
VIRTUAL PRIVATE NETWORK (VPN) POLICY

NATIONAL BANK OF ETHIOPIA

VPN Policy

VERSION: 1.0

BY

JULY, 2018

1. Table of Contents

1. Table of Contents
2. Property Information
3. Document Control
3.1. Information
3.2. Revision History
3.3. Review, Verification and Approval
3.4. Distribution List
4. Policy Overview
4.1. Purpose
4.2. Scope
4.3. Terms and Definitions
4.4. Change, Review and Update
4.5. Enforcement / Compliance
4.6. Waiver
4.7. Relevant Documents
4.8. Ownership
5. Policy Statements

2. Property Information

This document is the property of the National Bank of Ethiopia. The content of this document is
confidential and intended only for the valid recipients. This document is not to be distributed, disclosed,
published or copied without the written permission of the National Bank of Ethiopia.
3. Document Control

3.1. Information

Title            Virtual Private Network (VPN) Policy
Classification   Confidential
Version          1.0
Status

3.2. Revision History

Version   Author(s)               Issue Date    Changes
0.1       NBE ICT Security Team   July, 2018    Creation
0.2
0.3
1.0

3.3. Review, Verification and Approval

Name      Title      Date

3.4. Distribution List

Copy #    Recipients    Location
4. Policy Overview

The purpose of this policy is to provide guidelines for Remote Access IPSec or Virtual Private
Network (VPN) connections to the National Bank of Ethiopia.

4.1. Purpose

A National Bank of Ethiopia VPN connection allows users to connect directly to the National Bank of
Ethiopia network through the Internet. To allow this connectivity, secure connection issues,
performance issues and bandwidth utilization criteria must be addressed.

4.2. Scope

The policy statements written in this document are applicable to all National Bank of Ethiopia VPN users
at all levels of sensitivity, including:

  VPN Admins
  Executives
  Staff
  Contractors
  All other individuals and groups who have been granted access to the National Bank of Ethiopia ICT
  network and information through VPN access.

4.3. Terms and Definitions

Table 1 provides definitions of the common terms used in this document.

Term                   Definition

Accountability         A security principle indicating that individuals shall be able to be
                       identified and held responsible for their actions.

Asset                  Information that has value to the organization, such as forms, media,
                       networks, hardware, software and information systems.

Availability           The state of an asset or a service of being accessible and usable upon
                       demand by an authorized entity.

Confidentiality        An asset or a service is not made available or disclosed to unauthorized
                       individuals, entities or processes.

Control                A means of managing risk, including policies, procedures and guidelines,
                       which can be of an administrative, technical, management or legal nature.

Guideline              A description that clarifies what shall be done and how, to achieve the
                       objectives set out in policies.

Information Security   The preservation of confidentiality, integrity and availability of
                       information. Additionally, other properties such as authenticity,
                       accountability, non-repudiation and reliability can also be involved.

Integrity              Maintaining and assuring the accuracy and consistency of an asset over its
                       entire life-cycle.

Malware (Malicious)    Software designed to disrupt computer operation, gather sensitive
                       information, or gain access to private computer systems (e.g., virus or
                       Trojan horse).

Policy                 A plan of action to guide decisions and actions. The policy process includes
                       the identification of different alternatives such as programs or spending
                       priorities, and choosing among them on the basis of the impact they will
                       have.

Risk                   A combination of the consequences of an event (including changes in
                       circumstances) and the associated likelihood of occurrence.

System                 Equipment or an interconnected system or subsystems of equipment that is
                       used in the acquisition, storage, manipulation, management, control,
                       display, switching, interchange, transmission or reception of data, and
                       that includes computer software, firmware and hardware.

Table 1: Terms and Definitions

4.4. Change, Review and Update

This policy shall be reviewed once every year unless the owner considers an earlier review necessary to
ensure that the policy remains current. Changes of this policy shall be exclusively performed by the
Information Security Officer and approved by management. A change log shall be kept current and be
updated as soon as any change has been made.

4.5. Enforcement / Compliance

Compliance with this policy is mandatory and it is to be reviewed periodically by the Information
Security Officer. All National Bank of Ethiopia units shall ensure continuous compliance monitoring
within their area.

Ignoring or infringing the information security directives could harm the National Bank of Ethiopia
environment (e.g., loss of trust and reputation, operational disruptions or legal violations). The persons
at fault will be held responsible, which may result in disciplinary or corrective actions (e.g., dismissal)
and legal investigations.

Correct and fair treatment of employees who are under suspicion of violating security directives (e.g.,
disciplinary action) has to be ensured. Management and the Human Resources Department have to be
informed of policy violations and are responsible for handling them.

4.6. Waiver

Information Security shall consider exceptions on an individual basis. For an exception to be approved, a
business case outlining the logic behind the request shall accompany the request. Exceptions to the policy
compliance requirement shall be authorized by the Information Security Officer and approved by the ICT
Directorate. Each waiver request shall include justification and the benefits attributed to the waiver.

A policy waiver has a maximum period of 4 months and shall be reassessed and re-approved, if
necessary, for a maximum of three consecutive terms. No policy waiver shall be granted for more than three
consecutive terms.

4.7. Relevant Documents

The following are all relevant policies and procedures to this policy:

  Information Security Policy
  Human Resource Security Policy
  Access Control Policy
  Compliance Policy
  Password Policy

4.8. Ownership

This document is owned and maintained by the National Bank of Ethiopia.

5. Policy Statements

Approved Bank members and authorized third parties (Contractors, etc...) may utilize the benefits of
VPNs, which are a "user managed" service. This means that the user is responsible for selecting an
Internet Service Provider (ISP), coordinating installation, installing any required software, and paying
associated fees.

Additionally:

In order to obtain VPN access, a change request must be approved by the ICT management board, completed
with the request justification, the user's email and contact details, the resources to be accessed (including
IP addresses and port numbers) and the duration of access required.

It is the responsibility of users with VPN privileges to ensure that unauthorized users are not allowed
access to National Bank of Ethiopia internal networks.

VPN use is to be controlled using either a one-time password authentication such as a token device or a
public/private key system with a strong passphrase.

When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the
VPN tunnel: all other traffic will be dropped.

Dual (split) tunneling is not permitted; only one network connection is allowed. Exceptions must be
requested through the ICT board and approved by the Directorate of ICT.

VPN gateways will be set up and managed by the Bank's network and security teams.

All computers connected to Bank internal networks via VPN or any other technology must use the most
up-to-date anti-virus software; this includes personal computers.

VPN users will be automatically disconnected from the National Bank of Ethiopia network after 15 minutes
of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network
processes are not to be used to keep the connection open.

The VPN concentrator is limited to a connection time of 72 hours, or the time specified by the ICT
management board.
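The statements above fix several settings that a gateway profile has to carry: an approved authentication method, no split tunneling, a 15-minute idle disconnect, a 72-hour session ceiling and mandatory anti-virus. The script below is an added example, not the Bank's own tooling, that audits INI-style VPN profiles against those limits and reports every deviation; the profile format and the option names (auth_method, split_tunnel, idle_timeout_seconds, max_session_seconds, require_antivirus) and the two authentication-method identifiers are assumptions made for illustration. A missing option is treated as non-compliant so that an incomplete profile fails closed.

```python
"""Audit VPN gateway profiles against the policy's technical controls.

Added example, not the Bank's tooling. The INI-style profile format and the
option names (auth_method, split_tunnel, idle_timeout_seconds,
max_session_seconds, require_antivirus) are assumptions made for illustration.
"""
import configparser
from dataclasses import dataclass

# Thresholds stated in the policy: disconnect after 15 minutes idle,
# concentrator session limit of 72 hours.
MAX_IDLE_SECONDS = 15 * 60
MAX_SESSION_SECONDS = 72 * 60 * 60

# Assumed identifiers for the two permitted authentication methods
# (one-time password token; public/private key with a strong passphrase).
ALLOWED_AUTH = {"otp-token", "pubkey-passphrase"}


@dataclass(frozen=True)
class Finding:
    profile: str
    setting: str
    value: str
    requirement: str


def check_profile(name, section):
    """Return the policy deviations found in one profile section."""
    findings = []

    auth = section.get("auth_method", "")
    if auth not in ALLOWED_AUTH:
        findings.append(Finding(name, "auth_method", auth,
                                "one-time password token or public/private key"))

    # Split tunneling is not permitted: all traffic must traverse the tunnel.
    # A missing option is treated as enabled, so an unset profile fails closed.
    if section.getboolean("split_tunnel", fallback=True):
        findings.append(Finding(name, "split_tunnel", "yes", "disabled"))

    idle = section.getint("idle_timeout_seconds", fallback=0)
    if idle <= 0 or idle > MAX_IDLE_SECONDS:
        findings.append(Finding(name, "idle_timeout_seconds", str(idle),
                                f"1..{MAX_IDLE_SECONDS}"))

    # Zero or missing means unlimited, which exceeds the 72-hour limit.
    session = section.getint("max_session_seconds", fallback=0)
    if session <= 0 or session > MAX_SESSION_SECONDS:
        findings.append(Finding(name, "max_session_seconds", str(session),
                                f"1..{MAX_SESSION_SECONDS}"))

    if not section.getboolean("require_antivirus", fallback=False):
        findings.append(Finding(name, "require_antivirus", "no", "enabled"))

    return findings


def audit(config_text):
    """Parse INI text and return all findings across every profile."""
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    findings = []
    for name in parser.sections():
        findings.extend(check_profile(name, parser[name]))
    return findings


def is_compliant(config_text):
    """True when no profile in the text deviates from the policy."""
    return not audit(config_text)


# Constructed sample: one compliant profile and one that violates every control.
SAMPLE_CONFIG = """
[staff-default]
auth_method = otp-token
split_tunnel = no
idle_timeout_seconds = 900
max_session_seconds = 259200
require_antivirus = yes

[contractor-legacy]
auth_method = password
split_tunnel = yes
idle_timeout_seconds = 3600
max_session_seconds = 0
require_antivirus = no
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.profile}: {f.setting}={f.value!r}, policy requires {f.requirement}")
```

Run against the constructed sample, the staff-default profile produces no findings and the contractor-legacy profile produces one finding per control. Exporting the live gateway configuration into this format and running the audit on a schedule is one way the compliance monitoring required in section 4.5 can be made mechanical rather than manual.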

Users must configure their machines to comply with the Bank's VPN and Network policies.

Users are required to download the VPN client software from the Bank VPN gateway in order to activate
their VPN account.

Any exception to the policy must be approved by the National Bank of Ethiopia Management Board in
advance.

Support will only be provided for VPN clients approved by National Bank of Ethiopia Information
Technology Services.

Users found to have violated the VPN Access Policy may be subject to loss of privileges of services and
be subject to disciplinary action.

This policy is to be periodically reviewed and amended by Bank management board.

If you have any questions related to the use of the National Bank of Ethiopia VPN, please contact the
National Bank of Ethiopia Help Desk.

-------------------------------------------------------- End of Document
