
INTERNATIONAL ORGANIZATION FOR MIGRATION

Document Title: ICT Policies and Guidelines

Document Type: Instruction

Character: Compliance with this Instruction is mandatory

Control No.: IN/123 Rev. 1

Document Owner: Information and Communications Technology Division (ICT)

Status: Active

Date of entry into force: 14 November 2017

Replaces (for archive): IN/123 IT Policies and Guidelines (2012)

Summary: This document is a compilation of relevant ICT Policies and Guidelines that govern the
management and use of ICT resources throughout the Organization. It also provides direction and
guidance on the principles to be applied for maintaining the integrity and confidentiality of the
information and data stored in IOM ICT resources. This Instruction applies to all IOM staff members,
non-staff members (such as consultants, interns, short-term hourly contract holders), external service
providers and any other individuals or entities that are authorized to access and/or use IOM ICT
resources in the performance of their duties.

Keywords: ICT policy, IT security, confidentiality, compliance, ICT resources, acceptable usage,
access request, account, password, remote access, email, internet, social media, software, application
systems, service providers.

Location: https://intranetportal/Pages/ControlNo.aspx?controlNo=IN/00123
Annex A – ICT Confidentiality and Conflict of Interest Agreement - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00056
Annex B – Third Party Access Request Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00079
Annex C1 – Account Management - User Account Creation Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00043
Annex C2 – Account Management - Account Transfer-Update Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00082
Annex C3 – Account Management - Account Deletion Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00044
Annex C4 – Account Management - E-mail Distribution List DL - Shared Mailbox Form -
https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/ICT/00001

Initiated: Information and Communications Technology Division
Coordinated: ACO, HRM, MCD, OIG, LEG
Authorized: Bernardo Mariano, Director ICT / Chief Information Officer (CIO)
Approved: ODG, DRM
Distribution: All ICT Staff Worldwide, All Missions Worldwide, All Departments in Geneva, MAC, PAC,
Regional Directors, SLO Heads, COMs and Heads of Office

Table of Contents

Introduction...............................................................................................................................3
Section 01 - Information Security Policy................................................................................... 5
Section 02 - ICT resources Policy .......................................................................................... 11
Section 03 - Acceptable Use Policy ....................................................................................... 12
Section 04 - Account and Password Management Policy ...................................................... 14
Section 05 - Mobile and Remote Access Policy ..................................................................... 18
Section 06 – E-mail Policy......................................................................................................20
Section 07 - Internet Usage Policy ......................................................................................... 24
Section 08 - Social Media Policy ............................................................................................ 26
Section 09 - Software Policy .................................................................................................. 28
Section 10 - Application Systems Development Policy .......................................................... 30
Section 11 - Physical and Operational Security Policy ........................................................... 32
Section 12 – Business Continuity Management Policy .......................................................... 35
Section 13 - Management of External Service Providers ....................................................... 36
Section 14 - Electronic Data Destruction Policy ..................................................................... 38
Section 15 - Encryption Controls Policy ................................................................................. 41
Section 16 - Information Security Incident Management Policy ............................................. 43
Section 17 - Information and Data Classification Policy ......................................................... 45
Section 18 - Cloud Computing Services Policy ...................................................................... 48
Section 19 - Removable Media Policy.................................................................................... 53
Section 20 – IT Risk Management Policy............................................................................... 55
Annex A – ICT Confidentiality and Conflict of Interest Agreement ......................................... 56
Annex B – Third Party Access Request Form ........................................................................ 58
Annex C1 – Account Management - User Account Creation Form ........................................ 60
Annex C2 – Account Management - Account Transfer/Update Form .................................... 61
Annex C3 – Account Management - Account Deletion Form ................................................. 62
Annex C4 – Account Management - E-mail Distribution List (DL) / Shared Mailbox Form .... 63
Introduction
This Instruction provides a foundation for the Organization to facilitate an open, yet secure,
information-sharing environment to the benefit of all users. This will, in turn, advance IOM’s
commitment to preserve the confidentiality, integrity and availability of IOM ICT resources.
This Instruction covers all IOM ICT resources in its broadest sense and includes technical
infrastructure, telecommunication systems, software, hardware and all related components, as
well as desktops, laptops, mobile phones, tablets and other portable media equipment
assigned by the Organization. It specifically aims to:
a. Enhance the uniform performance of the ICT Division in delivering, implementing, and
maintaining ICT systems suitable to fulfill the business needs of the Organization;
b. Define the duties and responsibilities of individuals and entities that are authorized
access to and/or use the IOM ICT resources in the performance of their duties; and
c. Provide the basis for the Organization to build the necessary internal standards and
processes for complying with the Policies and Guidelines outlined in this Instruction.

Scope and Naming Conventions


This Instruction applies to all of the following, irrespective of their location:
• IOM staff members
• Non-staff members (such as consultants, interns, short-term hourly contract holders)
• External service providers
• Any other individuals or entities that are authorized to access and/or use IOM ICT
resources in the performance of their duties
For the purposes of this Instruction, IOM staff members together with non-staff members
are referred to as internal users, while external service providers and any other
individual or entity authorized to access IOM ICT resources are referred to as external
users. Furthermore, "Users" and/or "All Users" refers to both internal and external users.
This Instruction is divided into two parts: Part 1 (sections 1 to 8) is directed at All Users; Part 2
(sections 9 to 20) focuses more on accountability and technological aspects and is directed
at IOM Directors of Departments and Offices at HQ, of Administrative Centers and of
Regional Offices as well as Chiefs of Mission in Country Offices and Heads of Offices
(hereafter referred to as Directors/Chiefs/Heads) and their delegates; as well as all ICT
personnel (internal or external users) that provide ICT services to IOM and/or are involved
in the creation, maintenance, transmission, and handling of IOM ICT systems and the
information and data stored therein (hereafter referred to as ICT Staff).
For the purposes of this instruction, an IOM Organizational Unit refers to functional
business areas with a specific scope (accounting, procurement, human resources, ICT,
project development, etc.) regardless of location (Headquarters/MAC/PAC/RO/CO/Sub-
Office/etc.).
References to ICT Resources include technical infrastructure, telecommunication systems,
software, hardware and all related components, as well as workstations (desktops/laptops),
mobile devices (phones/tablets) and other portable equipment.

In this policy, information (processed data) and data (unprocessed information) are used in a
broad sense and include fully processed, partially processed, unprocessed, interpreted, organized
or structured information and data.

Exceptions
Requests for any exception to the application of the Policies and Guidelines in this Instruction
must be submitted in writing with justification to the Director ICT / Chief Information Officer
(CIO) for review. A request for an exception will only be granted if justified and for a limited
period of time, after the ICT Division coordinates with other relevant IOM organizational units,
conducts a risk assessment, and provided the security risks are low and the user requesting
the exception assumes full responsibility for all risks involved.

Non-Compliance
All users should be aware of the contents of this Instruction and must, to the extent applicable,
comply with it. The obligation to respect this Instruction continues to apply even after the end of the
user’s contract of employment or service with IOM.
Any breach of this Instruction must be reported immediately to the Director ICT / Chief
Information Officer (CIO), who will coordinate with the Ethics and Conduct (ECO) Office, and
the Office of Legal Affairs (LEG), as appropriate.
Non-compliance with this Instruction by IOM staff members will be investigated and may result
in disciplinary action, in accordance with the IOM Staff Regulations and Rules. Any breach by
non-staff members or external users may result in termination of their contract of employment
or service with IOM, without prejudice to any remedy available to IOM in law or in equity.

Policies Review
IOM, through the ICT Division, will review this Instruction periodically. Questions and feedback
on this Instruction and/or its application should be sent to ICTPolicySupport@iom.int at the ICT
Division.

Section 01 - Information Security Policy
Version 2.0
Last updated on October 2017

IOM recognizes the importance of information security and the ICT Division acknowledges the
obligation to ensure appropriate security of all ICT data, systems, equipment, and processes
under its ownership and control. This obligation is shared by all users.
This section provides the framework for protecting IOM ICT resources against unacceptable
security risks and aims at ensuring that appropriate physical and technological security
measures are applied in a systematic manner throughout the Organization.

1.1 Information Security Principles


All users must comply with this Instruction when accessing and/or using IOM ICT resources.
This will help the Organization to identify, manage and minimize security risks.
The information security principles in this Instruction also apply to paper records printed from
or accessed through IOM ICT resources. The information security principles are:
Principle 1: Authenticity
Authenticity is assurance that a message, transaction or other exchange of information
is from the source it claims to be from. Authenticity involves proof of identity and is
required to ensure the safe exchange of information and data and to verify that it comes
from a trustworthy and genuine source.
Principle 2: Availability
Availability is a characteristic that applies to ICT resources. System availability relates
to the full functionality of ICT systems and their components. Proper functionality of ICT
systems is required for the efficient operation of the Organization. All IOM ICT
resources should be readily available, accessible and usable when needed by an
authorized user.
Principle 3: Confidentiality
Confidentiality means to ensure that information and data is not made available or
disclosed to unauthorized entities and individuals. It refers to the privacy and
confidential treatment of sensitive, personal, corporate and proprietary information of
IOM and its staff, project beneficiaries, donors, vendors and partners.
All information and data that comes into the knowledge or possession of any user
including ICT Staff, while working for or on behalf of IOM, should be kept confidential
and disclosed only to authorized users. This obligation shall survive the termination or
expiration of the user’s contract and/or service with IOM.
All users are required to ensure the confidentiality and protection of IOM’s information
and data, in full compliance with the relevant organizational regulations and policies.
ICT staff who are granted administrator rights to workstations, file servers and/or e-mail
servers are required to sign a standard ICT confidentiality agreement (Refer to ‘ICT
Confidentiality and Conflict of Interest Agreement’, Annex A). Failure by relevant ICT
staff to sign Annex A will not relieve them of their obligations under this Instruction
and its Annexes.
For external users, a confidentiality clause is included in their contract or service
agreement, and where appropriate, it will be supplemented by signing a Non-
Disclosure Agreement (Refer to section 13).

Principle 4: Integrity
Integrity means to protect the accuracy and completeness of information and data, and
the methods that are used to process and manage it. Users should take reasonable
and necessary precautions to preserve the integrity of IOM ICT resources and to
prevent unauthorized modification and tampering that could affect the integrity, quality,
accuracy and completeness of the information and data stored in IOM ICT resources.

1.2 Information security management framework


The ICT Division is committed to maintaining information security standards and effective
information security management practices. It is IOM’s policy to review the purlieus or
dimensions of security practices that significantly mitigate the risks of unauthorized and
undetected access/intrusion across the Organization’s entire ICT infrastructure.
IOM will conform to a comprehensive Information Security Management System (ISMS)
framework using a continual improvement approach based on the International Standard
ISO/IEC 27001, which includes cross-references to ISO/IEC 27002 Code of Practice in order
to effectively protect ICT resources throughout the Organization.
To maintain an acceptable level of security, the ICT Division will periodically conduct a review
of the following in IOM’s ISMS:
Purlieus 1: Resistance / Tolerance / Abuse:
• Physical Security
• Firewalls
• VPNs
• Intrusion Detection and Prevention (IDS/IPS)
• E-mail Filtering
• Web Content Filtering
• Web Services’ Exposure (i.e. HTTP, HTTPS, DNS, SMTP, Proxy, Reverse Proxy, etc.)
• Super user accounts and accounts with elevated system privileges
• Security Authentication and Authorization
• Wireless Management
Purlieus 2: Internal and/or external vulnerability assessments for:
• Servers
• Workstations (desktops/laptops)
• Mobile devices (phones, tablets)
• Passwords
• Modems / Routers / Switches (active components)
• Wireless Networks
• Anti-Virus Protection
• Regular Software/OS Security Patches (provided by all vendors)
Purlieus 3: Policies and guidelines:
• Security Policies and Guidelines
• Security Awareness Strategies

1.3 Data sensitivity and classification


Electronic records should be classified according to their level of sensitivity and should
be clearly marked prior to transferring them to authorized persons or saving them in electronic storage
areas. Access to electronic records should be limited to authorized users only.
The guidelines in the IOM Data Protection Manual (MA/88) should be followed when classifying
electronic records containing personal data of IOM beneficiaries. Please refer to Section 17 in
this document.

1.4 Authorization
Access to IOM ICT resources and the information and data stored therein is privileged and
should be restricted to authorized individuals. Users require explicit authorization to access
and/or use IOM ICT resources and electronic records. Custodians of ICT systems and data
(refer to section 2) should only grant such authorization for the purpose of the duties assigned
to the user.

1.5 Access control


Suitable access controls shall be implemented to prevent unauthorized access to IOM ICT
resources and electronic records, and also to make sure that authorized access is possible.
Authorized users will have a unique identification name (user account) and password allowing
access to IOM ICT resources and electronic records, which shall be the primary credentials
used to manage access to IOM ICT resources and electronic records.

1.6 Information Privacy and Personal Data


In compliance with Section 2.1, IOM will respect the confidentiality of the information and
data it holds, and acknowledges the rights of all users to information privacy. All users are
responsible for respecting the privacy and dignity of individuals, and the collection and
processing of personal data should be carried out in accordance with the IOM Standards of Conduct
(IN/15), the IOM Data Protection Principles (IN/138) and other relevant IOM policies, regulations
and rules governing data protection, confidentiality and information privacy.

1.6.1 Personal data of IOM staff members and job candidates


Any request to collect personal data of IOM staff members and job candidates must be
approved in advance by HRM, who will coordinate with LEG and ICT Divisions as required.
The Directors/Chiefs/Heads requesting to collect such personal data should specify the
following information in writing: (a) user intending to collect the personal data (internal or
external user), (b) specified business purpose, (c) the concerned IOM staff members and/or
job candidates, (d) type of personal data to be collected, (e) categories of data required to
meet the specified purpose, (f) archiving period, and (g) date of deletion and its modalities.

1.6.2 Personal data of project beneficiaries


The relevant service area/regional thematic specialist must endorse the project document
covering the collection and processing of personal data of project beneficiaries, and the
contract/agreement must be reviewed and approved by LEG or the Directors/Chiefs/Heads,
as appropriate (refer to Delegation of Authority for Concluding Contracts and Agreements,
IN/99). All users must ensure that the personal data of project beneficiaries is collected,
received, used, transferred and stored in accordance with the IOM Data Protection Principles
(IN/138).

1.6.3 Data protection and privacy statement


As required, an IOM Data Protection and Privacy Statement will be displayed with the terms
and conditions governing usage of ICT systems and applications that are used to collect,
process, transfer, and store personal data for IOM business purposes. The use of such
systems and applications by authorized users will confirm the user’s agreement to its terms
and conditions.

1.6.4 Destruction of data


When ICT systems, equipment and portable devices are disposed of, or re-assigned to a
different user, the responsible ICT Staff must ensure that previous personal and IOM data
stored on the system or device is destroyed, and that it cannot be retrieved by the new user
who is not authorized to access such information. Refer to Section 14 in this document.

1.7 Exceptions to information privacy
In compliance with Section 2.1, IOM shall take reasonable steps to respect the right to
information privacy. However, IOM reserves the right to make exceptions if competing interests
of the Organization override a user’s right to information privacy. Such organizational interests
should be justified and proportionate to, or appropriately balanced with, a user’s right to
information privacy. Requests for access to IOM ICT resources for such purposes are
hereinafter called “third party” access requests.

1.7.1 Third party Access Requests


A third-party access request to access a specific user account, e-mail account, personal data
and/or other electronic documents or communications stored in IOM ICT resources, without
the consent of the user, must be duly authorized by the Director General, who may delegate
the matter to the Chief of Staff.
Third party access requests shall only be granted for a limited period of time and for the justified
and compelling reason(s) restricted to:
(a) Access requests for operational needs: Such requests will only be assessed when the user
is unavailable or absent for a prolonged time. The user must be contacted for prior written
authorization, which must be granted solely for work-related requirements that cannot await
the user’s return. If the user denies consent unreasonably, the Director General reserves the
right to authorize such access if it is necessary, justified for a specific operational need, and in
the interests of the Organization. In such event, IOM will notify the concerned user of the
access request and authorization granted.
(b) Alleged misconduct or other alleged violation of IOM policies, regulations and rules: All
users should be aware that third party access for the purpose of fact-finding, for alleged
misconduct or other alleged violation of IOM policies, regulations and rules can occur. In such
event, IOM will notify the concerned user, unless it suspects that the user may destroy
evidence supporting the alleged misconduct or violation.

1.7.2 Third party Access request procedure


Third party access requests will be assessed with the utmost care to ensure that the interests
of the Organization are balanced with the right to information privacy.
An access request must be submitted in advance of such access, for written approval by the
Director General through the Chief of Staff, or the Chief of Staff directly as the delegated
authority. The purpose of the particular access request must be clearly stated with justification
in the prescribed form (Refer to ‘Third party Access Request Form’, Annex B).
The process for access request is as follows:
a. The access request form must include the following information: (a) specified purpose
and justification of the request, (b) details of the concerned user, (c) a clear description
of the nature of the information needed, (e) access period, (f) details of the individuals
requiring access, and (g) designated IOM staff member appointed to monitor the
access process;
b. All individuals requiring access and the designated IOM staff member must sign the
access request form confirming confidentiality of any information and data, including
personal data, which comes into their knowledge or possession during the access
process;
c. Upon receipt of full justification, and if in the interest of the Organization, the Director
General may authorize access for the specified purpose and approve the access
request;
d. Once approved, access shall be limited to specific categories of information that are
necessary to meet the specified purpose of the access request;
e. The authorized individuals and the designated IOM staff member directly approved by
the Director General must exercise discretion and respect the privacy and dignity of the
concerned user;

f. The designated IOM staff member shall monitor the access process to ensure that only
the necessary information and/or data copied to a separate media is made available to
those authorized and associated with the specified purpose;
g. Where access to a user account is granted, the user will be informed about such
access, unless specifically instructed to the contrary by the Director General.
Only information directly related to the specified purpose that necessitated the access request
should be disclosed, subject to the obligation to report any irregular practices, wrongdoing or
misconduct (Refer to Policy on Reporting Irregular Practices, Wrongdoing and Misconduct,
IN/142). The ICT Division will keep a record of access requests.

1.8 Blocking or Restricting User’s Access


IOM reserves the right to block or restrict a user’s access to IOM ICT resources for justified
and compelling reasons, including the prevention of any activities prohibited under this
Instruction.
The Director ICT / Chief Information Officer (CIO) is authorized to block or restrict access of a
particular user as appropriate, after the approval of the Chief of Staff who shall coordinate with
HRM/LEG/OIG as applicable. In such event, IOM will notify the user prior to blocking or
restricting access. However, no prior notification is required if it is suspected that the user may
destroy evidence supporting an alleged misconduct or violation of IOM policies, regulations and
rules.
Blocking or restricting of the user’s access may be temporary and can be lifted upon written
authorization by the Chief of Staff, after IOM takes appropriate action, or earlier if deemed
appropriate by the Chief of Staff.

1.9 Access Requests by external users to IOM ICT Resources


Access requests by service providers and other external users will only be allowed for specified
purposes and in accordance with relevant IOM policies, regulations and rules governing data
protection, confidentiality and information privacy.
External users seeking access to or requesting disclosure of any confidential information and
data must submit a written request to IOM with justification. The access request must include
the specified purpose, type and categories of information and data needed, and the safeguards
to be taken to protect the information and data.
Access and disclosure to external users will be limited to non-personal statistical information
and data. Any request that includes access to and disclosure of personal data will require the
explicit consent of the individual concerned, and should comply with Section 1.6 (Information
Privacy and Personal Data) of this document.
A data sharing / Non-Disclosure agreement approved by LEG shall be signed by the recipient
prior to IOM disclosing any information and data to external entities. After the specific purpose
is fulfilled, and upon termination of their service or mandate, the provided access must be
immediately discontinued.

1.10 Protecting the confidentiality, Integrity and availability of ICT resources


The ICT Division will implement appropriate security measures to maintain the technical
integrity and proper performance of IOM ICT resources.
Users of ICT systems and electronic records must not engage in any activities that disrupt the
correct operation of IOM ICT resources or that could potentially cause data loss or
unauthorized disclosure.
ICT staff must not use their skills and knowledge to circumvent access controls and security
measures.

ICT staff who are granted privileged access rights must sign a standard IOM ICT confidentiality
agreement (Refer to ‘ICT Confidentiality and Conflict of Interest Agreement’, Annex A) because
they may have special privileged access to user accounts, e-mail accounts, personal data
and/or other electronic documents or communications stored in IOM ICT resources. Failure to
sign the agreement will not relieve the ICT staff of their obligations under this Instruction.

1.11 Monitoring of ICT Resources


The ICT Division will perform regular technical monitoring of ICT resources to ensure system
health, performance and compliance with ICT Standards and Policies. This includes
troubleshooting, technical diagnostics and statistical analysis, performance tuning and
compiling aggregated data to monitor acceptable use of IOM ICT resources.

Section 02 - ICT resources Policy
Version 2.0
Last updated on October 2017

All IOM ICT resources must be used for the organizational purpose for which they are intended.
The Organization’s ICT Policies establish guidelines and general principles for initiating,
implementing, maintaining and improving ICT service support management in the
Organization, and help build confidence in ICT-related inter-organizational activities and
processes.
The ICT Division will conform to sound management processes and adhere to industry
standards and best practices, specifically aimed at managing ICT services and providing
effective and timely delivery of information technology services to the entire Organization.
The ICT Service Management processes of IOM will adhere to and incorporate best practices
from International Standards such as ISO/IEC 20000 for IT Service Management, the
“Information Technology Infrastructure Library” (ITIL), and the PRINCE2 Project Management
Method.

2.1 Ownership
IOM shall retain ownership of all ICT resources assigned to users throughout the Organization.
All information and data created, stored and/or processed for IOM business purposes shall be
owned by IOM and intellectual property rights of all ICT applications and systems developed
by users during the scope of their contract of employment or service shall vest in IOM.

2.2 Roles and Responsibilities


ICT Division: The ICT Division is the system custodian of all strategic, corporate and global
ICT systems and applications. The ICT Division is also responsible for managing the design,
development, deployment and maintenance of all ICT applications and systems throughout
the Organization.
IOM Departments: The Departments are responsible for collaborating with the ICT Division, in
particular, when new ICT applications and systems are developed to ensure that such systems
meet relevant ICT standards, integration requirements and operational standards.
IOM Field Offices, Regional Offices and Administrative Centers: Field offices, Regional Offices
and Administrative Centers are responsible for local ICT resources and are the custodians of
local systems.
Users: The users are the custodians of IOM ICT resources assigned to them by IOM. For
information security reasons, users should not leave their workstation unattended and logged
on. Computers and laptops must always be shut down, logged off or password-protected with a
screensaver (automatic after 5 minutes) before users walk away from their workstations. Other
portable devices should be protected with a PIN or security code.

2.3 Infrastructure and Services Planning


IOM Organizational Units must undertake Infrastructure and Services planning at least once a
year, to ensure that current and forecasted ICT needs are covered accordingly.
IN/88 ICT Standards and Guidelines (refer to Section 1.4 ICT Purchases) provides guidance
for procurement of hardware and software, ICT inventory management and asset
decommissioning in line with organizational regulations.

Section 03 - Acceptable Use Policy
Version 2.0
Last updated on October 2017

IOM ICT resources are strategic assets of the Organization and are made available for users
to fulfill their responsibilities related to IOM business purposes. Use of ICT resources shall in
all cases be in accordance with the provisions set out in this policy.
By using the Organization’s ICT resources, each user agrees to comply with this policy and
other applicable ICT standards and policies, as well as applicable country laws and
regulations.

3.1 Appropriate Use


Efficient and appropriate use of IOM ICT resources is necessary to ensure that these resources
are used optimally for the organizational purposes for which they were intended, and in a way
that does not interfere with an individual’s right to information privacy.
All users shall only access, retain or distribute information and data belonging to the
Organization in accordance with all applicable policies, regulations, rules and
directives/guidelines.

3.2 Limited Personal Use


IOM ICT resources must be used for the purpose of the assigned duties of the user and only
to the extent to which they are authorized to use it. Limited personal use of ICT resources is
permitted, provided such use:
a. Does not interfere with the duties and responsibilities of the user or other users;
b. Does not interfere with the normal operation of the ICT resources;
c. Will not adversely affect the performance of the ICT resources or give rise to undue
expense to the Organization;
d. Is consistent with the IOM Standards of Conduct (IN/15);
e. Is not in breach of the IOM Staff Regulations and Rules;
f. Is not in breach of the ICT Policies and Guidelines or other IOM policies, regulations
and rules;
g. Is performed with due diligence and care and with the reasonable expectation that it
would not compromise the interests or the reputation of the Organization.
Personal use of IOM ICT resources is not a right, but only a privilege, and may be modified or
withdrawn at any time depending on the needs of the Organization.
There is no guarantee of privacy of personal data during such usage. Users should be aware
that when using IOM ICT resources, including for processing or storing personal data, it will be
at the user’s own responsibility and risk.
IOM shall not be responsible for any loss, including inadvertent access to such personal
records. In any event, it is the user’s sole responsibility to ensure backup of their personal
records, including personal data.
For third-party access to ICT resources and to user’s personal records, including personal data
in ICT resources, Sections 1.6 and 1.6.1 of this Instruction apply.

3.3 Prohibited Use


Users must not utilize IOM ICT resources for any purpose that conflicts with the interests or
reputation of the Organization. Unauthorized access and use of IOM ICT resources is
prohibited, as is any intrusion or use that constitutes illegal activity. Other prohibited activities
include, but are not limited to:

a. Activities that maliciously interfere with the ability of other users to access or use IOM
ICT resources;
b. Disclosing or transferring IOM information and data intended for use only within the
Organization, including confidential information and personal data of IOM staff
members, beneficiaries, vendors and partners;
c. Circumventing a computer system’s access controls and using privileged access to
assist unauthorized persons to access IOM ICT resources and the information and data
stored therein;
d. Intentionally destroying or damaging IOM ICT resources and deleting, suppressing,
modifying or tampering with IOM ICT resources and IOM information and data, without
the required authorization;
e. Disabling a computer system’s security protection settings, including Anti-Virus and
browser controls for malicious purposes;
f. Establishing, without approval, connections to blocked Internet sites, third party or peer-
to-peer file sharing, or publishing unapproved Internet web pages;
g. Deriving any direct or indirect benefit or using IOM ICT resources, including computer
systems, facilities or products for personal and/or third-party gain;
h. Installing or using computer systems, hardware and software not licensed by IOM, nor
approved by the ICT Division or using/copying software or files in a manner inconsistent
with applicable license agreements or intellectual property rights. This prohibition
includes the storage or sharing of audio or video files (i.e. MP3, WMA, MP4, AVI, etc.)
that are not required for IOM business purposes;
i. Participating in “chain messages”, chats, file sharing or other activities where the
content or audience does not support the goals and objectives of IOM;
j. Accessing, viewing, storing, or transmitting sexually explicit images, text, cartoons,
jokes, or any other form of sexually explicit material, or failing to immediately delete
such material upon receipt;
k. Using IOM ICT resources for purposes inconsistent with IOM’s values, such as, threats
or intimidation, discrimination or hate speech, trafficking in firearms or illegal drugs,
violence, games or gambling;
l. Use ICT resources to attempt to, or assist other users to, commit any of the activities
prohibited under this Instruction or engage in any activities that violate the IOM
Standards of Conduct, IOM Staff Regulations and other IOM policies, regulations and
rules.

Section 04 - Account and Password Management Policy
Version 2.0
Last updated on October 2017

This Policy defines the modalities for user account creation, management, transfer and
closure; and establishes the rules for password management. It aims to protect the
authenticity, integrity and confidentiality of user accounts and consequently minimize the risk
of unauthorized access and disruption to IOM’s ICT systems and services.

4.1 Account Management


All users who require access to the IOM network, systems and data for their assigned duties must
be authorized to do so in advance. Once authorization is granted by the relevant supervisor, ICT
Staff will create a unique user account and credentials to provide that access.

4.1.1 Authorized access


Internal users
IOM Staff Members will have the following IOM network services made available for use:
• User Folder with a recommended maximum limit of 5 GB;
• Necessary permissions to shared and department Folders, as applicable;
• Access to IOM e-mail, IOM Intranet and Internet;
Upon request, they may also be granted access to the following services:
• VPN access to e-mail and network resources;
• Access to IOM Corporate Applications (e.g. PRISM, MiMOSA, iGATOR, etc.) as
required, subject to prior approval by the relevant supervisor for the specific
application-based roles.
Non-Staff Members will only be given access to the specified services requested on the
Account Creation Form (Annex C1), by the hiring supervisor.
IOM staff members on SLWOP will only be granted access to Intranet and IOM e-mail through
Webmail for the duration of their special leave without pay. They will not have access to any
of the other IOM network services, and will be removed from all e-mail distribution lists related
to their previous duties.
External users
Ex-IOM staff members (including retirees) will have no IOM user account and no access to
IOM e-mail, internal network resources and services. They should receive relevant information
from IOM through their personal e-mail accounts.
External users may be granted user accounts for the duration of their duty, contract or service
agreement with IOM for work-related purposes, with prior approval from the Director ICT / Chief
Information Officer (CIO) or the Senior Information Security Officer (SISO) as the delegated
staff. Access will be strictly limited to the approved IOM ICT resources only, and remote
access will not be granted by default. All external users must have the necessary written
approval from their relevant IOM supervisor to access any of the IOM network services that
are available to IOM staff members and other authorized individuals working for IOM. Prior to
the creation of user accounts, external users must sign an IOM non-disclosure agreement to
supplement their contract or service provider agreement. Sub-contracted Project Auditors are
not eligible for this type of privileged access nor for direct access to information.

4.1.2 User account creation


The ICT Staff will only create a user account after written authorization is obtained from the
relevant Director/Chief/Head.

As a corollary to the user account, an e-mail account/mailbox and membership(s) to relevant
e-mail distribution list(s) should also be created, whenever necessary (Refer to ‘Account
Creation Form’, Annex C1) as requested in the account creation authorization document.
New user accounts created for external users must have an expiration date corresponding to
the duration of the contract of employment or service, as provided by the requestor of the
account.

4.1.3 Unique user identification


Each user will be assigned a unique user identification (username) created in accordance with
the ICT Standards (IN/88) and the Standard Naming Conventions (IN/22). For IOM staff
members on SLWOP, the user account will be modified with the addition of “(SLWOP)” at the
end of their username. For external users “(EXT)” will be added at the end of the standard
username.
Control of account access will be by the username and a password. All users are responsible
for ensuring that their password is kept confidential and not shared with anyone, not even with
ICT staff. At no time should any user permit another person to gain access to IOM computer
systems through the use of their username and password, unless limited access is authorized
in advance for operational needs.
Service accounts are sometimes created for particular IOM business purposes. The attributes
of such accounts will be set to meet the requirements of the service for which the account is
created. Refer to ICT Standards (IN/88) for additional technical details on service accounts.

4.1.4 User account transfer


Transfer of user accounts is required when users are reassigned from one geographical
location to another. Similarly, when the role of a staff member or other internal user
changes, authorizations and e-mail distribution list memberships will have to be updated to
reflect the new access requirements associated with the changed role.
In order to ensure smooth operations and business continuity, users must notify the relevant
ICT Staff at least 10 working days prior to relocating to a different duty station.
Users with active credentials allowing them access to IOM ICT resources must submit an
Account Transfer Form (refer to ‘Account Transfer Form’, Annex C2) to ensure that their
existing access to the IOM ICT resources is adjusted accordingly. Users should archive their
work-related electronic records and hand over all work-related files to their supervisors (refer
to Guidelines on Handover Notes, IN/75) prior to completing the Account Transfer Form.

4.1.5 User account disabling and deletion


As part of the IOM separation procedures, the supervisor of the outgoing user or an authorized
HR/Admin staff, must submit an Account Deletion Form (Refer to ‘Account Deletion Form’,
Annex C3) to ICT Staff at least 5 working days prior to the expiration of the user’s contract of
employment and service.
User accounts will be disabled as of the date of separation and will be deleted after one month.
Users should archive their work-related electronic records and hand over all relevant
work-related files to their supervisors (refer to Guidelines on Handover Notes, IN/75) and indicate
as such in the Account Deletion Form. By signing the form, users also certify that they did not
retain any information and data, apart from personal documents/files, unless duly authorized
and approved in advance by their Director/Chief/Head as appropriate.
In addition, as part of the user account maintenance and housekeeping procedures, accounts
will be disabled and/or deleted according to the following rules:
a. For any user account that is inactive for 120 days (4 months), the user will receive a
notification from the ICT Division that his/her account will be deleted when unused for
180 days (6 months), unless the user responds within 30 days.

b. To avoid account disabling or deletion, users should ensure utilization of their accounts
within the 4-6 months period.
c. As part of periodic housekeeping tasks, all accounts marked for deletion will be
validated with HRM before deletion. For external users, the relevant IOM supervisor
will be notified.

4.2 Passwords
Passwords are a critical element in protecting access to IOM ICT resources and must be
carefully selected. Users should keep passwords confidential and should not share them with
anyone, not even with ICT Staff. Precautions should be taken against deceptive techniques
used by unauthorized persons who intend to breach access controls. For example, an intruder
may send the user an e-mail (commonly referred to as phishing) from a source that looks
deceptively reliable, asking for user credentials.
Weak passwords may expose IOM to high security risks, including internal and external threats
to IOM network systems, impersonation of users, unauthorized access and use of confidential
information and data, as well as loss or theft of valuable electronic records. Therefore, IOM
requires that users choose a password that is sufficiently complex and difficult for others to
make an educated guess as to what the user has chosen. User passwords will be automatically
forced to meet the standards as specified below.
If a user suspects or believes that another person has, by some means, gained access to
his/her credentials (username or password), the user must report the incident as per section
16 of this Instruction, and immediately change his/her password.

4.2.1 Password display


Passwords will never echo or display in any readable form when they are typed on the screen
of the login device.

4.2.2 Password length


Passwords must be at least seven characters in length. Any attempt to create or change a
password to lower than the prescribed length, will be rejected, and the user will immediately
be prompted to enter a password again.

4.2.3 Password complexity


Complexity requirements make passwords harder for hackers to crack when they try to steal
information and data from valid user accounts. Password complexity is the use of upper-case
and lower-case letters plus numbers or special characters. Passwords may contain the
following characters and should abide by the standards below:
• At least one English upper-case character (A through Z);
• At least one English lower-case character (a through z);
• At least one base 10 digit (0 to 9) or non-alphanumeric character (for example: !, $, #,
%).
If a password is disclosed or compromised in any way, the user must immediately set a new
password.

4.2.4 Password age


Passwords should be changed regularly and will not be allowed to exceed the maximum age
of 180 days (6 months), upon which the user will be given fourteen (14) days advance-notice
to change the current password before it expires.
Exceptions to this rule can only be approved by the Director ICT / Chief Information Officer
(CIO) or the Senior Information Security Officer (SISO) as the delegated staff.

4.2.5 Password history
Users must have used three (3) different passwords before an old password can be used
again. Preventing the continual reuse of old passwords enhances password security.
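The rules in Sections 4.2.2 to 4.2.5 (minimum length, complexity, maximum age with advance notice, and no reuse of the last three passwords) are normally enforced centrally by the directory service, but the following added example shows what a compliant check has to do. It is illustrative code written for this page, not IOM's own code: the document states the rules, not how they are implemented, so the salted PBKDF2 history store, the `PasswordRecord` layout and the `ok`/`warn`/`expired` labels are assumptions.

```python
"""Password rule checks modelled on Sections 4.2.2 to 4.2.5.
Added example, not IOM's own code; storage layout and hashing are assumptions."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import date

MIN_LENGTH = 7            # Section 4.2.2
MAX_AGE_DAYS = 180        # Section 4.2.4
WARN_DAYS = 14            # Section 4.2.4
HISTORY_DEPTH = 3         # Section 4.2.5
PBKDF2_ROUNDS = 100_000   # assumption: the document does not name a hashing scheme


def complexity_errors(password: str) -> list[str]:
    """Return the rules a candidate password violates (empty list = compliant)."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c in string.ascii_uppercase for c in password):
        errors.append("no upper-case letter (A-Z)")
    if not any(c in string.ascii_lowercase for c in password):
        errors.append("no lower-case letter (a-z)")
    if not any(c in string.digits or c in string.punctuation for c in password):
        errors.append("no digit (0-9) or special character")
    return errors


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, so the history never stores reusable plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def age_status(age_days: int) -> str:
    """Classify a password by age: 'expired' at 180 days, 'warn' in the 14 days before."""
    if age_days >= MAX_AGE_DAYS:
        return "expired"
    if age_days >= MAX_AGE_DAYS - WARN_DAYS:
        return "warn"
    return "ok"


@dataclass
class PasswordRecord:
    """Per-user state: when the current password was set and the last
    HISTORY_DEPTH (salt, hash) pairs, newest last (the current password
    is always the last entry)."""
    set_on: date | None = None
    history: list[tuple[bytes, bytes]] = field(default_factory=list)

    def matches_recent(self, candidate: str) -> bool:
        # Constant-time comparison against every retained hash.
        return any(
            hmac.compare_digest(hash_password(candidate, salt), digest)
            for salt, digest in self.history
        )

    def days_old(self, today: date | None = None) -> int:
        today = today or date.today()
        return 0 if self.set_on is None else (today - self.set_on).days


def change_password(record: PasswordRecord, new_password: str,
                    today: date | None = None) -> list[str]:
    """Try to set a new password; return the reasons it was rejected
    (an empty list means the change was applied and the history trimmed)."""
    errors = complexity_errors(new_password)
    if record.matches_recent(new_password):
        errors.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    salt = os.urandom(16)
    record.history.append((salt, hash_password(new_password, salt)))
    del record.history[:-HISTORY_DEPTH]   # forget anything older than the last three
    record.set_on = today or date.today()
    return []


if __name__ == "__main__":
    rec = PasswordRecord()
    for pw in ("Passw0rd1", "Passw0rd2", "Passw0rd3", "Passw0rd1"):
        print(pw, "->", change_password(rec, pw) or "accepted")
    print("age 170 days ->", age_status(170))
```

Two design points are worth noting. The history holds salted hashes rather than the old passwords themselves, so a leaked history file does not hand over three working credentials; and the comparison uses `hmac.compare_digest` so that a timing difference cannot reveal how much of a hash matched. The age check is separate from the change routine because in practice it runs at log-on time, where the 14-day warning is shown.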

4.2.6 Account lockout threshold


Accounts will be locked after six (6) invalid log-on attempts. If locked out, the user will have
to wait 30 minutes before being able to log on again. Alternatively, the user can immediately
request assistance from the relevant ICT Staff or from ICT Global User Support
(support-ict@iom.int) to unlock the user account. This security setting aims to protect
passwords from brute-force attacks by hackers, who use exhaustive search methods to break
access codes in an attempt to steal users' identity information and gain unauthorized access
to IOM ICT resources and the IOM network system.
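The lockout rule above (six invalid attempts, 30-minute lock, earlier unlock by ICT Staff) is a small state machine, and the following added example implements it together with the audit trail an operations team needs to spot accounts that are locked out repeatedly. This is illustrative code written for this page, not IOM's own code; the in-memory dictionaries, the use of plain epoch seconds for time, and the `repeat_offenders` review helper are assumptions.

```python
"""Account lockout tracker modelled on Section 4.2.6.
Added example, not IOM's own code; data structures and timekeeping are assumptions."""
from __future__ import annotations

from collections import defaultdict

LOCKOUT_THRESHOLD = 6        # invalid attempts before the account locks (Section 4.2.6)
LOCKOUT_SECONDS = 30 * 60    # lock duration (Section 4.2.6)


class LockoutTracker:
    def __init__(self) -> None:
        self._failures: dict[str, int] = defaultdict(int)   # consecutive failures per user
        self._locked_until: dict[str, float] = {}            # username -> epoch seconds
        self.lockouts: list[tuple[str, float]] = []          # audit trail of (user, time)

    def is_locked(self, username: str, now: float) -> bool:
        until = self._locked_until.get(username)
        if until is None:
            return False
        if now >= until:
            # 30 minutes have passed: the lock expires and the counter restarts.
            self._clear(username)
            return False
        return True

    def record_attempt(self, username: str, credentials_ok: bool, now: float) -> str:
        """Apply one log-on attempt and return 'ok', 'failed' or 'locked'.

        The credential check itself is done by the caller. A locked account is
        refused even when the credentials are correct, so the verdict gives no
        confirmation of a guess while the lock is in force."""
        if self.is_locked(username, now):
            return "locked"
        if credentials_ok:
            self._clear(username)          # a successful log-on resets the counter
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= LOCKOUT_THRESHOLD:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self.lockouts.append((username, now))
            return "locked"
        return "failed"

    def admin_unlock(self, username: str) -> None:
        """Manual unlock by ICT Staff or ICT Global User Support."""
        self._clear(username)

    def repeat_offenders(self, min_lockouts: int = 2) -> dict[str, int]:
        """Usernames locked out at least min_lockouts times: candidates for
        review under the incident-reporting rule in Section 16."""
        counts: dict[str, int] = defaultdict(int)
        for user, _ in self.lockouts:
            counts[user] += 1
        return {u: n for u, n in counts.items() if n >= min_lockouts}

    def _clear(self, username: str) -> None:
        self._failures.pop(username, None)
        self._locked_until.pop(username, None)


if __name__ == "__main__":
    tracker = LockoutTracker()
    for attempt in range(1, 8):
        print(attempt, tracker.record_attempt("jdoe", False, now=1000.0))
    print("after 30 min:", tracker.record_attempt("jdoe", True, now=1000.0 + 30 * 60))
    print("lockout audit trail:", tracker.lockouts)
```

The `lockouts` list is the part that matters for detection: a single lockout is usually a forgotten password, but the same account locking out several times in a day, or many accounts locking out at once, is the pattern worth reporting under Section 16.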

Section 05 - Mobile and Remote Access Policy
Version 2.0
Last updated on October 2017

IOM recognizes the need for users to connect to, and access IOM network and systems while
out of the office to meet IOM’s business needs. This policy provides guidelines for such remote
access, and also describes the security controls that are necessary to minimize information
security risks affecting the IOM network system when using laptops and/or other portable
equipment for remote access. It also complements the IOM Policy on Home-Based Work
(IN/146) and IN/76 Mobile devices (phones, tablets) usage guidelines for Field and
Headquarters.

5.1 Workstations provided for Remote Access


For the purpose of business continuity or IT Security reasons, IOM may grant users remote
access to IOM network and systems. Other than the laptops and/or other portable equipment
provided for official business, the ICT Division will not provide a desktop for home-based work,
nor will it provide or pay for the user’s external connection to the IOM network system from
outside office locations, unless otherwise agreed. Any software to be installed on the user’s
private desktop, laptop and other portable equipment will be at the user’s own cost, unless
otherwise agreed.

5.2 Services and Support for Remote Access


Remote access users should not expect the same level of functionality or access to all the IOM
network services that they would normally have inside IOM premises, and will only be
authorized to use the IOM network services that they specifically need to access remotely. ICT
Staff will provide basic support for remote users especially in the case of Home-Based Work
(refer to IN/146) on a best-effort basis.
Users of laptops supplied by IOM will be provided access to the IOM network via web-based
secure services (webmail or Outlook Web Access, OWA) or via a secure protocol (VPN).
Users connecting from their personal computers (desktop, laptop) will only be allowed to
connect via OWA.

Connection of portable devices must comply with the guidelines outlined in the Mobile devices
(phones, tablets) usage guidelines for Field and Headquarters (IN/76).

5.3 IOM Laptops and/or Other Portable Equipment

5.3.1 Usage
Off-site computer usage, whether at home or at another nominated location, is restricted to
IOM business purposes and subject to compliance with this Instruction. Such equipment must
only be used as authorized and should not be used by other individuals such as family or
friends.

5.3.2 Physical security


Laptops and/or other portable equipment such as mobile devices (phones/tablets) are
essential business tools. However, their portability makes them particularly vulnerable to
physical damage, loss or theft. The impact of IT security breaches on such equipment, includes
not just their replacement value, but also the value of IOM information and data stored on them
or accessible through them.
Users are responsible for ensuring that laptops and/or other portable equipment are kept
secure and in their possession at all times, wherever they are located (outside or inside IOM
premises).

5.3.3 Information security and appropriate use
Portable devices should not be used to store confidential or secret information and personal
data of project beneficiaries, unless unavoidable. In such cases, when a user keeps
confidential or secret information and personal data on a portable device, the device
and/or the important files contained in it should be encrypted and password-protected to avoid
unauthorized access if the device is lost or stolen.
Users must obtain approval from the ICT Division prior to using any unsupported devices to
connect to IOM ICT services (Refer to ICT Standards IN/88 and IN/76). All personal electronic
devices on which IOM data are likely to be stored must be approved by the ICT Division and
must be password or PIN protected. For cases of authorized utilization of unsupported devices,
the user has the responsibility for maintaining the confidentiality, security and integrity of IOM
data and network, and not to expose it to undue risks, which in the case of unsupported devices
can be high.
All incidents of loss or theft of any portable devices should be reported as per section 16 of
this Instruction.

5.3.4 Malware protection for workstations (desktop/laptop)


Any workstation (desktop/laptop) supplied by IOM to access IOM network and systems, must
be secured with the latest operating system security patches, and must have adequate
protection against malicious software. The ICT Division may run checks against remotely
connected workstations and will disconnect any inadequately secured or unprotected devices.
Users should ensure that the following conditions are met:
a. The anti-virus software must be up to date at all times. The simplest way of doing this
is to log on to the IOM network and allow the automatic update process to run. Users
unable to connect regularly to the IOM network should contact ICT Global User
Support (support-ict@iom.int) for alternative ways to obtain the necessary software
updates;
b. Users should virus-scan any files or attachments downloaded from the Internet or from
other sources such as CD/DVD-ROMs, USB hard disks and memory sticks, network
files, and e-mail attachments or files received from unknown sources;
c. Users should be especially careful to virus-scan files they create to be sent out; this
includes e-mail attachments and data on other media (CD/DVD, USB devices,
etc.);
d. Users should not upload or save files or data to the IOM network if it is suspected that
their computers might be infected with a virus or malware;
e. Virus-scans on workstations are configured to happen automatically, but users are
encouraged to initiate manual scans.
Any suspected virus, malware infection or threat should be reported as per Section 16 of this
Instruction.

5.3.5 Backups
Users should ensure that their work-related data is backed up regularly. To ensure this,
they should store the data on their designated network drives (or make daily/weekly copies to
network drives if the data is stored on the workstation’s local drive), which are backed up by
ICT daily in compliance with IN/88 ICT Standards and Guidelines.

5.3.6 Software installations


Users of IOM ICT equipment should comply with the necessary safeguards for software
installation as per this Instruction. In particular, users should not download, install or use
unauthorized software on their workstations. The installation of unauthorized remote access
software is not permitted. Please refer to IN/88 ICT Standards and Guidelines for the
organizational tools for this purpose, and the list of approved software titles.

Section 06 – E-mail Policy
Version 2.0
Last updated on October 2017

Electronic mail (E-mail) has become a vital, effective and efficient tool for business
communications. However, when inadequately used, it can become a considerable waste of
resources. Like any business transaction, e-mail in the organizational context should be
treated as a professional and formal method of correspondence. All messages sent by users
through the organizational e-mail system are official IOM documents, unless clearly marked
as private. This policy provides guidelines for the proper use of e-mail.

6.1 Mailbox Creation and Deletion


Upon authorization of the Account Creation Form (refer to Section 4 - Account and Password
Management Policy), each authorized user will be assigned an e-mail address with an
associated mailbox in the IOM messaging system.
Users leaving the Organization, upon completing the Account Deletion Form, will have their
mailbox deleted according to the user account deletion rules defined in Section 4.1.5 of the
Account and Password Management Policy. Users in the process of separation from the
Organization should complete the necessary forms prior to departure, to ensure proper
archiving and handover of all official data in their mailboxes and workstations (refer to section
4.1.6, and IN/75 Guidelines on Handover Notes issued by HRM).
Mailboxes are assigned to individuals. In some instances, shared mailboxes will be created for
cases like Department mailboxes, which will have access permissions for more than one user.

6.2 E-mail Distribution Lists


Global and local e-mail distribution lists are created by ICT Staff upon request, in compliance
with IN/22 Standard Naming Conventions. Distribution list owners will be responsible for the
membership maintenance of distribution lists.
A user may only be included in an e-mail distribution list upon request and approval of the
distribution list owner. Users that are transferred to other functions or locations must be
removed from e-mail distribution lists no longer relevant to their new duties or location.

ICT will regularly monitor e-mail distribution lists that are not active and proceed with deletion
after 6 months of inactivity.

6.3 E-mail Security and Authenticity


The authenticity of e-mail accounts should be preserved and users should apply strict access
controls because they are responsible for all e-mails sent from their e-mail account. E-mail
correspondence should be limited to recipients who are carefully chosen and confidential
indicators, codes, or encryption tools should be used to protect the transmission of secret and
confidential information, as well as personal data of project beneficiaries.
Users must not use another user’s unattended computer to send e-mails or find any other
method of sending a message that does not clearly identify the individual as the sender. Certain
users may be granted permission to send e-mails on behalf of other users, but such e-mails
should be clearly identified as being sent by the individual and must be signed on behalf of the
account holder. When sending messages from shared mailboxes, users must always identify
themselves.

6.4 Virus and Spam Protection


It is the policy of the Organization to scan all incoming e-mails for viruses. Messages containing
any form of malicious software will be deleted from the system automatically, without
notification to the sender or intended recipient.
As a precaution, the ICT Division runs an Anti-SPAM engine with specified blocking rules in
order to avoid SPAM. Suspicious e-mails are blocked and a notification is sent to the user, who
can release the message if it is believed to originate from a reliable source. Nonetheless, the
Anti-SPAM engine may not capture all SPAM messages in 100% of the cases. Users should
also be aware that, on rare occasions, a legitimate message may be classified as SPAM. If
known business-related messages are not delivered, users should check their
quarantined messages folder. If the expected message is not there, please contact ICT Global
User Support (support-ict@iom.int).
It is the responsibility of the particular user and the relevant ICT Staff to ensure that proper
security settings are implemented on each workstation (refer to ICT Standards and
Guidelines, IN/88). As with any other type of software that runs over a network system, e-mail
users have the responsibility to follow sound IT security practices. E-mail users must be aware
of the following:
a. Be alert to suspicious messages and refrain from opening e-mails originating from
unfamiliar sources;
b. Attachments can contain viruses and other malware. Users should only open
attachments from known and trusted correspondents or sources. Suspicious
attachments should be reported to ICT Global User Support (support-ict@iom.int).

6.5 Disclaimer
All outgoing IOM e-mails have the following automatic disclaimer:
“This email message is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. If this email has been sent to you by error, please notify
the sender immediately and then delete the email from your system. Any views expressed in
this message are those of the individual sender, except where the sender specifically states
them to be the views of the Organization.”
E-mail users must keep this disclaimer on all IOM outgoing messages to protect the interests
of the Organization.

6.6 Prohibited use of e-mail


E-mail accounts are created for IOM business purposes. The use of IOM e-mail for operating
a personal business or for any undertaking that offers personal gain is unacceptable. Users
must not use e-mail for prohibited activities as outlined in Section 3 of this Instruction.

6.7 Guiding Principles on e-mail use


It is important that users are aware that the Organization’s e-mail is a business communication
tool which should be used in a responsible, effective and lawful manner. Users should keep in
mind the following basic principles when composing and sending e-mails:

6.7.1 Role of e-mail


In principle, e-mail is an electronic communication tool that is used to exchange messages.
Compared to the traditional mail, it is similar to memoranda, letters or documents distributed
to individuals or small groups.

6.7.2 Message content


E-mail messages should be concise and simple. Whenever possible, the message should be
written directly in the e-mail body and not as an attachment. When a need arises to send
personal data of project beneficiaries through e-mail, it should be protected by confidentiality
indicators, codes or encryption in separate attachments (IOM Data Protection Manual MA/88,
Security Principle). Some IOM recipients, particularly in the field missions, encounter major
problems in downloading large messages due to the local telecommunication facilities. Users
should therefore refrain from including superfluous graphical items beyond official IOM
signature blocks when required.

6.7.3 Recipients of e-mail and outgoing messages
E-mail distribution lists should be used selectively and messages should only be addressed to
recipients who have a direct interest in the content of the message. It is required to avoid too
many addresses in the TO list, particularly when actions are requested, because unless
specifically noted in the body of the message, it creates confusion about who should take
action. When replying to a message, the Reply to All should be avoided if it is not necessary
and the address list should be modified to include only those concerned.
For outgoing messages, the subject line of the e-mail should be clear and should relate to the
content of the message. Users should sign the message as the sender, even if it is sent from
a department mailbox or another user account, and the IOM website address should be
included with the signature as required.

6.7.4 E-mail option tools


With Microsoft Outlook, users have a wide variety of optional tools at their disposal, such as
delivery and read receipts, the importance or sensitivity of the message, and the option of
flagging messages (e.g. for review, reply or follow-up). When appropriate, these tools may be
used with caution, especially the “High” importance option, which should be reserved for urgent
messages: if used too often, it will detract from the importance of the message. The
read receipt notification should only be used if required.

6.7.5 E-mail Attachments


E-mail attachments should be opened and sent with care, since viruses use e-mail as a
channel to attack, spread and infect network systems. Users should apply caution even when
receiving messages from known senders. Users should avoid sending “chain messages” with
suspicious attachments and should be aware of e-mail hoaxes.

6.7.6 Cleaning/organizing mailboxes


Users should keep their mailbox organized and delete non-essential messages over 30 days
old. Messages to be retained should be moved to personal folders or archived in electronic
storage areas. Organizing mailboxes regularly will facilitate the management of the information
stored therein. Some of these tasks might be automated by creating rules (see “Rules and
Alerts” option in Outlook’s “Tools” menu).

6.7.7 Mailbox size and messages size


Users should note that mailboxes have a maximum size to allow for an acceptable level of
storage space on IOM messaging servers. For cases where the limit of the mailbox capacity
is reached, the user will not be able to send new messages until the mailbox size is reduced.
In order to avoid congestion of the IOM e-mail system, limits will be defined by ICT for the size
of outgoing and incoming messages. Users should keep the size of messages as small as
possible, and avoid including unnecessary items such as images or icons.

6.7.8 Reducing the size of e-mails


Large messages should be avoided as much as possible. Different techniques can be used to
keep the size of messages with attachments below the limits (compress files with WinZip,
convert documents to PDF format when suitable). Users should consult with their ICT Staff on
appropriate methods for sharing large files, rather than sending them through e-mail.

6.7.9 Handling of secret, confidential and personal data on e-mails


Users should be aware of the risks of sending e-mails that infringe upon data protection,
confidentiality and information privacy rights. The content, e-mail recipients and any possible
implications of an outgoing message should be considered before sending it.

Sensitive information and personal data transmitted via e-mail over the Internet are not safe.
They may be read by unintended recipients, and malicious third parties could potentially
intercept and manipulate e-mail traffic.
Therefore, users should not use e-mail to transfer sensitive information and personal data,
such as credentials (username/passwords), personal data and case-specific details of project
beneficiaries, social security numbers or bank account numbers, without the necessary IT
security safeguards such as encryption. Users should limit e-mail recipients on a need-to-know
basis and, where appropriate, use confidentiality indicators, disclaimers, encryption, codes or
pseudonyms to protect confidentiality during e-mail transmission.
Users should not respond to any request from an unknown sender to disclose any information
and data. Such disclosure requests should be escalated to the ICT Division
(ICTDivision@iom.int) for guidance.

6.7.10 E-mail etiquette


The IOM Staff Regulations and Rules and the IOM Standards of Conduct (IN/15) apply to the
use of e-mail. All e-mails should be professional and courteous.
Users must not create and send e-mails that in any way compromise IOM’s image and
credibility. This includes sending “chain messages”, defamatory notes, harassment, publishing
personal views and opinions, or derogatory and discriminatory comments on race, gender,
religion, national origin, marital status, sexual orientation, age, physical disability or political
convictions.
All users should carefully consider how the recipient might interpret a message before
composing or sending the message. Responses to e-mails should not be emotional and it is
prudent to occasionally save the reply message without sending it, wait a few hours, and read
it again before sending it.

6.7.11 Proper use of e-mail


E-mails should not be used as a publication system. Other tools, such as the IOM Intranet, are
better platforms for publication.
E-mails should not be used to send notifications of office closure or holidays to All Missions;
such notifications should instead be posted on the IOM Intranet.

Section 07 - Internet Usage Policy
Version 2.0
Last updated on October 2017

The internet, which has grown exponentially over the past years, has become an important
tool to support IOM’s work, and facilitates information dissemination. While IOM recognizes
the internet as an indispensable tool in its day-to-day work, it is important to set standards on
its acceptable, proper and efficient use via the IOM network system.
Every user is expected to use the internet in a responsible manner and consistent with the IOM
Staff Regulations and Rules and the IOM Standards of Conduct (IN/15).

7.1 Privacy
The internet is in the public domain. Users should be aware that all information posted on the
internet will be available to the general public, therefore privacy cannot be expected. Users
should also comply with IOM’s Social Media Policy (Section 8 of this Instruction) when using
social media for personal or business purposes.

7.2 National Legislation


In some countries, national legislation imposes various types of limitations or restrictions on
access to the Internet, or renders its access illegal. In the event that national laws prevent
access to the internet, or in case of any doubts relating to the permissible usage of the internet,
users should contact the ICT Division and LEG.

7.3 Acceptable Internet Use via IOM network


Access to the internet via the IOM network system represents an organizational resource and
service that must be treated as such. In this regard, the internet should be predominantly used
for work-related activities and any occasional personal use thereof shall remain limited.
Accessing the internet via the IOM network for personal use is at the user’s own responsibility
and risk, and such access should never take priority over the user’s work.
Users must refrain from using the Internet for the following purposes:
a. Engaging in activities that could bring discredit to the Organization;
b. Pursuing private commercial activities or profit-making ventures;
c. Obtaining or viewing sexually explicit material and other unacceptable material;
d. Engaging in prohibited discriminatory activities or any other prohibited activity as
outlined in relevant sections of the IOM ICT Policies and Guidelines.
Section 3 of this Instruction applies to access or use of the internet, whether personal or for
work.

7.4 Website Disclaimer


Users should not establish or publish IOM websites or internet web pages without the prior
approval of the ICT Division and the Media and Communications Division (MCD). The use of
Disclaimers or Terms and Conditions for organizational or project websites must be approved
by LEG and MCD.

7.5 Copyright and Licenses


Users are responsible for complying with copyright and licenses that apply to software, files,
graphics, documents, messages or other material that can be downloaded or copied from the
internet. Therefore, users should read the relevant copyright and licensing provisions. In case of
copyright or licensing conditions attached to the material, users shall contact the LEG and ICT
Divisions. Moreover, users must be aware of security issues which may be attached to certain
internet files, prior to downloading or copying files from the internet.

7.6 Virus scan
Users are responsible for ensuring that all files downloaded from the internet are scanned for
viruses or malware in order to avoid infecting and damaging IOM’s network system (refer to
Section 6.4. of this Instruction).

7.7 Internet Bandwidth


In the interest of other IOM users and in order to avoid network congestion, users should refrain
from excessively accessing certain services such as:
a. Streaming and accessing multimedia audio or video content such as Internet radio,
news video feeds, or movie trailers without clear IOM business purposes;
b. Push or web casting including active desktops and screen savers or various stock and
news tickers;
c. Social media or similar tools that may consume bandwidth to the extent of adversely
affecting the performance of other corporate applications or systems.

7.8 Internet monitoring and filtering solutions


Monitoring and filtering solutions are implemented to ensure that the Internet is used in a safe
and responsible manner, without exposing IOM internal networks to Internet-borne risks. The
ICT Division will install industry-standard website filtering devices and services at the Internet
gateway of IOM network segments, to ensure that Internet threats to the internal networks are
reduced. These solutions use regularly updated databases of malicious and dangerous
websites, and block them from being accessed to protect IOM users and the IOM network. The
ICT Division shall periodically review and implement changes to its monitoring and filtering
solutions, with relevant updates published through IN/88 ICT Standards and Guidelines.
The ICT Division shall filter or block access to Internet websites and protocols that are deemed
inappropriate for IOM’s corporate environment using the filtering solutions stated above. The
following are some of the protocols and categories of websites that shall be blocked:
a. Advertisements and Pop-Ups;
b. Gambling;
c. Hacking;
d. Illegal drugs;
e. Peer-to-peer file sharing;
f. Dating websites;
g. SPAM, Phishing and Fraud;
h. Spyware;
i. Tasteless and Offensive Content, Violence, Intolerance and Hate Speech.
Users may access blocked sites with special authorization if it is appropriate and necessary
for IOM business purposes. For cases where users need access to a protocol or website that
is blocked by default, they must submit a request, approved by their Director/Chief/Head as
appropriate, for review by the ICT Division. Subject to technical feasibility and an assessment
of possible risks, the ICT Division will either unblock the site or make other suitable provisions
for supporting the requestor’s business needs.

Section 08 - Social Media Policy
Version 2.0
Last updated on October 2017

The continuing evolution of the Internet has profoundly changed the way people communicate
today. This is also increasingly evident in the context of migration. Social media platforms
(such as Facebook, Twitter, Instagram, YouTube, etc.) create a dynamic opportunity for IOM
communications and can add value to IOM’s work.
This policy sets standards on the official use of social media for institutional communications
and outreach purposes, and augments the “Social Media Guidelines” from the Media and
Communications Division (MCD), which can be found on IOM’s Intranet under “Manuals and
Guidelines” (https://intranetportal/Pages/HQ_ICP_MCD.aspx). Users are advised to refer to
the guidelines issued by MCD for appropriate use of social media with IOM official accounts.

8.1 IOM official use of social media


IOM understands that a flexible approach is necessary while using social media for
communications, because social media continues to evolve and it is impossible to anticipate
all circumstances and associated risks. This Instruction thus provides initial basic guidance, is
limited to acceptable use and best practices, and outlines responsibilities for users when using
social media for IOM business purposes.

8.2 Personal use of social media


While this section focuses on the use of social media platforms for IOM business purposes
(using IOM official accounts), it also serves as guidance for personal use of social media (using
private accounts).
When using social media, users need to be particularly mindful that they are expected to
adhere to the IOM Standards of Conduct (IN/15), to exercise integrity, loyalty, independence,
impartiality and comply with organizational regulations.

8.3 Business use of social media


IOM recognizes the valuable contributions that social media can make to advance its
objectives as the leading inter-governmental organization working in the migration field.
Specifically, IOM recognizes the rapidly growing use of social media for fundraising,
awareness raising, advocacy, communications and knowledge sharing.

8.4 Responsibilities
MCD is responsible for all social media accounts that are created or used for IOM official
business purposes. All users should coordinate with and obtain approval from MCD prior to
creating a social media account in the name of IOM. Users should immediately report to the
ICT and MCD Divisions if they encounter an unauthorized IOM website or social media
account on the internet.

8.5 Copyright
All users should always respect copyrights and intellectual property rights while using third-
party content on social media. As a general rule, users should assume that all materials (text,
photos, videos, etc.) obtained from the Internet are copyright protected. The use of any such
materials requires prior written authorization from the copyright owner. Please contact LEG for
clearance should there be any conditions attached to the authorization by the copyright owner.
The copyright of photos and videos taken by internal users, related to the exercise of their
duties, belongs to IOM.

IOM shall assume copyright of all photos and videos taken by external users or other
authorized individuals and entities working for, or on behalf of IOM, unless agreed otherwise
in writing. Users should respect IOM’s copyright of all material posted on or linked to social
media platforms.

8.6 Security and Privacy


Users should be aware that all social media exchanges are effectively public and can be visible
to everyone worldwide. It is possible to use privacy controls to limit access to sensitive
information, but such controls are only a deterrent, and not an absolute protection. Users
should be aware of automatic opt-in features of some social media platforms and should review
the privacy settings on the social media platform prior to creating an account.
Many social media platforms allow some form of control over who can see the information
posted by users. To maintain security and privacy, users should:
a. Not post sensitive, internal and confidential information of the Organization, and when
in doubt, users should contact LEG or the custodian of the information;
b. Not post misleading and offensive material or misrepresent the Organization;
c. Not post personal data of individuals without their prior consent, including that of project
beneficiaries and IOM staff members, such as home addresses, date of birth or other
sensitive personal information and data;
d. Be careful when posting photographs and videos and always ensure that the prior
consent of the individuals portrayed in the images is obtained before posting the
photographs or videos;
e. Be aware of security and safety concerns and never post security sensitive information
such as location, travel itineraries, routes and times of convoys of IOM staff and project
beneficiaries;
f. Make sure to read and follow office-specific security requirements as regards social
media, and when in doubt, users should always check with the Staff Security Unit
(SSU);
g. Where appropriate, implement security measures and review current techniques to
combat viruses, SPAM, hacking and phishing (identity theft);
h. Use applications that allow users to edit their posts, and which offer convenient delete
functions to remove content, and consider whether there are options to use simple tools
for removing social media accounts completely;
i. Where applicable, consider restricting bulk downloads. Always respect copyright laws
and cite sources;
j. Promote strong authentication and access-controls by checking privacy settings
regularly.

Section 09 - Software Policy
Version 2.0
Last updated on October 2017

This policy sets standards regarding software purchasing, licensing and installation on any of
IOM’s computing devices, operated within the IOM network system locally or remotely.

9.1 Software usage


Computer software programs purchased and provided by the Organization are to be used for
creating, researching, and processing IOM-related materials, and other tasks necessary for
performing work-related activities of the user.

9.2 Software Property


All software developed for IOM is, and at all times shall remain, IOM property. Users should
not modify IOM-developed applications without authorization from the ICT Division.

Ownership of all software licenses acquired by IOM shall be governed by the license
agreement between IOM and the vendor concerned. All such software must be used in
compliance with applicable licenses, notices, contracts and agreements.

9.3 Software Purchasing


All software purchasing is centralized within the ICT Division. All software purchase requests
must be submitted to IT Procurement (itprocurement@iom.int) stating the number of required
licenses and the project code to charge the purchase.

It is the responsibility of the Directors/Chiefs/Heads, as well as Project Managers, to
appropriately budget for the required software licenses and ICT components, as stated in the
budget preparation instructions/guidelines issued by the Budget Division.

9.4 Software Standards


The ICT Standards (IN/88) outline information regarding hardware and software configuration
of desktop computers, laptops, printers and servers and the standard suite of software
platforms on which software utilization and development can be undertaken.
Any intended deviation(s) from these standards must first be approved by the Director ICT /
Chief Information Officer (CIO). A request must be sent outlining the reasons and justification
for requesting a deviation.

ICT shall publish a yearly catalog of software applications and solutions, where organizational
business requirements should be covered. Evaluation of software solutions should be
coordinated with the ICT Division and the usage of freeware software is not permitted.

9.5 Software Licensing


It is the responsibility of the Directors/Chiefs/Heads to ensure all the software used and
installed in their relevant IOM Organizational Unit is appropriately licensed as stated in the ICT
Standards (IN/88). Users must not install IOM licensed software on personal workstations
(desktop/laptop), unless a prior written authorization was obtained from the Director ICT / Chief
Information Officer (CIO).
It is the responsibility of the ICT Division to ensure that all software used to support corporate
applications and centralized applications is appropriately licensed and maintained.

Each user is responsible for reading, understanding, and following all applicable licenses,
notices, contracts, and agreements for software that he/she uses or seeks to use.

Users needing help in interpreting the meaning/application of any such licenses, notices,
contracts and agreements may contact the ICT Division for assistance
(ITProcurement@iom.int). Unless otherwise provided in the applicable license, notice,
contract or agreement, any duplication of copyrighted software, except when authorized by the
ICT Division, is not allowed.

Section 10 - Application Systems Development Policy
Version 2.0
Last updated on October 2017

This policy sets standards for the development and maintenance of application systems
throughout the Organization which can be: (a) corporate applications used across the
Organization (such as PRISM, Mimosa, etc.); (b) specific project or office applications, which
are used for particular needs and by a limited number of users, such as an IOM Organizational
Unit.

10.1 Application System development authorization


Application systems development in IOM will be driven by IOM’s business needs. Application
systems users will collaborate with the ICT Division to complete a detailed assessment of the
proposed solution, including functional, technical, risk assessment, qualitative and financial
aspects.
Where Commercial Off-The-Shelf (COTS) applications or cloud solutions are available and
meet the business requirements, ‘buying and deploying’ will be the preferred choice, in
coordination with IT Procurement (ITProcurement@iom.int). Where COTS applications are not
available, the options of in-house development and outsourced development can be explored
and a choice can be made after a comprehensive cost-benefit analysis and a risk assessment
(refer to IN/213, and Section 20 in this Instruction) have been conducted. The ICT Division will
review the resulting analysis and may approve application system development, in-house or
outsourced, as appropriate.
For all cases, due coordination with and approval by the ICT Division is mandatory, to avoid
adversely affecting production environments or existing systems and services.

10.2 System development and implementation


When the decision is to develop an application system, the relevant Director/Chief/Head will
be responsible for ensuring that the following requirements are met:
a. Application systems should be developed with the full and active involvement of
representatives of the requesting IOM organizational unit during the software
development and deployment activities;
b. A clear and accurate statement of the IOM business purpose, project scope, risk plan
and verifiable requirements, should be created for new systems and significant change
activities, prior to development efforts;
c. A project plan, with defined deliverables, must be documented and used to manage
software development or package selection activities;
d. Internally developed applications with a measurable development cost exceeding the
capitalization threshold established by IOM will need to be capitalized in IOM’s
financial accounts. As part of the project planning process, the IOM Organizational Unit
developing the application must coordinate with ICT and ACO on related administrative
requirements;
e. A detailed design should be prepared and maintained that meets the specified business
requirements, identifies interactions with other systems, and satisfies control principles
associated with systems security, data management, and service continuity;
f. Procedures for the thorough testing of the application system must be established,
which will not adversely affect production environments;
g. ICT Division Guidelines for appropriate testing of the application system must be
followed, including necessary test plans, personnel involved in the tests and how the
results will be reported;
h. Only application systems verifiable as authorized, tested, and approved for production,
and having met all other requirements and reviews necessary for commissioning, will
be placed in production;

i. User manuals and technical support documentation must be developed and regularly
maintained;
j. Training should be provided to users of the application systems (end-users), as
coordinated with the relevant ICT Staff or the development team;
k. If purchased, the application system must be installed according to the terms defined
by the conditions of purchase;
l. Access credentials (username/password) built into any application system code
should have the minimum privileges sufficient to perform the function and, where
applicable, all such credentials must be hashed (encrypted);
m. All IOM application systems must have a level of access control and security defined,
depending upon the nature and sensitivity of the information provided. Where
appropriate, encryption and confidentiality indicators/disclaimers should be used to
protect sensitive information and in accordance with Section 17 of this Instruction;
n. All application systems or tools to be purchased by IOM to support business processes,
must be secured by an appropriate support contract with the software manufacturer or
authorized support vendor in close coordination with the ICT Division
(ITProcurement@iom.int);
o. A process must be developed, documented, and implemented to manage application
systems releases and change activities;
p. Procedures must exist to ensure proper version control, distribution, and tracking of
application systems;
q. Previous versions of application systems and supporting documentation describing
changes must be retained by the relevant ICT Staff to meet business and regulatory
requirements;
r. The ICT Division will maintain an inventory of the existing application systems or
Software library, with their characteristics (purpose, responsible ICT Staff, end-users,
etc.).
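One way to meet item (l) in practice, as an added example that is not part of this Instruction or of any IOM system: an application secret is stored and checked as a salted PBKDF2 hash rather than kept in plaintext, and a small pre-deployment check flags configuration values that are still plaintext. The function names, iteration count, hash format and sample configuration are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Constructed parameters for this example (not taken from the Instruction).
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_credential(secret: str, salt: Optional[bytes] = None) -> str:
    """Return a salted PBKDF2-HMAC-SHA256 hash of `secret` in the form
    algorithm$iterations$salt_b64$hash_b64, suitable for storing in a
    configuration file or database instead of the plaintext secret.
    A fixed salt may be passed for reproducible tests; production code
    should let the function draw a fresh random salt."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, ITERATIONS)
    return "$".join([
        ALGORITHM,
        str(ITERATIONS),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_credential(secret: str, stored: str) -> bool:
    """Check a presented secret against a stored hash. The iteration count and
    salt are read from the stored value, so hashes created under an older
    ITERATIONS setting keep verifying; the comparison is constant-time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = stored.split("$")
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
        rounds = int(iterations)
    except (ValueError, TypeError):
        return False  # malformed stored value never verifies
    if algorithm != ALGORITHM:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)


def is_hashed(value: str) -> bool:
    """True when a configuration value is in the stored-hash format above,
    i.e. not a plaintext credential."""
    parts = value.split("$")
    return len(parts) == 4 and parts[0] == ALGORITHM and parts[1].isdigit()


def find_plaintext_credentials(config: dict) -> list:
    """Return the keys of credential-like settings (password/secret/token in the
    key name) whose values are not stored as hashes. Intended as a check run
    before an application configuration is placed in production."""
    credential_words = ("password", "secret", "token")
    return [
        key for key, value in config.items()
        if any(word in key.lower() for word in credential_words)
        and not is_hashed(str(value))
    ]


if __name__ == "__main__":
    # Constructed sample configuration: one secret already hashed, one still plaintext.
    sample_config = {
        "db_host": "db.example.invalid",
        "db_password": "hunter2",
        "api_token": hash_credential("example-token"),
    }
    print("plaintext credentials:", find_plaintext_credentials(sample_config))
    print("verify ok:", verify_credential("example-token", sample_config["api_token"]))
```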

10.3 Application systems retirement


A periodical review of the existing portfolio of IOM Application Systems will be undertaken by
the ICT Division, to determine when an application system is no longer required for an IOM
business function, resulting in the application system’s retirement, through an established
process to ensure adequate data protection and archiving, documentation of lessons learned
and proper project closure.

Section 11 - Physical and Operational Security Policy
Version 2.0
Last updated on October 2017

This policy outlines physical and operational security measures that are needed to protect
IOM’s ICT resources and the information and data stored therein.

11.1 ICT Systems Operation


ICT Staff are trained personnel responsible for documenting ICT operating procedures for all
ICT systems under their responsibility and are responsible for maintaining the systems in
accordance with manufacturers’ instructions and/or standard operating procedures. They
evaluate the risks to system disruptions and take necessary actions to prevent system
disruptions.
All internal ICT systems deployed are assigned to an ICT unit and/or ICT Staff that is
responsible for system administration.
Approved system configuration guides must be established and maintained by the assigned
ICT unit and/or ICT Staff, who is responsible for monitoring and compliance. The assigned ICT
unit and/or ICT Staff may evaluate exceptions where appropriate.
Operating system configuration should be in accordance with the following standards:
1. The most recent security patches must be installed on the system as soon as possible;
2. Servers should be physically located in an access-controlled and secured
environment as per this Instruction;
3. All security-related events in ICT systems must be logged and audit trails must be
saved and retained for an agreed duration. If the relevant ICT unit and/or ICT Staff
becomes aware of any security-related event, it must be reported without delay to the
relevant supervisor, who will advise a suitable course of action;
4. The processing and handling of systems, information and data must ensure
confidentiality, integrity and availability;
5. Patching or updating schedules for servers or application systems must be planned
taking into account inter-dependencies with other systems or operational needs (e.g.
server backups should not run before other processes have completed). Such schedules
must ensure the integrity of data and must take into consideration the business
availability requirements wherever possible;
6. Backups must be performed regularly and retained in accordance with the ICT
standards (IN/88) to ensure appropriate protection of data;
7. All backup media must be protected and securely stored according to the physical and
environmental security guidelines as per IN/88 and this Instruction;
8. Procedures for handling errors in information and data processing should be defined
by the data owners as applicable;
9. Before any system utility is developed, approval must be obtained from the Director
ICT / Chief Information Officer (CIO). All utilities must be registered in the systems
library maintained by the ICT Division;
10. Detailed procedures for system startup, shutdown and recovery after an unexpected
event must be documented and made available by the ICT Division to the relevant ICT
Staff;
11. All servers must automatically lock the logon screen within 5 minutes of inactivity from
keyboard or pointing devices.

11.2 Anti-virus and anti-spyware
The relevant ICT Staff should:
a. Ensure that all servers have an updated anti-virus installed which offers real-time
scanning and protection for files, documents, e-mail attachments, and ICT systems and
applications, compliant with IN/88;
b. Ensure that mailbox servers have either an external or an internal anti-virus scanning
application that scans all e-mail destined to and from the mailbox server;
c. Ensure that all servers have an anti-spyware application installed.

11.3 Change control


IOM must have a change control process through which all changes to the ICT environment
will be logged. All changes will be documented and before being approved, a detailed testing
plan will be completed, with a reliable rollback plan as needed.

11.4 Service Providers


Agreements with service providers may be established to secure services for managing ICT
systems where required and approved. Prior to entering into any contract with service
providers, a detailed risk assessment should be undertaken with the ICT Division (refer to
IN/213, and Section 20 in this Instruction). Prior to signature, the service agreement must have
been approved by LEG as per IN/99. The service agreement must clearly indicate what levels
of services are provided. During the lifetime of the agreement, the performance of the service
provider must be evaluated and reported through channels managing contracts or agreements.
All IT-specific service provider agreements will be adequately covered by relevant
confidentiality and Non-Disclosure agreements.

11.5 Capacity planning


The ICT Division maintains a capacity planning program for all its servers, data storage and
network requirements. Any new application will be assessed based on resource needs and the
requirements will be entered into the capacity plan by the ICT Division.

11.6 Physical and Environmental protection


IOM protects ICT resources from physical tampering, destruction, theft or unauthorized access
by ensuring that effective physical and technological security measures are put in place at
each location. This also complements the Business Continuity Plan (refer to section 12 of this
Instruction).
All ICT resources (in particular computing assets and facilities in Data Centers / Server Rooms)
at Headquarters and in all the missions and field offices, regional offices and administrative
centres worldwide need to be adequately secured from the risks of heat, fire, electrical, and
water damage, commensurate with the level of risk associated with the room.
In some cases such as small field offices, equipment (telecommunication systems, servers,
network routers and switches) may be kept in a secure enclosure to ensure that unauthorized
individuals cannot access the IOM ICT resources and the information and data stored therein.
All Data Centers / Server Rooms must be protected with secure power sockets and redundant
power sources. All backup media must be protected and stored in a secured fire proof vault
outside the Data Centre. IOM, while providing for the physical security of its ICT resources, will
also consider any associated environmental safety and security that needs to be put in place.
Proper fire protection must be provided, ensuring that all power and wire/cable installations
conform to electrical and fire safety standards and regulations, and that all equipment rooms
are duly equipped with portable “waterless” fire extinguishers and have proper fire exits.

11.7 Unauthorized access
Equipment at Data Centers / Server Rooms at Headquarters and in all the missions and field
offices worldwide needs to be adequately secured from unauthorized access. All Data Centers
/ Server Rooms must be protected with electronic access controls and cameras monitored by
security personnel. The physical location/room in an office handling or processing information
and data deemed secret or confidential, or the desk, drawer or cabinet, must be adequately
secured from any unauthorized access.
Access to IOM Data Centers / Server Rooms and data-processing facilities is to be controlled
strictly on a “need to access” basis. Such access may be logged for security reasons.
Third-party access to IOM Data Centers / Server Rooms and data-processing facilities will be
restricted for authorized third-party services and all such access will be logged. Third-party
services will not be allowed such access, unless accompanied by responsible IOM personnel
for the entire duration of such access.

Section 12 – Business Continuity Management Policy
Version 1.0
Last updated on October 2017

The continuity of IOM business processes is essential to the efficient functioning of the
Organization. Each Department/Regional Office/Field Office/Administrative Centre is
responsible for ensuring that business continuity plans are in place to protect their business
processes from any disruption, in accordance with IN/174 Business Continuity Planning (BCP)
Guidelines and in adherence to ISO 22301, the international business continuity standard.
For cases where business processes involve computer systems, procedures must be in place
to ensure that no data is lost and that the systems can be recovered in an acceptable
timeframe.
IOM has a process in place to facilitate business continuity in the event of a significant
disruption to IOM network and systems at Central Hubs (Geneva, Manila, Panama), with
Disaster Recovery procedures that will:
a. Address the implications of a range of disruptions, from extended power outages and
other possible disastrous situations, to small incidents (minor power outages or
virus/malware attacks), which could be significant in terms of disruption and data loss
to the Organization;
b. As part of the overall IOM Business Continuity Plans, define and document the ICT
actions to be taken in the event of a disruption, and define and document ICT plans for
recovery;
c. Identify and categorize, by importance to the business, the business needs for recovery
of all computer systems;
d. Establish the infrastructure to support business continuity and procedures for
periodically reviewing, testing, and updating contingency plans. Such tests of
contingency plans will verify that computing applications can be recovered in the
timeframe required by the business;
e. Ensure procedures and protocols are in place for the management of back-up media,
information and materials required to restore and operate critical computing
environments. Such materials must be stored offsite and be ready for access by
authorized personnel;
f. Define ICT escalation procedures specifying the mobilization and briefing procedures
to be followed in the event of an incident.
The ICT Business Continuity Plan documents the situations in which certain actions will be
taken, the procedures required by the IOM Organizational Unit impacted by the outage, and
the actions ICT will undertake to restore the business systems.
Business Continuity Plans must be tested at least once a year, and reviewed periodically (at
least twice a year) to ensure they reflect updated scenarios.

Section 13 - Management of External Service Providers
Version 2.0
Last updated on October 2017

IOM will require the services of external service providers to supplement resources for short-term, limited-duration projects or for specific tasks. Providing these individuals with access to IOM ICT resources brings with it specific risks that must be mitigated.

13.1 Risk Analysis


Before engaging external service providers or undertaking outsourcing activities, the IT security risks associated with the proposed activity must be subject to a Business Impact Analysis (BIA) carried out by the IOM signatories of the contract to be signed with the third party. Refer to IN/213 and Section 20 in this Instruction.
Directors/Chiefs/Heads have to ensure that the ICT solution proposed by the service provider
is adequate for today’s IOM needs and scalable for the lifetime of the solution.

13.2 Contracts and Service agreements


All external service provider contracts must be done in accordance with relevant IOM
instructions (Refer to IN/73 Guidelines for Difference between Individuals and Service
Providers, and IN/168 IOM Procurement Manual). Managers must verify invoices received
from the external service providers, review and confirm successful performance of the services
rendered prior to making any payment.

13.2.1 Service agreement


All service agreements to be signed with external service providers, as well as outsourcing of
services with such entities, must follow the Delegation of Authority for Concluding Contracts
and Agreements (Refer to IN/99). Where appropriate, the service agreements must be sent to
LEG for review and approval prior to signature.
Besides IOM standard clauses for service agreements, the service agreements should include
clearly defined and measurable outcomes of the work to be provided, procedures to verify
performance, and penalties for non-performance. Service providers must agree to IOM’s right
to request replacement of its employees if IOM believes that the individuals are not performing
their duties in accordance with the service provider contract, or if the individual constitutes a
risk to IOM ICT resources or contravenes this Instruction and any other policy, rules or
procedures of IOM.
External service providers must have a signed Service Agreement to ensure, amongst other things, compliance with the confidentiality provisions contained in it, and must additionally sign a Non-Disclosure Agreement when their duties would entail access to stored IOM information and data.

13.2.2 Non-disclosure agreement


Prior to disclosing any confidential information or data stored in IOM ICT resources to external
service providers, LEG must be contacted for assistance to ensure that all external service
providers comply with the requirement of a service agreement and a Non-disclosure
agreement as applicable. The Non-disclosure agreement will supplement the service
agreement and must be sent to LEG for review and approval.

13.3 Access limitations


Access controls will be implemented by the ICT Division, to ensure that access of external
service providers is restricted to the particular area of work to be undertaken, as approved by
IOM.

13.4 Compliance
Appropriate management and monitoring solutions will be put in place to regularly review the
performance of the external service provider to ensure compliance with this Instruction and
any other policies, rules or procedures of IOM.
Any violation of IOM ICT Policies and Guidelines by external service providers may result in immediate termination of their contract with IOM, without prejudice to any remedy available to IOM in law or in equity.

13.5 Financial and technical viability assessment


The financial and technical viability of any service provider must be evaluated in compliance with the regulations outlined in IN/168 (IOM Procurement Manual), and must be assessed by the ICT Division in conjunction with relevant IOM organizational units, as applicable, on a periodic basis (yearly is recommended) and/or as required, by an independent assessor/evaluator.
Central ICT outsourced services will be subject to a review by the ICT Division periodically.

13.6 Extranet connections


Connections from external service providers that require access to IOM ICT resources fall
under this Instruction. This Instruction does not cover connections to the Internet Service
Providers (ISPs) that provide Internet access for IOM or to the Public Switched Telephone
Network.
All extranet connection requests between external service providers and IOM shall be granted
only when required for the duties specified in the relevant Service Agreement, with a signed
Non-disclosure agreement as applicable.
All extranet connection requests, and any subsequent access changes, must be accompanied
by a valid written justification and approved in advance by the relevant Director/Chief/Head
and submitted to the ICT Division. All access requests will be subject to an IT security review
by the ICT Division. Changes to extranet connections are to be implemented via a corporate
change management process.
When extranet access is no longer required, the relevant IOM Organizational Unit must notify
the ICT Staff responsible for that extranet connection about the required access termination.
The ICT Division must conduct a review on an annual basis to ensure that all existing extranet
connections are still needed and, if so, that the access provided meets the needs of the
requested connection.

Section 14 - Electronic Data Destruction Policy
Version 1.0
Last updated on October 2017

IOM increasingly collects, organizes, disseminates and manages large amounts of data that, according to its category and sensitivity, may need to be retained or archived for a specified time or indefinitely, or may become unnecessary or irrelevant. Some data will need to be destroyed in compliance with prevalent best practices and with the relevant Instructions. For the purpose of this Instruction, data destruction is the process of removing information from media (the material on which information is stored) in such a way that it can no longer be retrieved or read.
In most cases, simply deleting digital records of data will be insufficient to remove the information contained therein; specific methods of disposal need to be used in order to decrease the likelihood of the information being recoverable. Likewise, the specific data destruction method should be based on the underlying classification of the data.
Media sanitization is the process applied to data to make its retrieval unlikely for a given level of effort. Current best practices for data and media sanitization are software-based techniques, laboratory-based techniques and methods that render the media unusable (such as physical destruction).
Before donation or sale of IOM computers or ICT equipment, it is particularly important to
ensure the destruction of all electronic data in them.

14.1 Containers of electronic data for destruction or media sanitization


Data must be securely erased from, but not limited to, the following:
• Network devices (switches, routers, firewalls)
• Workstation (laptop or desktop) hard drives
• Server hard drives
• Hardware appliance storage (e.g. Riverbed appliance, McAfee Web Gateway)
• Smartphones and tablets (Windows Mobile, iOS, Android)
• USB/removable media (e.g. USB drives, Firewire, memory cards/sticks, CD/DVD)
• Magnetic media (tape drives)
• Office equipment (printers, copiers, faxes, multifunction devices)
• Printed materials containing sensitive data (please refer to Section 17 Information Classification Policy). Otherwise known as hard copy media, these are considered a physical representation of information.

14.2 Data destruction initiation


Data must be securely erased from the above-listed containers of electronic data, upon
reaching the data’s lifecycle expiration (in compliance with IN/5 IOM Guidelines and Regulation
on the Disposal of records and documents), and before equipment disposal, sale or donation.
Existing backup procedures should be applied for cases where data would be re-used or
transferred, while enforcing data destruction policies for cases of data containers to be
replaced under warranty, and before any maintenance under service agreements with third
parties.
ICT staff must ensure that equipment for disposal, for donation, for warranty replacement or
external service, does not contain secret or confidential data.

Extreme caution should be exercised before undertaking data destruction procedures. It is an
irreversible process and should only be performed by qualified staff with previous written
authorization from the relevant Director/Chief/Head.

14.3 Sanitization of office equipment (printers, copiers, faxes and multi-function devices)

A reset to factory default settings is mandatory. Some of these devices are equipped with hard drives containing not only configuration parameters, but also log files and possibly historical data. For equipment of this type to be disposed of, the internal hard drives should be sanitized according to the procedures in Section 14.8 of this policy.

14.4 Sanitization of magnetic media (tape drives)


Sanitization of this type of media should be done by software-based overwriting of data, with
overwriting verification enabled.

14.5 Sanitization of network devices/appliances


Network devices and appliances subject to electronic data destruction require as a minimum,
a full manufacturer’s reset to factory default settings.
Some hardware and firmware versions allow purge capabilities, providing a higher level of
assurance, but should be used with caution.

14.6 Data deletion


Information classified as public or for internal use (please refer to Section 17 of this Instruction)
can be cleared by simple deletion methods such as file-erase or drive formatting.
For secret and confidential data, simple deletion of data (erasing files, formatting disk drives)
is not sufficient or effective, and exposes the data to possible undeletion through file recovery
utilities.
Refer to Section 14.8 below for recommended techniques to ensure a secure erase.

14.7 Data deletion on Mobile Phones and Tablets


Organization-owned mobile phones and tablets that will no longer be used, or that are to be disposed of or reassigned, should be reset to factory default status, ensuring that no data remains on the device’s internal memory or external (SD card) memory.
The specific steps depend on the device’s operating system (Windows Mobile, iOS or Android), and the process can be done with ICT Staff assistance.
Factory reset is currently the only method available for data destruction on mobile devices (phones/tablets).

14.8 Data Destruction on hard drives and portable USB removable media
Destruction of electronic data can be achieved through software-based tools that perform
overwriting techniques on the information, making it unrecoverable.
Depending on the device type, some manufacturers offer secure erase, overwrite or sanitization commands and utilities that perform the required sanitization outside of the operating system level.
The usage of organization-approved software and written authorization (according to the
procedures in Section 14.2 of this Instruction) is mandatory.

14.9 Physical destruction of data containers
When physical destruction of a data container is required, environmental and safety factors
must be prioritized, by only using industry-accepted solutions.
Printed materials (considered a representation of information, as per Section 14.1 of this Instruction) containing confidential or secret data, when no longer needed, should be destroyed using crosscut paper shredders, ensuring that the resulting pieces are small enough to render reconstruction impossible. For an additional layer of assurance, material containing information classified as confidential or secret can be shredded mixed with non-sensitive material.
Physical destruction of optical media (CD/DVD) should be done with caution. When resources make it possible and the number of CDs/DVDs is large, optical media shredders should be used. Some crosscut paper shredders have additional capabilities for shredding CDs/DVDs.

Section 15 - Encryption Controls Policy
Version 1.0
Last updated on October 2017

This policy sets standards with regard to encryption and encryption key management required for maintaining the confidentiality and integrity of IOM's data, when data encryption is used as an information protection control. It applies to all devices, physical or virtual, holding IOM data classified as Confidential or Secret.

15.1 Scope
Encryption is defined as a cryptographic process aimed at enhancing the security and protection of electronic data by converting readable information into unintelligible information. As a result, encryption is an effective tool against the threat of unauthorized access to data. However, it is important to highlight that data encryption must never be used alone, but in conjunction with other controls such as access control, authentication and authorization.
Data encryption implementations should be proportional to the classification of the data to be protected (please refer to Section 17 of this Instruction). This policy applies to all IOM ICT systems and networks.
15.2 Requirements
Encryption of data in transit: Any data classified as Confidential or Secret must be transmitted
via encrypted communication channels, even when being transmitted inside IOM’s network.
Data classified as Restricted / Internal use must be transmitted via encrypted communication
while traversing public networks.
Encryption of data at rest: Any data classified as Confidential or Secret, and having a required
need for confidentiality and/or integrity, must be encrypted at rest in systems and/or databases
and/or portable media. When the implementation of encryption at rest or in transit is not
possible, mitigation controls must be put in place. These controls must combine business
practices and technology.
15.3 Encryption Services
Symmetric key algorithms: The following algorithms shall be used for encrypting Confidential
and Secret information.
• Advanced Encryption Standard (AES) (128, 192, or 256 bit)
• Triple-DES Encryption Algorithm (TDEA) (56, 112 or 168 bits)
Asymmetric key algorithms: The following algorithms shall be used for encrypting Confidential
and Secret information.
• Digital Signature Standard (DSS) - Digital Signature Algorithm (DSA) (1024, 2048,
3072 bits)
• RSA (2048 or 3072 bits)
• The Elliptic Curve Digital Signature Standard (ECDSA) (minimum 384 bit)
Secure Hash Standard (SHS): The following algorithms shall be used when hashing operation
is required:
• SHA-1: Should only be accepted when required for legacy systems, but should not be
used for new implementations.
• SHA-2 (SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
• SHA-3 (SHA3-256, SHA3-384, SHA3-512, SHAKE128 and SHAKE256)

15.4 Encryption Key Management
Proper encryption key management is critical to prevent unauthorized disclosure or
irretrievable loss of data.
Cryptographic private or shared keys, cryptographic secrets, and authentication secrets or hashes aimed at protecting data will be classified as Confidential as per Section 17 of this Instruction.
All application owners, where data is being encrypted at rest or in transit, must implement an
encryption key management plan, to ensure data can be decrypted when access is necessary.
Backup or other strategies must be implemented to enable decryption.
The encryption key management plan must address ways for handling the compromise or
suspected compromise of encryption keys, and the destruction or revocation of encryption
keys that are no longer in use.
All symmetric encryption keys used on systems associated with Confidential or Secret data
must be randomly generated according to industry standards.
Where symmetric encryption is used to protect data:
• Master keys shall be changed at least once per year.
• Data encrypting keys shall be changed once per session or every 24 hours.
When asymmetric encryption is used, the operational period of asymmetric keys associated with a public key certificate is defined by the encryption key management plan.
Encryption keys shall be stored within an encrypted key store or an otherwise encrypted form
using approved algorithms; or the keys may be stored on a security token (e.g., a smart card).
The encryption keys shall never leave the device if stored on a security token.
Encryption keys are classified as confidential information, with strict accessibility restrictions.
Owner(s) of data protected via encryption services shall explicitly assign responsibility for the encryption key management used to protect this data. If keys are transmitted electronically, they shall be sent in encrypted form. The exchange of keys should employ encryption with a stronger algorithm than that used to encrypt the data protected by the keys.
Encryption keys that are compromised, lost or stolen constitute a security incident and must be reported immediately to the ICT Division (ICTDivision@iom.int) as outlined in Section 16 of this Instruction. The key shall be revoked or destroyed and a new key generated. Key re-assignments shall require re-encryption of the data.
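As an added example (not part of this Instruction or of any IOM tool), the following Python script encodes the transit rule of 15.2, the algorithm lists of 15.3 and the key-lifetime and storage rules of 15.4 as checks over an application owner's key inventory, the kind of check a key management plan can run on a schedule. The inventory format, the key names and the audit date are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Section 15.3: approved algorithms and key sizes, copied as listed in the Instruction.
# DSA and ECDSA are signature algorithms; the Instruction lists them under asymmetric
# key algorithms, so they are accepted here for the "signing" role only.
SYMMETRIC = {"AES": {128, 192, 256}, "TDEA": {56, 112, 168}}
ASYMMETRIC = {"DSA": {1024, 2048, 3072}, "RSA": {2048, 3072}}
ECDSA_MIN_BITS = 384
HASH_APPROVED = {"SHA-256", "SHA-384", "SHA-512", "SHA-512/224", "SHA-512/256",
                 "SHA3-256", "SHA3-384", "SHA3-512", "SHAKE128", "SHAKE256"}
HASH_LEGACY_ONLY = {"SHA-1"}

# Section 15.4: maximum operational period of symmetric keys and approved storage.
# The "once per session" alternative for data keys is not visible in an inventory,
# so only the 24-hour bound is enforced here.
MAX_AGE = {"master": timedelta(days=365), "data": timedelta(hours=24)}
APPROVED_STORAGE = {"encrypted-store", "token"}


@dataclass(frozen=True)
class KeyRecord:
    """One line of an application's key inventory (constructed format, an assumption)."""
    name: str
    algorithm: str      # "AES", "TDEA", "RSA", "DSA" or "ECDSA"
    bits: int
    role: str           # "master" (key-encrypting), "data" (data-encrypting) or "signing"
    created: datetime   # timezone-aware creation time
    storage: str        # "encrypted-store", "token" or "plaintext"


def transit_encryption_required(classification: str, over_public_network: bool) -> bool:
    """Section 15.2: Confidential/Secret always travel encrypted, even inside IOM's
    network; Restricted / Internal Use only while traversing public networks."""
    if classification in ("Confidential", "Secret"):
        return True
    if classification == "Restricted / Internal Use":
        return over_public_network
    return False


def check_hash(name: str, legacy_system: bool) -> List[str]:
    """Section 15.3 Secure Hash Standard: SHA-1 is tolerated only on legacy systems."""
    if name in HASH_APPROVED:
        return []
    if name in HASH_LEGACY_ONLY:
        return [] if legacy_system else [f"{name} not allowed for new implementations"]
    return [f"{name} is not an approved hash algorithm"]


def check_key(rec: KeyRecord, now: datetime) -> List[str]:
    """Return the policy findings for one key record; an empty list means compliant."""
    findings: List[str] = []
    alg = rec.algorithm.upper()
    if rec.role in MAX_AGE:                      # symmetric master or data key
        sizes = SYMMETRIC.get(alg)
        if sizes is None:
            findings.append(f"{alg} is not an approved symmetric algorithm")
        elif rec.bits not in sizes:
            findings.append(f"{alg}-{rec.bits} is not an approved key size")
        age = now - rec.created
        if age > MAX_AGE[rec.role]:
            findings.append(f"{rec.role} key rotation overdue (age {age})")
    elif rec.role == "signing":
        if alg == "ECDSA":
            if rec.bits < ECDSA_MIN_BITS:
                findings.append(f"ECDSA needs at least {ECDSA_MIN_BITS} bits, got {rec.bits}")
        elif alg not in ASYMMETRIC:
            findings.append(f"{alg} is not an approved asymmetric algorithm")
        elif rec.bits not in ASYMMETRIC[alg]:
            findings.append(f"{alg}-{rec.bits} is not an approved key size")
    else:
        findings.append(f"unknown key role {rec.role!r}")
    if rec.storage not in APPROVED_STORAGE:
        findings.append("key must live in an encrypted key store or on a security token")
    return findings


def check_key_wrapping(master: KeyRecord, data: KeyRecord) -> List[str]:
    """Section 15.4: a key sent electronically is encrypted under a stronger algorithm
    than the one protecting the data. Same-algorithm pairs are compared by key length;
    mixed pairs are flagged for manual review rather than silently accepted."""
    if master.algorithm.upper() != data.algorithm.upper():
        return [f"{master.name}/{data.name}: mixed algorithms, review strength manually"]
    if master.bits <= data.bits:
        return [f"{master.name} ({master.bits}-bit) must be stronger than {data.name} ({data.bits}-bit)"]
    return []


# Constructed inventory of a fictitious application, audited on the Instruction's
# entry-into-force date; none of these keys or names are real IOM assets.
AUDIT_TIME = datetime(2017, 11, 14, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    KeyRecord("kek-2017", "AES", 256, "master", AUDIT_TIME - timedelta(days=200), "token"),
    KeyRecord("dek-current", "AES", 128, "data", AUDIT_TIME - timedelta(hours=3), "encrypted-store"),
    KeyRecord("dek-stale", "AES", 128, "data", AUDIT_TIME - timedelta(hours=30), "encrypted-store"),
    KeyRecord("legacy-kek", "Blowfish", 128, "master", AUDIT_TIME - timedelta(days=400), "plaintext"),
    KeyRecord("api-signing", "ECDSA", 256, "signing", AUDIT_TIME, "token"),
    KeyRecord("tls-signing", "RSA", 3072, "signing", AUDIT_TIME, "encrypted-store"),
]


def audit(inventory: List[KeyRecord], now: datetime) -> Dict[str, List[str]]:
    """Map each key name to its findings so the plan owner can act on them."""
    return {rec.name: check_key(rec, now) for rec in inventory}


if __name__ == "__main__":
    for name, problems in audit(SAMPLE_INVENTORY, AUDIT_TIME).items():
        print(name, "OK" if not problems else "; ".join(problems))
```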

15.5 Certificate Authorities


Encryption keys generated by an IOM Certificate Authority (CA) Server used to control access
to certificates, or used by the CA to perform functions, shall be stored on Hardware Security
Modules (HSM). All HSMs used within IOM shall adhere to recognized standards such as FIPS
140-2.
IOM CAs should account for all CA administrator functions in detail. No single CA administrator shall obtain full access to the complete set of CA encryption keys.

Section 16 - Information Security Incident Management Policy
Version 1.0
Last updated on October 2017

For the purposes of this policy, an observable occurrence in an ICT system at a particular point in time is considered an event. When an adverse event, or the significant threat of an adverse event, entails actual or possible damage to the Organization’s ICT infrastructure or information assets, IOM considers it an information security incident.
Suspected and observed information security incidents must be reported immediately to the
ICT Division (ICTDivision@iom.int), where information regarding security incidents is to be
considered confidential as per Section 17 of this Instruction.

16.1 Incident types and severity levels


Information security incidents include, but are not limited to:
• Loss or theft of information/data on ICT infrastructure and systems;
• Failed or successful attempts to gain unauthorized access to ICT infrastructure and
systems or activities to exploit unidentified vulnerabilities;
• Unauthorized transfer of confidential or secret information or data to individuals or
organizations;
• Attempted or successful installation of malicious software (such as malware) or
unlicensed software on IOM workstations or devices;
• Unauthorized changes to configuration, information or data on ICT infrastructure or
systems;
• Unwanted disruptions, system malfunctions, or denial of service to ICT infrastructure
or systems;
• Improper usage or violation of acceptable use of ICT infrastructure or systems.
Information security incidents should be initially categorized according to estimated severity
level, to help evaluate their impact and the extent to which incident response actions are
required. The incident severity levels are as follows:
• High: Incidents that have a severe impact on ICT infrastructure or services;
• Medium: Incidents that have, or have the potential for, a significant impact on ICT infrastructure or services;
• Low: Incidents that have only a potential or minimal impact on ICT infrastructure and services.
16.2 Roles and responsibilities
This Instruction specifies the responsibilities of different IOM entities on how to respond to,
and report an information security incident.
a. All users of ICT resources, to the extent they have authorized access to information
resources, are responsible for reporting information security events immediately.
b. ICT Staff providing technical support, administration and maintenance of ICT
infrastructure and services, to the extent they have privileged access to systems, are
to ensure regular monitoring of systems performance, system logs and maintain
updated configuration management and documentation to ensure rapid response and
mitigation as required.

c. The Senior Information Security Officer (SISO), in close coordination with the Director
ICT / Chief Information Officer (CIO), is responsible for evaluating and categorizing
security incidents, as well as coordinating response, mitigation and protection activities.
d. When information security incident data suggests a possible breach of IOM regulations or suspected fraud by IOM staff, the SISO shall prepare a confidential incident report to the Director ICT / Chief Information Officer (CIO) for further endorsement or escalation to the Ethics and Conduct Office (ECO) as applicable.
e. For information security incidents of high severity, or on the recommendation of the
SISO, the Director ICT / Chief Information Officer (CIO) may instruct disconnection of
ICT systems or services in IOM Data Centers / Server Rooms or affected IOM offices,
to prevent further expansion of the threat or incident.
f. Upon identified information security incidents, the ICT Division shall propose and
undertake the necessary adjustments to security protocols and security protections to
prevent future instances of the incident.

16.3 Reporting and Handling


Some information security events are reported automatically by ICT systems such as firewalls,
Intrusion Prevention Systems (IPS), Anti-Virus solutions, Secure Internet Access Gateways,
Secure E-Mail Gateways; and will be categorized and reported on directly by the relevant ICT
Staff to their technical manager.
Any suspected or observed information security incidents must be reported immediately to the ICT Division (ICTDivision@iom.int) for the attention of the SISO. Incidents involving the loss or theft of IOM devices such as laptops, mobile phones or removable media should be immediately reported to the immediate supervisor, with a copy to ICT Global User Support (support-ict@iom.int) for any required technical assistance.
When an information security incident has been reported, the SISO or his/her delegated staff
will review the information provided and determine the severity, impact and priority of actions
for the incident. The SISO will then recommend to the Director ICT / Chief Information Officer
(CIO) the required next steps and procedures.
Response to the information security incident must reflect the following priorities:
a. Protection of IOM users’ safety, IOM data and ICT systems;
b. Containment and Mitigation of the threat the incident might cause;
c. Preservation of evidence/logs for further evaluation or investigation;
d. Restoration of IOM data and IT systems.
As part of the initial response, physical custody of an ICT device or removable media involved
in the information security incident may be required for further technical evaluation. ICT
systems and equipment that are disconnected from the network have to be left intact in their
running state for further forensic investigation.

16.4 Involvement of External Parties


The SISO will provide the necessary confidential information to the Director ICT / Chief
Information Officer (CIO) for the necessary coordination with other IOM organizational units in
the following cases:
• When information security incident data suggests the involvement of individuals or institutions outside of IOM;
• When there is an indication that the information security incident requires communication with external parties or stakeholders for troubleshooting or resolution;
• When information security incidents are to be reported as part of donor reporting requirements.

Section 17 - Information and Data Classification Policy
Version 1.0
Last updated on October 2017

This policy provides guidance on the information and data classification process, describing the different classification levels and by whom and how they should be applied. In this policy, the terms information (processed data) and data (unprocessed information) are used in a broad sense and include fully or partially processed, unprocessed, interpreted, organized or structured information and data.
Information and data classification procedures are required as the basis for information
security decisions in the organization, to allocate adequate resources for information
protection.

17.1 Applicability and Objectives


When classifying information and data in the process of protecting it, it is important to consider
the following principles of information security: confidentiality, integrity and availability.
Loss of confidentiality would entail the unauthorized disclosure of information, loss of integrity
represents the unauthorized modification of the information, and loss of availability is the
disruption of access to the information. As such, information and data classification should
consider the mentioned principles and the associated risks (no risk, low, moderate, high risk)
that unauthorized access or use would cause.
Data classification informs the standards for data security.

17.2 Responsibilities
Migration Data Sets
As per IN/253, Data Stewards are responsible for the classification of data sets under their
responsibility.
Other Data Sets, Organizational and other documents
Organizational documents of worldwide applicability (instructions/policies/etc.), that have not
been otherwise already classified through other rules or by agreements with external parties,
will be classified by Directors/Chiefs/Heads. Classification of all other documents will be assigned by the respective author or, in the case of a file, the individual who created the file (hereinafter referred to as “Information and Data Creators”). In the case of a file, the classification given to the file must align with the information classification of the data in that file.
Directors/Chiefs/Heads, as well as information and data creators are responsible for choosing
the appropriate classification level and applying the classification criteria (see below,
“Classification Levels”). In doing so, they need to consider the potential consequences of
unintended disclosure and how those may compromise IOM’s interests.
The Directors/Chiefs/Heads as well as the information and data creators are further
responsible for labelling or otherwise identifying the information or data in a way that allows
easy recognition of the classification, and for applying the safeguards in accordance with the
classification level and as defined herein.
All users are required to comply with the classification and implications described herein.

17.3 Classification Levels
All Information and data should be assigned to one of the following classification levels:
• Public
• Restricted / Internal Use
• Confidential
• Secret

17.3.1 Public
Information and data should be classified as “Public” when it is intended for unrestricted use,
can be distributed to the public without restriction, poses no risk in case of unauthorized use,
and has no adverse impact on IOM’s mission, safety, finances, or reputation. Information and
data that has been classified as “Public” can be shared with any third-party.

17.3.2 Restricted / Internal Use


Information and data are “Restricted / Internal Use” if they are for internal IOM business use only. Content can freely be shared amongst authorized internal users. In case of unauthorized use, there is a low risk for IOM.

17.3.3 Confidential
Information and data must be classified “Confidential” if they are sensitive and internal to IOM, and their disclosure could negatively impact IOM activities. In case of unauthorized use, there is a moderate risk for IOM. Access shall be limited to one individual or a well-defined group of individuals. The Directors/Chiefs/Heads as well as information and data creators must define the information distribution list.
Considering the confidential nature of information and data in this category, recipients shall
exercise good judgment and, when in doubt, consult with the information and data owner
before copying, forwarding or otherwise sharing the Information with someone else.
Users who accidentally come across information and data classified as “Confidential” must not use the content and must immediately contact the Directors/Chiefs/Heads or the information and data creator to inform them of the situation.

17.3.4 Secret
Information and data classified as “Secret” are reserved for highly sensitive cases intended for limited, specific use by individuals with a legitimate need to know. In case of unauthorized use, there is a high risk for IOM. Specific handling procedures shall be established on a case-by-case basis and indicated specifically.
17.4 Scope
All Migration Data Sets, other datasets, organizational documents and other documents
created by users are subject to classification, irrespective of format or whether they are in
electronic or paper form. Classification of migration data sets is governed by IN/253.
Given the frequency and nature of internal electronic communications, it would be impractical to classify each of them. Consequently, internal electronic communications will be considered “Restricted / Internal Use”, unless they are intended to communicate confidential information, in which case they should be classified as “Confidential” accordingly.
Information and data that are not classified are automatically considered “Restricted / Internal Use”, with the exception of data from Migrant Applications Unit (MAU) applications or PRISM, which are to be treated as “Confidential”.
Information and data classified as “public” must be labelled accordingly and specifically.

17.5 Declassification
Unless otherwise provided for in other rules or agreements with external parties, the
Directors/Chiefs/Heads under whose control the information or data is may declassify or lower
a previously assigned classification if:
• Consultation was done with the originator (internal or external);
• No date or event for declassification was specified;
• The reasons that caused it to be classified originally have changed or no longer exist.

Section 18 - Cloud Computing Services Policy
Version 1.0
Last updated on October 2017

Cloud computing services and technologies entail a dedicated, customizable and quickly
scalable pool of computing resources for the provision of ICT infrastructure, applications and
services. This represents a valuable opportunity for IOM to optimize and leverage ICT
infrastructure and services deployment, but has associated risks that must be addressed and
mitigated.
For the purposes of this policy, a cloud computing service is any third-party-managed ICT
solution that exists outside of IOM, accessible over the internet, for storing or processing
information. The service is considered to be outside of IOM if not hosted in IOM data centers /
server rooms.
This policy outlines a set of mandatory controls and regulations that must be followed to secure
adequate and unified cloud services deployment strategies in the organization.

18.1 Governance Structure for Cloud Computing Services


Only cloud computing services that are approved by the ICT Division, and where a contractual
agreement (including information security requirements) exists between IOM and the service
provider may be used to store, transfer or otherwise process IOM data.
All new Cloud Computing Services must be fully compliant with this policy before their intended
use. All existing Cloud Computing Services (contracted before the publication of this policy)
must become compliant before 1st July 2018.

18.1.1 Cloud Computing Services Governance Body


This is a cross-functional governance body consisting of the ICT and LEG Divisions. With due
regard to paragraphs 18.2 to 18.5 of this Instruction, its role is to evaluate Cloud Computing
Services initiatives proposed for implementation and to monitor compliance with the provisions
of this Instruction and their efficiency in safeguarding IOM’s interests. This governance
body is chaired and managed by the ICT Division. An ICT Division technical team will track
and monitor all Cloud Computing Services that are within the organization’s scope against the
required control framework, and is the main source of information for cloud computing services
policy compliance.

18.1.2 Service Owner


The Service Owner is the designated official from the IOM Organizational Unit requiring the
Cloud Computing Service, who will ensure compliance with the relevant regulations, and is to
own the risks associated with the Cloud Computing Service being requested. The ICT Division
will provide functional support in this context.

18.1.3 Cloud Computing Services Functional Administrator (CSFA)


The Cloud Computing Service Functional Administrator is a staff member of the ICT Division
responsible for overseeing the designated Cloud Computing Service and ensuring compliance
with the relevant technical and performance requirements. The CSFA will ensure daily/weekly
monitoring and weekly/monthly reporting on the cloud computing service performance and
utilization.
18.1.4 Cloud Security Alliance (CSA)
The CSA is the world’s leading organization dedicated to defining and raising awareness of
best practices to help ensure a secure cloud computing environment. It is highly recommended
that all Cloud Computing Service deployments be evaluated through the CSA Questionnaire
(https://cloudsecurityalliance.org/group/consensus-assessments/).

18.2 IT Risk Management for Cloud Computing Services
In compliance with organizational regulations on Risk Management (IN/213) and the IT Risk
Management Policy in this Instruction, an assessment of Cloud Computing Services risk must
be done before implementation, as outlined below.

18.2.1 Business Impact Analysis


As part of the IT Risk Assessment process, every Cloud Computing Service must have a
Business Impact Analysis (BIA), to determine and evaluate the potential effects and impact of
an interruption of Cloud Computing Services to critical business operations. The BIA is
required since IT security incidents can have a serious impact on IOM business and should
therefore be assessed adequately. The BIA must be completed by the Cloud Service
Functional Administrator (CSFA), together with the Business Owner and SISO.
The BIA will categorize the Cloud Computing Service by impact level into Major, Significant,
Moderate or Negligible categories and will be used to determine the appropriate controls as
specified in Section 18.6 of this Instruction.

18.2.2 Cloud Computing Services Risk Assessment


A risk assessment must be performed under the lead of the Cloud Computing Service
Functional Administrator (CSFA) for each Cloud Computing Service. The risk assessment
consists of a Business Impact Analysis (BIA) and an assessment of the likelihood of events
occurring within the Cloud Computing Service. The assessment of likelihood must be done
against the set of cloud deliverables as defined in the Cloud Controls Framework. This covers
both controls on the IOM side as well as those on the Cloud Service Provider.
• The Cloud Computing Service IT Risk Assessment determines the controls that are
applicable.
• The assessment of the degree of implementation of the controls determines the
likelihood.
All risks must be mitigated through relevant controls, in coordination with the Service Owner
as defined in Section 18.1.2.
The Cloud Computing Services IT Risk Assessment must be performed at a minimum twice a
year, or when mandated or triggered by events such as changes in legislation, and signed off
by the Service Owner.

18.3 Parameters for the selection of Cloud Computing Services


Risks related to cloud computing services include the possibility that IOM’s privileges and
immunities and the inviolability of its archives, data and information are not respected and
cannot be effectively protected. Moreover, with regard to personal data, there is a risk of
infringement of privacy rights.
The decision of when to use cloud computing services can only be taken by the ICT Division
on a case-by-case basis, using the following criteria:
• Costs: While initial investments for cloud services may not be high, costs are borne
throughout the implementation period as utilization increases.
• Classification of the information and data to be stored on the cloud:
    • Public: Cloud Computing Services can be used.
    • Restricted / Internal Use: Cloud Computing Services can be used only after an IT risk
    assessment has been done, concluding that the benefits outweigh the risks.
    Identified risks need to be mitigated, and the risk assessment must be repeated
    every 6 months.
    • Confidential: Cloud Computing Services cannot be used.
    • Secret: Cloud Computing Services cannot be used.
• Donor considerations: Whether IOM agreed to specific donor requirements or restrictions
regarding the implementation of the service, or where to store the data.
• Implementation timelines: Cloud Computing Services often allow for quick availability
and scalability or expansion of the contracted services.
• Availability and planning: Current technological trends offer a variety of cloud
computing solutions; an implementation strategy must be developed accordingly in
consultation with the ICT Division.

18.4 Contractual requirements for Cloud Computing Services


In compliance with IN/99, LEG must review contracts, including those related to cloud
computing services. All Cloud Computing Service contracts must be reviewed by LEG, SISO,
Procurement and Service Management, to ensure that they sufficiently protect IOM’s interests.
For Cloud Services that are free of charge, the contract is the Terms and Conditions or End
User License Agreement, or as negotiated between the parties.
When sending the relevant contract to LEG, it needs to be clearly marked as a Cloud Computing
Solution services contract, and must include:
• A precise description of the responsibilities of each party related to service management,
including provision for penalties for the service provider if services are not provided.
• Compliance of the cloud computing services with IOM IT security standards.
• Encryption of the data.
• The possibility for IOM to audit and verify at any time the situation of its data.
• Servers located in a country where IOM has sufficient privileges and immunities, so
that IOM can invoke them if required.
• The obligation of the cloud computing service provider to immediately inform IOM of any
Government entity or third party trying to obtain access to the data, any security
breaches, requests for access to IOM data from authorities or other entities, etc., so that
IOM can handle the request directly rather than the service provider.
• The possibility for IOM to terminate the contract at any time.
• Upon termination or expiry of the contract, the obligation of the service provider to transfer
the data to IOM, effectively delete the data from the cloud and provide a proof/certificate of it.
Contracts must be administered as defined by the procedure applicable for the relevant IOM
Organizational Unit, and must be aligned with the Software Asset Management best practices.

18.5 Operational Regulations for Cloud Computing Services

18.5.1 Cloud Computing Services Inventory


All Cloud Computing Services used by IOM shall be logged in a Cloud Computing Service
Inventory maintained by the ICT Division, which will be the single source of Cloud
Computing Services information.

18.5.2 Evaluating Cloud Computing Services Requirements


The IOM Organizational Unit shall discuss its Cloud Computing Service requirements with
the local ICT team or directly with the ICT Division, in consultation with its relevant
Procurement unit.
Once the cloud computing service requirements have been evaluated and agreed, the relevant
ICT Unit must request endorsement from the Cloud Computing Service Governance Body, and
only then proceed with the usual procurement process.

18.5.3 Authorized Cloud Computing Services
Only Cloud Computing Services approved by the ICT Division can be used for any deployment.
Authorization by ICT Division is also necessary for the utilization of “free” cloud computing
services for cases such as team-collaboration or cloud-based file sharing for IOM business
purposes.

18.5.4 Cloud Computing Services Usage


All Cloud Computing Services must be used within the terms of their usage agreement. Cloud
Computing Services contracts and/or related documents such as Terms and Conditions or End
User License Agreements describe the terms under which the Cloud Computing Service can
be used; its actual utilization must be verified regularly to confirm compliance with the terms of
the agreement.
The utilization of Cloud Computing Services, and the information processed through them, must
comply with all other organizational regulations and IOM ICT Policies and Standards as
applicable.

18.5.5 Cloud Computing Services Compliance Evidence


All documentary evidence in the form of documents, e-mails or other format that is related to
the implementation of cloud controls must be stored and made accessible to IOM authorized
parties that require it, for future/possible audit or reporting requirements.

18.5.6 Decommissioning Cloud Computing Services


Cloud Computing Services that are no longer required shall be terminated according to the
underlying service contract. The relevant ICT Unit must ensure that all institutional data has
been backed up before subsequently removing IOM’s data from the Cloud Computing Service.

18.6 Cloud Computing Services Control Framework


The applicable controls listed below are to be selected by the ICT Division based on a Business
Impact Analysis (BIA) for the required cloud computing service to be implemented:
• Cloud Security Alliance (CSA) Questionnaire
(https://cloudsecurityalliance.org/group/consensus-assessments/).
• Cloud Provider Organization Maturity – ISO 27001 certificate plus the statement of
applicability, SSAE 16, SOC 2 report, etc. from the company responsible for the
service being procured. IOM requires evidence that the Cloud Service provider is
exercising due diligence with regard to security controls and not transferring them
completely to the hosting provider.
• Hosting Provider Organization Maturity – ISO 27001 plus the statement of
applicability, SOC 1, SOC 2 and SOC 3 report, etc.: a report that can attest that the
hosting provider where the solution is being hosted has adequate controls in
place.
• Penetration Test Report – An executive summary report with the number of
vulnerabilities found and their criticality, followed by the mitigation timelines for the
application being procured. The penetration test report has to be provided at least once a
year.
• Encryption of Confidential Data in motion over Public Network – A report from Qualys
SSL Labs with a minimum grade of B.
• Encryption of Confidential Data over provider private network.
• Account life cycle Management – An IOM internal document describing how accounts
will be managed inside the solution.
• Cloud Master Agreement Contract.

The below matrix summarizes the required evaluation. Its columns are the evaluation items:
CSA Questionnaire; Cloud Provider Organization Maturity; Hosting Provider Organization
Maturity; Penetration Test Report; Encryption of Confidential Data in Motion; Encryption of
Confidential Data over provider private network; Account Life Cycle Management; Cloud Master
Agreement Contract; IT Security Annex; Service Management Annex; Liability Clause; Exit
Clause. Its rows are the Business Impact levels, with the marks shown in the order they appear
in the matrix (X – required; X1 – only applicable sections of the document):

Business Impact   Required evaluation
Negligible        X X X1 X1 X X X
Moderate          X1 X X X X X1 X1 X X X
Significant       X1 X X X X X X X1 X1 X X X
Major             X1 X X X X X X X1 X1 X X X

X1 - Only applicable sections of the document

18.6.1 Management of User Accounts for Cloud Computing Services


Identity and Access Management (IAM) solutions must be implemented for all Cloud
Computing Services, to strengthen IT security procedures. Furthermore, full compliance with
ICT User Account Management Policies and Standards is mandatory for Cloud Computing
Services implementation.
If the implementation of IAM solutions is technically not feasible, this needs to be documented
in the IT Risk Assessment and signed off by the Service Owner, with exceptions documented
accordingly.

18.6.2 Encryption of Login Credentials


All Cloud Computing Services must encrypt data, including username and password, when
transmitted over public networks.

Section 19 - Removable Media Policy
Version 1.0
Last updated on October 2017

Removable media provides added flexibility for transporting electronic data between devices. At
the same time, it also presents an increased risk of virus/malware infection and data loss,
given the possibility that such media will be connected to other workstations and networks
outside of the organization.
This policy sets standards related to the utilization of removable media, its acceptable uses
and security precautions that must be observed when using such devices.
19.1 Scope
This policy applies to any removable media device being connected to an IOM workstation
(desktop or laptop), server, mobile device (phone/tablet), and other types of USB-enabled
devices. The items and connectivity options listed below are collectively referred to as
“removable media” for the purposes of this policy.
This policy applies to removable media devices such as (but not limited to):
• External hard drives (USB, thunderbolt, solid-state-drive)
• USB memory sticks / USB Flash Drives
• Memory cards such as SD / SSD / SM / MM / CF Cards
• External optical media such as CD/DVD drives
• Mobile telephones/smartphones and tablets
• Digital cameras or digital media players (audio/video)
• Personal Computer Memory Card International Association (PCMCIA) devices such
as hard disks, network cards, and others
Removable media devices may be connected in any of the following ways:
• Through a dedicated cable connection (e.g. USB or Lightning cable)
• Through a wireless connection such as Wi-Fi, Bluetooth or infrared
• Through any other remote or physical connection

19.2 Removable Media Usage


It is the user’s sole responsibility to ensure that removable media connected to
IOM networks or devices is free from security threats such as viruses or malware.
Removable media can be used for the following type of information as per Section 17 of this
Instruction:
• Public
• Restricted / internal use
The usage of removable media for information classified as confidential is highly discouraged,
and not permitted for information classified as secret.
Users must exercise due care to protect removable media against theft, damage or loss and
must immediately report such events to the relevant ICT Staff or to the ICT Division.
The ICT Division reserves the right to temporarily or permanently disable the use of removable
media devices, physically or logically for a user or a particular group of users, when business
requirements or external regulations deem it necessary.

19.3 Encryption and Erasure
For the utilization of removable media, it is mandatory to use data encryption in full compliance
with the provisions outlined in Section 15 of this Instruction, as well as full compliance with
Section 14.

19.4 Personal removable media


The utilization of personal removable media in IOM workstations or networks is highly
discouraged. In exceptional cases where no IOM removable media is available and a
personal removable media device is used instead, the removable media owner acknowledges
the organization’s right to access, erase or modify the personal removable media device
contents as needed, if it is believed there is a virus or malware infection, or if the device poses
a security risk to the organization’s ICT infrastructure.

Section 20 – IT Risk Management Policy
Version 1.0
Last updated on October 2017

As outlined in IN/213 Management of Risk in IOM, the organization emphasizes risk-related
considerations when making decisions and creating or responding to changes. In this regard,
this policy for IT Risk Management encompasses the management and implementation of ICT
Assets (for the purpose of this policy: infrastructure, resources, applications and services), and
should be an underlying element whenever ICT projects and initiatives are proposed, planned
or developed.

20.1 IT Risk Management Methods and Controls


For IT Risk Management, the ICT Division will adhere to the principles under the International
Standard ISO/IEC 27005 Information Security Risk Management, alongside the ISACA Risk
IT Framework, to facilitate an end-to-end view of possible risks related to the implementation
of ICT services and solutions, with available risk management strategies.
IT Risk Management is organic and progressive, entailing a continuous, iterative process of
identifying threats, vulnerabilities and countermeasures (controls) throughout the lifetime of ICT
solutions and services. Identified controls must aid risk mitigation without compromising
productivity, cost or effectiveness, and while maintaining the value of the ICT asset being protected
against risk.
Conceptualization and implementation of IT Security controls must be approved by the SISO,
while the daily monitoring and operationalization of ICT controls rests with the relevant ICT
Staff of the respective IOM Organizational Unit, with overall guidance and support by the ICT
Division.

20.2 IT Risk Management Principles


• Mitigation measures for identified risks should always be aligned with organizational
business objectives and in full compliance with IN/213 Management of Risk in IOM.
Furthermore, controls should be adequate from a cost-benefit perspective, duly
approved by the relevant manager, clearly communicated to relevant stakeholders, and
with responsibility and accountability structures in place.
• ICT assets or solutions acquired commercially or developed in-house, should be
adequate for today’s IOM needs, scalable for the lifetime of the asset/solution, and
safeguarded against any IT security risks.
• As part of the IT Risk Management process, a Business Impact Analysis (BIA) must be
undertaken to determine and evaluate the potential effects and impact that the
implementation of the intended products or services may have on the stability of
existing ICT services and systems.
• In cases where IOM requires the services of third-party individuals or entities with
specialized IT skills and knowledge, access to ICT resources should be strictly limited
within the scope of their functions, closely monitored and immediately discontinued
upon completion of the task.
• All ICT Projects will be subject to the risk tolerances defined by the relevant Project
Board and those defined for the organization.
• IT risks must be considered at all stages of ICT Projects, and recorded in the Project’s
Risk Register maintained by the Project Manager.
• The impact of each ICT activity on production/live systems should be guarded against
identified risk areas, with rollback plans established and communicated to relevant
stakeholders.

Annex A – ICT Confidentiality and Conflict of Interest Agreement

The ICT Division will be responsible for identifying staff with administrator rights for
workstations, file servers and e-mail servers. A record of signed agreements will be maintained
by ICT and HRM.

INFORMATION TECHNOLOGY AND COMMUNICATION

CONFIDENTIALITY AND CONFLICT OF INTEREST AGREEMENT

1. I hereby acknowledge that within the scope of my work I will have access to different types of
information and data that is proprietary to the International Organization for Migration (IOM). I
recognize the critical importance of protecting the privacy of individuals and securing the
confidentiality of all organizational records and undertake to protect and secure IOM data and
information which comes into my knowledge or possession.
2. I understand that I may be granted privileged access to or custody of Information and
Communications Technology (ICT) computing systems, applications, databases, network
monitoring tools or other equipment that may contain records and information that are
confidential in nature. I acknowledge that I may be entrusted with such privileged access and
encounter or have access to sensitive, confidential or proprietary information whether or not it
is labeled or identified as such.
3. I hereby undertake to ensure that my conduct and usage of ICT resources will always be in
accordance with the provisions of the ICT Policies and guidelines issued by IOM from time to
time and I shall uphold the integrity and confidentiality of ICT systems and data belonging to
IOM.
4. I acknowledge the sensitive and confidential nature of information concerning persons
employed by IOM, donors, vendors, partners, beneficiaries and other members of the IOM
community. I understand and agree that this information may only be disclosed with proper
authorization from my supervisor and in the exercise of my designated duties.
5. I hereby undertake that I shall use IOM ICT systems only for the purpose for which they are intended
and only to the extent I am authorized to use them. I agree not to use any privileged access or
information and data available to me in the course of my duties to engage in any activity that
conflicts with the interests of IOM.
6. Specifically, with respect to IOM’s computing systems, networks, records, files, e-mail and other
information, I agree that I shall treat all such information as strictly confidential and that I shall
respect the privacy of users and the integrity of the systems and the related physical resources.
7. I further agree not to independently contract to perform or provide information technology
services to other external entities while employed by IOM or to use IOM’s resources in the
delivery of privately contracted services. I understand IOM’s resources include time, equipment,
computers, systems, tools, software, telephone, e-mail or other items that are provided by or
acquired through my employment relationship with IOM.
8. I understand and agree that my failure to comply with the terms of this agreement will have
consequences and may result in appropriate action taken against me by IOM including
immediate termination of my contract, depending upon the infraction’s severity, evidence of my
intentions, and the sensitivity and scope of the information compromised.
9. I understand and agree that my obligation to comply with this agreement shall survive the
termination of my employment with IOM. I also agree that, when my employment with the IOM
ends, I will not keep in my possession any documents, records, files, computer programmes,
hardware/software, other IOM assets or copies thereof, and I shall not recreate or deliver to
anyone else, any confidential, sensitive, or proprietary information that I acquired while
employed by the International Organization for Migration, whether or not it is labeled as such.

10. In addition, and more specifically, I shall:

a. access, copy and store data or information solely in the performance of my job
responsibilities, limiting perusal of contents and actions taken to the least necessary to
accomplish the specified task.
b. when providing direct services to users, copy and store data or information only with the
user’s consent, only to complete a specified task, and only to copy and store user data
for long enough to complete the specified task.
c. not engage in identity misuse of any form, impersonate another user or, knowingly, or
through gross negligence cause another person to use the identity that does not belong
to the person concerned. In particular, I will not intrude into ICT systems under other
users’ custody without their knowledge or explicit authorization.
d. not seek personal benefit or permit others to benefit personally from any data or
information that has come into my knowledge or possession during my work assignments.
e. not make or permit unauthorized use of any information in IOM’s information systems or
records.
f. not enter, change, delete or add data to any information system or file outside of the scope
of my job responsibilities.
g. not intentionally or knowingly include or cause to be included in any record or report, a
false, inaccurate or misleading entry.
h. not intentionally or knowingly alter or delete or cause to be altered or deleted from any
records, report or information system, a true and correct entry.
i. not release IOM data and information in my custody, other than what is required for the
completion of my job responsibilities.
j. not communicate, transfer, exhibit, or divulge the contents of any record, file or
information system to any person or entity, unless explicitly authorized by my supervisor.
k. not use my technical knowledge to circumvent controls imposed on IOM ICT systems and
assets (including, but not limited to connecting any non-IOM ICT resources to the IOM
Network or loading non-IOM ICT data onto any IOM ICT resources) unless it is in full
compliance with Sections 1.6 and 1.6.1 of this document.
l. take every reasonable precaution to prevent unauthorized access to any passwords, user
identifications, or other information that may be used to access IOM information systems
or records.
m. limit access to information contained in or obtained from the systems to authorized
persons.
n. report any incidents of my non-compliance with the terms of this agreement to my
supervisor.

By signing this agreement, I certify that I have read and understood the contents of this agreement and
declare that I shall fully comply with all aspects of this agreement.

Signature ______________________ City ______________________ Date __________________

Full Name (please print) ____________________________________________________________

Current Position / Title _____________________________________________________________

Annex B – Third Party Access Request Form
THIRD PARTY ACCESS REQUEST FORM
MAILBOXES AND/OR USER FILES

This form is to be used for requesting third party access to a user’s mailbox and/or other electronic documents
and communications (user files). The Conditions for Third-Party Access Requests as outlined in section 1.7.1
of this Instruction shall apply.

I. Details of the account and data to which access is required (the person requiring access to complete).

Name of Account Holder: ______________________ Username of Account Holder: _________________

E-mail address: __________________________ Department/Mission: __________________________

Access Requested (select as applicable):

Mailbox [ ] ___________________________________________________________________________

Special requirements (sender, recipient, subject, etc.):___________________________________

User files [ ] ___________________________________________________________________________

Special requirements (file, folder name, etc.):__________________________________________

Period requiring access: From ____/_______/________ (dd/mm/yyyy) To: _____/______/_________ (dd/mm/yyyy)

IOM-issued mobile device [ ] IOM-issued removable media [ ]

Specified purpose and justification for requesting access:


_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

Description of the nature of the information and data needed to meet the specified purpose(s):

_____________________________________________________________________________________

_____________________________________________________________________________________

_____________________________________________________________________________________

II. Details of the person requesting access (the person requiring access to complete).

First Name: _________________ Last Name: _________________ E-Mail Address_____________________

Department/Duty Station: ________________________Position/Title: ________________________________

I confirm that I have read and agree to comply with the conditions as per this Instruction governing my access
to another user’s information and data:

Signed: ________________________________ City: ______________________ Date: ___________ (dd/mm/yyyy)

III. To be completed by the requestor’s Director/Chief/Head and sent to the DGO/Chief of Staff for approval.

I agree to the request by the staff member named in Section II to access the e-mailbox and/ or user files of the
person named in Section I for the reasons and period specified above. I confirm that such access is necessary
and in the interests of IOM.

Signed: ________________________________ Name: ______________________ Date: __________ (dd/mm/yyyy)

IV. The following person is designated to monitor the access (the person monitoring access to complete).

First Name: _________________ Last Name: _________________ E-Mail Address_____________________

Department/Duty Station: ________________________Position/Title: ________________________________

I confirm that I have read and agree to comply with the conditions as per this Instruction governing my monitoring
of the access to another user’s data.

Signed: ________________________________ City: ______________________ Date: ___________ (dd/mm/yyyy)

V. Authorization from the Director General.

Yes [ ], I authorize the staff member designated in Section II to access, and the person designated in Section
IV to monitor the access of the mailbox and/or user files as specified in Section I of this form.

AND/OR

Yes [ ], I authorize the Director ICT / Chief Information Officer (CIO) to provide the required access detailed in
Section I to the staff member in Section II and the designated person in Section IV for the stated duration.
(Please forward the original form to ICT Division for action)

No [ ]. Comments/special instructions:_________________________________________________________

Signed: _________________________ Full Name: _____________________________ Date: ___________ (dd/mm/yyyy)

Actioned by (Full Name): ___________________________ Signature: __________________ Date: __________

Original to be kept by ICT Division at Headquarters

Annex C1 – Account Management - User Account Creation Form
Please send a scanned/signed version of this form to your local ICT Support if available, HQ users to Global User Support Geneva
and others to ICT Global User Support (support-ict@iom.int); copying the Unit’s Supervisor. Please submit this form at least three
working days before the new user’s entry on duty.

Type of user (please choose one only):

[ ] Staff Member   [ ] Intern   [ ] Consultant   [ ] Other (specify): ____________________

User’s Entry on Duty Date (day-month-year):

User’s Contract Expiry Date (day-month-year): (Unless ICT is notified in advance of contract extension, the
account will be disabled automatically on the day after the contract expiration)

General information:
PRISM Personnel Number:
First Name:
Last Name:
Job Title/Function:
Duty station / Department / Unit:
Supervisor's Name:
User’s computer available? [ ] At user’s desk   [ ] With procurement/admin   [ ] In process
Requested date of set-up:
Office location and telephone extension:
Name of replaced staff (when applicable):
Network Account
Network Drive Access (drive(s) or folder(s) the user should have access to): ____________________________
Applications Needed: [ ] PRISM  [ ] PRIMA  [ ] MiMOSA  [ ] iGator  [ ] Amadeus  [ ] UKTB  [ ] RMI  [ ] LTS
[ ] Others (specify): ____________________________
Membership
Distribution list(s) membership:
Access to specific shared mailboxes:

Requested by (Supervisor): Date: Signature:

Authorized by (Director/Chief/Head): Date: Signature:

ICT Unit internal use only Date: Done by:

Annex C2 – Account Management - Account Transfer/Update Form
Please send a scanned/signed version of this form to your local ICT Support if available, HQ users to Global User Support Geneva
and others to ICT Global User Support (support-ict@iom.int); copying the Unit’s Supervisor. Please submit this form at least three
working days before the required readiness date.

Transfer to a different duty station? [ ] Yes [ ] No      Account profile/role update? [ ] Yes [ ] No

Requested date of transfer/update (day-month-year):

Current username data:


Username: Domain (AS/EU/IOMINT):
New/Updated data:
PRISM Personnel Number:
First Name: Last Name:
New Domain (AS/EU/IOMINT):      New E-mail address? [ ] Yes [ ] No
New Job Title/Function: New Duty Station/Dept.:
New Supervisor's Name: New Office Tel./Ext.:
Network Account (selections below will replace all previous access rights)
Network Drive Access (drive(s) or folder(s) the user should have access to): ____________________________
Applications Needed: [ ] PRISM  [ ] PRIMA  [ ] MiMOSA  [ ] iGator  [ ] Amadeus  [ ] UKTB  [ ] RMI  [ ] LTS
[ ] Others (please specify): ____________________________
E-Mail Account (selections below will replace all previous memberships/access)
Distribution list(s) membership:
Access to specific shared mailboxes:
Mailbox reduced to 10 MB prior to transfer? [ ] Yes [ ] No

Remarks:
By signing this form, the user confirms that all necessary work-related files have been duly handed over to his/her
supervisor or successor.

Requested by: Date: Signature:

Approved by (current supervisor): Date: Signature:

Authorized by (Director/Chief/Head): Date: Signature:

ICT Unit internal use only Date: Done by:

Annex C3 – Account Management - Account Deletion Form
Please send a scanned/signed version of this form to your local ICT Support if available, HQ users to Global User Support Geneva
and others to ICT Global User Support (support-ict@iom.int); copying the Unit’s Supervisor. Please submit this form at least three
working days before separation date.

Type of user (please choose one only):

[ ] Staff Member   [ ] Intern   [ ] Consultant   [ ] Other (specify): ____________________

Date of Separation (day-month-year):

General Information:
PRISM Personnel Number:
First Name: Last Name:
Username: Domain (AS/EU/IOMINT):
Job Title/Function:
Duty station / Department / Unit:
Supervisor's Name and E-mail:
Remarks:
Upon the effective date of separation, the user’s network and e-mail accounts will be disabled for all
access, and the associated workstation will be wiped for redeployment.
One (1) month after the effective separation date, the user’s network and e-mail accounts will be deleted
irreversibly.

By signing this form, I confirm that I have duly handed over all my work-related files to my supervisor or successor and
certify that I shall not retain any IOM information and data which came to my knowledge and possession while employed
by IOM.

Staff member: Date: Signature:

Approved by (current supervisor): Date: Signature:

Authorized by (Director/Chief/Head): Date: Signature:

ICT Unit internal use only Date: Done by:

Annex C4 – Account Management - E-mail Distribution List (DL) / Shared Mailbox Form

Please send a scanned/signed version of this form to your local ICT Support if available, HQ users to Global User Support Geneva
and others to ICT Global User Support (support-ict@iom.int); copying the Unit’s Supervisor. Please submit this form at least three
working days before the required readiness date.

Date Requested (day-month-year):      Date of Expiration (day-month-year):

NEW E-mail Distribution List / Shared Mailbox:


Display Name:
E-mail Address:
DL/Mailbox owner’s Name/E-mail:
Request type (select one): [ ] Shared Mailbox (*)   OR   [ ] E-mail DL
(*) Authorized users for Shared Mailbox:

UPDATE/CONVERT:
E-mail DL / Shared Mailbox name:
Update Display name / E-mail to:
Update Owner to (Name/E-mail):
Convert: [ ] E-mail DL to Shared Mailbox   OR   [ ] Shared Mailbox to E-mail DL
Update Shared Mailbox Access:
ADD authorized user(s): _______________________________________
REMOVE authorized user(s): _______________________________________

IOM E-mail Distribution Lists do not accept incoming messages from non-IOM senders. Exceptions are
handled only on a case-by-case basis and must be properly justified to the Head of Global User Support,
who decides whether to approve them. Provide the justification below:

________________________________________________________________________________

________________________________________________________________________________
Remarks:
Upon the E-mail DL’s/Mailbox’s expiration date, the associated E-mail address will no longer exist, and messages
sent to that address will be returned to the sender(s) with a non-delivery notice.
Requests for extension of the expiration date should be sent in advance to ICT Global User Support
(support-ict@iom.int), attaching a scanned copy of this initial creation form duly signed.

By signing this form, I confirm that the requested E-mail DL/Mailbox will be used for IOM business purposes, in
compliance with relevant ICT Policies and Standards.

Requested by: Date: Signature:

Unit Supervisor’s approval: Date: Signature:

Authorized by (Director/Chief/Head): Date: Signature:

ICT unit internal use only Date: Done by:
