Kia Ict Mgt Policy


8/4/2019 Kia Ict Mgt Policy

Page 1 of 43

Kenya Institute of Administration

ICT Policy


    Kenya Institute of Administration

    ICT SECTION

    ICT Policy


    Table of Contents

Kenya Institute of Administration ........ 1
ICT SECTION ........ 2
ICT Policy ........ 2
SECTION A ........ 4
Software/Hardware Policy ........ 4
Minimum Requirements ........ 7
Vision ........ 9
Mission ........ 9
SECTION B ........ 10
Information Security Policy ........ 10
Violations ........ 10
Administration ........ 10
Contents ........ 10
Statement of responsibility ........ 11
M.I.S Head responsibilities ........ 11
Policy ........ 12
Acceptable use ........ 13
Unacceptable use ........ 13
Staff responsibilities ........ 13
B Email Policy ........ 14
M.I.S responsibilities ........ 20
Staff/Participant responsibilities ........ 20
D Passwords Standards policy ........ 20
SECTION C ........ 23
ICT Services and Systems Policy ........ 23
SECTION D ........ 26
Information Systems Security Policy ........ 26
SECTION E ........ 32
NETWORK / REMOTE ACCESS POLICY ........ 32
Acceptable Use ........ 32
Equipment and Tools ........ 32
Use of personal computers and equipment ........ 33
Violations and Penalties ........ 33
SECTION F ........ 34
ICT SUPPORT POLICY ........ 34
SECTION G ........ 35
Disaster Recovery and Data Backup Policy ........ 35
SECTION H ........ 37
Incident Response Policy ........ 37
SECTION I ........ 39
Misuse of Institution ICT Facilities ........ 39
SECTION J ........ 40
Disposal Policy for ICT Equipment ........ 40


    SECTION A

    Software/Hardware Policy

    Introduction

The presence of a standard policy regarding the use of software and hardware will:

(a) Enhance the uniform performance of the Management Information Systems Section (M.I.S Section) in delivering, implementing, and maintaining software and hardware suitable to the business needs of the Kenya Institute of Administration, as well as other auxiliary organizations to which the M.I.S section provides service, and

(b) Define the duties and responsibilities of Institution Staff (and Staff of other auxiliaries to which the Institution provides services) who use the aforementioned software and hardware in the performance of their job duties.

    Acceptable use

This section defines what constitutes acceptable use of the Institution's electronic resources, including software, hardware devices, and network systems. Hardware devices, software programs, and network systems purchased and provided by the Institution are to be used only for creating, researching, and processing Institution-related materials, and other tasks necessary for discharging one's employment duties. By using the Institution's hardware, software, and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as national laws and regulations.

    Violations

Violations may result in disciplinary action in accordance with Institution policy. Failure to observe these guidelines may result in disciplinary action by the Institution depending upon the type and severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence of any repeated violation(s).

    Administration

The M.I.S section head is responsible for the administration of this policy. This policy is a living document and may be modified at any time on the advice of the M.I.S section head or the DDFA.

    Contents

    The topics covered in this document include:


    Software Purchasing

    Software Licensing

    Software Standards

    Software Installation

    Hardware Purchasing

    Hardware Standards

    ICT Equipment Disposal

    Software

All software acquired for or on behalf of the Institution, or developed by Institution Staff or contract personnel on behalf of the Institution, is and at all times shall remain Institution property. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.

    Purchasing

All purchasing of Institution software shall be centralized within the M.I.S section to ensure that all applications conform to corporate software standards and are purchased at the best possible price. All requests for corporate software must be submitted through a committee to the M.I.S section Head for approval. The request is then sent to the M.I.S section, which reviews the need for such software and, if it determines that such software is needed, determines the standard software that best accommodates the request. The normal Institution purchasing procedure then takes place.

    Licensing

Each Staff member is individually responsible for reading, understanding, and following all applicable licenses, notices, contracts, and agreements for software that he or she uses or seeks to use on Institution computers. If any Staff member needs help in interpreting the meaning or application of any such licenses, notices, contracts and agreements, he or she will contact the M.I.S section for assistance.

Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication of copyrighted software, except for backup and archival purposes, may be a violation of law. In addition to violating such laws, unauthorized duplication of software is a violation of the Institution's Software/Hardware Policy. Only the head of department is authorized to make duplicates for backup and archival purposes.

    Software standards


The following list shows the standard suite of software installed on Institution computers (excluding test computers) that is fully supported by the M.I.S Section:

    Microsoft Windows XP 2000 / 2003 or higher

    Microsoft Outlook 2003 / Outlook Express 2003

    Microsoft Office 2003 (Word, Excel, PowerPoint, Access, Photo Editor 3.01, Publisher)

    Microsoft Internet Explorer 6.0+

    Microsoft Visual Studio 6.0 / .Net

    Microsoft SQL Server 2000/2005 or higher

    MySQL database community edition or higher

    SPSS Ver 10,12,14 or higher

    Oracle 9i/10g

    Oracle Developer 6/2000

    Symantec Antivirus Corporate Edition/McAfee

    Adobe Acrobat Reader 5.0,6.0-8.0

    WinZip 8.1

    Media Player, Real Player One, QuickTime 5.0.2

    Nero CD Burning

Where applicable, the following software will be installed on Institution computers:

    Microsoft Visio

    Microsoft Project 2002/2003

    Publisher 2003-2007

    Front Page

    Dreamweaver/Fireworks/Flash

    PageMaker/Photoshop/Adobe Premiere

Staff needing software other than the standard suite must request such software from the M.I.S section. Each request will be considered on a case-by-case basis in conjunction with the software-purchasing section of this policy.

    Software Installation

The M.I.S section is exclusively responsible for installing and supporting all software on Institution computers. These responsibilities extend to:


    Office desktop computers

    Institution laptop computers

    Computer lab desktop computers

The M.I.S section relies on installation and support to provide software and hardware in good operating condition to Participants and Staff so that they can best accomplish their tasks.

    Hardware

All hardware devices acquired by the Institution or developed by it (through its own Staff or through those hired by the Institution to develop the hardware devices) are and at all times shall remain Institution property. All such hardware devices must be used in compliance with applicable licenses, notices, contracts, and agreements.

    Purchasing

All purchasing of Institution computer hardware devices shall be centralized within the M.I.S section to ensure that all equipment conforms to corporate hardware standards. The purchasing committee is composed of the M.I.S Head/DDFA, IT/ICT Officer/Systems Administrator and two other members.

All requests for corporate computing hardware devices must be in the annual corporate budget document and have the DDFA's approval. The request is then sent to the M.I.S section, which reviews the need for such hardware and, if the section determines that such hardware is needed, determines the standard hardware that best accommodates the request.

Hardware standards

The following list shows the minimum hardware configuration for Institution computers (excluding test computers) that are fully supported by the M.I.S section:

Minimum Requirements

Desktops - provided to Participants and the Institution's administration (minimum requirements). Branded (Dell/IBM/HP-Compaq/Toshiba) or:

- Pentium IV, 3.0 GHz, 512 cache Intel Processor
- 512-MB RAM or higher
- 64 SVGA graphics/video card
- 1.44MB 3.5-inch floppy drive (A:)
- 80-GB hard drive or higher
- 52x CD-ROM/DVD drive
- 10/100 PCI Ethernet card
- 6 USB ports or more
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB / PS 2 mouse
- All applicable cables
- 3 years warranty

Laptops

Branded (Dell/IBM/HP-Compaq/Toshiba) or:

- Pentium IV, 2.4 GHz Intel Processor
- 512-MB RAM
- Video card with 16 MB RAM
- 1.44MB 3.5-inch floppy drive
- 80-GB IDE hard drive
- 8x CD-RW/DVD ROM Drive
- 10/100 PCI Ethernet card
- Network card
- 56K internal modem
- 4 USB ports
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB/PS 2 mouse
- Touch Pad
- All applicable cables, including phone
- Carrying case
- Extra power adapter
- 3 years warranty / 1 year on site service

Monitors

- Monitors will be provided for both desktop and laptop systems.
- Minimum 17-inch viewing area, 1024 x 768 @ 75 or 85 Hz, .26 mm dot pitch

UPS

- 650 VA or higher of reliable brand

Printers

- Staff will be given access to appropriate network printers. In some limited cases, Staff may be given local printers if deemed necessary by the M.I.S section Head in consultation with the department.

Staff needing computer hardware other than what is stated above must request such hardware from the M.I.S section. Each request will be considered on a case-by-case basis in conjunction with the hardware-purchasing section of this policy.

Outside equipment

No outside equipment may be plugged into the Institution's network without the M.I.S section's written permission. The details of any equipment to be allowed must be recorded at the security door and a copy taken to the DDFA's office.

Summary

This policy is designed to facilitate the Kenya Institute of Administration, Participants and Staff in maximizing the efficient performance of their studies and job duties respectively. Any deviation from this strategy will require the M.I.S section to redeploy software and/or hardware solutions. Full cooperation with this policy is mandatory so that all goals can be met in accordance with the Institution's business objectives reflected in its Mission and Vision.

Vision

To be a model institution of excellence in management development and capacity building in the public sector.

Mission

To improve service delivery in the public sector by providing quality training, research and consultancy services in the Eastern Africa Region.


    SECTION B

    Information Security Policy

Covering Internet, Email, Viruses, Access codes & Passwords

1.1 Introduction

The Internet and Electronic mail (e-mail) are important communication and research tools for KIA network users. This document details standards for the secure use of Internet and e-mail facilities for Institution purposes, including teaching, research and administration.

Computer information systems and networks are an integral part of the business of the Kenya Institute of Administration (the Institution). The Institution has made a substantial investment in human and financial resources to create these systems.

    The enclosed policies and directives have been established in order to:

    Protect this investment.

    Safeguard the information contained within these systems.

    Reduce business and legal risk.

    Protect the good name of the Institution.

    Violations

Violations may result in disciplinary action in accordance with Institution policy. Failure to observe these guidelines may result in disciplinary action by the Institution depending upon the type and severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence of any repeated violation(s).

    Administration

The Management Information Systems Section (M.I.S) head is responsible for the administration of this policy.

    Contents

    The topics covered in this document include:

    Statement of responsibility

    The Internet and e-mail

    Computer viruses


    Access codes and passwords

    Statement of responsibility

General responsibilities pertaining to this policy are set forth below. The following sections list additional specific responsibilities.

    M.I.S Head responsibilities

M.I.S Head and supervisors must:

Ensure that all appropriate personnel are aware of and comply with this policy.

Provide implementation and support of this policy within their respective departments, as well as create practices/procedures (specific to their departments) that are designed to provide reasonable assurance that all Staff observe this policy.

The M.I.S Head must:

1. Develop and maintain written procedures necessary to ensure implementation of and compliance with these policy directives.

2. Provide appropriate support and guidance to assist Staff to fulfill their responsibilities under this directive.

    1.2 Policy Scope

This policy applies to all Institution Staff, Participants and Third parties granted use of Institution Internet and E-mail facilities.

Third parties are defined as any individual, group, contractor, vendor or agent not registered as an Institution staff member or Participant.

    1.3 Data Protection

E-mails fall under the scope of the Data Protection Act. Under this legislation the email originator, all email recipients and any persons named in the e-mail are entitled to view the information about them and, if it is incorrect, they are entitled to have it corrected.

Home or personal use has a domestic exemption from data protection law, but the Institution has no such exemption, even for personal e-mails, if they originate from the Institution network. In addition, emails can constitute publication for the purposes of the law of libel.

Additionally, any information which KIA Users collect via the Internet, such as personal or financial details collected via Internet forms or surveys, falls under the Data Protection Act.

All users must ensure that the methods of collecting, processing and storing information in this way comply with the Institution policies, the Data Protection Act and any other relevant legislation.


    1.4 Copyright

Copyright law stops other people from using and abusing users' original work. Users should bear in mind, therefore, that:

E-mail messages are creative works and therefore are copyrighted.

All e-mail messages sent by a user are copyrighted to the user (or the Institution).

Users do not have to register this copyright - it exists automatically.

When Users post to a public list they do not lose copyright, but the message may be archived, forwarded to other lists or quoted by others.

Messages sent to a list should not be quoted out of context, changed, reworded or misattributed.

Software or files downloaded from the Internet may be protected by copyright restrictions.

    1.5 Privacy

Data users must assume that all e-mail or Internet communications are not secure unless encrypted, and they should not send any confidential information via e-mail. Users may not, under any circumstances, monitor, intercept or browse other users' e-mail messages unless authorized to do so. Network and computer operations personnel, or system administrators, may not monitor other users' e-mail messages other than to the extent that this may occur incidentally in the normal course of their work.

The Institution reserves the right to access and disclose the contents of a user's e-mail messages, in accordance with its legal and audit obligations, and for legitimate operational purposes. The Institution reserves the right to demand that encryption keys, where used, be made available so that it is able to fulfill its right of access to a user's e-mail messages in such circumstances.

    A Internet Policy

The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail.

    Policy

Access to the Internet is provided to Staff for the benefit of the Institution and its Staff. Staff are able to connect to a variety of information resources around the world.

Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all Staff are responsible and productive Internet users and to protect the Institution's interests, the following guidelines have been established for using the Internet and e-mail.


    Acceptable use

Staff using the Internet are representing the Institution. Staff are responsible for ensuring that the Internet is used in a safe, effective, ethical, and lawful manner and only in the course of performing the Staff member's job.

    Unacceptable use

Staff must not use the Internet for purposes that are not Institution-related, illegal, unethical, inappropriate for an Institution setting, harmful to the Institution, or nonproductive. Examples of unacceptable use are:

Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others.

Conducting a personal business using Institution resources.

Transmitting any content that is offensive, harassing, or fraudulent.

Instant messaging and participating in Internet chat rooms.

Downloading or storing MP3 files anywhere on the network, including your personal directories and/or your local C drive.

    Staff responsibilities

A Staff member who uses the Internet or Internet e-mail shall:

1. Ensure that all communications are for work-related reasons and that they do not interfere with his/her productivity.

2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the Internet, and not illegally transmit or receive the same. All communications should have the Staff member's name attached.

3. Not transmit copyrighted materials without permission.

4. Know and abide by all applicable policies dealing with security and confidentiality of records.

5. Run a virus scan on any external files received on diskettes or CDs.

    General

All users must adhere to the following when using Institution facilities to connect to the Internet:

Access to the Internet is provided for KIA purposes and must not be abused for personal use. Commercial use which is not connected to or approved by the Institution is strictly prohibited and will result in disciplinary procedures.


Internet access in the Institution is available only via the Institution infrastructure. Users should not connect to the Internet via a dial-up ISP account on Institution computers connected to the network.

Users are expected to act ethically and responsibly in their use of the Internet and to comply with the relevant national legislation, the Institution Information Security policy, regulations and codes of practice. Users must not post messages on newsgroups or chat areas that are likely to be considered abusive, offensive or inflammatory by others.

Users must not use the Institution Internet connection to scan or attack other individuals/devices/organizations. The use of port scanners or other hacking tools, unless used as part of an approved course of study, is strictly prohibited.

Users should be aware that the public nature of the Internet dictates that the confidentiality and integrity of information cannot normally be relied upon. Where a requirement exists to send or receive confidential or commercially sensitive data over the Internet, a security mechanism recommended by the IT Security Specialist should be used.

Passwords used for Internet services should not be the same as or similar to passwords used for services accessed within the Institution. This is to prevent passwords that grant access to Institution IT resources being sent out on the Internet in clear text, where any Internet user can potentially see them. Similarly, any username used for Internet services should not be the same as or similar to an Institution username.

Software copyrights and license conditions must be observed. Only licensed files or software may be downloaded from the Internet.

All devices connected to the Internet must be equipped with the latest version of anti-virus software which has been both approved and supplied by the Institution. All forms of data received over the Internet should immediately be virus checked. All forms of data transmitted from the Institution over the Internet should be virus checked in advance. Data which has been compressed or encrypted should be decompressed or decrypted as required before virus checking.

All security incidents involving Internet access must be reported to the M.I.S Office.

    B Email Policy

All users must adhere to the following when using Institution E-mail facilities:

Users are expected to act ethically and responsibly in their use of e-mails and to comply with the relevant national legislation, the Institution Information Security policy, regulations and codes of practice.


Discrimination, victimization or harassment on the grounds of gender, marital status, family status, sexual orientation, religious belief, age, disability, race, color, nationality, ethnic or national origin is against Institution Policy. Users must not bully, hassle or harass other individuals via e-mail. Users must not send messages that are likely to be considered abusive, offensive or inflammatory by the recipient(s).

All users should regard all e-mails sent from Institution facilities as first representing the Institution and, secondly, representing the individual. Users should be civil and courteous. Users should not send e-mail which portrays the Institution in an unprofessional light. The Institution is liable for the opinions and communications of its staff and Participants. Any e-mail involved in a legal dispute may have to be produced as evidence in court.

All users should do their best to ensure that email content is accurate, factual and objective, especially in relation to individuals. Users should avoid subjective opinions about individuals or other organizations.

Users should be aware that e-mails can easily be forwarded to other parties. Users should assume that anyone mentioned in an e-mail could see it or hear about it, or may, under data protection or other law, be entitled to see it.

All users should be aware that it is possible for the origin of an e-mail to be easily disguised and for it to appear to come from someone else. Users must not use a false identity in e-mails.

Users must not create or forward advertisements, chain letters or unsolicited e-mails (e.g. SPAM).

All users should protect data displayed on their monitor, e.g. by locking their office door, locking their workstation or using a screen saver in password-protected mode when leaving their desk. This is in order to prevent unauthorized individuals from using the workstation to send an email which will appear to originate from the user.

All users should exercise caution when providing their e-mail address to others and be aware that their e-mail address may be recorded on the Internet.

All users should be cautious when opening e-mails and attachments from unknown sources as they may be infected with viruses. All users must have up-to-date Institution approved anti-virus software installed and operational on the computer that they access their email on. All emails or attachments that are encrypted or compressed should be decrypted or decompressed and scanned for viruses by the recipient.


Users should be aware that e-mails may be subject to audit by Institution Authorities to ensure that they meet the requirements of this policy. This applies to message content, attachments and addressees, and to personal e-mails.

As part of the Institution's standard computing and telecommunications practices, email systems and the systems involved in the transmission and storage of e-mail messages are normally "backed up" centrally on a routine basis for administrative purposes. The back-up process results in the copying of data, such as the content of an e-mail message, on to storage media that may be retained for periods of time and in locations unknown to the originator or recipient of an email. The frequency and retention of back-up copies vary from system to system. However, this back-up is for Institution administrative purposes only and it is the user's own responsibility to back up any of their e-mails they wish to retain for future reference.

All security incidents involving E-mail should be reported to the M.I.S Office.

    C Mass Email Policy

    Purpose:

    This policy reflects the Kenya Institute of Administrations decision to use the Institute assigned staffemail account as the official means of communication with all staff on the KIA campus. The purpose ofthis policy is to provide a definition for mass email; clarification for who can send mass emails; andprocedures for sending mass emails.

    This policy does not apply to email originating by means other than through the Mass Email System.

    Introduction:

    Various offices, organizations and individuals at KIA may request that mass emails be sent to all or part of the Institute community. Mass emails are not authorized except as described herein. However, due to the nature of email, delivery of mass emails is not guaranteed.

    The Mass Email System does not replace individual, sectional, departmental, division or Staff address lists or mailing lists. These other methods are more appropriate for most announcements. The Mass Email System should only be used when a more limited mailing will not be adequate.

    What is mass email?

    For the purposes of this policy, mass email shall be considered to be any unsolicited electronic mailing in which the message is sent to members of the Institute community using the KIA e-Mail and Groupwise email addresses. This policy does not apply to individual email-based distribution and discussion groups such as listservs or established databases that serve Institute learners/clientele.

    Types of mass emails:

    There are three classes of mass email: Urgent, Formal Notice and Informational. The class of the message affects both the audience and the distribution schedule. The subject line of the message will


    indicate the selected class. Either URGENT:, FORMAL NOTICE: or INFORMATIONAL: will appear as the prefix in the subject line according to the message classification.

    1. Urgent Class

    Urgent class is a category of mass emails reserved for highly important, time-sensitive institute

    emergency notices, such as security alerts. Messages in this class may be scheduled for immediate distribution as soon as properly approved.

    2. Formal Notice Class

    Formal notice class is a category of mass emails reserved for highly important, non-emergency messages, such as financial or HR reporting requirements. Messages in this class are scheduled for off-peak distribution, once properly approved, between the requested run date and the expiration date of the message.

    3. Informational Class

    Informational class is a category of mass emails covering non-emergency messages related to Institute work or information, other than events. Events should be posted to the Institute weekly bulletin or on the website at www.kia.ac.ke/bulletin. Messages in this class are scheduled for off-peak distribution, once properly approved, between the requested run date and the expiration date of the message.

    Who is allowed to send mass emails?

    All messages must be approved by the Director or his or her designee associated with the message.

    Examples of what isn't acceptable:

    Specifically, mass emails should not be used for:

    Mailings not related to Institute business or activities.

    Mailings in violation of KIA's Computer and Network Usage Policy.

    Political statements, expression of personal opinion, conduct of personal business, unauthorized fundraising or solicitation (solicitation is defined as any verbal or written effort to raise funds through the sale of merchandise/services or through charitable donations, as well as to influence opinions or to gain support for an issue or cause).

    Notices of houses or other items for sale or rent, requests for rides, lost and found, or commercial

    promotions.

    Notices of routine, regularly scheduled events. These sorts of events should be communicated through the regular Institute Communications Office.

    D Anti Virus and Spam Policy

    General Policy


    1.1 Introduction

    Computer viruses (and similar malicious software) impact productivity, incur financial costs and can result in
    the compromise or loss of data and reputation.

    Viruses can originate from a range of sources, spread rapidly, and require a comprehensive
    approach to ensure the risk they pose is effectively managed. This comprehensive approach
    requires the full cooperation of all KIA Staff and Participants.

    This document is the Institution's Anti-Virus and Anti-Spam Policy and outlines the overall
    approach adopted by the Institution as well as individual responsibilities.

    1.2 Scope

    This policy applies to all Institution Staff, Participants or Third parties using devices connected to
    the Institution network.

    Third parties are defined as any individual, group, contractor, vendor or agent not registered as an
    Institution staff member or Participant.

    Third party Access is defined as all local or remote access to the Institution Network or devices
    attached to the Institution Network for any purpose.

    1.3 Anti-virus and Anti-Spam Measures

    M.I.S, Network Managers and System Administrators will:

    o Evaluate, select and deploy anti-virus software on file servers, desktops and laptops to
    scan for viruses from sources such as inbound and outbound e-mail and attachments, floppy
    disks, CD-ROMs and software downloaded from the Internet.

    o Provide users with a method to reduce the impact of unsolicited or SPAM email in their
    Institution inbox.

    1.4 Desktop Anti-virus protection

    M.I.S must select an effective desktop anti-virus product. This product must be licensed and made
    available to all users connecting to the Institution network.

    1.5 Gateway Virus Protection

    M.I.S must provide a product to scan Institution email and any other protocols such as FTP or
    HTTP at the Internet gateway.

    2 Roles and Responsibilities

    2.1 User Responsibility

    All KIA network users have a responsibility to:

    o Protect any device which they use to connect to the Institution network by ensuring
    that they have installed the correct anti-virus product for their area and that it is up-to-date.
    This relates to Institution owned machines and users' private machines where the
    machines are used to access the Institution network.

    o Not install an unapproved anti-virus product, or alter the configuration of or disable the
    existing anti-virus product.

    o Respond to any virus infection detection indicated by their anti-virus software. In the event
    that a user cannot clean or remove an infected file they should inform M.I.S immediately.


    o Be alert to the possibility of a virus and report any suspicious behaviour to M.I.S immediately.

    o Not open suspicious emails or attachments, whether solicited or unsolicited, from unknown
    or unusual sources.

    o Preserve the PC while awaiting virus investigation. Users must not switch the PC off, or try
    to fix it themselves. Additionally users must not try to carry on working but must disconnect
    the network cable and leave the workstation until the issue is resolved.

    o Scan their hard drives regularly for viruses.

    o Scan all software or other content that they download from the Internet for viruses.

    o Not connect to suspicious websites.

    o Exercise caution when accessing web based E-mail, including but not limited to
    Hotmail and Yahoo. Users should be aware that email accessed on these sites has not
    been scanned by the Institution email gateway and may contain viruses.

    2.2 The M.I.S, Network Managers & System Administrators & IT Security Officer

    The M.I.S, Network Managers & System Administrators must:

    o Evaluate and select suitable anti-virus software products to protect against viruses from
    the sources identified in section 1.3.

    o Provide a central point of contact to Institution users for anti-virus matters.

    o Keep abreast of potential viruses that may affect the Institution.

    o Promote awareness of anti-virus issues amongst users.

    o Monitor systems regularly for devices that do not have anti-virus software installed or have
    incorrect anti-virus products or settings.

    2.3 M.I.S Helpdesk and User Support group

    The Helpdesk will be responsible for:

    o First-line support, i.e. taking the initial report/s of a virus from the user/s located on the
    areas of the Institution network managed by the M.I.S. The report will immediately be checked
    to ascertain whether or not it is a valid virus. Users will be reminded of their responsibilities
    as shown above.

    o During any incident, providing whatever assistance is required to disinfect
    the virus and prevent propagation, e.g. keeping people informed, disabling systems etc.

    o Investigating and resolving any virus incident.

    o Evaluating the situation and making recommendations, which may include informing users
    of the problem by email alert, intranet, etc. and may include selectively disabling
    infrastructure services (e.g. disabling external mail while keeping internal mail,
    disconnecting the Institution from the Internet) to safeguard critical systems.

    Computer viruses

    Computer viruses are programs designed to make unauthorized changes to programs and data.

    Therefore, viruses can cause destruction of or damage to corporate property.

    It is important to know that:

    o Computer viruses are much easier to prevent than to cure.


    o Defenses against computer viruses include protection against unauthorized access to

    computer systems, using only trusted sources for data and programs, and maintaining

    virus-scanning software.

    M.I.S responsibilities

    M.I.S shall:

    1. Install and maintain appropriate antivirus software on all computers.

    2. Respond to all virus attacks, destroy any virus detected, and document each incident.

    Staff/Participant responsibilities

    The following applies to all Staff:

    1. Staff shall not knowingly introduce a computer virus into Institution computers.

    2. Staff shall only load diskettes or CDs with saved files that pertain to Institution business.

    3. Incoming diskettes or CDs shall be scanned for viruses before they are read.

    4. Any Staff who suspects that his/her workstation has been infected by a virus shall

    IMMEDIATELY log off the network and call the M.I.S help desk at ext 115

    5. Users shall not disable the automated AntiVirus Download Scan.

    E Passwords Standards policy

    1 General policy

    1.1 Introduction

    Usernames and passwords are utilized in KIA to facilitate access to Institution IT resources. They also protect Institution data from access by unauthorized individuals both internally (other staff or Participants) and externally (hackers).

    1.2 Scope

    This policy applies to all Institution Staff, Participants, or Third parties who are issued with
    usernames and passwords for any Institution IT System or device.

    This policy applies to all network managers, system administrators, application administrators or
    others who issue usernames and passwords.

    This policy applies to all username and password pairs on all devices, systems and applications
    that are part of the Institution network that provide access to Institution owned information.

    1.3 Issue of accounts and passwords

    All initial system and application accounts and passwords must be issued from the M.I.S. Once a
    password has been issued, full responsibility for that account and associated password passes to
    the user. The user will be required to change the password to something only he/she knows.

    1.4 Password Sharing Prohibition


    Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. Where a user is found to have given the use of a username or password to a third party, disciplinary measures will be implemented.

    1.5 Writing Passwords Down and Leaving Them Where Others Could Discover Them

    Passwords must not be written down and left in a place where unauthorized persons might
    discover them.

    1.6 Password Changes

    Users will be required to change their passwords fortnightly. Password changes may be
    requested in person by the appropriate individual or a trusted party as defined by M.I.S. No
    exceptions to this policy are allowed.

    1.7 Minimum Password Length

    The length of passwords must always be checked automatically at the time that users construct or
    select them. All IT systems must require passwords of at least six (6) characters.

    1.8 Complex Passwords Required

    All computer system users must choose passwords that cannot be easily guessed. For example, a
    car license plate number, a spouse's name, or an address must not be used. This also means that
    passwords must not be a word found in the dictionary or some other part of speech. For example,
    proper names, places, and slang must not be used.

    1.9 Cyclical Passwords Prohibited

    Users must not construct passwords using a basic sequence of characters that is then partially
    changed based on the date or some other predictable factor. For example, users must not employ
    passwords like "JANUARY" in January, "FEBRUARY" in February, etc.

    1.10 User-Chosen Passwords Must Not Be Reused

    Users must not construct passwords that are identical or substantially similar to passwords that
    they had previously employed.

    1.11 Password Ageing

    Passwords should be changed periodically. Network managers, system administrators or
    application administrators should select an appropriate time frame for changing passwords.

    1.12 Limit on Consecutive Unsuccessful Attempts to Enter a Password

    To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect
    password must be strictly limited. After a defined number of unsuccessful attempts to enter a
    password (usually between 3 and 8 per hour), the involved user account must be either:

    (a) Suspended until reset by a system administrator,
    (b) Temporarily disabled for no less than three (3) minutes, or
    (c) If dial-up or other external network connections are involved, disconnected.

    1.13 Password History


    A password history must be maintained for all domain-level accounts. This history should be used to
    prevent users from reusing passwords. It should minimally contain the last three (3)
    passwords for each username.

    1.14 System Compromise

    Whenever an unauthorized party has compromised a system, M.I.S or the relevant network
    manager, system administrator or application administrator must immediately change every
    password on the involved system. Even suspicion of a compromise likewise requires that all
    passwords be changed immediately. Under either of these circumstances, a trusted version of the
    operating system and all security-related software must also be reloaded. Similarly, under either of
    these circumstances, all recent changes to user and system privileges must be reviewed for
    unauthorized modifications.

    1.15 Storage of Passwords in Readable Form

    Passwords must not be stored in readable form in batch files, automatic login scripts, software
    macros, terminal function keys, in computers without access control, or in other locations where
    unauthorized persons might discover them.

    1.16 Changing Vendor Default Passwords

    All vendor-supplied default passwords, e.g. default passwords supplied with routers, switches or
    software such as operating systems and databases, must be changed before any computer or
    communications system is used.

    1.17 Encryption

    Passwords must always be protected cryptographically when held in storage for any significant
    period of time (stored as salted one-way hashes, never in readable or reversible form) and must
    always be encrypted when transmitted over a communications system.
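    The rules in sections 1.7 to 1.13, 1.15 and 1.17 above map directly onto enforcement logic. The Python below is an added illustration and is not part of the Institution's policy or of any KIA system. It assumes PBKDF2-SHA256 as the salted one-way hash for storage, a lockout after five failures in an hour (one choice inside the policy's "3 to 8 per hour" range), a similarity ratio of 0.8 as the meaning of "substantially similar", and a constructed six-word list standing in for a real dictionary. It makes one design consequence explicit: because stored passwords must be one-way hashed (1.15, 1.17), the "substantially similar" test of 1.10 can only be run against the current password the user types at change time, while the three-deep history of 1.13 can only catch exact reuse.

```python
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher
from typing import Dict, List, Optional, Tuple

# Thresholds taken from the policy text; values marked "assumed" are choices
# this example makes, not figures stated in the policy.
MIN_LENGTH = 6            # section 1.7
HISTORY_DEPTH = 3         # section 1.13
MAX_FAILURES = 5          # section 1.12: assumed, inside the "3 to 8 per hour" range
FAILURE_WINDOW = 3600     # seconds, i.e. "per hour"
LOCKOUT_SECONDS = 180     # section 1.12 (b): no less than three minutes
SIMILARITY_LIMIT = 0.8    # assumed reading of "substantially similar" (section 1.10)
PBKDF2_ROUNDS = 200_000   # assumed work factor for the stored hash

# Constructed stand-in for the dictionary / proper-name / slang checks of
# section 1.8; a real deployment loads a full word list.
BANNED_WORDS = {"password", "welcome", "kenya", "nairobi", "admin", "letmein"}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
CYCLICAL_WORDS = set(MONTHS) | {m[:3] for m in MONTHS}   # section 1.9


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted one-way hash for storage (sections 1.15 and 1.17)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def check_new_password(candidate: str, current: str,
                       history: List[Tuple[bytes, bytes]]) -> List[str]:
    """Return the policy rules a proposed password breaks (empty list = acceptable).

    `current` is the plaintext the user supplied to authenticate the change; it is the
    only old password available in clear, so it is the only one the similarity test
    can use. `history` holds the last HISTORY_DEPTH passwords as (salt, digest)
    pairs, against which only exact reuse can be detected.
    """
    problems: List[str] = []
    lowered = candidate.lower()
    letters = re.sub(r"[^a-z]", "", lowered)
    non_letters = re.sub(r"[a-z]", "", lowered)

    if len(candidate) < MIN_LENGTH:                                     # 1.7
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if letters in BANNED_WORDS:                                         # 1.8
        problems.append("dictionary word or proper name")
    if letters in CYCLICAL_WORDS and (not non_letters or non_letters.isdigit()):
        problems.append("cyclical month-based password")               # 1.9
    if SequenceMatcher(None, lowered, current.lower()).ratio() >= SIMILARITY_LIMIT:
        problems.append("substantially similar to the current password")  # 1.10
    for salt, digest in history[-HISTORY_DEPTH:]:                       # 1.13
        if verify_password(candidate, salt, digest):
            problems.append("reuse of one of the last %d passwords" % HISTORY_DEPTH)
            break
    return problems


class LoginThrottle:
    """Section 1.12 (b): disable an account for LOCKOUT_SECONDS after MAX_FAILURES
    failed attempts inside FAILURE_WINDOW. Timestamps are passed in explicitly so
    the behaviour is deterministic and testable."""

    def __init__(self) -> None:
        self._failures: Dict[str, List[float]] = {}
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        return now < self._locked_until.get(user, 0.0)

    def record_failure(self, user: str, now: float) -> bool:
        """Record one failed attempt; return True if this attempt locked the account."""
        recent = [t for t in self._failures.get(user, []) if now - t < FAILURE_WINDOW]
        recent.append(now)
        if len(recent) >= MAX_FAILURES:
            self._locked_until[user] = now + LOCKOUT_SECONDS
            self._failures[user] = []          # fresh count once the lockout expires
            return True
        self._failures[user] = recent
        return False

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


if __name__ == "__main__":
    salt, digest = hash_password("Summer99")
    for pw in ["abc", "Nairobi", "January2019", "Oldpass2", "Summer99", "Xk7!rTq2v"]:
        print(pw, "->", check_new_password(pw, "Oldpass1", [(salt, digest)]) or "OK")
```

    The throttle keys on the username rather than the source address because the policy's limit is per account; pairing it with a per-source limit is the usual next step when dial-up or other external connections are involved (option (c) in 1.12).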


    SECTION C

    ICT Services and Systems Policy

    Introduction

    This chapter contains policy statements on ICT services and information systems that are of

    strategic importance to the Institution. For each of the ICT services and information systems a

    concise description of the essential functional requirements is specified. In addition, the

    relationship with other initiatives, the most essential resources, the essential implementation

    strategies, and the major risks if the proposed system or service is not implemented at the right

    point in time are given.

    Identified ICT Services and Information Systems

    The Institution ICT Policy anticipates the implementation of the following ICT services and

    information systems as well as related implementation, operation and management issues:

    1. Internal and external E-mail and Access-to-Internet services at all workplaces embodying

    general internal and external information provision through Internet/Intranet technology

    (Web based information services)

    2. Availability of common office applications such as word processing, spreadsheet

    processing, access databases, etc. at all workplaces.

    3. An integrated Library Information System.

    4. An integrated Participants Admission Management System.

    5. An integrated Finance Information System.

    6. An integrated Human Resource Information System.

    NB

    The Institution ICT policy does not explicitly include applications supporting teaching processes

    (Computer Aided Learning, SPSS) and professional applications to be used in specific educational

    and scientific fields, such as CAD/CAM. Neither does it include specific applications for research

    purposes. These classes of ICT applications are assumed to be the responsibility of the faculties

    concerned. It is however part of the Institution's policy to:

    Ensure that all end users are equipped with the necessary level and variety of

    skills to facilitate their functions.

    In addition, the Institution has addressed the following issues at policy level:


    Sustainable management of ICT resources that takes into account the interests of

    all users

    Policy Summary

    It is the Institution Policy to assure availability of all anticipated ICT services/systems at any

    workplace in the Institution, and, for selected services, to locations outside the Institution through

    Common Network Services. Common Network Services (Network Infrastructure), mainly

    comprising physical network infrastructure (wiring, switches, routers, servers, etc) and

    communication protocols (TCP/IP), form the collective data transport means for all current and

    future ICT services/systems.

    1. It is the Institution Policy to assure availability of User-level Data Communication Services

    such as E-Mail, Access-to-Internet, Internet/Intranet Services, which actually are major

    users of the low-level network services.

    2. It is the Institution Policy to promote office computing in all offices. In this text the term

    office computing is used for the application of ICT, mostly desktop computers, to support

    general office tasks. This applies to lecturers, researchers, managers, as well as to

    secretarial and clerical workers. Major office computing applications are: word processing,

    electronic mail, spreadsheet processing, document storage and retrieval, desktop

    publishing, access-to-internet and intranets.

    3. It is the Institution Policy to improve both the efficiency and effectiveness of library

    operations and services through the implementation of an integrated on-line Library

    Information System.

    4. It is the Institution Policy to enhance and streamline Participant education related

    administrative and managerial processes and to improve academic reporting facilities at

    both central and faculty level through the implementation of an integrated Participant

    Admission Management System (SAMS).

    5. It is the Institution Policy to enhance and streamline financial management processes and

    reporting facilities at both central and faculty levels through the implementation of an

    integrated Financial Information System. Given the decentralized nature of budgetary

    management, it is the Institution Policy to make these functions also available to faculties

    and other budget centers. The following functionality is regarded essential to the Institution

    financial management information system.


    6. It is the Institution Policy to enhance and streamline the human resource management and

    administrative processes through the implementation of a Human Resource Information

    System (HURIS).

    7. It is the Institution Policy in the broadest sense to promote the deployment of ICT in all

    areas of education and research through creating technical and organizational

    preconditions.

    8. It is the Institution Policy to ensure and require that all Participants, academic staff,

    administrative and support staff, and managerial staff are trained on a continuing basis to

    equip them with the requisite skills to fully exploit the ICT environment in their different

    functions

    9. It is the Institution Policy to ensure sustainable management of the Institution's ICT policy

    and resources through the creation of appropriate policy, advisory management and

    operational organs that will cater for the broad interests of all users

    10. It is the Institution Policy to provide for the growth and financial sustainability of its ICT

    resources through appropriate funding and operational mechanisms

    1.4 Related requirements

    ICT services and systems will become inherent in the Institution's educational, research,

    administrative, and managerial processes. Each individual ICT service and system as such places

    demands on the:

    1. Anticipated data communication infrastructure. For each ICT service or system the

    minimum (initial) communication requirements are identified.

    2. Staff resources during implementation stage. This will involve Kenya Institute of

    Administration staff as well as local and foreign expertise

    3. Staff resources during deployment stage. Adequate organizational arrangements have to

    be made to ensure that the necessary staff to run/ manage systems is either re-deployed

    or recruited in good time.

    4. And the operational ICT management environment during and after implementation.


    SECTION D

    Information Systems Security Policy

    Policy Statement

    1.1 Information is a critical asset of KIA hereafter referred to as the Institution. Accurate, timely,

    relevant, and properly protected information is essential to the success of the Institution's academic

    and administrative activities. The Institution is committed to ensuring all accesses to, uses of, and

    processing of Institution information is performed in a secure manner.

    1.2 Technological Information Systems hereafter referred to as Information Systems play a major

    role in supporting the day-to-day activities of the Institution. These Information Systems include but

    are not limited to all Infrastructure, networks, hardware, and software, which are used to

    manipulate, process, transport or store Information owned by the Institution.

    1.3 The object of this Information Systems Security Policy and its supporting policies is to define

    the security controls necessary to safeguard Institution Information Systems and ensure the

    security, confidentiality and integrity of the information held therein.

    1.4 The Policy provides a framework in which security threats to Institution Information Systems

    can be identified and managed on a risk basis and establishes terms of reference, which are to

    ensure uniform implementation of Information security controls throughout the Institution.

    1.5 The Institution recognizes that failure to implement adequate Information security controls

    could potentially lead to:

    Financial loss

    Irretrievable loss of Important Institution Data

    Damage to the reputation of the Institution

    Legal consequences

    Therefore measures must be in place, which will minimize the risk to the Institution from

    unauthorized modification, destruction or disclosure of data, whether accidental or deliberate. This


    can only be achieved if all staff and Participants observe the highest standards of ethical, personal

    and professional conduct. Effective security is achieved by working with a proper discipline, in

    compliance with legislation and Institution policies, and by adherence to approved Institution Codes

    of Practice.

    1.6 The Information Systems Security Policy and supporting policies apply to all staff and

    Participants of the Institution and all other users authorized by the Institution.

    1.7 The Information Systems Security Policy and supporting policies do not form part of a formal

    contract of employment with the Institution, but it is a condition of employment that employees will

    abide by the regulations and policies made by the Institution from time to time. Likewise, the

    policies are an integral part of the Regulations for Participants.

    1.8 The Information Systems Security Policy and supporting policies relate to use of:

    All Institution networks connected to the Institution Backbone

    All Institution-owned/leased/rented and on-loan facilities.

    To all private systems, owned/leased/rented/on-loan, when connected to the Institution

    network directly, or indirectly.

    To all Institution-owned/licensed data/programs, on Institution and on private systems.

    To all data/programs provided to the Institution by sponsors or external agencies.

    1.9 The objectives of the Information Systems Security Policy and supporting policies are to:

    Ensure that information is created, used and maintained in a secure environment.

    Ensure that all of the Institution's computing facilities, programs, data, network and

    equipment are adequately protected against loss, misuse or abuse.

    Ensure that all users are aware of and fully comply with the Policy Statement and the

    relevant supporting policies and procedures.

    Create awareness that appropriate security measures must be implemented as part of the

    effective operation and support of Information Security.

    Ensure that all users understand their own responsibilities for protecting the confidentiality

    and integrity of the data they handle.


    Ensure all Institution owned assets have an identified owner/administrator.

    2 IT Management roles and responsibilities

    2.1 The Institution Management

    The Institution Management is responsible for approving the IT Security Policy, distributing the

    policy to all heads of departments/sections/centers and for supporting the M.I.S in the enforcement

    of the policies where necessary.

    2.2 Discharging of Policies

    The policies will be discharged through nominated individuals, who normally will be the respective

    Heads of departments.

    2.3 Heads of departments

    The Heads of departments are responsible for ensuring that staff, Participants and other persons

    authorized to use systems in respective departments are aware of and comply with the associated

    supporting policies and procedures.

    2.5 The IT Security Officer

    The IT Security Officer role will be taken by the Information Systems Manager. He is responsible

    for:

    Reviewing and updating the Security policy and supporting policies and procedures.

    The promotion of the policy throughout Institution.

    Periodical assessments of security controls as outlined in the Security Policy and

    supporting policies and procedures.

    Investigating Security Incidents as they arise.

    Maintaining records of Security Incidents.

    Reporting to the Institution Management on the status of security controls within the

    Institution.

    2.6 The Systems Administrator

    The Systems Administrator is responsible for the management of the Institution Network and for

    the provision of support and advice to all nominated individuals with responsibility for discharging

    the technical aspects of these policies.

    2.7 Information Systems Users


    It is the responsibility of each individual Information Systems user to ensure his/her understanding

    of and compliance with this Policy and the associated Codes of Practice.

    All individuals are responsible for the security of Institution Information Systems assigned to them.

    This includes but is not limited to infrastructure, networks, hardware and software. Users must

    ensure that any access to these assets, which they grant to others, is for Institution use only, is not

    excessive and is maintained in an appropriate manner.

    2.8 Purchasing, Commissioning, Developing an Information System

    All individuals who purchase, commission or develop an Information System for the Institution are

    obliged to ensure that this system conforms to necessary security standards as defined in this

    Information Security Policy and supporting policies.

    Individuals intending to collect, store or distribute data via an Information System must ensure that

    they conform to Institution defined policies and all relevant legislation.

    2.9 Third Parties

    Before any third party users are permitted access to Institution Information Systems, specific

    written approval from the IT security Officer is required. Prior to being allowed to work with

    Institution Information systems, satisfactory references from reliable sources should be obtained

    and verified for all third parties which includes but is not limited to; administrative staff, software

    support companies, engineers, cleaners, contract and temporary appointments. Data processing,

    service and maintenance contracts should contain an indemnity clause that offers cover in case of

    fraud or damage.

    2.10 Reporting of Security Incidents

    All suspected information security incidents must be reported as quickly as possible through the

    appropriate channels. All Institution staff and Participants have a duty to report information security

    violations and problems to the IT Security Officer on a timely basis so that prompt remedial action

    may be taken. The IT security Officer will be responsible for setting up an Incident Management

    Team to deal with all incidents. Records describing all reported information security problems and

    violations will be created.

    2.11 Security controls


    All Institution Information Systems are subject to the information security standards as outlined in

    this and related policy documents. No exceptions are permitted unless it can be demonstrated that

    the costs of using a standard exceed the benefits, or that use of a standard will clearly impede

    Institution activities.

    3 Breaches of Security

    3.1 Monitoring

    The Management Information Systems will monitor network activity and take action/make

    recommendations consistent with maintaining the security of Institution information systems.

    3.2 Incident Reporting

    Any individual suspecting that there has been, or is likely to be, a breach of information systems

    security should inform the IT Security Officer or the Institution management immediately, who will

    advise the Institution on what action should be taken.

4 Policy Awareness and Distribution

4.1 New Staff and Participants

This Policy Statement will be available from the Principal's Office on request. It will also be published on the Institution web site. New staff and Participants will be notified of the relevant policy documents when they initially request access to the Institution network.

4.2 Existing Staff

Existing staff and Participants of the Institution, and authorized third parties and contractors given access to the Institution network, will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures, which are published on the Institution website.

4.3 Updates

Updates to policies and procedures will be made periodically.

4.4 Training

Training in information security fundamentals will be available from Management Information Systems.


5 Risk Assessments and Compliance

5.1 Risk Assessment

Risk assessments must be carried out periodically on the business value of the information users are handling and on the information systems security controls currently in place. This is in order to take into account changes to operating systems, business requirements and Institution priorities, as well as relevant legislation, and to revise security arrangements accordingly.


SECTION E

NETWORK / REMOTE ACCESS POLICY

Remote access is a generic term used to describe the accessing of the Kenya Institute of Administration (the Institution) computer network by Staff not located at an Institution office, such as those who travel, those who regularly work from home, or those who work both from the office and from home.

Participation in a remote access program may not be possible for every Staff member. Remote access is meant to be an alternative method of meeting Institution needs. The Institution, in its sole discretion, may refuse to extend remote access privileges to any Staff member or terminate a remote access arrangement at any time.

Eligibility for remote access to the Institution's computer network may be requested through the respective Heads of Department to the M.I.S Head and/or the DDFA. Requests must be submitted in writing, identifying the Staff member and his/her remote access needs.

Acceptable Use

Hardware devices, software programs and network systems purchased and provided by the Institution for remote access are to be used only for creating, researching and processing Institution-related materials in the performance of the Staff member's job duties. By using the Institution's hardware, software and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as all national laws and regulations.

Equipment and Tools

The Institution may provide tools and equipment for remotely accessing the corporate computer network. This may include computer hardware, software, phone lines, e-mail, voicemail, connectivity to host applications, and other applicable equipment as deemed necessary.

The use of equipment and software provided by the Institution for remotely accessing the Institution's computer network is limited to authorized persons and to purposes relating to Institution business. The Institution will provide for repairs to Institution equipment. When a Staff member uses his/her own equipment, the Staff member is responsible for the maintenance and repair of that equipment.


Use of Personal Computers and Equipment

There are likely thousands of possible interactions between the software needed by the remote user and the average mix of programs on most home computers. Troubleshooting software and hardware conflicts can take hours, and can result in the need for a complete reinstallation of operating systems and application software in order to remedy such problems. For that reason the M.I.S will only provide support for equipment and software provided by the Institution.

The Institution will bear no responsibility for a Staff member's loss of or damage to personal equipment or information if the installation or use of any necessary software causes system lockups, crashes, or complete or partial data loss. The Staff member is solely responsible for backing up data on his/her personal machine before beginning any Institution work. At its discretion, the Institution will disallow remote access for any Staff member using a personal home computer that proves incapable, for any reason, of:

(a) Working correctly with the Institution-provided hardware, and
(b) Working with the Institution-provided software without repeated problems.

Violations and Penalties

Penalties for violation of the Remote Access Policy will vary depending on the nature and severity of the specific violation. Any Staff member who violates the Remote Access Policy will be subject to disciplinary action, including but not limited to reprimand, suspension and/or termination of employment.


SECTION F

ICT SUPPORT POLICY

1. PURPOSE

To provide support services within a structured framework that enables M.I.S to respond to computing issues in a timely and efficient manner.

2. POLICY

This policy establishes guidelines for a consistent means of providing support and service and managing any computing issues reported by the community M.I.S serves. The goal of this policy is to minimize the possibility of computer downtime and inconvenience to the customer. Services will be provided to primary customers (Auxiliary, full-time and part-time Staff, and Participants).

3. GUIDELINES

A. Direct all support questions or problems (including training requests) to the Help Desk (ext. 115). It is assumed that most issues will be reported via telephone; however, they may also be reported in person or via written memo to the M.I.S Help Desk. If necessary, the support request will be escalated to a member of the technical staff. Customers are asked not to contact the technical staff directly. It is not our intention to make the technical staff unavailable or unreachable, but rather to utilize their time in a more efficient and productive manner, allowing them to work on complex and time-consuming problems and projects.

B. Direct all projects and purchase requests to the M.I.S Head. Projects are defined as proposed plans resulting in changes to or installation of hardware and/or software. This includes but is not limited to changes affecting functionality, configuration, security, and compatibility with computing systems and standards.

C. Direct all website updates and additions to the Webmaster. The Webmaster will evaluate and implement proposed changes and contact the appropriate technical staff for the final update.


SECTION G

Disaster Recovery and Data Backup Policy

1 General Policy

1.1 Introduction

Back-up procedures, ensuring that both data and software are regularly and securely backed up, are essential to protect against the loss of that data and software and to facilitate a rapid recovery from any IT failure. This document outlines guidelines for KIA staff and Participants on backing up Institution data.

1.2 Scope

The data backup element of this policy applies to all Staff, Participants and third parties who use IT devices connected to the KIA network or who process or store information owned by KIA. All users are responsible for arranging adequate data backup procedures for the data held on IT systems assigned to them.

The disaster recovery procedures in this policy apply to all Network Managers, System Administrators and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer. The M.I.S is responsible for the backup of data held in central Institution databases.

2 Data Backup

2.1 Best Practice Backup Procedures

All backups must conform to the following best practice procedures:

- All data, operating systems and utility files must be adequately and systematically backed up (ensure this includes all patches, fixes and updates).
- Records of what is backed up, and to where, must be maintained.
- At least three generations of back-up data must be retained at any one time (grandfather/father/son).
- The backup media must be precisely labelled, and accurate records must be maintained of the backups done and of the back-up set to which each belongs.
- Copies of the back-up media, together with the back-up record, should be stored safely in a remote location, at a sufficient distance to escape any damage from a disaster at the main site.
- Regular tests of restoring data and software from the backup copies should be undertaken, to ensure that they can be relied upon for use in an emergency.
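The rotation, record-keeping and restore-test requirements above can be exercised in a few dozen lines. The following is an added example, not part of the KIA policy or any tool the Institution uses: it simulates forty days of backups in memory, classifies each set as son (daily), father (weekly) or grandfather (monthly), keeps a fixed number of each generation, writes the manifest that serves as the backup record, and runs the restore test by re-hashing what was restored. The file contents are constructed sample data, and the retention counts (7/4/3) are an assumption; the policy itself only requires at least three generations.

```python
"""Grandfather/father/son backup rotation with a manifest and restore test.

Added example, not part of the KIA policy or its tooling. It models the
requirements of section 2.1 in memory: every backup set carries a manifest
of SHA-256 digests (the backup record), retention keeps a fixed number of
sets in each of three generations, and a restore test re-reads each file
and checks it against the manifest. File contents are constructed sample
data; the retention counts are an assumption, the policy only requires at
least three generations.
"""
import hashlib
from datetime import date, timedelta

# Assumed rotation: keep 7 daily (son), 4 weekly (father), 3 monthly (grandfather).
RETENTION = {"son": 7, "father": 4, "grandfather": 3}


def generation_for(day):
    """First of the month -> grandfather, Sunday -> father, any other day -> son."""
    if day.day == 1:
        return "grandfather"
    if day.weekday() == 6:
        return "father"
    return "son"


def sha256(data):
    return hashlib.sha256(data).hexdigest()


def take_backup(files, day):
    """Copy the files and record a manifest of per-file digests for this set."""
    return {
        "id": day.isoformat(),
        "date": day,
        "generation": generation_for(day),
        "manifest": {name: sha256(data) for name, data in files.items()},
        "data": {name: bytes(data) for name, data in files.items()},
    }


def apply_retention(backups, retention=RETENTION):
    """Keep the newest retention[gen] sets per generation; return (kept, expired)."""
    kept, expired, seen = [], [], {}
    for b in sorted(backups, key=lambda b: b["date"], reverse=True):
        gen = b["generation"]
        if seen.get(gen, 0) < retention[gen]:
            kept.append(b)
            seen[gen] = seen.get(gen, 0) + 1
        else:
            expired.append(b)
    return kept, expired


def restore_test(backup):
    """Restore every file in the set and compare with the manifest; return bad names."""
    bad = []
    for name, expected in backup["manifest"].items():
        restored = backup["data"].get(name)
        if restored is None or sha256(restored) != expected:
            bad.append(name)
    return bad


def tamper_demo():
    """Show the restore test catching a set whose stored copy no longer matches its manifest."""
    b = take_backup({"notes.txt": b"original"}, date(2019, 7, 2))
    b["data"]["notes.txt"] = b"originaL"   # simulated media corruption
    return restore_test(b)


def simulate(days=40, start=date(2019, 7, 1)):
    """Daily backups for `days` days, then rotation and a restore test of what is kept."""
    backups = []
    for i in range(days):
        day = start + timedelta(days=i)
        files = {  # constructed sample data standing in for a database export
            "participants.db": f"export-{i}".encode(),
            "config.ini": b"[backup]\nsite=KIA\n",
        }
        backups.append(take_backup(files, day))
    kept, expired = apply_retention(backups)
    # The record of what was backed up and to which set it belongs (section 2.1).
    record = [(b["id"], b["generation"], sorted(b["manifest"])) for b in kept]
    failures = {b["id"]: restore_test(b) for b in kept if restore_test(b)}
    return kept, expired, record, failures


if __name__ == "__main__":
    kept, expired, record, failures = simulate()
    for entry in record:
        print(*entry)
    print(f"kept {len(kept)}, expired {len(expired)}, restore failures: {failures}")
```

Running the simulation from 1 July 2019 keeps 13 sets (two monthly, four weekly, seven daily) and expires 27. The restore test is the part most often skipped in practice; here it is run against every retained set, and `tamper_demo()` shows it flagging a set whose stored copy has drifted from its manifest.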

2.2 Responsibility for Data Backup

Only critical systems are routinely backed up by the M.I.S and the other relevant IT managers and systems administrators in the current model. The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the Institution, falls entirely to the User. If you are responsible for a collection of data held either remotely on a server or on the hard disk of a computer, you should consult your departmental system administrator.

2.3 Legal Requirements

Users, when formulating a backup strategy, should take the following legal implications into consideration:

- Where data held is personal data within the meaning of the Data Protection Act, there is a legal requirement to ensure that such back-ups are adequate for the purpose of protecting that data.


- Depending on legal or other requirements, e.g. Financial Regulations, it may be necessary to retain essential business data for a number of years and for some archive copies to be permanently retained.
- Depending on legal or other requirements, e.g. the Data Protection Act or software licensing, it may be necessary to destroy all backup copies of data after a certain period or at the end of a contract.

2.4 Desktop Backups

The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the Institution, falls entirely to the User.

3 Disaster Recovery

3.1 Best Practice Disaster Recovery Procedures

A disaster recovery plan can be defined as the on-going process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of vital Institution functions in the event of an unscheduled interruption.

All disaster recovery plans must contain the following key elements:

- Critical Application Assessment
- Backup Procedures
- Recovery Procedures
- Implementation Procedures
- Test Procedures
- Plan Maintenance

3.2 Network Managers, System Administrators, Application Administrators

Network Managers, System Administrators and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer must ensure that they have comprehensive, documented and tested disaster recovery and backup procedures in place.


SECTION H

Incident Response Policy

1 General Policy

1.1 Introduction

In the event of a security incident occurring, it is important that all Institution employees and Participants are aware of their responsibilities and of the procedure by which incidents can be most effectively and efficiently brought to a satisfactory conclusion. The procedures defined below are best practice within KIA. Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.

2 Incident Reporting

2.1 Types of Incidents

The types of incidents that must be reported include, but are not limited to:

- Incidents reported from systems and networks (system failures, unusual activity)
- Incidents that affect Senior Management (threats, gossip, leaks)
- Risk management (unusual or suspicious behaviour noted in logs or activity reports)
- External sources (threats, customer queries, complaints, press)
- Incidents observed by network users (on local PCs or servers)
- All breaches of Institution Security Policy

2.2 Reporting an Incident

All observed or suspected security incidents, weaknesses or threats should be reported to a Network Manager, a System Administrator or the Institution Management.

In no instance should any user attempt to prove a suspected weakness, as this could itself amount to misuse of the system. Where users note that any software does not appear to be working correctly, i.e. according to specification, they should report the matter to the Helpdesk or the local system administrator. Where a user suspects that the malfunction is due to a malicious piece of software, e.g. a computer virus, they should stop using the computer, leave it in its current state, note the symptoms and any messages appearing on the screen, and report the matter to the Helpdesk or the local system administrator.

2.3 Documentation

At all stages of the incident handling process adequate documentation must be maintained.

2.4 Disabling Accounts/Network Connections

The M.I.S, Network Managers and Systems Administrators may disable user accounts and/or network connections.

2.5 Communication / Control

After validating that an incident has taken place, a System Administrator or Network Manager should escalate the incident to the DDFA, Faculty of Information Science and Technology, for necessary action.

    2.6 Obtaining Evidence


It is vital that affected systems are quickly identified and isolated. Information should be retrieved from these systems in the best available manner, with actions being taken by as few people as possible, preferably only the lead incident contact. Incorrect gathering and handling of collected evidence may have serious consequences for the successful prosecution of an incident. Collected evidence should therefore be handled correctly so as to preserve its integrity, and all transfers should be documented and validated (for example by recording a cryptographic hash of each item at the time of collection and re-checking it at every hand-over). Where possible, collected data should immediately be stored on write-once media. Write-once media is defined as any media, such as CD, that once the data is written to it cannot be edited, amended or appended.

2.7 Preserve Configuration

The configuration and contents of all affected systems must be preserved to the greatest extent possible, so that the issues involved can be demonstrated at a later date. This may be covered by the method of obtaining evidence but may also involve manual backups of data. This must include all system configuration data as well as any scripts, data and files stored on the system.

2.8 Query External Resources

Where external resources are of use, their outputs must always be recorded, preferably on write-once media. This is particularly important for DNS lookups, whois/rwhois output, etc., which may change at a later date. If personal contact is made with external agencies, details of all conversations and correspondence must be recorded in the relevant incident notes.
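Sections 2.6 to 2.8 ask for evidence whose integrity can be demonstrated later, documented and validated transfers, and a durable record of external lookups. The following is an added example of one way to implement that record; it is not part of the KIA policy or any Institution tool. Each item is fingerprinted with SHA-256 at acquisition, each hand-over is re-hashed and logged with its verification result, and lookup outputs are captured with their own digest. Each log entry additionally carries the hash of the entry before it, so a later edit or deletion is detectable; this is a software stand-in for write-once media, not a replacement for it. Handler names, timestamps, the item identifier and the lookup result are constructed sample data.

```python
"""Evidence fingerprinting and a hash-chained chain-of-custody log.

Added example, not part of the KIA policy. It shows one way to implement
sections 2.6 to 2.8: each evidence item gets a SHA-256 digest when it is
collected, every hand-over is re-hashed and logged with the verification
result, and the output of an external lookup (DNS, whois) is captured with
its own digest. Each log entry also includes the hash of the previous
entry, so rewriting or removing an entry later is detectable; this is a
software stand-in for the write-once media the policy asks for, not a
replacement for it. Handlers, times and lookup results are constructed
sample data.
"""
import hashlib
import json

GENESIS = "0" * 64  # chain anchor for the first entry


def digest(data):
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only record of evidence events, each chained to its predecessor."""

    def __init__(self):
        self.entries = []

    def _append(self, event):
        prev = self.entries[-1]["entry_hash"] if self.entries else GENESIS
        body = json.dumps(event, sort_keys=True)
        entry = dict(event, prev_hash=prev, entry_hash=digest((prev + body).encode()))
        self.entries.append(entry)
        return entry

    def acquire(self, item, data, handler, when):
        """Fingerprint evidence at collection time; this digest is the reference."""
        return self._append({"event": "acquire", "item": item, "handler": handler,
                             "time": when, "sha256": digest(data)})

    def transfer(self, item, data, sender, receiver, when):
        """Hand evidence over: the receiver re-hashes and the outcome is logged."""
        ok = digest(data) == self.reference_digest(item)
        self._append({"event": "transfer", "item": item, "from": sender,
                      "to": receiver, "time": when, "verified": ok})
        return ok

    def lookup(self, item, query, output, handler, when):
        """Record an external resource's output as seen, since it may change later."""
        return self._append({"event": "lookup", "item": item, "query": query,
                             "output": output, "sha256": digest(output.encode()),
                             "handler": handler, "time": when})

    def reference_digest(self, item):
        for e in self.entries:
            if e["event"] == "acquire" and e["item"] == item:
                return e["sha256"]
        raise KeyError(f"no acquisition record for {item}")

    def verify_chain(self):
        """Recompute every link; False if any entry was altered, reordered or dropped."""
        prev = GENESIS
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev_hash", "entry_hash")}
            expected = digest((prev + json.dumps(body, sort_keys=True)).encode())
            if e["prev_hash"] != prev or e["entry_hash"] != expected:
                return False
            prev = e["entry_hash"]
        return True


def demo():
    """Walk one item through acquisition, a lookup, a clean and a bad transfer, and a log edit."""
    log = CustodyLog()
    image = b"constructed disk image of the affected workstation"  # sample evidence
    log.acquire("IMG-001", image, "lead contact", "2019-08-04T09:00")
    log.lookup("IMG-001", "dns A attacker.example", "198.51.100.7",
               "lead contact", "2019-08-04T09:10")
    clean = log.transfer("IMG-001", image, "lead contact", "network manager",
                         "2019-08-04T12:00")
    # A copy with one byte changed in transit must fail verification.
    altered = image[:-1] + b"!"
    bad = log.transfer("IMG-001", altered, "network manager", "DDFA", "2019-08-05T08:00")
    chain_ok = log.verify_chain()
    # Editing the record after the fact breaks the chain.
    log.entries[1]["output"] = "203.0.113.9"
    chain_after_edit = log.verify_chain()
    return clean, bad, chain_ok, chain_after_edit


if __name__ == "__main__":
    print(demo())
```

The failed transfer is still written to the log rather than rejected silently: the policy's point is that every hand-over is documented, including the ones that went wrong. The chain check only proves the log has not been rewritten since it was last verified, which is why the policy still wants the record itself committed to write-once media.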

2.10 Follow-up Actions

The immediate incident team should draw up a change report detailing further changes required, including the priority and impact of each change. Approval for follow-up actions may be given by senior management or via the normal change control process. The lead contact is responsible for tracking follow-up changes.

A detailed incident report must be prepared, including remedial action taken in the short and long term, to help restore confidence in the systems affected.


SECTION I

Misuse of Institution ICT Facilities

Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.

3.1 Staff and Third Parties

Where Institution Staff members or third parties are found to have misused Institution IT facilities, the Institution authorities will be informed and will determine what further action should be taken.

3.2 Participants

Where Participants are found to have misused Institution IT facilities, the IT Security Officer, Network Manager or Administrator must inform the DDFA, who will determine what further action should be taken.


SECTION J

Disposal Policy for ICT Equipment

Introduction

The Institute, in its effort to maximize the life of ICT equipment, will endeavour to favour the extension of the working lives of ICT equipment by:

- Replacing equipment only when it is necessary and advantageous to do so
- Refurbishing and redeploying equipment to alternative uses, either within the Institute or external to it, whenever possible.

Where it is not possible to extend the useful life of ICT equipment, it must be boarded.

All Institute staff members are responsible for adhering to this policy. This document sets out information to guide staff and the procedures which should be followed for the disposal of ICT equipment.

Responsibilities within the Institute

Responsibility for disposal and the documentation of disposal rests with the ICT Section through which the item or equipment was purchased, except where the ownership of the item has been formally transferred to another Faculty, Department or Section.

Where items are used by a Faculty, Department or Section but rolled out by the ICT Section, ICT will take responsibility for ensuring disposal processes are followed. Where the Faculty, Department or Section has contributed to the purchasing cost of a non-standard workstation, or purchased additional components, ICT will still take responsibility for disposal. The Faculty, Department or Section may remove additional components which they have added and paid for prior to returning the item to ICT, provided this does not invalidate the warranty of the equipment.

Institute Financial Regulations

The Institute applies straight-line depreciation to IT assets annually, no matter when during the year the asset was purchased. Software and PCs are depreciated over three years, while non-PC equipment is depreciated over five years, unless the software or hardware has been purchased for use by a project. In such a case, depreciation may be done over the life of the project.


The disposal of IT assets should consider who funded the item and whether there is any obligation to return the asset, whether internally within the Institute or to an agency which externally funded the project it was purchased for.

The disposal of IT assets should consider whether the item is fully depreciated and, if not, make every effort to sell the asset for a value greater than or equal to its current residual value on the balance sheet.

Budget holders within the relevant Faculty, Department or Section must agree to the disposal. Respective Managers are responsible for notifying Finance within seven days of the asset being disposed of, and for raising invoice requests with Finance for the sale of any assets. Finance will then adjust the depreciation for asset accounts on the balance sheet and compute the profit or loss on the disposal.

Warranties

The Institute normally purchases three-year warranties for laptops, PCs and monitors. This makes it unlikely that any such item will be useful for less than three years, as the equipment should be repaired or replaced as appropriate during this period.

Software Licensing

In general, software purchased by the Institute is licensed only to the Institute and cannot be sold on. This is because the Institute benefits from licensing subsidies which cannot be transferred.

There is one exception, and this applies to operating systems. The operating system purchased with a workstation or PC may be sold on; however, it is important to be aware that the purchased operating system may have been replaced with the Institute's currently supported standard. Where this is the case, the operating system originally supplied is the only one which may be sold on, and it would have to be re-installed after the hard disk has been wiped of all data.

There is no obligation to sell the supplied operating system, and the additional return for equipment with the operating system should be weighed against the cost of staff time to restore the original operating system once drives have been wiped.

If you require support with understanding any issues related to software licensing, please raise a call with ICT's Service Desk.

Data Protection Act and Data Security


It is the Institute's responsibility to remove any personal data stored on the hard drives of computers. Other data may be confidential and should be removed also. Just hitting the delete key is not enough to wipe data from hard drives: deleting a file removes the file system's reference to it, not the data itself, which stays on the disk until those sectors are overwritten. Specialist software that overwrites the whole drive must be used. On solid-state drives overwriting is not reliable, and the drive's own secure-erase function or physical destruction should be used instead.

The Faculty, Department or Section that owns the asset is responsible for ensuring that all data is removed from hard drives before disposing of any IT equipment, whether by sale, donation or recycling. Drives should be wiped before any equipment leaves the Institute.
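The difference between deleting and wiping is easiest to see on a toy disk image. The following is an added example, not part of the KIA policy or of any tool the Institute uses: a drive is modelled as a byte array with a tiny directory mapping file names to blocks, "delete" drops only the directory entry, a raw scan of the image (what recovery and forensic tools do) still finds the contents, and `wipe()` overwrites every block and then verifies the result. The file contents are constructed sample data and the block allocator is deliberately simplified.

```python
"""Why deleting is not wiping: a simulated disk image.

Added example, not part of the KIA policy. A drive is modelled as a
bytearray with a tiny directory mapping file names to blocks. "Delete"
removes only the directory entry, so a raw scan of the image (what
recovery or forensic tools do) still finds the contents; wipe() overwrites
every block and then verifies the result. The file contents are
constructed sample data. The block allocator is deliberately simplified
and assumes the free list is contiguous.
"""
import os

BLOCK = 16  # bytes per block in the toy image


class ToyDisk:
    def __init__(self, blocks):
        self.image = bytearray(blocks * BLOCK)
        self.directory = {}                 # name -> (first_block, block_count)
        self.free = list(range(blocks))     # assumed contiguous

    def write(self, name, data):
        count = -(-len(data) // BLOCK)      # ceiling division
        start = self.free[0]
        del self.free[:count]
        padded = data.ljust(count * BLOCK, b"\0")
        self.image[start * BLOCK:(start + count) * BLOCK] = padded
        self.directory[name] = (start, count)

    def read(self, name):
        start, count = self.directory[name]
        return bytes(self.image[start * BLOCK:(start + count) * BLOCK]).rstrip(b"\0")

    def delete(self, name):
        """What the delete key does: forget where the file was, leave its bytes in place."""
        start, count = self.directory.pop(name)
        self.free.extend(range(start, start + count))

    def carve(self, marker):
        """Raw scan of the whole image for a known string, ignoring the directory."""
        return self.image.find(marker) != -1

    def wipe(self, random_passes=1):
        """Overwrite every block, random data first, then zeros so the result is checkable."""
        for _ in range(random_passes):
            self.image[:] = os.urandom(len(self.image))
        self.image[:] = bytes(len(self.image))
        self.directory.clear()
        self.free = list(range(len(self.image) // BLOCK))

    def is_blank(self):
        return not any(self.image)


def demo():
    """Return (found after delete, found after wipe, image blank after wipe)."""
    disk = ToyDisk(blocks=8)
    record = b"ID 30012345, Jane Doe, HR grade 7"   # constructed personal data
    disk.write("staff.csv", record)
    disk.delete("staff.csv")
    after_delete = disk.carve(b"Jane Doe")          # directory gone, bytes still there
    disk.wipe()
    after_wipe = disk.carve(b"Jane Doe")
    return after_delete, after_wipe, disk.is_blank()


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, True)`: the name is still carved out of the image after deletion and only disappears once every block has been overwritten. Real wiping tools do the same to the physical device, and the final verification pass is what turns a wipe into evidence that the wipe happened.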

Responsibilities for Disposal of IT Equipment Once Sold

Those selling second-hand or reconditioned equipment are not responsible for taking back equipment and dealing with its disposal. However, because of our environmental rules and regulations, we are required to ensure that those purchasing second-hand equipment are aware that they will be responsible for ensuring it is properly recycled, and have accepted their responsibility to do so in writing. Asset records should be updated to reflect who items have been sold to.

Procedures for Disposal

The following outlines the procedures which should be followed when disposing of an ICT asset.

1. Identify the equipment, serial number, purchase date, order number, budget code and the Faculty, Department or Section which owns the asset. Confirm the item is out of warranty and fully depreciated.

2. If the Faculty, Department or Section has no further use for it, it should be offered to other areas of the Institute who may have alternative uses they can put the equipment to on campus. If an alternative use can be found, procedures for transferring the ownership of an asset to another area of the Institute should be followed and asset and inventory records updated, including notification of Finance.

3. Equipment which cannot be reused in other areas of the Institute shall be offered for sale, either to external agencies, staff or participants. An estimate of the item's value will be required, and this may or may not correspond to the asset purchase price less depreciation. Records should be kept of who the item has been sold to and their acceptance of their responsibility to ensure the item is properly recycled when they eventually dispose of it.

4. If items cannot be sold, then they should be donated to organisations that will ensure that they are reused, or refurbished and re-used, and the useful life of the equipment extended. Records should be kept of transfer notes fo