-mails.
Users must not create or forward advertisements, chain letters or unsolicited e-mails, e.g. spam.
All users should protect data displayed on their monitor, e.g. by locking their office door, locking
their workstation, or using a screen saver in password-protected mode when leaving their desk.
This is in order to prevent unauthorized individuals from using the workstation to send an e-mail
that will appear to originate from the user.
All users should exercise caution when providing their e-mail address to others and be aware that
their e-mail address may be recorded on the Internet.
All users should be cautious when opening e-mails and attachments from unknown sources as
they may be infected with viruses.
All users must have up-to-date Institution approved anti-virus software installed and operational on
the computer that they access their email on.
All emails or attachments that are encrypted or compressed should be decrypted or decompressed
and scanned for viruses by the recipient.
Users should be aware that e-mails may be subject to audit by Institution Authorities to ensure that
they meet the requirements of this policy. This applies to message content, attachments and
addressees and to personal e-mails.
As part of the Institution's standard computing and telecommunications practices, e-mail systems
and the systems involved in the transmission and storage of e-mail messages are normally
"backed up" centrally on a routine basis for administrative purposes. The back-up process results
in the copying of data, such as the content of an e-mail message, on to storage media that may be
retained for periods of time and in locations unknown to the originator or recipient of an e-mail. The
frequency and retention of back-up copies vary from system to system. However, this back-up is
for Institution administrative purposes only, and it is the user's own responsibility to back up any of
their e-mails they wish to retain for future reference.
All security incidents involving E-mail should be reported to the M.I.S Office.
C Mass Email Policy
Purpose:
This policy reflects the Kenya Institute of Administration's decision to use the Institute-assigned staff email account as the official means of communication with all staff on the KIA campus. The purpose of this policy is to provide a definition of mass email; clarification of who can send mass emails; and procedures for sending mass emails.
This policy does not apply to email originating by means other than through the Mass Email System.
Introduction:
Various offices, organizations and individuals at KIA may request that mass emails be sent to all or part of the Institute community. Mass emails are not authorized except as described herein. However, due to the nature of email, delivery of mass emails is not guaranteed.
The Mass Email System does not replace individual, sectional, departmental, division or Staff address lists or mailing lists. These other methods are more appropriate for most announcements. The Mass Email System should only be used when a more limited mailing will not be adequate.
What is mass email?
For the purposes of this policy, mass email shall be considered to be any unsolicited electronic mailing in which the message is sent to members of the Institute community using the KIA e-Mail and Groupwise email addresses. This policy does not apply to individual email-based distribution and discussion groups such as listservs or established databases that serve Institute learners/clientele.
Types of mass emails:
There are three classes of mass email: Urgent, Formal Notice and Informational. The class of the message affects both the audience and the distribution schedule. The subject line of the message will indicate the selected class. Either URGENT:, FORMAL NOTICE:, or INFORMATIONAL: will appear as the prefix in the subject line according to the message classification.
1. Urgent Class
Urgent class is a category of mass emails reserved for highly important, time-sensitive institute
emergency notices, such as security alerts. Messages in this class may be scheduled for immediatedistribution as soon as properly approved.
2. Formal Notice Class
Formal notice class is a category of mass emails reserved for highly important, non-emergencymessages, such as financial or hr reporting requirements. Messages in this class are scheduled for off-peak distribution, after properly approved, between the requested run date and the expiration date ofthe message.
3. Informational Class
Informational class is a category of mass emails covering non-emergency messages related to Institute work or information, other than events. Events should be posted to the Institute weekly bulletin or on the website at www.kia.ac.ke/bulletin. Messages in this class are scheduled for off-peak distribution, after being properly approved, between the requested run date and the expiration date of the message.
Who is allowed to send mass emails?
All messages must be approved by the Director or his or her designee associated with the message.
Examples of what isn't acceptable:
Specifically, mass emails should not be used for:
Mailings not related to Institute business or activities.
Mailings in violation of the KIA's Computer and Network Usage Policy.
Political statements, expression of personal opinion, conduct of personal business, unauthorized fundraising or solicitation (solicitation is defined as any verbal or written effort to raise funds through the sale of merchandise/services or through charitable donations as well as to influence opinions or to gain support for an issue or cause).
Notices of houses or other items for sale or rent, requests for rides, lost and found, or commercial promotions.
Notices of routine, regularly scheduled events. These sorts of events should be communicated through the regular channels of the Institute Communications Office.
D Anti Virus and Spam Policy
General Policy
1.1 Introduction
Computer viruses (and similar devices) impact productivity, incur financial costs and can result in the compromise or loss of data and reputation. Viruses can originate from a range of sources, spread rapidly, and require a comprehensive approach to ensure the risk they pose is effectively managed. This comprehensive approach requires the full cooperation of all KIA Staff and Participants. This document is the Institution's Anti-Virus and Anti-Spam Policy and outlines the overall approach adopted by the Institution as well as individual responsibilities.
1.2 Scope
This policy applies to all Institution Staff, Participants or Third parties using devices connected to the Institution network. Third parties are defined as any individual, group, contractor, vendor or agent not registered as an Institution staff member or Participant. Third party Access is defined as all local or remote access to the Institution Network or devices attached to the Institution Network for any purpose.
1.3 Anti-virus and Anti-Spam Measures
M.I.S, Network Managers and System Administrators will:
Evaluate, select and deploy anti-virus software on file servers, desktops and laptops to scan for viruses from sources such as inbound and outbound e-mail and attachments, floppy disks, CD-ROMs, and software downloaded from the Internet.
Provide users with a method to reduce the impact of unsolicited or SPAM email in their Institution inbox.
1.4 Desktop Anti-virus protection
M.I.S must select an effective desktop anti-virus product. This product must be licensed and made available to all users connecting to the Institution network.
1.5 Gateway Virus Protection
M.I.S must provide a product to scan Institution email and any other protocols such as FTP or HTTP at the Internet gateway.
2 Roles and Responsibilities
2.1 User Responsibility
All KIA network users have a responsibility to:
Protect any device which they use that connects to the Institution network, by ensuring that they have installed the correct anti-virus product for their area and that it is up-to-date. This relates to Institution-owned machines and Users' private machines where the machines are used to access the Institution network.
Users must not try to install an unapproved anti-virus product, or try to alter the configuration or disable the existing anti-virus product.
Respond to any virus infection detection indicated by their anti-virus software. In the event that a user cannot clean or remove an infected file they should inform M.I.S immediately.
Be alert to the possibility of a virus and report any suspicious behaviour to M.I.S immediately.
Not open suspicious emails or attachments, whether solicited or unsolicited, from unknown or unusual sources.
Preserve the PC while awaiting virus investigation. Users must not switch the PC off, or try to fix it themselves. Additionally, users must not try to carry on working but must disconnect the network cable and leave the workstation until the issue is resolved.
Users must scan their hard drives regularly for viruses.
Users should scan all software or other content that they download from the Internet for viruses.
Users should not connect to suspicious websites.
Users should exercise caution when accessing web-based e-mail, including but not limited to Hotmail and Yahoo. Users should be aware that email accessed on these sites has not been scanned by the Institution email gateway and may contain viruses.
2.2 The M.I.S, Network Managers & System Administrators & IT Security Officer
The M.I.S, Network Managers & System Administrators must:
Evaluate and select suitable anti-virus software products to protect against viruses from the sources as identified in section 1.2.
Provide a central point of contact to Institution users for anti-virus matters.
Keep abreast of potential viruses that may affect the Institution.
Promote awareness of anti-virus issues amongst users.
Monitor systems regularly for devices that do not have anti-virus software installed or have incorrect anti-virus products or settings.
2.3 M.I.S Helpdesk and User Support group
The Helpdesk will be responsible for:
First-line support, i.e. taking the initial report/s of a virus from the user/s located on the areas of the Institution network managed by the M.I.S.
The report will immediately be checked to ascertain whether or not it is a valid virus. Users will be reminded of their responsibilities as shown above.
During any incident, the Helpdesk will provide whatever assistance is required to disinfect the virus and prevent propagation, e.g. keeping people informed, disabling systems etc.
Investigating and resolving any virus incident.
Evaluating the situation and making recommendations, which may include informing users of the problem by email alert, intranet, etc. and may include selectively disabling infrastructure services (e.g. disabling external mail while keeping internal mail, disconnecting the Institution from the Internet) to safeguard critical systems.
Computer viruses
Computer viruses are programs designed to make unauthorized changes to programs and data.
Therefore, viruses can cause destruction of or damage to corporate property.
It is important to know that:
o Computer viruses are much easier to prevent than to cure.
o Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.
M.I.S responsibilities
M.I.S shall:
1. Install and maintain appropriate antivirus software on all computers.
2. Respond to all virus attacks, destroy any virus detected, and document each incident.
Staff/Participant responsibilities
The following applies to all Staff:
1. Staff shall not knowingly introduce a computer virus into Institution computers.
2. Staff shall only load diskettes or CDs with saved files that pertain to Institution business.
3. Incoming diskettes or CDs shall be scanned for viruses before they are read.
4. Any Staff who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY log off the network and call the M.I.S help desk at ext 115.
5. Users shall not disable the automated AntiVirus Download Scan.
E Password Standards Policy
1 General policy
1.1 Introduction
Usernames and passwords are utilized in KIA to facilitate access to Institution IT resources. They also protect Institution data from access by unauthorized individuals both internally (other staff or Participants) and externally (hackers).
1.2 Scope
This policy applies to all Institution Staff, Participants, or Third parties who are issued with usernames and passwords for any Institution IT System or device. This policy applies to all network managers, system administrators, application administrators or others who issue usernames and passwords. This policy applies to all username and password pairs on all devices, systems and applications that are part of the Institution network that provide access to Institution owned information.
1.3 Issue of accounts and passwords
All initial system and application accounts and passwords must be issued from the M.I.S. Once a password has been issued, full responsibility for that account and associated password passes to the user. The user will be required to change the password to something only he/she knows.
1.4 Password Sharing Prohibition
Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. Where a user is found to have given the use of a username or password to a third party, disciplinary measures will be implemented.
1.5 Writing Passwords Down and Leaving Where Others Could Discover
Passwords must not be written down and left in a place where unauthorized persons might discover them.
1.6 Password Changes
Users will be required to change their passwords fortnightly. Password changes may be requested in person by the appropriate individual or a trusted party as defined by M.I.S. No exceptions to this policy are allowed.
1.7 Minimum Password Length
The length of passwords must always be checked automatically at the time that users construct or select them. All IT systems must require passwords of at least six (6) characters.
1.8 Complex Passwords Required
All computer system users must choose passwords that cannot be easily guessed. For example, a car license plate number, a spouse's name, or an address must not be used. This also means that passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, and slang must not be used.
1.9 Cyclical Passwords Prohibited
Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users must not employ passwords like "JANUARY" in January, "FEBRUARY" in February, etc.
1.10 User-Chosen Passwords Must Not Be Reused
Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed.
1.11 Password Ageing
Passwords should be changed periodically. Network managers, system administrators or application administrators should select an appropriate time frame for changing passwords.
1.12 Limit on Consecutive Unsuccessful Attempts to Enter a Password
To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After a defined number of unsuccessful attempts to enter a password (usually between 3 and 8 per hour), the involved user account must be either:
(a) Suspended until reset by a system administrator,
(b) Temporarily disabled for no less than three (3) minutes, or
(c) If dial-up or other external network connections are involved, disconnected.
1.13 Password History
A password history must be maintained for all domain-level accounts. This history file should be used to prevent users from reusing passwords. The history file should minimally contain the last 3 passwords for each username.
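As an added illustration, not part of the KIA policy document, the following Python sketch implements the checks that sections 1.7 to 1.13 above describe: minimum length, rejection of dictionary words and month names, the cyclical-stem test, similarity against the last three passwords in the history, and the consecutive-failure lockout of 1.12 option (b). The lockout threshold of 5 per hour and the similarity cut-off are chosen values where the policy gives a range or none, and the word list, sample passwords and reference time are constructed.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from difflib import SequenceMatcher
from typing import List, Optional, Tuple

# Parameters from the policy text. Where the policy gives a range or no number,
# the value here is an assumption and marked "chosen".
MIN_LENGTH = 6                    # 1.7: passwords of at least six characters
HISTORY_DEPTH = 3                 # 1.13: history holds at least the last 3 passwords
MAX_FAILED_PER_HOUR = 5           # 1.12: policy says 3 to 8 per hour; 5 chosen here
LOCKOUT = timedelta(minutes=3)    # 1.12(b): disabled for no less than three minutes
SIMILARITY_THRESHOLD = 0.6        # 1.10: "substantially similar" cut-off, chosen here

# Constructed mini word list standing in for a real dictionary (1.8 bans dictionary
# words, proper names, places and slang); a deployment would load a full list.
DICTIONARY = {"password", "welcome", "letmein", "nairobi", "kenya", "toyota"}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
MONTH_RE = re.compile("|".join(sorted(MONTHS, key=len, reverse=True)))

# Constructed reference time for the lockout demonstration (timestamps are passed
# in explicitly so the logic can be exercised without a real clock).
BASE_TIME = datetime(2019, 8, 4, 9, 0)
MINUTE = timedelta(minutes=1)


def _stem(password: str) -> str:
    """Collapse the predictable parts of a password (1.9): month names and digit
    runs become placeholders, so 'Report01'/'Report02' and 'JANUARY'/'FEBRUARY'
    share a stem and are recognised as variants of the same base password."""
    return re.sub(r"\d+", "#", MONTH_RE.sub("<month>", password.lower()))


def check_new_password(candidate: str, history: List[str]) -> List[Tuple[str, str]]:
    """Validate a password change against sections 1.7 to 1.10 and 1.13.

    `history` holds the user's previous passwords, oldest first; only the last
    HISTORY_DEPTH entries are consulted (1.13). Returns (section, reason) pairs
    for every rule violated; an empty list means the candidate is acceptable.
    """
    violations: List[Tuple[str, str]] = []
    lower = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        violations.append(("1.7", "shorter than six characters"))
    if lower in DICTIONARY or lower in MONTHS:
        violations.append(("1.8", "dictionary word, name, place or slang"))
    recent = history[-HISTORY_DEPTH:]
    if any(_stem(candidate) == _stem(old) for old in recent):
        violations.append(("1.9", "cyclical variant of a previous password"))
    for old in recent:
        if SequenceMatcher(None, lower, old.lower()).ratio() >= SIMILARITY_THRESHOLD:
            violations.append(("1.10", "identical or substantially similar to a previous password"))
            break
    return violations


@dataclass
class LoginGuard:
    """Consecutive-failure limiter implementing 1.12 option (b): after
    MAX_FAILED_PER_HOUR wrong passwords within one hour the account is
    disabled for LOCKOUT, then the counter starts afresh."""
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until

    def record_failure(self, now: datetime) -> bool:
        """Register a wrong password; returns True if the account is (now) locked."""
        if self.is_locked(now):
            return True
        # Only failures inside the trailing one-hour window count ("per hour").
        self.failures = [t for t in self.failures if now - t < timedelta(hours=1)]
        self.failures.append(now)
        if len(self.failures) >= MAX_FAILED_PER_HOUR:
            self.locked_until = now + LOCKOUT
            self.failures.clear()
            return True
        return False

    def record_success(self, now: datetime) -> bool:
        """A correct password is honoured only while the account is not locked;
        a successful login ends the run of consecutive failures."""
        if self.is_locked(now):
            return False
        self.failures.clear()
        return True


if __name__ == "__main__":
    previous = ["Report01", "Summer2018", "Nairobi1"]        # constructed history
    for pw in ["abc12", "Nairobi", "Report02", "Summer2019", "Zq7!vTm2"]:
        print(pw, check_new_password(pw, previous) or "OK")
    guard = LoginGuard()
    for i in range(MAX_FAILED_PER_HOUR):
        print("failure", i + 1, "locked:", guard.record_failure(BASE_TIME + i * MINUTE))
```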
1.14 System Compromise
Whenever an unauthorized party has compromised a system, M.I.S or the relevant network manager, system administrator or application administrator must immediately change every password on the involved system. Even suspicion of a compromise likewise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.
1.15 Storage of Passwords in Readable Form
Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them.
1.16 Changing Vendor Default Passwords
All vendor-supplied default passwords, e.g. default passwords supplied with routers, switches or software such as operating systems and databases, must be changed before any computer or communications system is used.
1.17 Encryption
Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over a communications system.
SECTION C
ICT Services and Systems Policy
Introduction
This chapter contains policy statements on ICT services and information systems that are of strategic importance to the Institution. For each of the ICT services and information systems a concise description of the essential functional requirements is specified. In addition, the relationship with other initiatives, the most essential resources, the essential implementation strategies, and the major risks if the proposed system or service is not implemented at the right point in time are given.
Identified ICT Services and Information Systems
The Institution ICT Policy anticipates the implementation of the following ICT services and
information systems as well as related implementation, operation and management issues:
1. Internal and external E-mail and Access-to-Internet services at all workplaces embodying
general internal and external information provision through Internet/Intranet technology
(Web based information services)
2. Availability of common office applications such as word processing, spreadsheet
processing, access databases, etc. at all workplaces.
3. An integrated Library Information System.
4. An integrated Participants Admission Management System.
5. An integrated Finance Information System.
6. An integrated Human Resource Information System.
NB
The Institution ICT policy does not explicitly include applications supporting teaching processes
(Computer Aided Learning, SPSS) and professional applications to be used in specific educational
and scientific fields, such as CAD/CAM. Neither does it include specific applications for research
purposes. These classes of ICT applications are assumed to be the responsibility of the faculties
concerned. It is however part of the Institution's policy to:
Ensure that all end users are equipped with the necessary level and variety of skills to facilitate their functions.
In addition, the Institution has addressed the following issues at policy level:
Sustainable management of ICT resources that takes into account the interests of all users.
Policy Summary
It is the Institution Policy to assure availability of all anticipated ICT services/systems at any
workplace in the Institution, and, for selected services, to locations outside the Institution through
Common Network Services. Common Network Services (Network Infrastructure), mainly
comprising physical network infrastructure (wiring, switches, routers, servers, etc) and
communication protocols (TCP/IP), form the collective data transport means for all current and
future ICT services/systems.
1. It is the Institution Policy to assure availability of User-level Data Communication Services
such as E-Mail, Access-to-Internet, Internet/Intranet Services, which actually are major
users of the low-level network services.
2. It is the Institution Policy to promote office computing in all offices. In this text the term
office computing is used for the application of ICT, mostly desktop computers, to support
general office tasks. This applies to lecturers, researchers, managers, as well as to
secretarial and clerical workers. Major office computing applications are: word processing,
electronic mail, spreadsheet processing, document storage and retrieval, desktop
publishing, access-to-internet and intranets.
3. It is the Institution Policy to improve both the efficiency and effectiveness of library operations and services through the implementation of an integrated on-line Library Information System.
4. It is the Institution Policy to enhance and streamline Participant education related
administrative and managerial processes and to improve academic reporting facilities at
both central and faculty level through the implementation of an integrated Participant
Admission Management System (SAMS).
5. It is the Institution Policy to enhance and streamline financial management processes and
reporting facilities at both central and faculty levels through the implementation of an
integrated Financial Information System. Given the decentralized nature of budgetary
management, it is the Institution Policy to make these functions also available to faculties
and other budget centers. The following functionality is regarded as essential to the Institution
financial management information system.
6. It is the Institution Policy to enhance and streamline the human resource management and
administrative processes through the implementation of a Human Resource Information
System (HURIS).
7. It is the Institution Policy in the broadest sense to promote the deployment of ICT in all
areas of education and research through creating technical and organizational
preconditions.
8. It is the Institution Policy to ensure and require that all Participants, academic staff, administrative and support staff, and managerial staff are trained on a continuing basis to equip them with the requisite skills to fully exploit the ICT environment in their different functions.
9. It is the Institution Policy to ensure sustainable management of the Institution's ICT policy and resources through the creation of appropriate policy, advisory management and operational organs that will cater for the broad interests of all users.
10. It is the Institution Policy to provide for the growth and financial sustainability of its ICT resources through appropriate funding and operational mechanisms.
1.4 Related requirements
ICT services and systems will become inherent in the Institution's educational, research,
administrative, and managerial processes. Each individual ICT service and system as such places
demands on the:
1. Anticipated data communication infrastructure. For each ICT service or system the
minimum (initial) communication requirements are identified.
2. Staff resources during implementation stage. This will involve Kenya Institute of Administration staff as well as local and foreign expertise.
3. Staff resources during deployment stage. Adequate organizational arrangements have to
be made to ensure that the necessary staff to run/ manage systems is either re-deployed
or recruited in good time.
4. And the operational ICT management environment during and after implementation.
SECTION D
Information Systems Security Policy
Policy Statement
1.1 Information is a critical asset of KIA, hereafter referred to as the Institution. Accurate, timely, relevant, and properly protected information is essential to the success of the Institution's academic and administrative activities. The Institution is committed to ensuring that all accesses to, uses of, and processing of Institution information are performed in a secure manner.
1.2 Technological Information Systems, hereafter referred to as Information Systems, play a major role in supporting the day-to-day activities of the Institution. These Information Systems include but are not limited to all Infrastructure, networks, hardware, and software which are used to manipulate, process, transport or store Information owned by the Institution.
1.3 The object of this Information Systems Security Policy and its supporting policies is to define the security controls necessary to safeguard Institution Information Systems and ensure the security, confidentiality and integrity of the information held therein.
1.4 The Policy provides a framework in which security threats to Institution Information Systems
can be identified and managed on a risk basis and establishes terms of reference, which are to
ensure uniform implementation of Information security controls throughout the Institution.
1.5 The Institution recognizes that failure to implement adequate Information security controls
could potentially lead to:
Financial loss
Irretrievable loss of Important Institution Data
Damage to the reputation of the Institution
Legal consequences
Therefore measures must be in place which will minimize the risk to the Institution from unauthorized modification, destruction or disclosure of data, whether accidental or deliberate. This can only be achieved if all staff and Participants observe the highest standards of ethical, personal and professional conduct. Effective security is achieved by working with a proper discipline, in compliance with legislation and Institution policies, and by adherence to approved Institution Codes of Practice.
1.6 The Information Systems Security Policy and supporting policies apply to all staff and
Participants of the Institution and all other users authorized by the Institution.
1.7 The Information Systems Security Policy and supporting policies do not form part of a formal
contract of employment with the Institution, but it is a condition of employment that employees will
abide by the regulations and policies made by the Institution from time to time. Likewise, the
policies are an integral part of the Regulations for Participants.
1.8 The Information Systems Security Policy and supporting policies relate to use of:
All Institution networks connected to the Institution Backbone.
All Institution-owned/leased/rented and on-loan facilities.
All private systems, owned/leased/rented/on-loan, when connected to the Institution network directly or indirectly.
All Institution-owned/licensed data/programs, on Institution and on private systems.
All data/programs provided to the Institution by sponsors or external agencies.
1.9 The objectives of the Information Systems Security Policy and supporting policies are to:
Ensure that information is created, used and maintained in a secure environment.
Ensure that all of the Institution's computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse.
Ensure that all users are aware of and fully comply with the Policy Statement and the
relevant supporting policies and procedures.
Create awareness that appropriate security measures must be implemented as part of the
effective operation and support of Information Security.
Ensure that all users understand their own responsibilities for protecting the confidentiality
and integrity of the data they handle.
Ensure all Institution owned assets have an identified owner/administrator.
2 IT Management roles and responsibilities
2.1 The Institution Management
The Institution Management is responsible for approving the IT Security Policy, distributing the
policy to all heads of departments/sections/centers and for supporting the M.I.S in the enforcement
of the policies where necessary.
2.2 Discharging of Policies
The policies will be discharged through nominated individuals, who normally will be the respective
Heads of departments.
2.3 Heads of departments
The Heads of departments are responsible for ensuring that staff, Participants and other persons
authorized to use systems in respective departments are aware of and comply with the associated
supporting policies and procedures.
2.5 The IT Security Officer
The IT Security Officer role will be taken by the Information Systems Manager. He is responsible
for:
Reviewing and updating the Security policy and supporting policies and procedures.
The promotion of the policy throughout the Institution.
Periodical assessments of security controls as outlined in the Security Policy and supporting policies and procedures.
Investigating Security Incidents as they arise.
Maintaining Records of Security Incidents.
Reporting to the Institution Management on the status of security controls within the
Institution.
2.6 The Systems Administrator
The Systems Administrator is responsible for the management of the Institution Network and for
the provision of support and advice to all nominated individuals with responsibility for discharging
the technical aspects of these policies.
2.7 Information Systems Users
It is the responsibility of each individual Information Systems user to ensure his/her understanding
of and compliance with this Policy and the associated Codes of Practice.
All individuals are responsible for the security of Institution Information Systems assigned to them.
This includes but is not limited to infrastructure, networks, hardware and software. Users must
ensure that any access to these assets, which they grant to others, is for Institution use only, is not
excessive and is maintained in an appropriate manner.
2.8 Purchasing, Commissioning, Developing an Information System
All individuals who purchase, commission or develop an Information System for the Institution are
obliged to ensure that this system conforms to necessary security standards as defined in this
Information Security Policy and supporting policies.
Individuals intending to collect, store or distribute data via an Information System must ensure that
they conform to Institution defined policies and all relevant legislation.
2.9 Third Parties
Before any third party users are permitted access to Institution Information Systems, specific written approval from the IT Security Officer is required. Prior to being allowed to work with Institution Information systems, satisfactory references from reliable sources should be obtained and verified for all third parties, which include but are not limited to: administrative staff, software support companies, engineers, cleaners, contract and temporary appointments. Data processing, service and maintenance contracts should contain an indemnity clause that offers cover in case of fraud or damage.
2.10 Reporting of Security Incidents
All suspected information security incidents must be reported as quickly as possible through the
appropriate channels. All Institution staff and Participants have a duty to report information security
violations and problems to the IT Security Officer on a timely basis so that prompt remedial action
may be taken. The IT security Officer will be responsible for setting up an Incident Management
Team to deal with all incidents. Records describing all reported information security problems and
violations will be created.
2.11 Security controls
All Institution Information Systems are subject to the information security standards as outlined in
this and related policy documents. No exceptions are permitted unless it can be demonstrated that
the costs of using a standard exceed the benefits, or that use of a standard will clearly impede
Institution activities.
3 Breaches of Security
3.1 Monitoring
The Management Information Systems will monitor network activity and take action/make
recommendations consistent with maintaining the security of Institution information systems.
3.2 Incident Reporting
Any individual suspecting that there has been, or is likely to be, a breach of information systems security should inform the IT Security Officer or the Institution management immediately, who will advise the Institution on what action should be taken.
4 Policy Awareness and Distribution
4.1 New Staff and Participants
This Policy Statement will be available from the Principal's Office on request. It will also be published on the Institution web site. New staff and Participants will be notified of the relevant policy documents when they initially request access to the Institution network.
4.2 Existing Staff
Existing staff and Participants of the Institution, authorized third parties and contractors given access to the Institution network will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures which are published on the Institution website.
4.3 Updates
Updates to Policies and procedures will be made periodically.
4.4 Training
Training will be available from Management Information Systems in Information Security
fundamentals.
5 Risk Assessments and Compliance
5.1 Risk Assessment
Risk assessments must be carried out periodically on the business value of the information users
are handling and the information systems security controls currently in place. This is in order to
take into account changes to operating systems, business requirements, and Institution priorities,
as well as relevant legislation and to revise their security arrangements accordingly.
SECTION E
NETWORK / REMOTE ACCESS POLICY
Remote access is a generic term used to describe the accessing of the Kenya Institute of Administration (the Institution) computer network by Staff not located at an Institution office, such as those who travel, those who regularly work from home, or those who work both from the office and from home.
Participation in a remote access program may not be possible for every Staff. Remote access is
meant to be an alternative method of meeting Institution needs. The Institution, in its sole
discretion, may refuse to extend remote access privileges to any Staff or terminate a remote
access arrangement at any time.
Eligibility for remote access to the Institution's computer network may be requested through respective Heads of department to the M.I.S Head and/or the DDFA. Requests must be submitted in writing, identifying the Staff and his/her remote access needs.
Acceptable Use
Hardware devices, software programs, and network systems purchased and provided by the Institution for remote access are to be used only for creating, researching, and processing Institution-related materials in the performance of the Staff's job duties. By using the Institution's hardware, software and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as all country laws and regulations.
Equipment and Tools
The Institution may provide tools and equipment for remotely accessing the corporate computer
network. This may include computer hardware, software, phone lines, e-mail, voicemail,
connectivity to host applications, and other applicable equipment as deemed necessary.
The use of equipment and software provided by the Institution for remotely accessing the Institution's computer network is limited to authorized persons and for purposes relating to Institution business. The Institution will provide for repairs to Institution equipment. When the Staff uses her/his own equipment, the Staff is responsible for maintenance and repairs to his/her equipment.
Use of personal computers and equipment.
There are likely thousands of possible interactions between the software needed by the remote
user and the average mix of programs on most home computers. Troubleshooting software and
hardware conflicts can take hours, and can result in the need for a complete reinstalling of
operating systems and application software in order to remedy such problems. For that reason the
M.I.S will only provide support for equipment and software provided by the Institution.
The Institution will bear no responsibility for Staff's loss of or damages to personal
equipment/information if the installation or use of any necessary software causes system lockups,
crashes, or complete or partial data loss. The Staff is solely responsible for backing up data on
his/her personal machine before beginning any Institution work. At its discretion, the Institution will
disallow remote access for any Staff using a personal home computer that proves incapable, for
any reason, of:
(a) Working correctly with the Institution-provided hardware, and
(b) Working with the Institution-provided software without repeated problems.
Violations and Penalties
Penalties for violation of the Remote Access Policy will vary depending on the nature and severity
of the specific violation. Any Staff who violates the Remote Access Policy will be subject to:
Disciplinary action including but not limited to reprimand, suspension and/or
termination of employment.
SECTION F
ICT SUPPORT POLICY
1. PURPOSE
To provide support services within a structured framework that enables M.I.S to respond to
computing issues in a timely and efficient manner.
2. POLICY
This policy establishes guidelines for a consistent means of providing support/service and
managing any computing issues reported by the community M.I.S serves. The goal of this
policy is to minimize the possibility of computer downtime and inconvenience to the customer.
Services will be provided to primary customers (which are Auxiliary full time, part time and
Participant and Staff).
3. GUIDELINES
A. Direct all support questions or problems (including training requests) to the help desk (ext.
115). It is assumed that most issues will be reported via telephone; however, they may
also be reported in-person or via written memo to M.I.S Help Desk. If necessary, the
support request will be escalated to a member of the technical staff. Customers are asked
not to contact the technical staff directly. It is not our intention to make the technical staff
unavailable or unreachable but rather to utilize their time in a more efficient and productive
manner, allowing them to work on complex and time-consuming problems and projects.
B. Direct all projects and purchase requests to the M.I.S Head. Projects are defined as
proposed plans resulting in changes to or installation of hardware and/or software. This
includes but is not limited to changes affecting functionality, configuration, security issues
and compatibility with computing systems and standards.
C. Direct all website updates and additions to the Webmaster. The Webmaster will evaluate
and implement proposed changes and contact the appropriate technical staff for final
update.
SECTION G
Disaster Recovery and Data Backup Policy
1 General Policy
1.1 Introduction
Back-up procedures, ensuring that both data and software are regularly and securely backed-up, are essential to protect against the loss of that data and software and to facilitate a rapid recovery from any IT failure. This document outlines guidelines for KIA staff and Participants on backing up Institution Data.
1.2 Scope
The data backup element of this policy applies to all Staff, Participants and third parties who use IT devices connected to the KIA network or who process or store information owned by KIA.
All users are responsible for arranging adequate data backup procedures for the data held on IT systems assigned to them.
The disaster recovery procedures in this policy apply to all Network Managers, System Administrators, and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer. The M.I.S is responsible for the backup of data held in central Institution databases.
2 Data Backup
2.1 Best Practice Backup Procedures
All backups must conform to the following best practice procedures:
- All data, operating systems and utility files must be adequately and systematically backed up (ensure this includes all patches, fixes and updates)
- Records of what is backed up and to where must be maintained
- At least three generations of back-up data must be retained at any one time (grandfather/father/son)
- The backup media must be precisely labeled and accurate records must be maintained of backups done and to which back-up set they belong
- Copies of the back-up media, together with the back-up record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site
- Regular tests of restoring data/software from the backup copies should be undertaken, to ensure that they can be relied upon for use in an emergency
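The procedures above can be checked mechanically against a backup catalogue. The following is an added example, not part of the KIA policy or any KIA tool: it assumes a simple catalogue of backup records (system, media label, back-up set, date, storage location, last restore test) and reports which of the section 2.1 requirements each system fails to meet.

```python
"""Audit a backup catalogue against the section 2.1 rules: three generations
(grandfather/father/son), labelled media, a copy at a remote location and a
recent restore test. Added example; the record format and names are assumed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass
class BackupRecord:
    system: str                          # system or data set that was backed up
    media_label: str                     # label written on the backup media
    backup_set: str                      # "son", "father" or "grandfather"
    taken: date                          # date the backup was done
    location: str                        # "main-site" or "remote-site"
    restore_tested: Optional[date] = None  # date a restore from this copy was tested


GENERATIONS = {"son", "father", "grandfather"}


def check_system(records: List[BackupRecord], today: date,
                 max_test_age_days: int = 90) -> List[str]:
    """Return policy findings for one system's records; an empty list means compliant."""
    findings: List[str] = []
    if not records:
        return ["no backup records"]
    missing = GENERATIONS - {r.backup_set for r in records}
    if missing:
        findings.append(f"missing generations: {sorted(missing)}")
    for r in records:
        if not r.media_label.strip():  # media must be precisely labelled
            findings.append(f"unlabelled media for backup taken {r.taken}")
    if not any(r.location == "remote-site" for r in records):
        findings.append("no copy stored at a remote location")
    tests = [r.restore_tested for r in records if r.restore_tested]
    if not tests or today - max(tests) > timedelta(days=max_test_age_days):
        findings.append(f"no restore test within {max_test_age_days} days")
    return findings


def audit(catalogue: List[BackupRecord], today: date) -> Dict[str, List[str]]:
    """Group records by system and return a mapping of system name to findings."""
    by_system: Dict[str, List[BackupRecord]] = {}
    for r in catalogue:
        by_system.setdefault(r.system, []).append(r)
    return {s: check_system(rs, today) for s, rs in by_system.items()}


# Constructed sample catalogue (not real KIA data): one compliant system, one not.
TODAY = date(2019, 8, 4)
SAMPLE = [
    BackupRecord("payroll-db", "PAY-D-2019-08-03", "son", date(2019, 8, 3), "main-site"),
    BackupRecord("payroll-db", "PAY-W-2019-07-28", "father", date(2019, 7, 28), "remote-site", date(2019, 7, 29)),
    BackupRecord("payroll-db", "PAY-M-2019-07-01", "grandfather", date(2019, 7, 1), "remote-site"),
    BackupRecord("file-server", "", "son", date(2019, 8, 3), "main-site"),
    BackupRecord("file-server", "FS-W-2019-07-28", "father", date(2019, 7, 28), "main-site"),
]

if __name__ == "__main__":
    for system, findings in audit(SAMPLE, TODAY).items():
        print(system, "OK" if not findings else findings)
```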
2.2 Responsibility for Data Backup
Only critical systems are routinely backed up by the M.I.S and the other relevant IT managers and systems administrators in the current model. The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the Institution, falls entirely to the User. If you are responsible for a collection of data held either remotely on a server or on the hard disk of a computer, you should consult your departmental system administrator.
2.3 Legal Requirements
Users, when formulating a backup strategy, should take the following legal implications into consideration:
- Where data held is personal data within the meaning of the Data Protection Act, there is a legal requirement to ensure that such back-ups are adequate for the purpose of protecting that data
- Depending on legal or other requirements, e.g. Financial Regulations, it may be necessary to retain essential business data for a number of years and for some archive copies to be permanently retained
- Depending on legal or other requirements, e.g. Data Protection Act, Software Licensing, it may be necessary to destroy all backup copies of data after a certain period or at the end of a contract.
2.4 Desktop Backups
The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the Institution, falls entirely to the User.
3 Disaster Recovery
3.1 Best Practice Disaster Recovery Procedures
A disaster recovery plan can be defined as the on-going process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of vital Institution functions in the event of an unscheduled interruption.
All disaster recovery plans must contain the following key elements:
- Critical Application Assessment
- Backup Procedures
- Recovery Procedures
- Implementation Procedures
- Test Procedures
- Plan Maintenance
3.2 Network Managers, System Administrators, Application Administrators
Network Managers, System Administrators, and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer must ensure that they have comprehensive, documented and tested disaster backup procedures.
SECTION H
Incident Response Policy
1 General policy
1.1 Introduction
In the event of a security incident occurring, it is important that all Institution employees and Participants are aware of their responsibilities and the procedure by which incidents can be most effectively and efficiently brought to a satisfactory conclusion. The procedures as defined below are best practice within KIA. Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.
2 Incident Reporting
2.1 Types of Incidents
The types of incidents that must be reported include, but are not limited to:
- Incidents reported from Systems and Networks (system failures, unusual activity)
- Incidents that affect Senior Management (threats, gossip, leaks)
- Risk Management (unusual or suspicious behaviour noted in logs or activity reports)
- External sources (threats, customer queries, complaints, press)
- Incidents observed by network users (on local PCs or servers)
- All breaches of Institution Security Policy
2.2 Reporting an Incident
All observed or suspected security incidents, weaknesses or threats should be reported to a Network Manager or System Administrator or the Institution Management.
In no instance should any user attempt to prove a suspected weakness, as this could lead to a potential misuse of the system. Where users note that any software does not appear to be working correctly, i.e. according to specification, they should report the matter to the Helpdesk or the local system administrator. Where a user suspects that the malfunction is due to a malicious piece of software, e.g. a computer virus, they should stop using the computer, note the symptoms and any messages appearing on the screen and report the matter to the Helpdesk or the local system administrator.
2.3 Documentation
At all stages of the incident handling process adequate documentation must be maintained.
2.4 Disabling Accounts/Network Connections
The M.I.S, Network Managers and Systems Administrators may disable user accounts and/or network connections.
2.5 Communication / Control
After validating that an incident has taken place, a System Administrator or Network Manager should escalate the incident to the DDFA, Faculty of Information Science and Technology, for necessary action.
2.6 Obtaining Evidence
It is vital that affected systems should be quickly identified and isolated. Information should be retrieved from these systems in the best available manner, with actions being taken by as few people as possible, preferably only the lead incident contact.
Incorrect gathering and handling of collected evidence may have serious consequences in the successful prosecution of an incident. Collected evidence therefore should be handled correctly so as to preserve integrity, and all transfers should be documented and validated. Where possible, collected data should immediately be stored on write-once media. Write-once media is defined as any media, such as CD, that once the data is written to it cannot be edited, amended or appended.
2.7 Preserve Configuration
The configuration and contents of all affected systems must be preserved to the greatest extent possible, so that the issues involved can be demonstrated at a later date. This may be covered by the method of obtaining evidence but may also involve manual backups of data. This must include all system configuration data as well as any scripts / data / files stored on the system.
2.8 Query External Resources
Where external resources are of use, their outputs must always be recorded, preferably on write-once media. This is particularly important for DNS lookups, whois / rwhois output, etc., which may change at a later date. If personal contact is made with external agencies, details of all conversations / correspondence must be recorded in the relevant incident notes.
2.10 Follow-up Actions
The immediate incident team should draw up a change report detailing further changes required, including the priority and impact of each change. Approval for follow-up actions may be given by senior management or via the normal change control process. The lead contact is responsible for tracking follow-up changes.
A detailed incident report must be prepared, including remedial action taken in the short and long term, to help restore confidence in the systems affected.
SECTION I
Misuse of Institution ICT Facilities
Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.
3.1 Staff and Third Parties
Where Institution Staff members or Third parties are found to have misused Institution IT facilities, the Institution authorities will be informed, who will determine what further action should be taken.
3.2 Participants
Where Participants are found to have misused Institution IT facilities, the IT Security Officer, Network Manager or Administrator must inform the DDFA, who will determine what further action should be taken.
SECTION J
Disposal Policy for ICT Equipment
Introduction
The Institute, in its effort to maximize the life of ICT equipment, will endeavour to favour the extension of the working lives of ICT equipment by:
- Replacing equipment only when it is necessary and advantageous to do so
- Refurbishing and redeploying equipment to alternative uses, either within the Institute or external to it, whenever possible.
Where it is not possible to extend the useful life of ICT equipment, it must be
boarded.
All Institute staff members are responsible for adhering to this policy. This document sets out information to guide staff and procedures which should be followed for the disposal of ICT Equipment.
Responsibilities within the Institute
Responsibility for disposal and the documentation of disposal rests with the ICT Section through which the item or equipment was purchased, except where the ownership of the item has been formally transferred to another Faculty, Department or Section.
Where items are used by a Faculty, Department or Section, but rolled out by IT Sections (ICT), ICT will take responsibility for ensuring disposal processes are followed. Where the Faculty, Department or Section has contributed to the purchasing cost of a non-standard workstation, or purchased additional components, ICT will still take responsibility for disposal. The Faculty, Department or Section may remove additional components which they have added and paid for prior to returning the item to ICT, provided this does not invalidate the warranty of the equipment.
Institute Financial Regulations
The Institute applies straight-line depreciation to IT Assets annually, no matter when during the year the asset has been purchased. Software and PCs are depreciated over three years, while non-PC based equipment is depreciated over five years, unless software or hardware has been purchased for use by a project. In such a case, depreciation may be done over the life of the project.
The disposal of IT Assets should consider who the item was funded by and whether there is any obligation to return the asset, whether this would be internally within the Institute, or to an agency which externally funded the project it was purchased for.
The disposal of IT Assets should consider whether the item is fully depreciated and, if not, make every effort to sell the asset for a value greater than or equal to its current residual value on the balance sheet.
Budget holders within the relevant Faculty, Department, or Section must agree the disposal. Respective Managers are responsible for notifying Finance within seven days of the asset being disposed of and are responsible for raising invoice requests with Finance for the sale of any assets. Finance will then adjust the depreciation for asset accounts on the balance sheet and compute the profit or loss on the disposal.
Warranties
The Institute normally purchases three year warranties for laptops, PCs and monitors. This makes it unlikely that any such item will be useful for less than three years, as the equipment should be repaired or replaced as appropriate during this period.
Software Licensing
In general, software purchased by the Institute is licensed only to the Institute
and software cannot be sold on. This is because the Institute benefits from licensing subsidies which cannot be transferred.
There is one exception and this applies to the operating systems. The operating system purchased with a workstation or PC may be sold on; however, it is important to be aware that the purchased operating system may have been replaced with the Institute's currently supported standard. Where this is the case, the operating system supplied is the only one which may be sold on and would have to be re-installed after the hard disk has been wiped of all data.
There is no obligation to sell the supplied operating system, and the additional return for equipment with the operating system should be weighed up against the cost of staff time to restore the original operating system once drives have been wiped.
If you require support with understanding any issues related to software licensing, please raise a call with ICT's Service Desk.
Data Protection Act and Data Security
It is the Institute's responsibility to remove any personal data stored on the hard drives of computers. Other data may be confidential and should be removed also. Just hitting the delete key is not enough to wipe data from hard drives. Specialist software must be used.
The Faculty, Department or Section that owns the asset is responsible for ensuring that all data is removed from hard drives before disposing of any IT Equipment, either by sale, donation, or recycling. Drives should be wiped before any equipment leaves the Institute.
Responsibilities for Disposal of IT Equipment Once Sold
Those selling second hand or reconditioned equipment are not responsible for taking back equipment and dealing with its disposal. However, because of our environmental rules and regulations, we are required to ensure that those purchasing second hand equipment are aware that they will be responsible for ensuring it is properly re-cycled and have accepted their responsibility to do so in writing. Asset Records should be updated to reflect who items have been sold to.
Procedures for Disposal
The following outlines the procedures which should be followed when disposing of an ICT Asset.
1. Identify the equipment, serial number, purchase date, order number, budget code and the Faculty, Department or Section which owns the asset. Confirm the item is out of warranty and fully depreciated.
2. If the Faculty, Department or Section has no further use for it, it should be offered to other areas of the Institute who may have alternative uses they can put the equipment to on campus. If an alternative use can be found, procedures for transferring the ownership of an asset to another area of the Institute should be followed and asset and inventory records updated, including notification of Finance.
3. Equipment which cannot be re-used in other areas shall be offered for sale, either to external agencies, staff or participants. An estimate of the item's value will be required and this may or may not correspond to the asset purchase price less depreciation. Records should be kept of who the item has been sold to and their acceptance of their responsibility to ensure the item is properly recycled when they eventually dispose of it.
4. If items cannot be sold, then they should be donated to organisations that will ensure that they are reused, or refurbished and re-used, and the useful life of the equipment extended. Records should be kept of transfer notes fo