ICT Policy

Kenya Institute of Administration
ICT SECTION

Table of Contents

SECTION A: Software/Hardware Policy
  Minimum Requirements
  Vision
  Mission
SECTION B: Information Security Policy
  Violations
  Administration
  Contents
  Statement of responsibility
  M.I.S Head responsibilities
  Policy
  Acceptable use
  Unacceptable use
  Staff responsibilities
  B Email Policy
  M.I.S responsibilities
  Staff/Participant responsibilities
  D Passwords Standards policy
SECTION C: ICT Services and Systems Policy
SECTION D: Information Systems Security Policy
SECTION E: NETWORK / REMOTE ACCESS POLICY
  Acceptable Use
  Equipment and Tools
  Use of personal computers and equipment
  Violations and Penalties
SECTION F: ICT SUPPORT POLICY
SECTION G: Disaster Recovery and Data Backup Policy
SECTION H: Incident Response Policy
SECTION I: Misuse of Institution ICT Facilities
SECTION J: Disposal Policy for ICT Equipment

SECTION A Software/Hardware Policy
Introduction
The presence of a standard policy regarding the use of software and hardware will:
(a) Enhance the uniform performance of the Management Information Systems (M.I.S Section) in delivering, implementing, and maintaining software and hardware suitable to the business needs of the Kenya Institute of Administration, as well as other auxiliary organizations to which the M.I.S section provides service, and
(b) Define the duties and responsibilities of Institution Staff (and Staff of other auxiliaries to whom the Institution provides services) who use the aforementioned software and hardware in the performance of their job duties.

Acceptable use
This section defines what constitutes "acceptable use" of the Institution's electronic resources, including software, hardware devices, and network systems. Hardware devices, software programs, and network systems purchased and provided by the Institution are to be used only for creating, researching, and processing Institution-related materials, and other tasks necessary for discharging one's employment duties. By using the Institution's hardware, software, and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as country laws and regulations.

Violations
Violations may result in disciplinary action in accordance with Institution policy. Failure to observe these guidelines may result in disciplinary action by the Institution depending upon the type and severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence of any repeated violation(s).

Administration
The M.I.S section head is responsible for the administration of this policy. This policy is a living document and may be modified at any time on the advice of the M.I.S section head or the DDFA.

Contents
The topics covered in this document include:

- Software
- Software Purchasing
- Software Licensing
- Software Standards
- Software Installation
- Hardware Purchasing
- Hardware Standards
- ICT Equipment Disposal

Software
All software acquired for or on behalf of the Institution, or developed by Institution Staff or contract personnel on behalf of the Institution, is and at all times shall remain Institution property. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.

Purchasing
All purchasing of Institution software shall be centralized within the M.I.S section to ensure that all applications conform to corporate software standards and are purchased at the best possible price. All requests for corporate software must be submitted to the M.I.S section, which will then review the need for such software and then determine the standard software that best accommodates the desired request, if the M.I.S section determines that such software is needed. The request must then be sent to the M.I.S section Head through a committee for approval by. The normal Institution purchasing procedure then takes place.

Licensing
Each Staff is individually responsible for reading, understanding, and following all applicable licenses, notices, contracts and agreements for software that he or she uses or seeks to use on Institution computers. If any Staff needs help in interpreting the meaning/application of any such licenses, notices, contracts, and agreements, he/she will contact the M.I.S section for assistance. Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication of copyrighted software, except for backup and archival purposes, may be a violation of law. In addition to violating such laws, unauthorized duplication of software is a violation of the Institution's Software/Hardware Policy. Only the head of department is allowed/authorized to do the duplication for backup and archival purposes.

Software standards

The following list shows the standard suite of software installed on Institution computers (excluding test computers) that is fully supported by the M.I.S Section:
- Microsoft Windows XP 2000 / 2003 or higher
- Microsoft Outlook 2003 / Outlook Express 2003
- Microsoft Office 2003 (Word, Excel, Access, PowerPoint, Publisher)
- Microsoft Internet Explorer 6.0+
- Microsoft Visual Studio 6.0 / .Net
- Microsoft SQL Server 2000/2005 or higher
- MySQL database community edition or higher
- SPSS Ver 10 or higher
- Oracle 9i/10g
- Oracle Developer 6/2000
- Symantec Antivirus Corporate Edition/McAfee
- Adobe Acrobat Reader 5.0-8.0
- WinZip 8.0
- Media Player
- Real Player One
- Photo Editor 3.0
- QuickTime 5.0

Where applicable the following software will be installed on Institution computers:
- Nero CD Burning
- Microsoft Visio
- Microsoft Project 2002/2003
- Publisher 2003-2007
- Front Page
- Dreamweaver/Fireworks/Flash
- PageMaker/Photoshop/Adobe Premiere

Staff needing software other than those standard suites must request such software from the M.I.S section. Each request will be considered on a case-by-case basis in conjunction with the software-purchasing section of this policy.

Software Installation
The M.I.S section is exclusively responsible for installing and supporting all software on Institution computers. These responsibilities extend to:

- Office desktop computers
- Institution laptop computers
- Computer lab desktop computers provided to Participants and the Institution's administration

The M.I.S section relies on installation and support to provide software and hardware in good operating condition to the Participants and Staff so that they can best accomplish their tasks.

Hardware
All hardware devices acquired by the Institution or developed by it (through its own Staff or through those hired by the Institution to develop the hardware devices) are and at all times shall remain Institution property. All such hardware devices must be used in compliance with applicable licenses, notices, contracts, and agreements.

Purchasing
All purchasing of Institution computer hardware devices shall be centralized within the M.I.S section to ensure that all equipment conforms to corporate hardware standards. All requests for corporate computing hardware devices must be in the annual corporate budget document and have the DDFA approval. The request must then be sent to the M.I.S section, which will then review the need for such hardware and then determine standard hardware that best accommodates the desired request, if the section determines that such hardware is needed. A committee composed of the M.I.S Head/DDFA, IT/ICT Officer/Systems Administrator and two other members.

Hardware standards
The following list shows the minimum hardware configuration for Institution computers (excluding test computers) that are fully supported by the M.I.S section:

Minimum Requirements

Desktops: (Dell Branded/IBM/HP-Compaq/Toshiba) or, NB (Minimum Requirements):
- Pentium IV, 3.0 GHz, 512 cache Intel Processor
- 512-MB RAM or higher
- 64 SVGA graphics/video card
- 1.44MB 3 ½" floppy drive (A:)

- 80-GB hard drive or higher
- 52x CD-ROM/DVD drive
- 10/100 PCI Ethernet card
- 6 USB ports or more
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB / PS 2 mouse
- All applicable cables
- 3 years warranty

Laptops: (Dell Branded/IBM/HP-Compaq/Toshiba) or:
- Pentium IV, 2.4 GHz Intel Processor
- 512-MB RAM
- Video card with 16 MB RAM
- 1.44MB 3 ½" floppy drive
- 80-GB IDE hard drive
- 8x CD-RW/DVD ROM Drive
- 10/100 PCI Ethernet card
- Network card
- 56K internal modem
- 4 USB port
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB/PS 2 mouse
- Touch Pad
- All applicable cables, including phone
- Carrying case

- Extra power adapter
- 3 years warranty / 1½ year on site service

Monitors
Monitors will be provided for both desktop and laptop systems. Minimum 17" viewing area, 1024 x 768 @ 75 or 85 Hz, .26 mm dot pitch.

UPS
650 VA or higher of reliable brand.

Printers
Staff will be given access to appropriate network printers. In some limited cases, Staff may be given local printers if deemed necessary by the M.I.S section Head in consultation with the department.

Staff needing computer hardware other than what is stated above must request such hardware from the M.I.S section. Each request will be considered on a case-by-case basis in conjunction with the hardware-purchasing section of this policy.

Outside equipment
No outside equipment may be plugged into the Institution's network without the M.I.S section's written permission. The details of any equipment to be allowed must be recorded at the security door and a copy taken to the DDFA's office.

Summary
This policy is designed to facilitate Kenya Institute of Administration, Participants and Staff in maximizing the efficient performance of their studies and job duties respectively. Any deviation from this strategy will require the M.I.S section to redeploy software and/or hardware solutions. Full cooperation with this policy is mandatory so that all goals can be met in accordance with the Institution's business objectives reflected in its Mission and Vision.

Vision
To be a model institution of excellence in management development and capacity building in the public sector.

Mission
To improve service delivery in the public sector by providing quality training, research and consultancy service in the Eastern Africa Region.

SECTION B Information Security Policy
Covering Internet, Email, Viruses, Access codes & Passwords

1.1 Introduction
The Internet and Electronic mail (e-mail) are important communication and research tools for KIA network users. This document details standards for the secure use of Internet and e-mail facilities for Institution purposes. Computer information systems and networks are an integral part of the business of the Kenya Institute of Administration ("the Institution"), including teaching, research and administration. The Institution has made a substantial investment in human and financial resources to create these systems. The enclosed policies and directives have been established in order to:
- Protect this investment.
- Safeguard the information contained within these systems.
- Reduce business and legal risk.
- Protect the good name of the Institution.

Violations
Violations may result in disciplinary action in accordance with Institution policy. Failure to observe these guidelines may result in disciplinary action by the Institution depending upon the type and severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence of any repeated violation(s).

Administration
The Management Information Systems Section (M.I.S) head is responsible for the administration of this policy.

Contents
The topics covered in this document include:
- Statement of responsibility
- The Internet and e-mail
- Computer viruses

- Access codes and passwords

Statement of responsibility
General responsibilities pertaining to this policy are set forth below. The following sections list additional specific responsibilities.

M.I.S Head responsibilities
The M.I.S Head must:
1. Develop and maintain written procedures necessary to ensure implementation of and compliance with these policy directives.
2. Provide appropriate support and guidance to assist Staff to fulfill their responsibilities under this directive.

M.I.S Head and supervisors must:
- Ensure that all appropriate personnel are aware of and comply with this policy.
- Provide implementation and support of this policy within their respective departments, as well as create practices/procedures (specific to their departments) that are designed to provide reasonable assurance that all Staff observe this policy.

1.2 Policy Scope
- This policy applies to all Institution Staff, Participants and Third parties granted use of Institution Internet and E-mail facilities.
- Third parties are defined as any individual, group, contractor, vendor or agent not registered as an Institution staff member or Participant.

1.3 Data Protection
E-mails fall under the scope of the data protection act. Under this legislation the email originator, all email recipients and any persons named in the e-mail are entitled to view the information about them, and if it is incorrect they are entitled to have it corrected. Home or personal use has a "domestic exemption" from data protection law, but the Institution has no such exemption even for personal e-mails if they originate from the Institution network. Additionally, any information which KIA Users collect via the Internet, such as personal or financial details collected via Internet forms or surveys, falls under the Data Protection Act. All users must ensure that the methods of collecting, processing and storing information in this way comply with the Institution policies, the data protection act and any other relevant legislation. In addition, emails can constitute publication for the purpose of the law of libel.

1.4 Copyright
Copyright law stops other people from using and abusing users' original work. Users should bear in mind, therefore, that:
- E-mail messages are creative works and therefore are copyrighted.
- Users do not have to register this copyright; it exists automatically.
- All e-mail messages sent by a user are copyrighted to the user (or the Institution).
- When Users post to a public list they do not lose copyright, but the message may be archived, forwarded to other lists or quoted by others.
- Messages sent to a list should not be quoted out of context, changed or reworded or misattributed.
- Software or files downloaded from the Internet may be protected by copyright restrictions.

1.5 Privacy
Data users must assume that all e-mail or Internet communications are not secure unless encrypted, and they should not send via e-mail any information which is confidential. The Institution reserves the right to access and disclose the contents of a user's e-mail messages, in accordance with its legal and audit obligations, and for legitimate operational purposes. The Institution reserves the right to demand that encryption keys, where used, be made available so that it is able to fulfill its right of access to a user's e-mail messages in such circumstances. Network and computer operations personnel, or system administrators, may not monitor other users' e-mail messages other than to the extent that this may occur incidentally in the normal course of their work. Users may not, under any circumstances, monitor, intercept or browse other users' e-mail messages unless authorized to do so.

A Internet Policy
The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail. Staff are able to connect to a variety of information resources around the world. Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all Staff are responsible and productive Internet users and to protect the Institution's interests, the following guidelines have been established for using the Internet and e-mail.

Policy
Access to the Internet is provided to Staff for the benefit of the Institution and its Staff.

Acceptable use
Staff using the Internet are representing the Institution. Staff are responsible for ensuring that the Internet is used in a safe, effective, ethical, and lawful manner and only in the course of performing the Staff's job. All communications should have the Staff's name attached.

Unacceptable use
Staff must not use the Internet for purposes that are not Institution-related, illegal, unethical, harmful to the Institution, inappropriate for an Institution setting, or nonproductive. Examples of unacceptable use are:
- Sending or forwarding chain e-mail, i.e. messages containing instructions to forward the message to others.
- Conducting a personal business using Institution resources.
- Transmitting any content that is offensive, harassing, or fraudulent.
- Commercial use which is not connected to or approved by the Institution.
- Instant messaging and participating in Internet "chat" rooms.
- Downloading or storing of MP3 files anywhere on the network, including your 'personal' directories and/or your local 'C' drive, is strictly prohibited and will result in disciplinary procedures.

Staff responsibilities
A Staff who uses the Internet or Internet e-mail shall:
1. Ensure that all communications are for work-related reasons and that they do not interfere with his/her productivity.
2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the Internet.
3. Not transmit copyrighted materials without permission, and not illegally transmit or receive the same.
4. Know and abide by all applicable policies dealing with security and confidentiality of records.
5. Run a virus scan on any external files received on diskettes or CDs.

General
All users must adhere to the following when using Institution facilities to connect to the Internet:
- Access to the Internet is provided for KIA purposes and must not be abused for personal use.

- Users are expected to act ethically and responsibly in their use of the Internet and to comply with the relevant national legislation, the Institution Information Security policy, regulations and codes of practice.
- Internet access in the Institution is available only via the Institution infrastructure. Users should not connect to the Internet via a dial-up ISP account on Institution computers connected to the network.
- Users must not post messages on newsgroups or chat areas that are likely to be considered abusive, offensive or inflammatory by others.
- Users must not use the Institution Internet connection to scan or attack other individuals/devices/organizations. The use of port scanners or other hacking tools, unless used as part of an approved course of study, is strictly prohibited.
- Software copyrights and license conditions must be observed. Only licensed files or software may be downloaded from the Internet.
- All devices connected to the Internet must be equipped with the latest versions of anti-virus software which has been both approved and supplied by the Institution.
- All forms of data received over the Internet should immediately be virus checked. Data which has been compressed or encrypted should be decompressed or decrypted as required before virus checking. Similarly, all forms of data transmitted from the Institution over the Internet should be virus checked in advance.
- Users should be aware that the public nature of the Internet dictates that the confidentiality and integrity of information cannot normally be relied upon. Where a requirement exists to send or receive confidential or commercially sensitive data over the Internet, a security mechanism recommended by the IT Security Specialist should be used.
- Passwords used for Internet services should not be the same or similar to passwords used for services accessed within the Institution. Similarly, any username used for Internet services should not be the same or similar to an Institution username. This is to prevent passwords that grant access to Institution IT resources being sent out on the Internet in clear text where any Internet user can potentially see them.
- All security incidents involving Internet access must be reported to the M.I.S Office.

B Email Policy
All users must adhere to the following when using Institution E-mail facilities:
- Users are expected to act ethically and responsibly in their use of e-mails and to comply with the relevant national legislation, the Institution Information Security policy, regulations and codes of practice.

- All users should regard all e-mails sent from Institution facilities as first, representing the Institution and, secondly, representing the individual. The Institution is liable for the opinions and communications of its staff and Participants.
- Users should not send e-mail which portrays the Institution in an unprofessional light.
- Users must not send messages that are likely to be considered abusive, offensive or inflammatory by the recipient/s. Users must not bully, hassle or harass other individuals via e-mail. Discrimination, victimization or harassment on the grounds of gender, marital status, family status, sexual orientation, religious belief, age, disability, race, color, nationality, ethnic or national origin is against Institution Policy.
- Users must not create or forward advertisements, chain letters or unsolicited e-mails, e.g. SPAM.
- Users must not use a false identity in e-mails.
- All users should be aware that, due to the nature of email, it is possible for the origin of an e-mail to be easily disguised and for it to appear to come from someone else.
- All users should protect data displayed on their monitor, e.g. by locking their office door or by locking their workstation or using a screen saver in password-protected mode when leaving their desk. This is in order to prevent unauthorized individuals from using the workstation to send an email which will appear to originate from the user.
- All users should exercise caution when providing their e-mail address to others and be aware that their e-mail address may be recorded on the Internet.
- All users should be cautious when opening e-mails and attachments from unknown sources as they may be infected with viruses. All users must have up-to-date Institution approved anti-virus software installed and operational on the computer that they access their email on. All emails or attachments that are encrypted or compressed should be decrypted or decompressed and scanned for viruses by the recipient.
- Users should be civil and courteous. Users should assume that anyone mentioned in e-mail could see it or hear about it, or he/she may, under data protection or other law, be entitled to see it.
- All users should do their best to ensure that email content is accurate, factual and objective, especially in relation to individuals. Users should avoid subjective opinions about individuals or other organizations. Any e-mail involved in a legal dispute may have to be produced as evidence in court.
- Users should be aware that e-mails can easily be forwarded to other parties.

- As part of the Institution's standard computing and telecommunications practices, email systems and the systems involved in the transmission and storage of e-mail messages are normally "backed up" centrally on a routine basis for administrative purposes. The back-up process results in the copying of data, such as the content of an e-mail message, on to storage media that may be retained for periods of time and in locations unknown to the originator or recipient of an email. The frequency and retention of back-up copies vary from system to system. However, this back-up is for Institution administrative purposes only and it is the user's own responsibility to back up any of their e-mails they wish to retain for future reference.
- Users should be aware that e-mails may be subject to audit by Institution Authorities to ensure that they meet the requirements of this policy. This applies to message content, attachments and addressees, and to personal e-mails.
- All security incidents involving E-mail should be reported to the M.I.S Office.

C Mass Email Policy

Purpose: This policy reflects the Kenya Institute of Administration's decision to use the Institute assigned staff email account as the official means of communication with all staff on the KIA campus. The purpose of this policy is to provide a definition for mass email, clarification for who can send mass emails, and procedures for sending mass emails. This policy does not apply to individual email-based distribution and discussion groups such as listservs or established data bases that serve Institute learners/clientele. This policy does not apply to email originating by means other than through the Mass Email System.

Introduction: Various offices, organizations and individuals at KIA may request that mass emails be sent to all or part of the Institute community. The Mass Email System does not replace individual, departmental, sectional, division or Staff address lists or mailing lists. These other methods are more appropriate for most announcements. The Mass Email System should only be used when a more limited mailing will not be adequate. Mass emails are not authorized except as described herein. However, delivery of mass emails is not guaranteed.

What is mass email? For the purposes of this policy, mass email shall be considered to be any unsolicited electronic mailing in which the message is sent to members of the Institute community using the KIA e-Mail and Groupwise email addresses.

Types of mass emails: There are three classes of mass email: Urgent, Formal Notice and Informational. The class of the message affects both the audience and the distribution schedule. The subject line of the message will indicate the selected class. Either "URGENT:", "FORMAL NOTICE:", or "INFORMATIONAL:" will appear as the prefix in the subject line according to the message classification.

1. Urgent Class
Urgent class is a category of mass emails reserved for highly important, time-sensitive institute emergency notices, such as security alerts. Messages in this class may be scheduled for immediate distribution as soon as properly approved.

2. Formal Notice Class
Formal notice class is a category of mass emails reserved for highly important, non-emergency messages, such as financial or HR reporting requirements. Messages in this class are scheduled for off-peak distribution, after being properly approved, between the requested run date and the expiration date of the message.

3. Informational Class
Informational class is a category of mass emails covering non-emergency messages related to Institute work or information, other than events. Messages in this class are scheduled for off-peak distribution, after being properly approved, between the requested run date and the expiration date of the message. Events should be posted to the institute weekly bulletin or on the website at www.kia.ac.ke/bulletin.

Who is allowed to send mass emails? All messages must be approved by the Director or his or her designee associated with the message.

Examples of what isn't acceptable: Specifically, mass emails should not be used for:
- Mailings not related to Institute business or activities.
- Notices of routine, regularly scheduled events. These sorts of events should be communicated through the regular Institute communications Office.
- Notices of houses or other items for sale or rent, lost and found, requests for rides, or commercial promotions.
- Political statements, expression of personal opinion, conduct of personal business, unauthorized fundraising or solicitation (solicitation is defined as any verbal or written effort to raise funds through the sale of merchandise/services or through charitable donations, as well as to influence opinions or to gain support for an issue or cause).
- Mailings in violation of the KIA's Computer and Network Usage Policy.

D Anti Virus and Spam Policy

General Policy

1.1 Introduction
Computer viruses (and similar devices) impact productivity, spread rapidly, incur financial costs and can result in the compromise or loss of data and reputation. Viruses can originate from a range of sources, and require a comprehensive approach to ensure the risk they pose is effectively managed:
- Emails and attachments (inbound).
- Software downloaded from the Internet.
- Floppy disks, CD-ROMs.
This comprehensive approach requires the full cooperation of all KIA Staff and Participants. This document is the Institution's Anti-Virus and Anti-Spam Policy and outlines the overall approach adopted by the Institution as well as individual responsibilities.

1.2 Scope
This policy applies to all Institution Staff, Participants or Third parties using devices connected to the Institution network. This relates to Institution owned machines and Users' private machines where the machines are used to access the Institution network. Third parties are defined as any individual, group, contractor, vendor or agent not registered as an Institution staff member or Participant. Third party Access is defined as all local or remote access to the Institution Network or devices attached to the Institution Network for any purpose.

1.3 Anti-virus and Anti-Spam Measures
Network Managers and System Administrators will:
- Evaluate, select and deploy anti-virus software on file servers, desktops and laptops to scan for viruses from sources such as Inbound and Outbound E-mail.
- Provide users with a method to reduce the impact of unsolicited or SPAM email in their Institution inbox.

1.4 Desktop Anti-virus protection
M.I.S must select an effective desktop anti-virus product. This product must be licensed and made available to all users connecting to the Institution network.

1.5 Gateway Virus Protection
M.I.S must provide a product to scan Institution email and any other protocols such as FTP or HTTP at the Internet gateway.

2 Roles and Responsibilities

2.1 User Responsibility
All KIA network users have a responsibility to:
- Protect any device which they use that connects to the Institution network by ensuring that they have installed the correct anti-virus product for their area and that it is up-to-date.
- Respond to any virus infection detection indicated by their anti-virus software. In the event that a user cannot clean or remove an infected file they should inform M.I.S immediately.
- Not try to install an unapproved anti-virus product, or try to alter the configuration or disable the existing anti-virus product.
- Be alert to the possibility of a virus and report any suspicious behaviour to M.I.S immediately.
- Preserve the PC while awaiting virus investigation. Users must not switch the PC off, or try to fix it themselves. Additionally users must not try to carry on working but must disconnect the network cable and leave the workstation until the issue is resolved.
- Not open suspicious emails or attachments, whether solicited or unsolicited, from unknown or unusual sources.
- Exercise caution when accessing web based E-mail including but not limited to Hotmail and Yahoo. Users should be aware that email accessed on these sites has not been scanned by the Institution email gateway and may contain viruses.
- Scan all software or other content that they download from the Internet for viruses.
- Not connect to suspicious websites.
- Scan their hard drives regularly for viruses.
Users will be reminded of their responsibilities as shown above.

2.2 The M.I.S Network Managers & System Administrators & IT Security Officer
The M.I.S Network Managers & System Administrators must:
- Evaluate and select suitable anti-virus software products to protect against viruses from the sources as identified in section 1.2.
- Provide a central point of contact to Institution users for anti-virus matters.
- Monitor systems regularly for devices that do not have anti-virus software installed or have incorrect anti-virus products or settings.
- Keep abreast of potential viruses that may affect the Institution.
- Promote awareness of anti-virus issues amongst users.
- During any incident, act to safeguard critical systems, which may include selectively disabling infrastructure services (e.g. disabling external mail while keeping internal mail, disconnecting the Institution from the Internet).

2.3 M.I.S Helpdesk and User Support group
The Helpdesk will be responsible for:
- First-line support, taking the initial report/s of a virus from the user/s located on the areas of the Institution network managed by the M.I.S. The report will immediately be checked to ascertain whether or not it is a valid virus.
- Investigating and resolving any virus incident, i.e. the Helpdesk will provide whatever assistance is required to disinfect the virus and prevent propagation.
- Evaluating the situation and making recommendations, which may include informing users of the problem by email alert, intranet, etc., keeping people informed, disabling systems etc.

Computer viruses
Computer viruses are programs designed to make unauthorized changes to programs and data. Therefore, viruses can cause destruction of or damage to corporate property. It is important to know that:
o Computer viruses are much easier to prevent than to cure.

o Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.

Staff/Participant responsibilities
The following applies to all Staff:
1. Incoming diskettes or CDs shall be scanned for viruses before they are read.
2. Staff shall only load diskettes or CDs with saved files that pertain to Institution business.
3. Staff shall not knowingly introduce a computer virus into Institution computers.
4. Any Staff who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY log off the network and call the M.I.S help desk at ext 115.
5. Users shall not disable the automated AntiVirus Download Scan.

M.I.S responsibilities
M.I.S shall:
1. Install and maintain appropriate antivirus software on all computers.
2. Respond to all virus attacks, destroy any virus detected, and document each incident.

E Passwords Standards policy

1 General policy

1.1 Introduction
Usernames and passwords are utilized in KIA to facilitate access to Institution IT resources. They also protect Institution data from access by unauthorized individuals both internally (other staff or Participants) and externally (hackers).

1.2 Scope
This policy applies to all Institution Staff, Participants, or Third parties who are issued with usernames and passwords for any Institution IT System or device. This policy applies to all network managers, system administrators, application administrators or others who issue usernames and passwords. This policy applies to all username and password pairs on all devices, systems and applications that are part of the Institution network that provide access to Institution owned information.

1.3 Issue of accounts and passwords
All initial system and application accounts and passwords must be issued from the M.I.S. The user will be required to change the password to something only he/she knows. Once a password has been issued, full responsibility for that account and associated password passes to the user.

1.4 Password Sharing Prohibition
Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. Where a user is found to have given the use of a username or password to a third party, disciplinary measures will be implemented.

1.5 Writing Passwords Down and Leaving Where Others Could Discover
Passwords must not be written down and left in a place where unauthorized persons might discover them.

1.6 Password Changes
Users will be required to change their passwords fortnightly. Password changes may be requested in person by the appropriate individual or a trusted party as defined by M.I.S or the relevant network manager.

1.7 Minimum Password Length
The length of passwords must always be checked automatically at the time that users construct or select them. All IT systems must require passwords of at least six (6) characters.

1.8 Complex Passwords Required
All computer system users must choose passwords that cannot be easily guessed. This means that passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, and slang must not be used. For example, a spouse's name, a car license plate number, or an address must not be used.

1.9 Cyclical Passwords Prohibited
Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users must not employ passwords like "JANUARY" in January, "FEBRUARY" in February, etc.

1.10 User-Chosen Passwords Must Not Be Reused
Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed.

1.11 Password Ageing
Passwords should be changed periodically. Network managers, system administrators or application administrators should select an appropriate time frame for changing passwords.

1.12 Limit on Consecutive Unsuccessful Attempts to Enter a Password
To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After a defined number of unsuccessful attempts to enter a password (usually between 3 and 8 per hour), the involved user account must be either (a) Suspended until reset by a system administrator, (b) Temporarily disabled for no less than three (3) minutes, or (c) If dial-up or other external network connections are involved, disconnected. No exceptions to this policy are allowed.

1.13 Password History
A password history must be maintained for all domain level. The history file should minimally contain the last 3 passwords for each username. This history file should be used to prevent users from reusing passwords.

1.14 System Compromise
Whenever an unauthorized party has compromised a system, the system administrator or application administrator must immediately change every password on the involved system. Even suspicion of a compromise likewise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.

1.15 Storage of Passwords in Readable Form
Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them.

1.16 Changing Vendor Default Passwords
All vendor-supplied default passwords, e.g. default passwords supplied with routers, switches or software such as operating systems and databases, must be changed before any computer or communications system is used.

1.17 Encryption
Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over a communications system.
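Sections 1.7 to 1.13 and 1.17 above are concrete enough to implement. The following Python is an added example, not KIA's own tooling: it checks a candidate password for length, dictionary words, month-name cycling, similarity to the current password and exact reuse against a hashed history of the last three, stores only a salted PBKDF2 digest, and enforces the 1.12 lockout with a three-minute disable. The word list, the choice of 5 attempts (the policy allows 3 to 8) and the sample passwords are constructed for illustration.

```python
"""Password-standards checks modelled on sections 1.7-1.13 and 1.17 of the KIA policy.
Added example (not KIA's own tooling); thresholds, word list and samples are constructed."""
import hashlib
import hmac
import os
import re
import time

MIN_LENGTH = 6          # 1.7: at least six characters, checked automatically
HISTORY_DEPTH = 3       # 1.13: history holds at least the last 3 passwords per username
MAX_ATTEMPTS = 5        # 1.12: policy allows 3 to 8 consecutive failures; 5 chosen here
LOCKOUT_SECONDS = 180   # 1.12 (b): account disabled for no less than three minutes
PBKDF2_ROUNDS = 100_000

# 1.8 / 1.9: constructed stand-ins for a real dictionary and for date-based tokens.
DICTIONARY = {"password", "welcome", "nairobi", "kenya", "institute"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}


def hash_password(pw: str, salt: bytes = b"") -> tuple:
    """1.15 / 1.17: never keep the password itself; store a random salt and a PBKDF2 digest."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


def verify_password(pw: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison so the check itself leaks nothing about the stored digest."""
    candidate = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


def _stem(pw: str) -> str:
    """Lowercase and keep letters only, so 'JANUARY2' and 'january!' compare equal."""
    return re.sub(r"[^a-z]", "", pw.lower())


def _similar(a: str, b: str) -> bool:
    """1.10 'substantially similar': equal letter stems, or one stem inside the other
    (catches Secret7 -> Secret8 and Secret -> Secret1 style increments)."""
    sa, sb = _stem(a), _stem(b)
    return bool(sa) and bool(sb) and (sa in sb or sb in sa)


def check_password(candidate: str, current, history: list) -> list:
    """Return the policy clauses the candidate violates; an empty list means acceptable.
    `current` is the password being replaced (supplied at change time, so similarity can be
    judged); `history` is a list of (salt, digest) pairs for earlier passwords, newest last."""
    violations = []
    if len(candidate) < MIN_LENGTH:
        violations.append("1.7 minimum length")
    stem = _stem(candidate)
    if stem in DICTIONARY:
        violations.append("1.8 dictionary word")
    if stem in MONTHS:
        violations.append("1.9 cyclical/date-based")
    if current is not None and _similar(candidate, current):
        violations.append("1.10 substantially similar to the current password")
    if any(verify_password(candidate, s, d) for s, d in history[-HISTORY_DEPTH:]):
        violations.append("1.10/1.13 reuse of a password in the history")
    return violations


class LockoutTracker:
    """1.12: after MAX_ATTEMPTS consecutive failures the account is disabled for
    LOCKOUT_SECONDS; a success resets the counter. The clock is injectable so the
    three-minute window can be exercised without sleeping."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self._now()

    def attempt(self, user: str, password_ok: bool) -> str:
        """Returns 'locked' (refused, account disabled), 'ok' or 'denied'."""
        if self.is_locked(user):
            return "locked"          # even a correct password is refused while disabled
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_ATTEMPTS:
            self._locked_until[user] = self._now() + LOCKOUT_SECONDS
            self._failures.pop(user, None)   # counter restarts once the lock expires
            return "locked"
        return "denied"
```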

SECTION C
ICT Services and Systems Policy

Introduction
This chapter contains policy statements on ICT services and information systems that are of strategic importance to the Institution. For each of the ICT services and information systems a concise description of the essential functional requirements is specified. In addition, the relationship with other initiatives, the essential implementation strategies, the most essential resources, and the major risks if the proposed system or service is not implemented at the right point in time are given. In addition, the Institution has addressed the following issues at policy level:

Identified ICT Services and Information Systems
The Institution ICT Policy anticipates the implementation of the following ICT services and information systems as well as related implementation, operation and management issues:
1. Internal and external E-mail and Access-to-Internet services at all workplaces embodying general internal and external information provision through Internet/Intranet technology (Web based information services).
2. Availability of common office applications such as word processing, spreadsheet processing, access databases, etc., at all workplaces.
3. An integrated Participants Admission Management System.
4. An integrated Finance Information System.
5. An integrated Library Information System.
6. An integrated Human Resource Information System.

NB The Institution ICT policy does not explicitly include applications supporting teaching processes (Computer Aided Learning, SPSS) and professional applications to be used in specific educational and scientific fields, such as CAD/CAM. Neither does it include specific applications for research purposes. These classes of ICT applications are assumed to be the responsibility of the faculties concerned. It is however part of the Institution's policy to:
- Ensure that all end users are equipped with the necessary level and variety of skills to facilitate their functions.
- Ensure sustainable management of ICT resources that takes into account the interests of all users.

Policy Summary
It is the Institution Policy to assure availability of all anticipated ICT services/systems at any workplace in the Institution and, for selected services, to locations outside the Institution through Common Network Services.

1. Common Network Services (Network Infrastructure). Common Network Services, mainly comprising physical network infrastructure (wiring, routers, switches, servers, etc.) and communication protocols (TCP/IP), form the collective data transport means for all current and future ICT services/systems. It is the Institution Policy to assure availability of User-level Data Communication Services such as E-Mail, Access-to-Internet and Internet/Intranet Services, which actually are major 'users' of the low-level network services.

2. In this text the term office computing is used for the application of ICT, mostly desktop computers, to support general office tasks. Major office computing applications are: word processing, spreadsheet processing, desktop publishing, document storage and retrieval, electronic mail, access-to-internet and intranets. It is the Institution Policy to promote office computing in all offices. This applies to lecturers, researchers, managers, as well as to secretarial and clerical workers.

3. It is the Institution Policy to enhance and streamline Participant education related administrative and managerial processes and to improve academic reporting facilities at both central and faculty level through the implementation of an integrated Participant Admission Management System (SAMS).

4. It is the Institution Policy to enhance and streamline financial management processes and reporting facilities at both central and faculty levels through the implementation of an integrated Financial Information System. The following functionality is regarded essential to the Institution financial management information system. Given the decentralized nature of budgetary management, it is the Institution Policy to make these functions also available to faculties and other budget centers.

5. It is the Institution Policy to improve both the efficiency and effectiveness of library operations and services through the implementation of an integrated on-line Library Information System.

6. It is the Institution Policy to enhance and streamline the human resource management and administrative processes through the implementation of a Human Resource Information System (HURIS).

7. It is the Institution Policy in the broadest sense to promote the deployment of ICT in all areas of education and research through creating technical and organizational preconditions.

8. It is the Institution Policy to ensure and require that all Participants, academic staff, administrative and support staff, and managerial staff are trained on a continuing basis to equip them with the requisite skills to fully exploit the ICT environment in their different functions.

9. It is the Institution Policy to ensure sustainable management of the Institution's ICT policy and resources through the creation of appropriate policy, advisory, management and operational organs that will cater for the broad interests of all users.

10. It is the Institution Policy to provide for the growth and financial sustainability of its ICT resources through appropriate funding and operational mechanisms.

1.4 Related requirements
ICT services and systems will become inherent in the Institution's educational, research, administrative and managerial processes. Each individual ICT service and system as such places demands on the:
1. Anticipated data communication infrastructure. For each ICT service or system the minimum (initial) communication requirements are identified.
2. Staff resources during implementation stage. This will involve Kenya Institute of Administration staff as well as local and foreign expertise.
3. Staff resources during deployment stage. Adequate organizational arrangements have to be made to ensure that the necessary staff to run/manage systems is either re-deployed or recruited in good time.
4. And the operational ICT management environment during and after implementation.

SECTION D
Information Systems Security Policy

Policy Statement
1.1 Information is a critical asset of KIA, hereafter referred to as 'the Institution'. Accurate, timely, relevant, and properly protected information is essential to the success of the Institution's academic and administrative activities.

1.2 Technological Information Systems, hereafter referred to as 'Information Systems', play a major role in supporting the day-to-day activities of the Institution. These Information Systems include but are not limited to all Infrastructure, networks, hardware, and software, which are used to manipulate, process, transport or store Information owned by the Institution.

1.3 The object of this Information Systems Security Policy and its supporting policies is to define the security controls necessary to safeguard Institution Information Systems and ensure the security, confidentiality and integrity of the information held therein. The Institution is committed to ensuring all accesses to, uses of, and processing of Institution information is performed in a secure manner.

1.4 The Policy provides a framework in which security threats to Institution Information Systems can be identified and managed on a risk basis and establishes terms of reference, which are to ensure uniform implementation of Information security controls throughout the Institution.

1.5 The Institution recognizes that failure to implement adequate Information security controls could potentially lead to:
- Financial loss
- Irretrievable loss of Important Institution Data
- Damage to the reputation of the Institution
- Legal consequences
Therefore measures must be in place which will minimize the risk to the Institution from unauthorized modification, destruction or disclosure of data, whether accidental or deliberate. This can only be achieved if all staff and Participants observe the highest standards of ethical, personal and professional conduct. Effective security is achieved by working with a proper discipline, in compliance with legislation and Institution policies, and by adherence to approved Institution Codes of Practice.

1.6 The Information Systems Security Policy and supporting policies apply to all staff and Participants of the Institution and all other users authorized by the Institution.

1.7 The Information Systems Security Policy and supporting policies do not form part of a formal contract of employment with the Institution, but it is a condition of employment that employees will abide by the regulations and policies made by the Institution from time to time. Likewise, the policies are an integral part of the Regulations for Participants.

1.8 The Information Systems Security Policy and supporting policies relate to use of:
- All Institution networks connected to the Institution Backbone.
- All Institution-owned/leased/rented and on-loan facilities.
- All private systems, owned/leased/rented/on-loan, when connected to the Institution network directly or indirectly.
- All Institution-owned/licensed data/programs, on Institution and on private systems.
- All data/programs provided to the Institution by sponsors or external agencies.

1.9 The objectives of the Information Systems Security Policy and supporting policies are to:
- Ensure that information is created, used and maintained in a secure environment.
- Ensure that all of the Institution's computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse.
- Ensure that all users are aware of and fully comply with the Policy Statement and the relevant supporting policies and procedures.
- Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
- Create awareness that appropriate security measures must be implemented as part of the effective operation and support of Information Security.
- Ensure all Institution owned assets have an identified owner/administrator.

2 IT Management roles and responsibilities

2.1 The Institution Management
The Institution Management is responsible for approving the IT Security Policy, distributing the policy to all heads of departments/sections/centers and for supporting the M.I.S in the enforcement of the policies where necessary.

2.2 Discharging of Policies
The policies will be discharged through nominated individuals, who normally will be the respective Heads of departments.

2.3 Heads of departments
The Heads of departments are responsible for ensuring that staff, Participants and other persons authorized to use systems in respective departments are aware of and comply with the associated supporting policies and procedures.

2.5 The IT Security Officer
The IT Security Officer role will be taken by the Information Systems Manager. He is responsible for:
- Reviewing and updating the Security policy and supporting policies and procedures.
- The promotion of the policy throughout the Institution.
- Periodical assessments of security controls as outlined in the Security Policy and supporting policies and procedures.
- Investigating Security Incidents as they arise.
- Maintaining Records of Security Incidents.
- Reporting to the Institution Management on the status of security controls within the Institution.

2.6 The Systems Administrator
The Systems Administrator is responsible for the management of the Institution Network and for the provision of support and advice to all nominated individuals with responsibility for discharging the technical aspects of these policies.

2.7 Information Systems Users
It is the responsibility of each individual Information Systems user to ensure his/her understanding of and compliance with this Policy and the associated Codes of Practice. All individuals are responsible for the security of Institution Information Systems assigned to them. This includes but is not limited to infrastructure, networks, hardware and software. Users must ensure that any access to these assets which they grant to others is not excessive and is maintained in an appropriate manner. Individuals intending to collect, store or distribute data via an Information System must ensure that they conform to Institution defined policies and all relevant legislation. Data processing is for Institution use only.

2.8 Purchasing, Commissioning, Developing an Information System
All individuals who purchase, commission or develop an Information System for the Institution are obliged to ensure that this system conforms to necessary security standards as defined in this Information Security Policy and supporting policies.

2.9 Third Parties
Before any third party users are permitted access to Institution Information Systems, specific written approval from the IT Security Officer is required. Prior to being allowed to work with Institution Information Systems, satisfactory references from reliable sources should be obtained and verified for all third parties, which includes but is not limited to cleaners, engineers, administrative staff, software support companies, contract and temporary appointments. Service and maintenance contracts should contain an indemnity clause that offers cover in case of fraud or damage.

2.10 Reporting of Security Incidents
All suspected information security incidents must be reported as quickly as possible through the appropriate channels. All Institution staff and Participants have a duty to report information security violations and problems to the IT Security Officer on a timely basis so that prompt remedial action may be taken. Records describing all reported information security problems and violations will be created. The IT Security Officer will be responsible for setting up an Incident Management Team to deal with all incidents.

2.11 Security controls
All Institution Information Systems are subject to the information security standards as outlined in this and related policy documents. No exceptions are permitted unless it can be demonstrated that the costs of using a standard exceed the benefits, or that use of a standard will clearly impede Institution activities.

3 Breaches of Security

3.1 Monitoring
The Management Information Systems will monitor network activity and take action/make recommendations consistent with maintaining the security of Institution information systems.

3.2 Incident Reporting
Any individual suspecting that there has been, or is likely to be, a breach of information systems security should inform the IT Security Officer or the Institution management immediately, who will advise the Institution on what action should be taken.

4 Policy Awareness and Distribution

4.1 New Staff and Participants
This Policy Statement will be available from the Principal's Office on request. It will also be published on the Institution web site. New staff and Participants will be notified of the relevant policy documents when they initially request access to the Institution network.

4.2 Existing Staff
Existing staff and Participants of the Institution, authorized third parties and contractors given access to the Institution network will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures which are published on the Institution website.

4.3 Updates
Updates to Policies and procedures will be made periodically. This is in order to take into account changes to operating systems, business requirements, and Institution priorities.

4.4 Training
Training will be available from Management Information Systems in Information Security fundamentals.

5 Risk Assessments and Compliance

5.1 Risk Assessment
Risk assessments must be carried out periodically on the business value of the information users are handling and the information systems security controls currently in place, as well as relevant legislation, and to revise their security arrangements accordingly.

SECTION E
NETWORK / REMOTE ACCESS POLICY

Remote access is a generic term used to describe the accessing of the Kenya Institute of Administration ("the Institution") computer network by Staff not located at an Institution office, such as those who travel, those who regularly work from home, or those who work both from the office and from home. Remote access is meant to be an alternative method of meeting Institution needs. Participation in a remote access program may not be possible for every Staff. Eligibility for remote access to the Institution's computer network may be requested through respective Heads of department to the M.I.S Head and/or the DDFA. Requests must be submitted in writing, identifying the Staff and his/her remote access needs. The Institution, in its sole discretion, may refuse to extend remote access privileges to any Staff or terminate a remote access arrangement at any time.

Acceptable Use
Hardware devices, software programs, and network systems purchased and provided by the Institution for remote access are to be used only for creating, researching, and processing Institution-related materials in the performance of the Staff's job duties. By using the Institution's hardware, software and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as all country laws and regulations. The use of equipment and software provided by the Institution for remotely accessing the Institution's computer network is limited to authorized persons and for purposes relating to Institution business.

Equipment and Tools
The Institution may provide tools and equipment for remotely accessing the corporate computer network. This may include computer hardware, software, phone lines, e-mail, voicemail, connectivity to host applications, and other applicable equipment as deemed necessary. The Institution will provide for repairs to Institution equipment. When the Staff uses her/his own equipment, the Staff is responsible for maintenance and repairs of his/her equipment.

Use of personal computers and equipment
The Staff is solely responsible for backing up data on his/her personal machine before beginning any Institution work. There are likely thousands of possible interactions between the software needed by the remote user and the average mix of programs on most home computers. Troubleshooting software and hardware conflicts can take hours, and can result in the need for a complete reinstalling of operating systems and application software in order to remedy such problems. For that reason the M.I.S will only provide support for equipment and software provided by the Institution. The Institution will bear no responsibility for Staff's loss of or damages to personal equipment/information if the installation or use of any necessary software causes system lockups, crashes, or complete or partial data loss. At its discretion, the Institution will disallow remote access for any Staff using a personal home computer that proves incapable, for any reason, of: (a) Working correctly with the Institution-provided hardware, and (b) Working with the Institution-provided software without repeated problems.

Violations and Penalties
Penalties for violation of the Remote Access Policy will vary depending on the nature and severity of the specific violation. Any Staff who violates the Remote Access Policy will be subject to:
- Disciplinary action including but not limited to reprimand, suspension and/or termination of employment.

SECTION F
ICT SUPPORT POLICY

1. PURPOSE
To provide support services within a structured framework that enables M.I.S to respond to computing issues in a timely and efficient manner.

2. POLICY
This policy establishes guidelines for a consistent means of providing support/service and managing any computing issues reported by the community M.I.S serves. Services will be provided to primary customers (which are Auxiliary full time, part time and Participant and Staff). The goal of this policy is to minimize the possibility of computer downtime and inconvenience to the customer.

3. GUIDELINES
A. Direct all support questions or problems (including training requests) to the help desk (ext. 115). It is assumed that most issues will be reported via telephone; however they may also be reported in person or via written memo to the M.I.S Help Desk. If necessary, the support request will be escalated to a member of the technical staff. Customers are asked not to contact the technical staff directly. It is not our intention to make the technical staff unavailable or unreachable but rather to utilize their time in a more efficient and productive manner, allowing them to work on complex and time-consuming problems and projects.
B. Direct all projects and purchase requests to the M.I.S Head. Projects are defined as proposed plans resulting in changes to or installation of hardware and/or software. This includes but is not limited to changes affecting functionality, configuration, security issues and compatibility with computing systems and standards.
C. Direct all website updates and additions to the Webmaster. The Webmaster will evaluate and implement proposed changes and contact the appropriate technical staff for final update.

SECTION G
Disaster Recovery and Data Backup Policy

1 General Policy

1.1 Introduction
Back-up procedures, ensuring that both data and software are regularly and securely backed up, are essential to protect against the loss of that data and software and to facilitate a rapid recovery from any IT failure. This document outlines guidelines for KIA staff and Participants on backing up Institution Data.

1.2 Scope
The data backup element of this policy applies to all Staff, Participants and third parties who use IT devices connected to the KIA network or who process or store information owned by KIA. All users are responsible for arranging adequate data backup procedures for the data held on IT systems assigned to them. The disaster recovery procedures in this policy apply to all Network Managers, System Administrators, and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer.

1.3 Legal Requirements
Users when formulating a backup strategy should take the following legal implications into consideration:
• Where data held is personal data within the meaning of the Data Protection Act, there is a legal requirement to ensure that such back-ups are adequate for the purpose of protecting that data.

2 Data Backup

2.1 Best Practice Backup Procedures
All backups must conform to the following best practice procedures:
• All data, operating systems and utility files must be adequately and systematically backed up (ensure this includes all patches, fixes and updates).
• Records of what is backed up and to where must be maintained.
• At least three generations of back-up data must be retained at any one time (grandfather/father/son).
• The backup media must be precisely labeled and accurate records must be maintained of backups done and to which back-up set they belong.
• Copies of the back-up media, together with the back-up record, should be stored safely in a remote location, at a sufficient distance away to escape any damage from a disaster at the main site.
• Regular tests of restoring data/software from the backup copies should be undertaken, to ensure that they can be relied upon for use in an emergency.

2.2 Responsibility for Data backup
The M.I.S is responsible for the backup of data held in central Institution databases. Only critical systems are routinely backed up by the M.I.S and the other relevant IT managers and systems administrators in the current model. The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the Institution, falls entirely to the User. If you are responsible for a collection of data held either remotely on a server or on the hard disk of a computer, you should consult your departmental system administrator.

• Depending on legal or other requirements, e.g. Data Protection Act, Software Licensing, Financial Regulations, it may be necessary to retain essential business data for a number of years and for some archive copies to be permanently retained.
• Depending on legal or other requirements, e.g. Data Protection Act, it may be necessary to destroy all backup copies of data after a certain period or at the end of a contract.

2.3 Network Managers, System Administrators, Application Administrators
Network Managers, System Administrators, and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer must ensure that they have comprehensive, documented and tested disaster backup procedures.

2.4 Desktop Backups
The responsibility for backing up data held on the workstations of individuals, regardless of whether they are owned privately or by the Institution, falls entirely to the User.

3 Disaster Recovery

3.1 Best Practice Disaster Recovery Procedures
A disaster recovery plan can be defined as the on-going process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of vital Institution functions in the event of an unscheduled interruption. All disaster recovery plans must contain the following key elements:
• Critical Application Assessment
• Backup Procedures
• Recovery Procedures
• Implementation Procedures
• Test Procedures
• Plan Maintenance
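The grandfather/father/son requirement and the labelling and record-keeping rules in 2.1 are easy to state and easy to get wrong in practice. The Python below is an added example, not part of the KIA policy or of any KIA tool. It assumes a simple schedule (seven daily "son" copies, four weekly "father" copies taken on Sundays, twelve monthly "grandfather" copies taken on the first of the month) and a label format; both are illustrative choices, not anything the policy prescribes. Given the dates in a backup record it classifies each medium, produces its label, and confirms that three generations are actually on hand and which media have aged out and may be reused.

```python
from datetime import date

# Retention windows are assumptions for this example, not KIA's schedule.
DAILY_KEEP = 7      # "son" copies: the last seven daily backups
WEEKLY_KEEP = 4     # "father" copies: Sunday backups kept for four weeks
MONTHLY_KEEP = 12   # "grandfather" copies: first-of-month backups kept for a year


def generation(backup_day: date, today: date) -> str:
    """Return the back-up set a copy made on backup_day belongs to as of today,
    or 'expire' if it has aged out of every window and its medium may be reused."""
    age = (today - backup_day).days
    if age < 0:
        raise ValueError("backup is dated in the future")
    if age < DAILY_KEEP:
        return "son"
    # A Sunday copy is promoted into the weekly set once it leaves the daily window.
    if backup_day.weekday() == 6 and age < WEEKLY_KEEP * 7:
        return "father"
    # A first-of-month copy is kept as a monthly archive (months approximated as 31 days).
    if backup_day.day == 1 and age < MONTHLY_KEEP * 31:
        return "grandfather"
    return "expire"


def media_label(system: str, backup_day: date, today: date) -> str:
    """Label for the medium: system, set and date, e.g. 'KIA-CENTRALDB-FATHER-2024-03-03'."""
    return f"{system}-{generation(backup_day, today).upper()}-{backup_day.isoformat()}"


def rotation_record(system: str, backup_days: list, today: date) -> dict:
    """Group labelled media by set: what is on hand, and which media are free for reuse."""
    record = {"son": [], "father": [], "grandfather": [], "expire": []}
    for day in sorted(backup_days):
        record[generation(day, today)].append(media_label(system, day, today))
    return record


def generations_retained(record: dict) -> int:
    """Number of distinct generations actually held; the policy requires at least three."""
    return sum(1 for gen in ("son", "father", "grandfather") if record[gen])


# Constructed sample record for a central database, checked on 15 March 2024 (a Friday).
TODAY = date(2024, 3, 15)
SAMPLE_BACKUPS = [
    date(2024, 3, 14), date(2024, 3, 10), date(2024, 3, 5),                      # daily copies, one aged out
    date(2024, 3, 3), date(2024, 2, 25), date(2024, 2, 18), date(2024, 2, 11),   # Sunday copies
    date(2024, 3, 1), date(2024, 2, 1), date(2023, 2, 1),                        # first-of-month copies
]

if __name__ == "__main__":
    record = rotation_record("KIA-CENTRALDB", SAMPLE_BACKUPS, TODAY)
    for gen, labels in record.items():
        print(gen, labels)
    print("generations retained:", generations_retained(record))
```

The record produced by `rotation_record` is the kind of back-up record 2.1 asks for: it names every medium, says which set it belongs to, and shows in the "expire" group which media can go back into circulation without losing a generation.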

SECTION H
Incident Response Policy

1 General policy

1.1 Introduction
In the event of a security incident occurring, it is important that all Institution employees and Participants are aware of their responsibilities and the procedure by which incidents can be most effectively and efficiently brought to a satisfactory conclusion. The procedures as defined below are best practice within KIA. Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.

2 Incident Reporting

2.1 Types of Incidents
The types of incidents that must be reported include, but are not limited to:
• Incidents reported from Systems and Networks (system failures, unusual activity)
• Incidents that affect Senior Management (threats, gossip, leaks)
• Risk Management (unusual or suspicious behaviour noted in logs or activity reports)
• External sources (threats, customer queries, complaints, press)
• Incidents observed by network users (on local PCs or servers)
• All breaches of Institution Security Policy

2.2 Reporting an incident
All observed or suspected security incidents, weaknesses or threats should be reported to a Network Manager or System Administrator or the Institution Management. In no instance should any user attempt to prove a suspected weakness as this could lead to a potential misuse of the system. Where users note that any software does not appear to be working correctly, i.e. according to specification, they should report the matter to the Helpdesk or the local system administrator. Where a user suspects that the malfunction is due to a malicious piece of software, e.g. a computer virus, they should stop using the computer, note the symptoms and any messages appearing on the screen and report the matter to the Helpdesk or the local system administrator.

2.3 Documentation
At all stages of the incident handling process adequate documentation must be maintained.

2.4 Disabling Accounts/Network Connections
The M.I.S, Network Managers and Systems Administrators may disable user accounts and/or network connections.

2.5 Communication / Control
After validating that an incident has taken place a System Administrator or Network Manager should escalate the incident to the DDFA, Faculty of Information Science and Technology, for necessary action.

2.6 Obtaining Evidence

It is vital that affected systems should be quickly identified and isolated, with actions being taken by as few people as possible, preferably only the lead incident contact. Incorrect gathering and handling of collected evidence may have serious consequences in the successful prosecution of an incident. Collected evidence therefore should be handled correctly so as to preserve integrity and all transfers should be documented and validated. Where possible collected data should immediately be stored on write-once media. Write-once media is defined as any media such as CD that once the data is written to it cannot be edited, amended or appended.

2.7 Preserve Configuration
The configuration and contents of all affected systems must be preserved to the greatest extent possible. This may be covered by the method of obtaining evidence but may also involve manual backups of data, preferably on write-once media. Information should be retrieved from these systems in the best available manner. This must include all system configuration data as well as any scripts / data / files stored on the system.

2.8 Query External Resources
Where external resources are of use their outputs must always be recorded. This is particularly important for DNS lookups, whois / rwhois output, etc. which may change at a later date. If personal contact is made with external agencies, details of all conversations / correspondence must be recorded in the relevant incident notes.

A detailed incident report must be prepared, including remedial action taken in the short and long term, so that the issues involved can be demonstrated at a later date.

2.10 Follow-up Actions
The immediate incident team should draw up a change report detailing further changes required, including the priority and impact of each change, to help restore confidence in the systems affected. The lead contact is responsible for tracking follow-up changes. Approval for follow-up actions may be given by senior management or via the normal change control process.
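Sections 2.6 and 2.7 require that collected evidence keep its integrity and that every transfer be documented and validated. The Python below is an added illustration of one way to meet that requirement; it is not KIA's incident-handling tooling, and the incident reference, role names, timestamps and the captured log line are constructed sample values. It fixes a SHA-256 digest at collection time, records each hand-over in a custody log, and refuses to log a hand-over as valid when the bytes being handed over no longer match that digest, so a break in the chain shows up in the incident notes instead of passing silently.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class EvidenceItem:
    """One item of collected evidence with its digest and custody log.
    The evidence bytes themselves belong on write-once media; only the
    digest and the log are carried here."""
    item_id: str       # constructed incident reference, not a real KIA identifier
    description: str
    sha256: str        # digest fixed at collection time
    custody: list = field(default_factory=list)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def collect(item_id: str, description: str, data: bytes, collector: str, when: datetime) -> EvidenceItem:
    """Record collection: hash the data once and open the custody log with that digest."""
    item = EvidenceItem(item_id, description, digest(data))
    item.custody.append({
        "when": when.isoformat(), "action": "collected",
        "by": collector, "sha256": item.sha256,
    })
    return item


def verify(item: EvidenceItem, data: bytes) -> bool:
    """Validate a copy against the digest taken at collection time."""
    return digest(data) == item.sha256


def transfer(item: EvidenceItem, data: bytes, sender: str, receiver: str, when: datetime) -> bool:
    """Document a hand-over. The copy being handed over is re-hashed first; a
    mismatch is logged as refused rather than accepted, so the broken chain is
    visible in the incident notes. Returns True only for a validated transfer."""
    ok = verify(item, data)
    item.custody.append({
        "when": when.isoformat(),
        "action": "transferred" if ok else "transfer-refused",
        "from": sender, "to": receiver, "sha256": digest(data),
    })
    return ok


# Constructed sample: a captured log extract standing in for a larger image.
SAMPLE_DATA = b"2024-03-15T09:12:03Z sshd[4127]: Accepted password for svc_backup from 10.0.5.23\n"


def demo() -> EvidenceItem:
    """Collect, hand over a faithful copy, then attempt a hand-over of an altered copy."""
    t0 = datetime(2024, 3, 15, 9, 30, tzinfo=timezone.utc)
    item = collect("INC-EXAMPLE-01/E1", "auth log extract, server A", SAMPLE_DATA, "lead contact", t0)
    transfer(item, SAMPLE_DATA, "lead contact", "system administrator", t0.replace(hour=11))
    # One byte differs in the second copy: the hand-over is recorded as refused.
    altered = SAMPLE_DATA.replace(b"10.0.5.23", b"10.0.5.24")
    transfer(item, altered, "system administrator", "DDFA", t0.replace(hour=14))
    return item


if __name__ == "__main__":
    for entry in demo().custody:
        print(entry)
```

The custody list is the "documented and validated" transfer record the policy asks for; in practice it would be written out alongside the evidence on the same write-once medium so that the log cannot be amended after the fact.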

SECTION I
Misuse of Institution ICT Facilities
Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.

3.1 Staff and Third Parties
Where Institution Staff members or Third parties are found to have misused Institution IT facilities, the Institution authorities will be informed, who will determine what further action should be taken.

3.2 Participants
Where Participants are found to have misused Institution IT facilities, the IT Security Officer, Network Manager or Administrator must inform the DDFA, who will determine what further action should be taken.

SECTION J
Disposal Policy for ICT Equipment

Introduction
The Institute, in its effort to maximize the life of its ICT equipment, will whenever possible endeavour to favour the extension of the working lives of ICT equipment by:
• Replacing equipment only when it is necessary and advantageous to do so
• Refurbishing and redeploying equipment to alternative uses, either within the Institute or external to it.
Where it is not possible to extend the useful life of ICT equipment, it must be boarded. This document sets out information to guide staff and procedures which should be followed for the disposal of ICT Equipment. All Institute staff members are responsible for adhering to this policy.

Responsibilities within the Institute
Responsibility for disposal and the documentation of disposal rests with the ICT Section through which the item or equipment was purchased, except where the ownership of the item has been formally transferred to another Faculty, Department or Section. Where items are used by a Faculty, Department or Section, but rolled out by IT Sections (ICT), ICT will take responsibility for ensuring disposal processes are followed. Where the Faculty, Department or Section have contributed to the purchasing cost of a non-standard workstation, or purchased additional components, ICT will still take responsibility for disposal. The Faculty, Department or Section may remove additional components which they have added and paid for prior to returning the item to ICT, provided this does not invalidate the warranty of the equipment.

Institute Financial Regulations
The Institute applies straight-line depreciation to IT Assets annually, no matter when during the year the asset has been purchased. Software and PCs are depreciated over three years, while non-PC based equipment is depreciated over five years, unless software or hardware has been purchased for use by a project. In such a case, depreciation may be done over the life of the project.

The disposal of IT Assets should consider who the item was funded by and whether there is any obligation to return the asset, whether this would be internally within the Institute, or to an agency which externally funded the project it was purchased for. The disposal of IT Assets should consider whether the item is fully depreciated and, if not, make every effort to sell the asset for a value greater or equal to its current residual value on the balance sheet. Budget holders within the relevant Faculty, Department, or Section must agree the disposal. Respective Managers are responsible for notifying Finance within seven days of the asset being disposed of and are responsible for raising invoice requests with Finance for the sale of any assets. Finance will then adjust the depreciation for asset accounts on the balance sheet and compute the profit or loss on the disposal.

Warranties
The Institute normally purchases three year warranties for laptops, PCs and monitors. This makes it unlikely that any such item will be useful for less than three years, as the equipment should be repaired or replaced as appropriate during this period.

Software Licensing
In general, software purchased by the Institute is licensed only to the Institute and software cannot be sold on. This is because the Institute benefits from licensing subsidies which cannot be transferred. There is one exception and this applies to the operating systems. The operating system purchased with a workstation or PC may be sold on. Where this is the case, it is important to be aware that the purchased operating system may have been replaced with the Institute's currently supported standard; however, the operating system supplied is the only one which may be sold on and would have to be re-installed after the hard disk has been wiped of all data. There is no obligation to sell the supplied operating system, and the additional return for equipment with the operating system should be weighed up against the cost of staff time to restore the original operating system once drives have been wiped. If you require support with understanding any issues related to software licensing, please raise a call with ICT's Service Desk.

Data Protection Act and Data Security

It is the Institute's responsibility to remove any personal data stored on the hard drives of computers. Other data may be confidential and should be removed also. The Faculty, Department or Section that owns the asset is responsible for ensuring that all data is removed from hard drives before disposing of any IT Equipment, either to external agencies, staff or participants. Just hitting the delete key is not enough to wipe data from hard drives. Specialist software must be used. Drives should be wiped before any equipment leaves the Institute.

Responsibilities for Disposal of IT Equipment Once Sold
Those selling second hand or reconditioned equipment are not responsible for taking back equipment and dealing with its disposal. However, because of our environmental rules and regulations, we are required to ensure that those purchasing second hand equipment are aware that they will be responsible for ensuring it is properly recycled and have accepted their responsibility to do so in writing. Records should be kept of who the item has been sold to and their acceptance of their responsibility to ensure the item is properly recycled when they eventually dispose of it.

Procedures for Disposal
The following outlines the procedures which should be followed when disposing of an ICT Asset, either by sale, donation, or recycling.
1. Identify the equipment, including serial number, order number, purchase date, budget code and the Faculty, Department or Section which owns the asset.
2. Confirm the item is out of warranty and fully depreciated. An estimate of the item's value will be required and this may or may not correspond to the asset purchase price less depreciation.
3. If the Faculty, Department or Section has no further use for it, it should be offered to other areas of the Institute who may have alternative uses they can put the equipment to on campus. If an alternative use can be found, procedures for transferring the ownership of an asset to another area of the Institute should be followed and asset and inventory records updated, and the useful life of the equipment extended.
4. The equipment which cannot be of re-use at other areas shall be offered for sale. Asset Records should be updated to reflect who items have been sold to, including notification of Finance.
If items cannot be sold, then they should be donated to organisations that will ensure that they are reused, or refurbished and re-used. Records should be kept of transfer notes for items disposed of and Asset and Inventory records updated.

5. As per the sale of an item, those taking such items must agree to ensure they are recycled when eventually disposed of, and records of who these goods have been transferred to must be kept.
6. Should no organisations or charities be interested in the item, the goods may be given away. If no one can be found who wants to use the item, then the equipment may be cannibalised for spares. Arrangements for the components not required for spares should still be made.
7. If the item is not useful for spares, then it should be boarded.
