
ICT Policy

Kenya Institute of Administration



1|Page

Kenya Institute of Administration

ICT SECTION ICT Policy


Table of Contents

Kenya Institute of Administration ... 1
ICT SECTION ... 2
ICT Policy ... 2
SECTION A ... 4
Software/Hardware Policy ... 4
Minimum Requirements ... 7
Vision ... 9
Mission ... 9
SECTION B ... 10
Information Security Policy ... 10
Violations ... 10
Administration ... 10
Contents ... 10
Statement of responsibility ... 11
M.I.S Head responsibilities ... 11
Policy ... 12
Acceptable use ... 13
Unacceptable use ... 13
Staff responsibilities ... 13
B Email Policy ... 14
M.I.S responsibilities ... 20
Staff/Participant responsibilities ... 20
D Passwords Standards policy ... 20
SECTION C ... 23
ICT Services and Systems Policy ... 23
SECTION D ... 26
Information Systems Security Policy ... 26
SECTION E ... 32
NETWORK / REMOTE ACCESS POLICY ... 32
Acceptable Use ... 32
Equipment and Tools ... 32
Use of personal computers and equipment ... 33
Violations and Penalties ... 33
SECTION F ... 34
ICT SUPPORT POLICY ... 34
SECTION G ... 35
Disaster Recovery and Data Backup Policy ... 35
SECTION H ... 37
Incident Response Policy ... 37
SECTION I ... 39
Misuse of Institution ICT Facilities ... 39
SECTION J ... 40
Disposal Policy for ICT Equipment ... 40

SECTION A Software/Hardware Policy


Introduction

The presence of a standard policy regarding the use of software and hardware will:
(a) Enhance the uniform performance of the Management Information Systems (M.I.S) Section in delivering, implementing, and maintaining software and hardware suitable to the business needs of the Kenya Institute of Administration, as well as other auxiliary organizations to which the M.I.S Section provides service, and
(b) Define the duties and responsibilities of Institution Staff (and Staff of other auxiliaries to whom the Institution provides services) who use the aforementioned software and hardware in the performance of their job duties.

Acceptable use

This section defines what constitutes acceptable use of the Institution's electronic resources, including software, hardware devices, and network systems. Hardware devices, software programs, and network systems purchased and provided by the Institution are to be used only for creating, researching, and processing Institution-related materials, and other tasks necessary for discharging one's employment duties. By using the Institution's hardware, software, and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as country laws and regulations.

Violations

Violations may result in disciplinary action in accordance with Institution policy. Failure to observe these guidelines may result in disciplinary action by the Institution depending upon the type and severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence of any repeated violation(s).

Administration

The M.I.S Section head is responsible for the administration of this policy. This policy is a living document and may be modified at any time on the advice of the M.I.S Section head or the DDFA.

Contents

The topics covered in this document include:
- Software Purchasing
- Software Licensing
- Software Standards
- Software Installation
- Hardware Purchasing
- Hardware Standards
- ICT Equipment Disposal

Software

All software acquired for or on behalf of the Institution or developed by Institution Staff or contract personnel on behalf of the Institution is and at all times shall remain Institution property. All such software must be used in compliance with applicable licenses, notices, contracts, and agreements.

Purchasing

All purchasing of Institution software shall be centralized within the M.I.S Section to ensure that all applications conform to corporate software standards and are purchased at the best possible price. All requests for corporate software must be submitted to the M.I.S Section Head through a committee for approval. The request must then be sent to the M.I.S Section, which will review the need for such software and, if it determines that such software is needed, determine the standard software that best accommodates the request. The normal Institution purchasing procedure then takes place.

Licensing

Each Staff member is individually responsible for reading, understanding, and following all applicable licenses, notices, contracts, and agreements for software that he or she uses or seeks to use on Institution computers. If any Staff member needs help in interpreting the meaning/application of any such licenses, notices, contracts and agreements, he/she will contact the M.I.S Section for assistance. Unless otherwise provided in the applicable license, notice, contract, or agreement, any duplication of copyrighted software, except for backup and archival purposes, may be a violation of law. In addition to violating such laws, unauthorized duplication of software is a violation of the Institution's Software/Hardware Policy. Only the head of department is allowed/authorized to do the duplication for backup and archival purposes.

Software standards

The following list shows the standard suite of software installed on Institution computers (excluding test computers) that is fully supported by the M.I.S Section:
- Microsoft Windows XP / 2000 / 2003 or higher
- Microsoft Outlook 2003 / Outlook Express 2003
- Microsoft Office 2003 (Word, Excel, PowerPoint, Access, Photo Editor 3.01, Publisher)
- Microsoft Internet Explorer 6.0+
- Microsoft Visual Studio 6.0 / .NET
- Microsoft SQL Server 2000/2005 or higher
- MySQL database community edition or higher
- SPSS Ver 10, 12, 14 or higher
- Oracle 9i/10g
- Oracle Developer 6/2000
- Symantec Antivirus Corporate Edition / McAfee
- Adobe Acrobat Reader 5.0, 6.0-8.0
- WinZip 8.1
- Media Player, Real Player One, QuickTime 5.0.2
- Nero CD Burning
- Microsoft Visio
- Microsoft Project 2002/2003
- Publisher 2003-2007
- Front Page
- Dreamweaver/Fireworks/Flash
- PageMaker/Photoshop/Adobe Premiere

Where applicable the following software will be installed on Institution computers

Staff needing software other than the standard suite must request such software from the M.I.S Section. Each request will be considered on a case-by-case basis in conjunction with the software-purchasing section of this policy.

Software Installation

The M.I.S Section is exclusively responsible for installing and supporting all software on Institution computers. These responsibilities extend to:
- Office desktop computers
- Institution laptop computers
- Computer lab desktop computers

The M.I.S Section relies on installation and support to provide software and hardware in good operating condition to Participants and Staff so that they can best accomplish their tasks.

Hardware

All hardware devices acquired by the Institution or developed by it (through its own Staff or through those hired by the Institution to develop the hardware devices) are and at all times shall remain Institution property. All such hardware devices must be used in compliance with applicable licenses, notices, contracts, and agreements.

Purchasing

All purchasing of Institution computer hardware devices shall be centralized within the M.I.S Section to ensure that all equipment conforms to corporate hardware standards. A committee composed of the M.I.S Head/DDFA, IT/ICT Officer/Systems Administrator and two other members. All requests for corporate computing hardware devices must be in the annual corporate budget document and have the DDFA's approval. The request must then be sent to the M.I.S Section, which will review the need for such hardware and, if it determines that such hardware is needed, determine the standard hardware that best accommodates the request.

Hardware standards

The following list shows the minimum hardware configuration for Institution computers (excluding test computers) that are fully supported by the M.I.S Section:

Minimum Requirements

Desktops - provided to Participants and the Institution's administration. NB (Minimum Requirements):
- Dell branded/IBM/HP-Compaq/Toshiba, or Pentium IV, 3.0 GHz, 512 cache Intel processor
- 512 MB RAM or higher
- 64 SVGA graphics/video card
- 1.44 MB 3.5" floppy drive (A:)
- 80 GB hard drive or higher
- 52x CD-ROM/DVD drive
- 10/100 PCI Ethernet card
- 6 USB ports or more
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB / PS/2 mouse
- All applicable cables
- 3-year warranty

Laptops

- Dell branded/IBM/HP-Compaq/Toshiba, or Pentium IV, 2.4 GHz Intel processor
- 512 MB RAM
- Video card with 16 MB RAM
- 1.44 MB 3.5" floppy drive
- 80 GB IDE hard drive
- 8x CD-RW/DVD-ROM drive
- 10/100 PCI Ethernet card
- Network card
- 56K internal modem
- 4 USB ports
- Sound card
- Speakers
- Standard 102 or 104-key English keyboard
- USB / PS/2 mouse
- Touch pad
- All applicable cables, including phone
- Carrying case
- Extra power adapter
- 3-year warranty / 1 year on-site service

Monitors

Monitors will be provided for both desktop and laptop systems. Minimum 17" viewing area, 1024 x 768 @ 75 or 85 Hz, .26 mm dot pitch.

UPS

650 VA or higher, of a reliable brand.

Printers

Staff will be given access to appropriate network printers. In some limited cases, Staff may be given local printers if deemed necessary by the M.I.S Section Head in consultation with the department.

Staff needing computer hardware other than what is stated above must request such hardware from the M.I.S Section. Each request will be considered on a case-by-case basis in conjunction with the hardware-purchasing section of this policy.

Outside equipment

No outside equipment may be plugged into the Institution's network without the M.I.S Section's written permission. The details of any equipment to be allowed must be recorded at the security door and a copy taken to the DDFA's office.

Summary

This policy is designed to facilitate the Kenya Institute of Administration, Participants and Staff in maximizing the efficient performance of their studies and job duties respectively. Any deviation from this strategy will require the M.I.S Section to redeploy software and/or hardware solutions. Full cooperation with this policy is mandatory so that all goals can be met in accordance with the Institution's business objectives reflected in its Mission and Vision.

Vision

To be a model institution of excellence in management development and capacity building in the public sector.

Mission

To improve service delivery in the public sector by providing quality training, research and consultancy services in the Eastern Africa Region.

SECTION B Information Security Policy


Covering Internet, Email, Viruses, Access codes & Passwords
1.1 Introduction

The Internet and electronic mail (e-mail) are important communication and research tools for KIA network users. This document details standards for the secure use of Internet and e-mail facilities for Institution purposes, including teaching, research and administration. Computer information systems and networks are an integral part of the business of the Kenya Institute of Administration (the Institution). The Institution has made a substantial investment in human and financial resources to create these systems. The enclosed policies and directives have been established in order to:
- Protect this investment.
- Safeguard the information contained within these systems.
- Reduce business and legal risk.
- Protect the good name of the Institution.

Violations

Violations may result in disciplinary action in accordance with Institution policy. Failure to observe these guidelines may result in disciplinary action by the Institution depending upon the type and severity of the violation, whether it causes any liability or loss to the Institution, and/or the presence of any repeated violation(s).

Administration

The Management Information Systems Section (M.I.S) head is responsible for the administration of this policy.

Contents

The topics covered in this document include:
- Statement of responsibility
- The Internet and e-mail
- Computer viruses
- Access codes and passwords

Statement of responsibility

General responsibilities pertaining to this policy are set forth below. The following sections list additional specific responsibilities.

M.I.S Head responsibilities

The M.I.S Head and supervisors must:
- Ensure that all appropriate personnel are aware of and comply with this policy.
- Provide implementation and support of this policy within their respective departments, as well as create practices/procedures (specific to their departments) that are designed to provide reasonable assurance that all Staff observe this policy.

The M.I.S Head must:
1. Develop and maintain written procedures necessary to ensure implementation of and compliance with these policy directives.
2. Provide appropriate support and guidance to assist Staff to fulfill their responsibilities under this directive.

1.2 Policy Scope

This policy applies to all Institution Staff, Participants and Third parties granted use of Institution Internet and e-mail facilities. Third parties are defined as any individual, group, contractor, vendor or agent not registered as an Institution staff member or Participant.

1.3 Data Protection

E-mails fall under the scope of the Data Protection Act. Under this legislation the e-mail originator, all e-mail recipients and any persons named in the e-mail are entitled to view the information about them and, if it is incorrect, they are entitled to have it corrected. Home or personal use has a domestic exemption from data protection law, but the Institution has no such exemption, even for personal e-mails, if they originate from the Institution network. In addition, e-mails can constitute publication for the purposes of the law of libel. Additionally, any information which KIA users collect via the Internet, such as personal or financial details collected via Internet forms or surveys, falls under the Data Protection Act. All users must ensure that the methods of collecting, processing and storing information in this way comply with Institution policies, the Data Protection Act and any other relevant legislation.


1.4 Copyright

Copyright law stops other people from using and abusing users' original work. Users should bear in mind, therefore, that:
- E-mail messages are creative works and therefore are copyrighted. All e-mail messages sent by a user are copyrighted to the user (or the Institution). Users do not have to register this copyright; it exists automatically.
- When users post to a public list they do not lose copyright, but the message may be archived, forwarded to other lists or quoted by others.
- Messages sent to a list should not be quoted out of context, changed, reworded or misattributed.
- Software or files downloaded from the Internet may be protected by copyright restrictions.

1.5 Privacy

Data users must assume that all e-mail or Internet communications are not secure unless encrypted, and they should not send via e-mail any information which is confidential. Users may not, under any circumstances, monitor, intercept or browse other users' e-mail messages unless authorized to do so. Network and computer operations personnel, or system administrators, may not monitor other users' e-mail messages other than to the extent that this may occur incidentally in the normal course of their work. The Institution reserves the right to access and disclose the contents of a user's e-mail messages, in accordance with its legal and audit obligations, and for legitimate operational purposes. The Institution reserves the right to demand that encryption keys, where used, be made available so that it is able to fulfill its right of access to a user's e-mail messages in such circumstances.

A Internet Policy

The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail.

Policy

Access to the Internet is provided to Staff for the benefit of the Institution and its Staff. Staff are able to connect to a variety of information resources around the world. Conversely, the Internet is also replete with risks and inappropriate material. To ensure that all Staff are responsible and productive Internet users and to protect the Institution's interests, the following guidelines have been established for using the Internet and e-mail.

Acceptable use

Staff using the Internet are representing the Institution. Staff are responsible for ensuring that the Internet is used in a safe, effective, ethical, and lawful manner and only in the course of performing the Staff member's job.

Unacceptable use

Staff must not use the Internet for purposes that are not Institution-related, illegal, unethical, inappropriate for an Institution setting, harmful to the Institution, or nonproductive. Examples of unacceptable use are:
- Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others.
- Conducting a personal business using Institution resources.
- Transmitting any content that is offensive, harassing, or fraudulent.
- Instant messaging and participating in Internet chat rooms.
- Downloading or storing MP3 files anywhere on the network, including your personal directories and/or your local C drive.

Staff responsibilities

A Staff member who uses the Internet or Internet e-mail shall:
1. Ensure that all communications are for work-related reasons and that they do not interfere with his/her productivity.
2. Be responsible for the content of all text, audio, or images that (s)he places or sends over the Internet, and not illegally transmit or receive the same. All communications should have the Staff member's name attached.
3. Not transmit copyrighted materials without permission.
4. Know and abide by all applicable policies dealing with security and confidentiality of records.
5. Run a virus scan on any external files received on diskettes or CDs.

General

All users must adhere to the following when using Institution facilities to connect to the Internet:

Access to the Internet is provided for KIA purposes and must not be abused for personal use. Commercial use which is not connected to or approved by the Institution is strictly prohibited and will result in disciplinary procedures.

Internet access in the Institution is available only via the Institution infrastructure. Users should not connect to the Internet via a dial-up ISP account on Institution computers connected to the network.

Users are expected to act ethically and responsibly in their use of the Internet and to comply with the relevant national legislation, the Institution Information Security policy, regulations and codes of practice. Users must not post messages on newsgroups or chat areas that are likely to be considered abusive, offensive or inflammatory by others.

Users must not use the Institution Internet connection to scan or attack other individuals, devices or organizations. The use of port scanners or other hacking tools, unless as part of an approved course of study, is strictly prohibited.

Users should be aware that the public nature of the Internet dictates that the confidentiality and integrity of information cannot normally be relied upon. Where a requirement exists to send or receive confidential or commercially sensitive data over the Internet, a security mechanism recommended by the IT Security Specialist should be used. Passwords used for Internet services should not be the same as or similar to passwords used for services accessed within the Institution. This is to prevent passwords that grant access to Institution IT resources being sent out on the Internet in clear text, where any Internet user can potentially see them. Similarly, any username used for Internet services should not be the same as or similar to an Institution username.

Software copyrights and license conditions must be observed. Only licensed files or software may be downloaded from the Internet. All devices connected to the Internet must be equipped with the latest versions of anti-virus software which has been both approved and supplied by the Institution. All forms of data received over the Internet should immediately be virus checked. All forms of data transmitted from the Institution over the Internet should be virus checked in advance. Data which has been compressed or encrypted should be decompressed or decrypted as required before virus checking. All security incidents involving Internet access must be reported to the M.I.S Office.

Email Policy

All users must adhere to the following when using Institution E-mail facilities: Users are expected to act ethically and responsibly in their use of e-mails and to comply with the relevant national legislation, the Institution Information Security policy, regulations and codes of practice.


Discrimination, victimization or harassment on the grounds of gender, marital status, family status, sexual orientation, religious belief, age, disability, race, color, nationality, ethnic or national origin is against Institution Policy. Users must not bully, hassle or harass other individuals via e-mail. Users must not send messages that are likely to be considered abusive, offensive or inflammatory by the recipient/s.

All users should regard all e-mails sent from Institution facilities as first, representing the Institution and, secondly, representing the individual. Users should be civil and courteous. Users should not send e-mail which portrays the Institution in an unprofessional light. The Institution is liable for the opinions and communications of its staff and Participants. Any e-mail involved in a legal dispute may have to be produced as evidence in court.

All users should do their best to ensure that email content is accurate, factual and objective especially in relation to individuals. Users should avoid subjective opinions about individuals or other organizations.

Users should be aware that e-mails can easily be forwarded to other parties. Users should assume that anyone mentioned in e-mail could see it or hear about it or he/she may, under data protection or other law, be entitled to see it.

All users should be aware that it is possible for the origin of an e-mail to be easily disguised and for it to appear to come from someone else. Users must not use a false identity in e-mails. Users must not create or forward advertisements, chain letters or unsolicited e-mails, e.g. SPAM.

All users should protect data displayed on their monitor, e.g. by locking their office door, or by locking their workstation or using a screen saver in password-protected mode when leaving their desk. This is in order to prevent unauthorized individuals from using the workstation to send an e-mail which will appear to originate from the user.

All users should exercise caution when providing their e-mail address to others and be aware that their e-mail address may be recorded on the Internet. All users should be cautious when opening e-mails and attachments from unknown sources as they may be infected with viruses. All users must have up-to-date, Institution-approved anti-virus software installed and operational on the computer on which they access their e-mail. All e-mails or attachments that are encrypted or compressed should be decrypted or decompressed and scanned for viruses by the recipient.


Users should be aware that e-mails may be subject to audit by Institution Authorities to ensure that they meet the requirements of this policy. This applies to message content, attachments and addressees and to personal e-mails.

As part of the Institution's standard computing and telecommunications practices, e-mail systems and the systems involved in the transmission and storage of e-mail messages are normally "backed up" centrally on a routine basis for administrative purposes. The back-up process results in the copying of data, such as the content of an e-mail message, on to storage media that may be retained for periods of time and in locations unknown to the originator or recipient of an e-mail. The frequency and retention of back-up copies vary from system to system. However, this back-up is for Institution administrative purposes only, and it is the user's own responsibility to back up any of their e-mails they wish to retain for future reference.

All security incidents involving E-mail should be reported to the M.I.S Office.

Mass Email Policy

Purpose:
This policy reflects the Kenya Institute of Administration's decision to use the Institute-assigned staff e-mail account as the official means of communication with all staff on the KIA campus. The purpose of this policy is to provide a definition for mass e-mail, clarification of who can send mass e-mails, and procedures for sending mass e-mails. This policy does not apply to e-mail originating by means other than through the Mass Email System.

Introduction:
Various offices, organizations and individuals at KIA may request that mass emails be sent to all or part of the Institute community. Mass emails are not authorized except as described herein. However, due to the nature of email, delivery of mass emails is not guaranteed. The Mass Email System does not replace individual, sectional, departmental, division or Staff address lists or mailing lists. These other methods are more appropriate for most announcements. The Mass Email System should only be used when a more limited mailing will not be adequate.

What is mass email?


For the purposes of this policy, mass e-mail shall be considered to be any unsolicited electronic mailing in which the message is sent to members of the Institute community using the KIA e-mail and GroupWise e-mail addresses. This policy does not apply to individual e-mail-based distribution and discussion groups such as listservs or established databases that serve Institute learners/clientele.

Types of mass emails:


There are three classes of mass e-mail: Urgent, Formal Notice and Informational. The class of the message affects both the audience and the distribution schedule. The subject line of the message will indicate the selected class. Either URGENT:, FORMAL NOTICE:, or INFORMATIONAL: will appear as the prefix in the subject line according to the message classification.

1. Urgent Class
Urgent class is a category of mass emails reserved for highly important, time-sensitive institute emergency notices, such as security alerts. Messages in this class may be scheduled for immediate distribution as soon as properly approved.

2. Formal Notice Class


Formal notice class is a category of mass e-mails reserved for highly important, non-emergency messages, such as financial or HR reporting requirements. Messages in this class are scheduled for off-peak distribution, after being properly approved, between the requested run date and the expiration date of the message.

3. Informational Class
Informational class is a category of mass e-mails covering non-emergency messages related to Institute work or information, other than events. Events should be posted to the Institute weekly bulletin or on the website at www.kia.ac.ke/bulletin. Messages in this class are scheduled for off-peak distribution, after being properly approved, between the requested run date and the expiration date of the message.

Who is allowed to send mass emails?


All messages must be approved by the Director or his or her designee associated with the message. Examples of what isnt acceptable: Specifically, mass emails should not be used for: Mailings not related to Institute business or activities. Mailings in violation of the KIAs Computer and Network Usage Policy. Political statements, expression of personal opinion, conduct of personal business, unauthorized fundraising or solicitation (solicitation is defined as any verbal or written effort to raise funds through the sale of merchandise/services or through charitable donations as well as to influence opinions or to gain support for an issue or cause). Notices of houses or other items for sale or rent, requests for rides, lost and found, or commercial promotions. Notices of routine, regularly scheduled events. These sorts of events should be communicated through regular Institute communications Office. D Anti Virus and Spam Policy

General Policy


1.1 Introduction

Computer viruses (and similar devices) impact productivity, incur financial costs and can result in the compromise or loss of data and reputation. Viruses can originate from a range of sources, spread rapidly, and require a comprehensive approach to ensure the risk they pose is effectively managed. This comprehensive approach requires the full cooperation of all KIA Staff and Participants. This document is the Institution's Anti-Virus and Anti-Spam Policy and outlines the overall approach adopted by the Institution as well as individual responsibilities.

1.2 Scope
This policy applies to all Institution Staff, Participants or Third parties using devices connected to the Institution network. Third parties are defined as any individual, group, contractor, vendor or agent not registered as an Institution staff member or Participant. Third party Access is defined as all local or remote access to the Institution Network or devices attached to the Institution Network for any purpose.

1.3 Anti-virus and Anti-Spam Measures
M.I.S, Network Managers and System Administrators will:
o Evaluate, select and deploy anti-virus software on file servers, desktops and laptops to scan for viruses from sources such as:
  o Inbound and outbound E-mail.
  o Floppy disks.
  o Emails and attachments (inbound).
  o CD-ROMs.
  o Software downloaded from the Internet.
o Provide users with a method to reduce the impact of unsolicited or SPAM email in their Institution inbox.

1.4 Desktop Anti-virus Protection
M.I.S must select an effective desktop anti-virus product. This product must be licensed and made available to all users connecting to the Institution network.

1.5 Gateway Virus Protection
M.I.S must provide a product to scan Institution email and any other protocols such as FTP or HTTP at the Internet gateway.
2 Roles and Responsibilities

2.1 User Responsibility
All KIA network users have a responsibility to:
o Protect any device which they use to connect to the Institution network by ensuring that they have installed the correct anti-virus product for their area and that it is up-to-date. This relates to Institution-owned machines and Users' private machines where the machines are used to access the Institution network. Users must not try to install an unapproved anti-virus product, or try to alter the configuration or disable the existing anti-virus product.
o Respond to any virus infection detection indicated by their anti-virus software. In the event that a user cannot clean or remove an infected file they should inform M.I.S immediately.
o Be alert to the possibility of a virus and report any suspicious behaviour to M.I.S immediately.
o Not open suspicious emails or attachments, whether solicited or unsolicited, from unknown or unusual sources.
o Preserve the PC while awaiting virus investigation. Users must not switch the PC off, or try to fix it themselves. Additionally, users must not try to carry on working but must disconnect the network cable and leave the workstation until the issue is resolved.
o Scan their hard drives regularly for viruses.
o Scan all software or other content that they download from the Internet for viruses.
o Not connect to suspicious websites.
o Exercise caution when accessing web-based E-mail, including but not limited to Hotmail and Yahoo. Users should be aware that email accessed on these sites has not been scanned by the Institution email gateway and may contain viruses.

2.2 The M.I.S, Network Managers & System Administrators & IT Security Officer
The M.I.S, Network Managers & System Administrators must:
o Evaluate and select suitable anti-virus software products to protect against viruses from the sources as identified in section 1.2.
o Provide a central point of contact to Institution users for anti-virus matters.
o Keep abreast of potential viruses that may affect the Institution.
o Promote awareness of anti-virus issues amongst users.
o Monitor systems regularly for devices that do not have anti-virus software installed or have incorrect anti-virus products or settings.

2.3 M.I.S Helpdesk and User Support Group
The Helpdesk will be responsible for:
o First-line support, i.e. taking the initial report/s of a virus from the user/s located on the areas of the Institution network managed by the M.I.S. The report will immediately be checked to ascertain whether or not it is a valid virus. Users will be reminded of their responsibilities as shown above.
o During any incident, providing whatever assistance is required to disinfect the virus and prevent propagation, e.g. keeping people informed, disabling systems, etc.
o Investigating and resolving any virus incident.
o Evaluating the situation and making recommendations, which may include informing users of the problem by email alert, intranet, etc. and may include selectively disabling infrastructure services (e.g. disabling external mail while keeping internal mail, disconnecting the Institution from the Internet) to safeguard critical systems.

Computer viruses
Computer viruses are programs designed to make unauthorized changes to programs and data. Therefore, viruses can cause destruction of or damage to corporate property. It is important to know that:
o Computer viruses are much easier to prevent than to cure.
o Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.

M.I.S responsibilities
M.I.S shall:
1. Install and maintain appropriate antivirus software on all computers.
2. Respond to all virus attacks, destroy any virus detected, and document each incident.

Staff/Participant responsibilities
The following applies to all Staff:
1. Staff shall not knowingly introduce a computer virus into Institution computers.
2. Staff shall only load diskettes or CDs with saved files that pertain to Institution business.
3. Incoming diskettes or CDs shall be scanned for viruses before they are read.
4. Any Staff who suspects that his/her workstation has been infected by a virus shall IMMEDIATELY log off the network and call the M.I.S help desk at ext 115.
5. Users shall not disable the automated AntiVirus Download Scan.

E Password Standards Policy

1 General policy

1.1 Introduction
Usernames and passwords are utilized in KIA to facilitate access to Institution IT resources. They also protect Institution data from access by unauthorized individuals, both internally (other staff or Participants) and externally (hackers).

1.2 Scope
This policy applies to all Institution Staff, Participants, or Third parties who are issued with usernames and passwords for any Institution IT System or device. This policy applies to all network managers, system administrators, application administrators or others who issue usernames and passwords. This policy applies to all username and password pairs on all devices, systems and applications that are part of the Institution network and that provide access to Institution-owned information.

1.3 Issue of Accounts and Passwords
All initial system and application accounts and passwords must be issued from the M.I.S. Once a password has been issued, full responsibility for that account and associated password passes to the user. The user will be required to change the password to something only he/she knows.

1.4 Password Sharing Prohibition
Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user. To do so exposes the authorized user to responsibility for actions that the other party takes with the password. Where a user is found to have given the use of a username or password to a third party, disciplinary measures will be implemented.

1.5 Writing Passwords Down and Leaving Them Where Others Could Discover Them
Passwords must not be written down and left in a place where unauthorized persons might discover them.

1.6 Password Changes
Users will be required to change their passwords fortnightly. Password changes may be requested in person by the appropriate individual or a trusted party as defined by M.I.S. No exceptions to this policy are allowed.

1.7 Minimum Password Length
The length of passwords must always be checked automatically at the time that users construct or select them. All IT systems must require passwords of at least six (6) characters.

1.8 Complex Passwords Required
All computer system users must choose passwords that cannot be easily guessed. For example, a car license plate number, a spouse's name, or an address must not be used. This also means that passwords must not be a word found in the dictionary or some other part of speech. For example, proper names, places, and slang must not be used.

1.9 Cyclical Passwords Prohibited
Users must not construct passwords using a basic sequence of characters that is then partially changed based on the date or some other predictable factor. For example, users must not employ passwords like "JANUARY" in January, "FEBRUARY" in February, etc.

1.10 User-Chosen Passwords Must Not Be Reused
Users must not construct passwords that are identical or substantially similar to passwords that they had previously employed.

1.11 Password Ageing
Passwords should be changed periodically.
Network managers, system administrators or application administrators should select an appropriate time frame for changing passwords.

1.12 Limit on Consecutive Unsuccessful Attempts to Enter a Password
To prevent password guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After a defined number of unsuccessful attempts to enter a password (usually between 3 and 8 per hour), the involved user account must be either (a) suspended until reset by a system administrator, (b) temporarily disabled for no less than three (3) minutes, or (c) if dial-up or other external network connections are involved, disconnected.

1.13 Password History
A password history must be maintained at domain level. This history file should be used to prevent users from reusing passwords. The history file should minimally contain the last 3 passwords for each username.

1.14 System Compromise
Whenever an unauthorized party has compromised a system, M.I.S or the relevant network manager, system administrator or application administrator must immediately change every password on the involved system. Even suspicion of a compromise likewise requires that all passwords be changed immediately. Under either of these circumstances, a trusted version of the operating system and all security-related software must also be reloaded. Similarly, under either of these circumstances, all recent changes to user and system privileges must be reviewed for unauthorized modifications.

1.15 Storage of Passwords in Readable Form
Passwords must not be stored in readable form in batch files, automatic login scripts, software macros, terminal function keys, in computers without access control, or in other locations where unauthorized persons might discover them.

1.16 Changing Vendor Default Passwords
All vendor-supplied default passwords, e.g. default passwords supplied with routers, switches or software such as operating systems and databases, must be changed before any computer or communications system is used.

1.17 Encryption
Passwords must always be encrypted when held in storage for any significant period of time or when transmitted over a communications system.
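As an added example that is not part of the KIA policy text, the following Python models the clauses of this password section that a system can enforce automatically: 1.7 minimum length, 1.8 dictionary words, 1.9 month-name rotation, 1.10/1.13 reuse against a three-deep history, 1.12 lockout after consecutive failures, and 1.15/1.17 storing only a salted hash. The ban list, the lockout threshold of 5 (the policy gives a range of 3 to 8) and the PBKDF2 round count are assumptions chosen for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import re
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, List, Tuple

# Parameters taken from the policy text; where the policy gives a range, the
# concrete value chosen here is an assumption for the example.
MIN_LENGTH = 6            # 1.7: passwords of at least six characters
HISTORY_DEPTH = 3         # 1.13: keep at least the last 3 passwords
MAX_FAILURES = 5          # 1.12: "between 3 and 8 per hour"; 5 is an assumed choice
FAILURE_WINDOW = 3600.0   # 1.12: failures are counted per hour (seconds)
LOCK_SECONDS = 180.0      # 1.12(b): disabled for no less than three minutes
PBKDF2_ROUNDS = 50_000    # 1.15/1.17: salted iterated hash; tune upward in production

# Constructed stand-in for a dictionary/ban list (1.8). A real deployment would
# load a proper word list; these entries are illustrative only.
BANNED_WORDS = {"password", "welcome", "letmein", "nairobi", "kenya", "admin"}
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash so that only an unreadable form is ever stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    username: str
    salt: bytes = b""
    digest: bytes = b""
    # (salt, digest) pairs of previous passwords, newest last (1.13)
    history: Deque[Tuple[bytes, bytes]] = field(
        default_factory=lambda: deque(maxlen=HISTORY_DEPTH))
    failures: Deque[float] = field(default_factory=deque)  # timestamps of bad attempts
    locked_until: float = 0.0


def check_password_policy(candidate: str, account: Account) -> List[str]:
    """Return the policy clauses the candidate violates; an empty list means acceptable."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append("1.7 shorter than six characters")
    lowered = candidate.lower()
    letters_only = re.sub(r"[^a-z]", "", lowered)
    # 1.8: a dictionary word with digits or punctuation bolted on is still guessable
    if lowered in BANNED_WORDS or letters_only in BANNED_WORDS:
        problems.append("1.8 dictionary word or common name")
    # 1.9: a month name signals the "JANUARY in January" rotation pattern
    if any(month in letters_only for month in MONTHS):
        problems.append("1.9 contains a month name (predictable rotation)")
    # 1.10/1.13: compare against the current password and the stored history.
    # Only identical reuse is detectable from hashes; old plaintexts are never kept.
    previous = list(account.history)
    if account.digest:
        previous.append((account.salt, account.digest))
    for salt, digest in previous:
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("1.10 identical to a recent password")
            break
    return problems


def set_password(account: Account, candidate: str) -> List[str]:
    """Apply the policy; on success rotate the old hash into history and store the new one."""
    problems = check_password_policy(candidate, account)
    if problems:
        return problems
    if account.digest:
        account.history.append((account.salt, account.digest))
    account.salt = os.urandom(16)
    account.digest = _digest(candidate, account.salt)
    return []


def authenticate(account: Account, password: str, now: float) -> bool:
    """Verify a login attempt while enforcing the 1.12 lockout.

    `now` is a Unix timestamp passed in explicitly so the lockout window can be
    exercised deterministically (a real service would use time.time())."""
    if now < account.locked_until:
        return False  # 1.12(b): account temporarily disabled; the attempt is not evaluated
    # discard failures that fell outside the one-hour counting window
    while account.failures and now - account.failures[0] > FAILURE_WINDOW:
        account.failures.popleft()
    if account.digest and hmac.compare_digest(_digest(password, account.salt), account.digest):
        account.failures.clear()
        return True
    account.failures.append(now)
    if len(account.failures) >= MAX_FAILURES:
        account.locked_until = now + LOCK_SECONDS
        account.failures.clear()
    return False
```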


SECTION C
ICT Services and Systems Policy


Introduction
This chapter contains policy statements on ICT services and information systems that are of strategic importance to the Institution. For each of the ICT services and information systems a concise description of the essential functional requirements is specified. In addition, the relationship with other initiatives, the most essential resources, the essential implementation strategies, and the major risks if the proposed system or service is not implemented at the right point in time are given.

Identified ICT Services and Information Systems
The Institution ICT Policy anticipates the implementation of the following ICT services and information systems as well as related implementation, operation and management issues:
1. Internal and external E-mail and Access-to-Internet services at all workplaces, embodying general internal and external information provision through Internet/Intranet technology (Web-based information services).
2. Availability of common office applications such as word processing, spreadsheet processing, access databases, etc. at all workplaces.
3. An integrated Library Information System.
4. An integrated Participants Admission Management System.
5. An integrated Finance Information System.
6. An integrated Human Resource Information System.

NB: The Institution ICT policy does not explicitly include applications supporting teaching processes (Computer Aided Learning, SPSS) and professional applications to be used in specific educational and scientific fields, such as CAD/CAM. Neither does it include specific applications for research purposes. These classes of ICT applications are assumed to be the responsibility of the faculties concerned. It is however part of the Institution's policy to:
o Ensure that all end users are equipped with the necessary level and variety of skills to facilitate their functions.

In addition, the Institution has addressed the following issues at policy level:
o Sustainable management of ICT resources that takes into account the interests of all users.

Policy Summary
It is the Institution Policy to assure availability of all anticipated ICT services/systems at any workplace in the Institution, and, for selected services, to locations outside the Institution through Common Network Services. Common Network Services (Network Infrastructure), mainly comprising physical network infrastructure (wiring, switches, routers, servers, etc.) and communication protocols (TCP/IP), form the collective data transport means for all current and future ICT services/systems.
1. It is the Institution Policy to assure availability of User-level Data Communication Services such as E-Mail, Access-to-Internet and Internet/Intranet Services, which actually are major users of the low-level network services.
2. It is the Institution Policy to promote office computing in all offices. In this text the term office computing is used for the application of ICT, mostly desktop computers, to support general office tasks. This applies to lecturers, researchers and managers, as well as to secretarial and clerical workers. Major office computing applications are: word processing, electronic mail, spreadsheet processing, document storage and retrieval, desktop publishing, access-to-internet and intranets.
3. It is the Institution Policy to improve both the efficiency and effectiveness of library operations and services through the implementation of an integrated on-line Library Information System.
4. It is the Institution Policy to enhance and streamline Participant education related administrative and managerial processes and to improve academic reporting facilities at both central and faculty level through the implementation of an integrated Participant Admission Management System (SAMS).
5. It is the Institution Policy to enhance and streamline financial management processes and reporting facilities at both central and faculty levels through the implementation of an integrated Financial Information System. Given the decentralized nature of budgetary management, it is the Institution Policy to make these functions also available to faculties and other budget centers. The following functionality is regarded essential to the Institution financial management information system.
6. It is the Institution Policy to enhance and streamline the human resource management and administrative processes through the implementation of a Human Resource Information System (HURIS).
7. It is the Institution Policy in the broadest sense to promote the deployment of ICT in all areas of education and research through creating technical and organizational preconditions.
8. It is the Institution Policy to ensure and require that all Participants, academic staff, administrative and support staff, and managerial staff are trained on a continuing basis to equip them with the requisite skills to fully exploit the ICT environment in their different functions.
9. It is the Institution Policy to ensure sustainable management of the Institution's ICT policy and resources through the creation of appropriate policy, advisory, management and operational organs that will cater for the broad interests of all users.
10. It is the Institution Policy to provide for the growth and financial sustainability of its ICT resources through appropriate funding and operational mechanisms.

1.4 Related Requirements
ICT services and systems will become inherent in the Institution's educational, research, administrative, and managerial processes. Each individual ICT service and system as such places demands on the:
1. Anticipated data communication infrastructure. For each ICT service or system the minimum (initial) communication requirements are identified.
2. Staff resources during the implementation stage. This will involve Kenya Institute of Administration staff as well as local and foreign expertise.
3. Staff resources during the deployment stage. Adequate organizational arrangements have to be made to ensure that the necessary staff to run/manage systems are either re-deployed or recruited in good time.
4. The operational ICT management environment during and after implementation.


SECTION D
Information Systems Security Policy
Policy Statement

1.1 Information is a critical asset of KIA, hereafter referred to as the Institution. Accurate, timely, relevant, and properly protected information is essential to the success of the Institution's academic and administrative activities. The Institution is committed to ensuring all accesses to, uses of, and processing of Institution information is performed in a secure manner.

1.2 Technological Information Systems, hereafter referred to as Information Systems, play a major role in supporting the day-to-day activities of the Institution. These Information Systems include but are not limited to all infrastructure, networks, hardware, and software which are used to manipulate, process, transport or store Information owned by the Institution.

1.3 The object of this Information Systems Security Policy and its supporting policies is to define the security controls necessary to safeguard Institution Information Systems and ensure the security, confidentiality and integrity of the information held therein.

1.4 The Policy provides a framework in which security threats to Institution Information Systems can be identified and managed on a risk basis, and establishes terms of reference which are to ensure uniform implementation of Information security controls throughout the Institution.

1.5 The Institution recognizes that failure to implement adequate Information security controls could potentially lead to:
o Financial loss
o Irretrievable loss of important Institution data
o Damage to the reputation of the Institution
o Legal consequences

Therefore measures must be in place which will minimize the risk to the Institution from unauthorized modification, destruction or disclosure of data, whether accidental or deliberate. This can only be achieved if all staff and Participants observe the highest standards of ethical, personal and professional conduct. Effective security is achieved by working with a proper discipline, in compliance with legislation and Institution policies, and by adherence to approved Institution Codes of Practice.

1.6 The Information Systems Security Policy and supporting policies apply to all staff and Participants of the Institution and all other users authorized by the Institution.

1.7 The Information Systems Security Policy and supporting policies do not form part of a formal contract of employment with the Institution, but it is a condition of employment that employees will abide by the regulations and policies made by the Institution from time to time. Likewise, the policies are an integral part of the Regulations for Participants.

1.8 The Information Systems Security Policy and supporting policies relate to use of:
o All Institution networks connected to the Institution Backbone.
o All Institution-owned/leased/rented and on-loan facilities.
o All private systems, owned/leased/rented/on-loan, when connected to the Institution network directly or indirectly.
o All Institution-owned/licensed data/programs, on Institution and on private systems.
o All data/programs provided to the Institution by sponsors or external agencies.

1.9 The objectives of the Information Systems Security Policy and supporting policies are to:
o Ensure that information is created, used and maintained in a secure environment.
o Ensure that all of the Institution's computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse.
o Ensure that all users are aware of and fully comply with the Policy Statement and the relevant supporting policies and procedures.
o Create awareness that appropriate security measures must be implemented as part of the effective operation and support of Information Security.
o Ensure that all users understand their own responsibilities for protecting the confidentiality and integrity of the data they handle.
o Ensure all Institution-owned assets have an identified owner/administrator.

2 IT Management Roles and Responsibilities

2.1 The Institution Management
The Institution Management is responsible for approving the IT Security Policy, distributing the policy to all heads of departments/sections/centers and for supporting the M.I.S in the enforcement of the policies where necessary.

2.2 Discharging of Policies
The policies will be discharged through nominated individuals, who normally will be the respective Heads of departments.

2.3 Heads of Departments
The Heads of departments are responsible for ensuring that staff, Participants and other persons authorized to use systems in respective departments are aware of and comply with the associated supporting policies and procedures.

2.5 The IT Security Officer
The IT Security Officer role will be taken by the Information Systems Manager. He is responsible for:
o Reviewing and updating the Security policy and supporting policies and procedures.
o The promotion of the policy throughout the Institution.
o Periodical assessments of security controls as outlined in the Security Policy and supporting policies and procedures.
o Investigating Security Incidents as they arise.
o Maintaining Records of Security Incidents.
o Reporting to the Institution Management on the status of security controls within the Institution.

2.6 The Systems Administrator
The Systems Administrator is responsible for the management of the Institution Network and for the provision of support and advice to all nominated individuals with responsibility for discharging the technical aspects of these policies.

2.7 Information Systems Users
It is the responsibility of each individual Information Systems user to ensure his/her understanding of and compliance with this Policy and the associated Codes of Practice. All individuals are responsible for the security of Institution Information Systems assigned to them. This includes but is not limited to infrastructure, networks, hardware and software. Users must ensure that any access to these assets which they grant to others is for Institution use only, is not excessive and is maintained in an appropriate manner.

2.8 Purchasing, Commissioning, Developing an Information System
All individuals who purchase, commission or develop an Information System for the Institution are obliged to ensure that this system conforms to the necessary security standards as defined in this Information Security Policy and supporting policies. Individuals intending to collect, store or distribute data via an Information System must ensure that they conform to Institution-defined policies and all relevant legislation.

2.9 Third Parties
Before any third party users are permitted access to Institution Information Systems, specific written approval from the IT Security Officer is required. Prior to being allowed to work with Institution Information Systems, satisfactory references from reliable sources should be obtained and verified for all third parties, which includes but is not limited to administrative staff, software support companies, engineers, cleaners, and contract and temporary appointments. Data processing, service and maintenance contracts should contain an indemnity clause that offers cover in case of fraud or damage.

2.10 Reporting of Security Incidents
All suspected information security incidents must be reported as quickly as possible through the appropriate channels. All Institution staff and Participants have a duty to report information security violations and problems to the IT Security Officer on a timely basis so that prompt remedial action may be taken. The IT Security Officer will be responsible for setting up an Incident Management Team to deal with all incidents. Records describing all reported information security problems and violations will be created.

2.11 Security Controls

All Institution Information Systems are subject to the information security standards as outlined in this and related policy documents. No exceptions are permitted unless it can be demonstrated that the costs of using a standard exceed the benefits, or that use of a standard will clearly impede Institution activities.

3 Breaches of Security

3.1 Monitoring
The Management Information Systems will monitor network activity and take action/make recommendations consistent with maintaining the security of Institution information systems.

3.2 Incident Reporting
Any individual suspecting that there has been, or is likely to be, a breach of information systems security should immediately inform the IT Security Officer or the Institution management, who will advise the Institution on what action should be taken.

4 Policy Awareness and Distribution

4.1 New Staff and Participants
This Policy Statement will be available from the Principal's Office on request. It will also be published on the Institution web site. New staff and Participants will be notified of the relevant policy documents when they initially request access to the Institution network.

4.2 Existing Staff
Existing staff and Participants of the Institution, authorized third parties and contractors given access to the Institution network will be advised of the existence of this policy statement. They will also be advised of the availability of the associated policies and procedures, which are published on the Institution website.

4.3 Updates
Updates to Policies and procedures will be made periodically.

4.4 Training
Training will be available from Management Information Systems in Information Security fundamentals.


5 Risk Assessments and Compliance

5.1 Risk Assessment Risk assessments must be carried out periodically on the business value of the information users are handling and the information systems security controls currently in place. This is in order to take into account changes to operating systems, business requirements, and Institution priorities, as well as relevant legislation and to revise their security arrangements accordingly.


SECTION E
NETWORK / REMOTE ACCESS POLICY


Remote access is a generic term used to describe the accessing of the Kenya Institute of Administration (the Institution) computer network by Staff not located at an Institution office, such as those who travel, those who regularly work from home, or those who work both from the office and from home. Participation in a remote access program may not be possible for every Staff. Remote access is meant to be an alternative method of meeting Institution needs. The Institution, in its sole discretion, may refuse to extend remote access privileges to any Staff or terminate a remote access arrangement at any time. Eligibility for remote access to the Institution's computer network may be requested through respective Heads of department to the M.I.S Head and/or the DDFA. Requests must be submitted in writing, identifying the Staff and his/her remote access needs.

Acceptable Use
Hardware devices, software programs, and network systems purchased and provided by the Institution for remote access are to be used only for creating, researching, and processing Institution-related materials in the performance of the Staff's job duties. By using the Institution's hardware, software and network systems you assume personal responsibility for their appropriate use and agree to comply with this policy and other applicable Institution policies, as well as all country laws and regulations.

Equipment and Tools
The Institution may provide tools and equipment for remotely accessing the corporate computer network. This may include computer hardware, software, phone lines, e-mail, voicemail, connectivity to host applications, and other applicable equipment as deemed necessary. The use of equipment and software provided by the Institution for remotely accessing the Institution's computer network is limited to authorized persons and for purposes relating to Institution business. The Institution will provide for repairs to Institution equipment. When the Staff uses her/his own equipment, the Staff is responsible for maintenance and repair of his/her equipment.

Use of Personal Computers and Equipment
There are likely thousands of possible interactions between the software needed by the remote user and the average mix of programs on most home computers. Troubleshooting software and hardware conflicts can take hours, and can result in the need for a complete reinstallation of operating systems and application software in order to remedy such problems. For that reason the M.I.S will only provide support for equipment and software provided by the Institution. The Institution will bear no responsibility for the Staff's loss of or damage to personal equipment/information if the installation or use of any necessary software causes system lockups, crashes, or complete or partial data loss. The Staff is solely responsible for backing up data on his/her personal machine before beginning any Institution work. At its discretion, the Institution will disallow remote access for any Staff using a personal home computer that proves incapable, for any reason, of:
(a) Working correctly with the Institution-provided hardware, and
(b) Working with the Institution-provided software without repeated problems.

Violations and Penalties
Penalties for violation of the Remote Access Policy will vary depending on the nature and severity of the specific violation. Any Staff who violates the Remote Access Policy will be subject to:
o Disciplinary action including but not limited to reprimand, suspension and/or termination of employment.


SECTION F
ICT SUPPORT POLICY


1. PURPOSE
To provide support services within a structured framework that enables M.I.S to respond to computing issues in a timely and efficient manner.

2. POLICY
This policy establishes guidelines for a consistent means of providing support/service and managing any computing issues reported by the community M.I.S serves. The goal of this policy is to minimize the possibility of computer downtime and inconvenience to the customer. Services will be provided to primary customers (which are Auxiliary full time, part time and Participant and Staff).

3. GUIDELINES
A. Direct all support questions or problems (including training requests) to the help desk (ext. 115). It is assumed that most issues will be reported via telephone; however, they may also be reported in person or via written memo to the M.I.S Help Desk. If necessary, the support request will be escalated to a member of the technical staff. Customers are asked not to contact the technical staff directly. It is not our intention to make the technical staff unavailable or unreachable, but rather to utilize their time in a more efficient and productive manner, allowing them to work on complex and time-consuming problems and projects.
B. Direct all projects and purchase requests to the M.I.S Head. Projects are defined as proposed plans resulting in changes to or installation of hardware and/or software. This includes but is not limited to changes affecting functionality, configuration, security issues and compatibility with computing systems and standards.
C. Direct all website updates and additions to the Webmaster. The Webmaster will evaluate and implement proposed changes and contact the appropriate technical staff for final update.


SECTION G Disaster Recovery and Data Backup Policy


1 General Policy

1.1 Introduction

Back-up procedures, ensuring that both data and software are regularly and securely backed up, are essential to protect against the loss of that data and software and to allow rapid recovery from any IT failure. This document sets out guidelines for KIA Staff and Participants on backing up Institution data.

1.2 Scope

The data backup element of this policy applies to all Staff, Participants and third parties who use IT devices connected to the KIA network or who process or store information owned by KIA. All users are responsible for arranging adequate backup procedures for the data held on IT systems assigned to them.

The disaster recovery procedures in this policy apply to all Network Managers, System Administrators and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer. The M.I.S is responsible for the backup of data held in central Institution databases.

2 Data Backup

2.1 Best Practice Backup Procedures

All backups must conform to the following best practice procedures:

- All data, operating systems and utility files must be adequately and systematically backed up; this includes all patches, fixes and updates, so that a system can be rebuilt to its patched state rather than to the state of the installation media.
- Records of what is backed up, and to where, must be maintained.
- At least three generations of backup data must be retained at any one time (grandfather/father/son).
- The backup media must be precisely labelled, and accurate records must be maintained of the backups taken and of the backup set each belongs to.
- Copies of the backup media, together with the backup record, should be stored safely in a remote location, far enough from the main site to escape any damage from a disaster there.
- Regular tests of restoring data and software from the backup copies should be undertaken, to ensure that they can be relied upon in an emergency; a backup that has never been restored has not been proven.

2.2 Responsibility for Data Backup

In the current model only critical systems are routinely backed up by the M.I.S and the other relevant IT managers and system administrators. The responsibility for backing up data held on the workstations of individuals, whether privately or Institution owned, falls entirely to the User. If you are responsible for a collection of data held either remotely on a server or on the hard disk of a computer, you should consult your departmental system administrator.

2.3 Legal Requirements

Users formulating a backup strategy should take the following legal implications into consideration:

- Where the data held is personal data within the meaning of the Data Protection Act, there is a legal requirement to ensure that backups are adequate for the purpose of protecting that data.


- Depending on legal or other requirements, e.g. Financial Regulations, it may be necessary to retain essential business data for a number of years and to retain some archive copies permanently.
- Depending on legal or other requirements, e.g. the Data Protection Act or software licensing, it may be necessary to destroy all backup copies of data after a certain period or at the end of a contract. Destruction must extend to the remote copies, otherwise the retention limit has not been met.

2.4 Desktop Backups

The responsibility for backing up data held on the workstations of individuals, whether privately or Institution owned, falls entirely to the User.

3 Disaster Recovery

3.1 Best Practice Disaster Recovery Procedures

A disaster recovery plan can be defined as the ongoing process of planning, developing and implementing disaster recovery management procedures and processes to ensure the efficient and effective resumption of vital Institution functions in the event of an unscheduled interruption. All disaster recovery plans must contain the following key elements:

- Critical Application Assessment
- Backup Procedures
- Recovery Procedures
- Implementation Procedures
- Test Procedures
- Plan Maintenance

3.2 Network Managers, System Administrators, Application Administrators

Network Managers, System Administrators and Application Administrators who are responsible for systems or for a collection of data held either remotely on a server or on the hard disk of a computer must ensure that they have comprehensive, documented and tested disaster recovery and backup procedures in place, covering the key elements listed in 3.1.
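The retention, record-keeping and restore-test requirements of 2.1 are mechanical enough to show in code. The following is an added example, not part of KIA's policy or tooling: it applies a grandfather/father/son rule to a constructed 40-night history of full backups (daily sets are sons, the Sunday set is the father, the month-end set is the grandfather), keeps a record of label, location and SHA-256 digest for each set, and performs the restore check by hashing the restored image against the recorded digest. The label scheme, the "offsite-vault" location and the dump contents are assumptions made for the example.

```python
"""
Added example for Section G 2.1: GFS retention, backup records and restore
verification. Illustrative code, not KIA's. Labels, the offsite location and
the 40-night backup history are constructed for the example.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BackupRecord:
    """One entry in the backup record the policy requires: what, when, where, digest."""
    taken: date
    label: str       # media label, e.g. KIA-FULL-2024-03-31 (constructed scheme)
    location: str    # where the copy is held, e.g. offsite-vault (constructed)
    sha256: str      # digest of the backup image recorded at backup time


def record_backup(taken: date, image: bytes, location: str) -> BackupRecord:
    """Label the set and record its digest so a later restore can be checked."""
    label = f"KIA-FULL-{taken.isoformat()}"
    return BackupRecord(taken, label, location, hashlib.sha256(image).hexdigest())


def classify(taken: date) -> str:
    """Month-end set is the grandfather, the Sunday set the father, all others sons."""
    if (taken + timedelta(days=1)).day == 1:
        return "grandfather"
    if taken.weekday() == 6:  # Sunday
        return "father"
    return "son"


TIER_RANK = {"son": 0, "father": 1, "grandfather": 2}


def retain(records, keep_sons=7, keep_fathers=4, keep_grandfathers=3):
    """Return the records to keep. A higher tier also satisfies the lower tiers,
    so a month-end Sunday counts as father and son as well as grandfather."""
    newest_first = sorted(records, key=lambda r: r.taken, reverse=True)
    quotas = {"son": keep_sons, "father": keep_fathers, "grandfather": keep_grandfathers}
    kept = set()
    for tier, quota in quotas.items():
        eligible = [r for r in newest_first if TIER_RANK[classify(r.taken)] >= TIER_RANK[tier]]
        kept.update(eligible[:quota])
    return sorted(kept, key=lambda r: r.taken)


def verify_restore(record: BackupRecord, restored: bytes) -> bool:
    """The restore test: the restored image must hash to the digest recorded at backup time."""
    return hashlib.sha256(restored).hexdigest() == record.sha256


def sample_image(taken: date) -> bytes:
    """Constructed stand-in for a nightly dump of the central database."""
    return f"KIA central database dump {taken.isoformat()}\n".encode()


def sample_history(start="2024-02-21", days=40):
    """Constructed 40 nights of full backups, each recorded to the offsite location."""
    first = date.fromisoformat(start)
    return [record_backup(first + timedelta(days=i), sample_image(first + timedelta(days=i)), "offsite-vault")
            for i in range(days)]


def retained_dates(records=None):
    """ISO dates of the sets still held after applying GFS to the history."""
    return [r.taken.isoformat() for r in retain(records or sample_history())]


def generations_present(records=None):
    """Which generations the retained sets cover; the policy requires all three."""
    return sorted({classify(r.taken) for r in retain(records or sample_history())}, key=TIER_RANK.get)


def restore_test_results():
    """Restore check on the newest set: the intact image passes, an altered copy fails."""
    newest = max(sample_history(), key=lambda r: r.taken)
    good = verify_restore(newest, sample_image(newest.taken))
    bad = verify_restore(newest, sample_image(newest.taken) + b"corrupted block")
    return good, bad


if __name__ == "__main__":
    for r in retain(sample_history()):
        print(r.taken, classify(r.taken), r.label, r.location, r.sha256[:12])
    print("restore ok / tampered copy accepted:", restore_test_results())
```

With the default quotas the 40-night history reduces to eleven retained sets: the last seven nights, the three earlier Sundays of March, and the 29 February month-end set, so all three generations are present and the oldest copy is five weeks old. Tightening the quotas below the point where a grandfather survives would breach the three-generation rule even though daily backups are still running.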


SECTION H Incident Response Policy


1 General Policy

1.1 Introduction

In the event of a security incident it is important that all Institution employees and Participants are aware of their responsibilities and of the procedure by which incidents can be most effectively and efficiently brought to a satisfactory conclusion. The procedures defined below are best practice within KIA. Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.

2 Incident Reporting

2.1 Types of Incidents

The types of incidents that must be reported include, but are not limited to:

- Incidents reported from systems and networks (system failures, unusual activity)
- Incidents that affect Senior Management (threats, gossip, leaks)
- Risk management (unusual or suspicious behaviour noted in logs or activity reports)
- External sources (threats, customer queries, complaints, press)
- Incidents observed by network users (on local PCs or servers)
- All breaches of the Institution Security Policy

2.2 Reporting an Incident

All observed or suspected security incidents, weaknesses or threats should be reported to a Network Manager, a System Administrator or the Institution Management. In no instance should any user attempt to prove a suspected weakness, as this could itself be treated as misuse of the system. Where users note that any software does not appear to be working correctly, i.e. according to specification, they should report the matter to the Helpdesk or the local system administrator. Where a user suspects that the malfunction is due to malicious software, e.g. a computer virus, they should stop using the computer, note the symptoms and any messages appearing on the screen, and report the matter to the Helpdesk or the local system administrator.

2.3 Documentation

Adequate documentation must be maintained at all stages of the incident handling process.

2.4 Disabling Accounts/Network Connections

The M.I.S, Network Managers and System Administrators may disable user accounts and/or network connections as part of incident handling.

2.5 Communication / Control

After validating that an incident has taken place, a System Administrator or Network Manager should escalate the incident to the DDFA, Faculty of Information Science and Technology, for necessary action.

2.6 Obtaining Evidence

It is vital that affected systems are quickly identified and isolated. Information should be retrieved from these systems in the best available manner, with actions taken by as few people as possible, preferably only the lead incident contact. Incorrect gathering and handling of evidence may jeopardise the successful prosecution of an incident. Collected evidence must therefore be handled so as to preserve its integrity, and every transfer must be documented and validated. Where possible, collected data should immediately be stored on write-once media. Write-once media is any media, such as a CD, on which data once written cannot be edited, amended or appended. Recording a cryptographic hash of each item at the time of collection allows any later copy to be checked against the original.

2.7 Preserve Configuration

The configuration and contents of all affected systems must be preserved to the greatest extent possible, so that the issues involved can be demonstrated at a later date. This may be covered by the method of obtaining evidence, but may also involve manual backups of data. It must include all system configuration data as well as any scripts, data and files stored on the system.

2.8 Query External Resources

Where external resources are of use, their outputs must always be recorded, preferably on write-once media. This is particularly important for DNS lookups, whois/rwhois output and the like, which may change at a later date. If personal contact is made with external agencies, details of all conversations and correspondence must be recorded in the relevant incident notes.

2.10 Follow-up Actions

The immediate incident team should draw up a change report detailing further changes required, including the priority and impact of each change. Approval for follow-up actions may be given by senior management or via the normal change control process. The lead contact is responsible for tracking follow-up changes.

A detailed incident report must be prepared, including remedial action taken in the short and long term, to help restore confidence in the systems affected.
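Sections 2.6 to 2.8 ask for evidence whose integrity can be shown later, a documented and validated record of every transfer, and captured copies of volatile external lookups. The following is an added example of one way to keep that record, not KIA's own procedure: each item is hashed with SHA-256 when collected, every handover is appended to a per-item custody chain, DNS output is captured as an evidence item in its own right, and a copy can be re-validated against the recorded digest before it is used. The incident identifier, host name, handler names, the TEST-NET address 198.51.100.23 and the log and dig output are all constructed for the example.

```python
"""
Added example for Section H 2.6-2.8: hashing collected evidence, recording a
chain of custody, capturing volatile external lookups and re-validating copies.
Illustrative code, not a KIA procedure. Identifiers, hosts, handlers and the
log and DNS text are constructed.
"""
import hashlib
import json

# Constructed excerpt of an auth log taken from the affected system.
AUTH_LOG = (
    b"Mar 14 02:11:07 kia-fs01 sshd[4021]: Failed password for root from 198.51.100.23 port 51022 ssh2\n"
    b"Mar 14 02:11:09 kia-fs01 sshd[4021]: Accepted password for backup from 198.51.100.23 port 51030 ssh2\n"
)

# Constructed reverse-lookup output; this is exactly the kind of volatile result 2.8 wants captured.
DNS_OUTPUT = (
    b"; dig -x 198.51.100.23 (output constructed for this example)\n"
    b"23.100.51.198.in-addr.arpa. 3600 IN PTR host-23.example.net.\n"
)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class EvidenceLog:
    """Incident notes: each item is hashed at collection and every handover is recorded."""

    def __init__(self, incident_id: str):
        self.incident_id = incident_id
        self.items = {}  # name -> record with sha256, collector, time, custody chain

    def collect(self, name: str, data: bytes, handler: str, when: str) -> None:
        # Never overwrite an existing item: a second capture is a new piece of evidence.
        if name in self.items:
            raise ValueError(f"{name} already collected; record a new item instead")
        self.items[name] = {
            "sha256": digest(data),
            "collected_by": handler,
            "collected_at": when,
            "custody": [{"from": None, "to": handler, "at": when}],
        }

    def transfer(self, name: str, to_handler: str, when: str) -> None:
        """Document a handover; the previous custodian is taken from the chain itself."""
        chain = self.items[name]["custody"]
        chain.append({"from": chain[-1]["to"], "to": to_handler, "at": when})

    def record_lookup(self, name: str, command: str, output: bytes, handler: str, when: str) -> None:
        """External query output may change later, so it is stored as evidence with its command."""
        self.collect(name, output, handler, when)
        self.items[name]["command"] = command

    def validate(self, name: str, data: bytes) -> bool:
        """Re-hash a copy before it is used or presented; any difference means it is not the original."""
        return digest(data) == self.items[name]["sha256"]

    def custodian(self, name: str) -> str:
        return self.items[name]["custody"][-1]["to"]

    def export(self) -> str:
        """Serialised record, to be written to write-once media alongside the evidence."""
        return json.dumps({"incident": self.incident_id, "items": self.items}, indent=2, sort_keys=True)


def demo() -> dict:
    """Constructed walk-through: collect, capture a lookup, hand over, then validate copies."""
    log = EvidenceLog("INC-2024-0007")  # constructed identifier
    log.collect("kia-fs01-auth.log", AUTH_LOG, "lead incident contact", "2024-03-14T03:05:00Z")
    log.record_lookup("dns-198.51.100.23", "dig -x 198.51.100.23", DNS_OUTPUT,
                      "lead incident contact", "2024-03-14T03:10:00Z")
    log.transfer("kia-fs01-auth.log", "DDFA, Faculty of Information Science and Technology",
                 "2024-03-14T09:00:00Z")
    altered = AUTH_LOG.replace(b"Accepted", b"Failed  ")  # a copy someone has edited
    return {
        "intact_copy_valid": log.validate("kia-fs01-auth.log", AUTH_LOG),
        "altered_copy_valid": log.validate("kia-fs01-auth.log", altered),
        "custodian": log.custodian("kia-fs01-auth.log"),
        "handovers_recorded": len(log.items["kia-fs01-auth.log"]["custody"]),
        "export_parses": json.loads(log.export())["incident"] == "INC-2024-0007",
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest is taken before the item is moved anywhere, so the later check does not depend on trusting the copy's custodian, and the custody chain records who held the item between collection and escalation to the DDFA. The exported JSON is what would go onto the write-once media next to the evidence itself.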


SECTION I Misuse of Institution ICT Facilities


Where investigation of a security incident indicates misuse of IT facilities, approved disciplinary procedures will be implemented as defined in this policy.

3.1 Staff and Third Parties

Where Institution Staff members or third parties are found to have misused Institution IT facilities, the Institution authorities will be informed and will determine what further action should be taken.

3.2 Participants

Where Participants are found to have misused Institution IT facilities, the IT Security Officer, Network Manager or Administrator must inform the DDFA, who will determine what further action should be taken.


SECTION J Disposal Policy for ICT Equipment

Introduction

In its effort to maximize the life of ICT equipment, the Institute will endeavour to extend the working lives of ICT equipment by:

- Replacing equipment only when it is necessary and advantageous to do so
- Refurbishing and redeploying equipment to alternative uses, either within the Institute or external to it, whenever possible

Where it is not possible to extend the useful life of ICT equipment, it must be boarded. All Institute staff members are responsible for adhering to this policy. This document sets out information to guide staff and the procedures which should be followed for the disposal of ICT equipment.

Responsibilities within the Institute

Responsibility for disposal, and for the documentation of disposal, rests with the ICT Section through which the item or equipment was purchased, except where ownership of the item has been formally transferred to another Faculty, Department or Section. Where items are used by a Faculty, Department or Section but rolled out by the ICT Section, ICT will take responsibility for ensuring disposal processes are followed. Where the Faculty, Department or Section has contributed to the purchase cost of a non-standard workstation, or has purchased additional components, ICT will still take responsibility for disposal. The Faculty, Department or Section may remove additional components which it has added and paid for before returning the item to ICT, provided this does not invalidate the warranty of the equipment.

Institute Financial Regulations

The Institute applies straight-line depreciation to IT assets annually, regardless of when during the year the asset was purchased. Software and PCs are depreciated over three years, and non-PC equipment over five years, unless the software or hardware was purchased for use by a project, in which case depreciation may be spread over the life of the project.

The disposal of IT assets should consider who funded the item and whether there is any obligation to return the asset, whether internally within the Institute or to an agency which externally funded the project it was purchased for. The disposal of IT assets should also consider whether the item is fully depreciated and, if not, every effort should be made to sell the asset for a value greater than or equal to its current residual value on the balance sheet. Budget holders within the relevant Faculty, Department or Section must agree to the disposal. The respective Managers are responsible for notifying Finance within seven days of the asset being disposed of, and for raising invoice requests with Finance for the sale of any assets. Finance will then adjust the depreciation on the asset accounts on the balance sheet and compute the profit or loss on the disposal.

Warranties

The Institute normally purchases three-year warranties for laptops, PCs and monitors. This makes it unlikely that any such item will be useful for less than three years, as the equipment should be repaired or replaced as appropriate during this period.

Software Licensing

In general, software purchased by the Institute is licensed only to the Institute and cannot be sold on. This is because the Institute benefits from licensing subsidies which cannot be transferred. The one exception is the operating system. The operating system purchased with a workstation or PC may be sold on; however, be aware that the purchased operating system may have been replaced with the Institute's currently supported standard. Where this is the case, the operating system originally supplied is the only one which may be sold on, and it would have to be reinstalled after the hard disk has been wiped of all data.

There is no obligation to sell the supplied operating system, and the additional return for equipment with the operating system should be weighed against the cost of staff time to restore the original operating system once drives have been wiped. If you require support with any issues related to software licensing, please raise a call with the ICT Service Desk.

Data Protection Act and Data Security

It is the Institute's responsibility to remove any personal data stored on the hard drives of computers. Other data may be confidential and should also be removed. Simply deleting files is not enough to wipe data from hard drives: deletion removes the directory entry and leaves the file contents on the disk, recoverable with readily available tools. Specialist wiping software that overwrites the whole drive must be used, and the result should be checked by reading the drive back. Overwriting cannot be relied upon for solid-state drives, which should be sanitised with the drive's built-in secure-erase function or physically destroyed. The Faculty, Department or Section that owns the asset is responsible for ensuring that all data is removed from hard drives before disposing of any IT equipment, whether by sale, donation or recycling. Drives should be wiped before any equipment leaves the Institute.

Responsibilities for Disposal of IT Equipment Once Sold

Those selling second-hand or reconditioned equipment are not responsible for taking the equipment back and dealing with its disposal. However, because of environmental rules and regulations, the Institute is required to ensure that those purchasing second-hand equipment are aware that they will be responsible for ensuring it is properly recycled, and have accepted that responsibility in writing. Asset records should be updated to show who items have been sold to.

Procedures for Disposal

The following procedures should be followed when disposing of an ICT asset.

1. Identify the equipment, serial number, purchase date, order number, budget code and the Faculty, Department or Section which owns the asset. Confirm the item is out of warranty and fully depreciated.

2. If the Faculty, Department or Section has no further use for it, offer it to other areas of the Institute which may have alternative uses for the equipment on campus. If an alternative use is found, follow the procedures for transferring ownership of an asset to another area of the Institute and update the asset and inventory records, including notification of Finance.

3. Equipment which cannot be reused in other areas shall be offered for sale, either to external agencies, staff or participants. An estimate of the item's value will be required, and this may or may not correspond to the asset purchase price less depreciation. Records should be kept of who the item has been sold to and of their acceptance of their responsibility to ensure the item is properly recycled when they eventually dispose of it.

4. If items cannot be sold, they should be donated to organisations that will ensure that they are reused, or refurbished and reused, and the useful life of the equipment extended. Transfer notes for items disposed of should be kept, and asset and inventory records updated.

5. Should no organisations or charities be interested in the item, the goods may be given away. As with the sale of an item, those taking such items must agree to ensure they are recycled when eventually disposed of, and records of who these goods have been transferred to must be kept.

6. If no one can be found who wants to use the item, the equipment may be cannibalised for spares. Arrangements for disposing of the components not required as spares must still be made.

7. If the item is not useful for spares, it should be boarded.
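The Data Protection Act and Data Security paragraph above says that deleting files is not enough and that the drive must be wiped. The following added example, which is not KIA's tooling, shows the two halves of that requirement on a small constructed drive image held in a temporary file: first that the bytes of a "deleted" file are still present on the medium, then an overwrite of every sector with several patterns followed by a read-back check that nothing but zeros remains. The 4096-byte sector size, the 64-sector image and the CONFIDENTIAL marker are assumptions made for the example; the read-back check assumes a magnetic disk, where an overwrite reaches every addressable sector.

```python
"""
Added example for Section J, Data Protection Act and Data Security: overwrite a
drive image and verify the overwrite by reading it back, instead of relying on
deletion. Illustrative code, not KIA's tooling. The drive image, sector size
and the marker text standing in for confidential data are constructed.
"""
import os
import tempfile

SECTOR = 4096
MARKER = b"CONFIDENTIAL: participant records 2024"  # constructed sensitive content


def make_sample_image(size_sectors: int = 64) -> str:
    """Constructed stand-in for a small disk: random filler with the marker in one sector."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        for i in range(size_sectors):
            f.write(MARKER.ljust(SECTOR, b"\0") if i == 17 else os.urandom(SECTOR))
    return path


def bytes_left_after_delete(path: str) -> bytes:
    """Deleting a file removes its directory entry only; the sectors keep their contents.
    Reading the image back stands in for what a recovery tool would see on the platters."""
    with open(path, "rb") as f:
        return f.read()


def overwrite(path: str, passes=(b"\xff", None, b"\x00")) -> None:
    """Overwrite every sector with each pattern in turn; None is a random pass.
    The last pass is zeros so the outcome can be checked by reading the medium back."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            for _ in range(0, size, SECTOR):
                f.write(os.urandom(SECTOR) if pattern is None else pattern * SECTOR)
            f.flush()
            os.fsync(f.fileno())  # make sure the pass reached the medium, not just the cache


def verify_wiped(path: str) -> bool:
    """Read the whole image: every byte must be zero and the marker must be gone."""
    with open(path, "rb") as f:
        data = f.read()
    return data.count(0) == len(data) and MARKER not in data


def demo() -> dict:
    """Constructed run: show the remnant after deletion, then wipe and verify."""
    path = make_sample_image()
    try:
        recoverable = MARKER in bytes_left_after_delete(path)
        overwrite(path)
        return {"recoverable_after_delete": recoverable, "verified_wiped": verify_wiped(path)}
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

The verification step is the part most often skipped: a wipe that was interrupted, or that hit unreadable sectors, looks identical to a complete one until the drive is read back. The same read-back check cannot confirm a wipe of a solid-state drive, because the controller may leave over-provisioned or remapped cells untouched; that is why the text directs those drives to the built-in secure-erase function or to physical destruction.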

