IN123 ICT Policies and Guidelines OIM KARLA
Status: Active
Replaces: IN/123 IT Policies and Guidelines (2012)
Summary: This document is a compilation of relevant ICT Policies and Guidelines that govern the
management and use of ICT resources throughout the Organization. It also provides direction and
guidance on the principles to be applied for maintaining the integrity and confidentiality of the
information and data stored in IOM ICT resources. This Instruction applies to all IOM staff members,
non-staff members (such as consultants, interns, short-term hourly contract holders), external service
providers and any other individuals or entities that are authorized to access and/or use IOM ICT
resources in the performance of their duties.
Keywords: ICT policy, IT security, confidentiality, compliance, ICT resources, acceptable usage,
access request, account, password, remote access, email, internet, social media, software, application
systems, service providers.
Location: https://intranetportal/Pages/ControlNo.aspx?controlNo=IN/00123
Annex A – ICT Confidentiality and Conflict of Interest Agreement - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00056
Annex B – Third Party Access Request Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00079
Annex C1 – Account Management - User Account Creation Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00043
Annex C2 – Account Management - Account Transfer-Update Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00082
Annex C3 – Account Management - Account Deletion Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/00044
Annex C4 – Account Management - E-mail Distribution List DL - Shared Mailbox Form - https://intranetportal/Pages/ControlNo.aspx?controlNo=FRM/ICT/00001
Introduction...............................................................................................................................3
Section 01 - Information Security Policy................................................................................... 5
Section 02 - ICT resources Policy .......................................................................................... 11
Section 03 - Acceptable Use Policy ....................................................................................... 12
Section 04 - Account and Password Management Policy ...................................................... 14
Section 05 - Mobile and Remote Access Policy ..................................................................... 18
Section 06 – E-mail Policy......................................................................................................20
Section 07 - Internet Usage Policy ......................................................................................... 24
Section 08 - Social Media Policy ............................................................................................ 26
Section 09 - Software Policy .................................................................................................. 28
Section 10 - Application Systems Development Policy .......................................................... 30
Section 11 - Physical and Operational Security Policy ........................................................... 32
Section 12 – Business Continuity Management Policy .......................................................... 35
Section 13 - Management of External Service Providers ....................................................... 36
Section 14 - Electronic Data Destruction Policy ..................................................................... 38
Section 15 - Encryption Controls Policy ................................................................................. 41
Section 16 - Information Security Incident Management Policy ............................................. 43
Section 17 - Information and Data Classification Policy ......................................................... 45
Section 18 - Cloud Computing Services Policy ...................................................................... 48
Section 19 - Removable Media Policy.................................................................................... 53
Section 20 – IT Risk Management Policy............................................................................... 55
Annex A – ICT Confidentiality and Conflict of Interest Agreement ......................................... 56
Annex B – Third Party Access Request Form ........................................................................ 58
Annex C1 – Account Management - User Account Creation Form ........................................ 60
Annex C2 – Account Management - Account Transfer/Update Form .................................... 61
Annex C3 – Account Management - Account Deletion Form ................................................. 62
Annex C4 – Account Management - E-mail Distribution List (DL) / Shared Mailbox Form .... 63
Introduction
This Instruction provides a foundation for the Organization to facilitate an open, yet secure,
information-sharing environment to the benefit of all users. This will, in turn, advance IOM’s
commitment to preserve the confidentiality, integrity and availability of IOM ICT resources.
This Instruction covers all IOM ICT resources in its broadest sense and includes technical
infrastructure, telecommunication systems, software, hardware and all related components, as
well as desktops, laptops, mobile phones, tablets and other portable media equipment
assigned by the Organization. It specifically aims to:
a. Enhance the uniform performance of the ICT Division in delivering, implementing, and
maintaining ICT systems suitable to fulfill the business needs of the Organization;
b. Define the duties and responsibilities of individuals and entities that are authorized
access to and/or use the IOM ICT resources in the performance of their duties; and
c. Provide the basis for the Organization to build the necessary internal standards and
processes for complying with the Policies and Guidelines outlined in this Instruction.
In this policy, information (processed data) and data (unprocessed information) are used in a
broad sense and include fully processed, partially processed, unprocessed, interpreted, organized
or structured information and data.
Exceptions
Requests for any exception to the application of the Policies and Guidelines in this Instruction
must be submitted in writing with justification to the Director ICT / Chief Information Officer
(CIO) for review. A request for an exception will only be granted if justified and for a limited
period of time, after the ICT Division coordinates with other relevant IOM organizational units,
conducts a risk assessment, and provided the security risks are low and the user requesting
the exception assumes full responsibility for all risks involved.
Non-Compliance
All users should be aware of the contents of this Instruction and must, to the extent applicable,
comply with it. The obligation to respect this Instruction will continue to be valid even after the
end of the user’s contract of employment or service with IOM.
Any breach of this Instruction must be reported immediately to the Director ICT / Chief
Information Officer (CIO), who will coordinate with the Ethics and Conduct (ECO) Office, and
the Office of Legal Affairs (LEG), as appropriate.
Non-compliance with this Instruction by IOM staff members will be investigated and may result
in disciplinary action, in accordance with the IOM Staff Regulations and Rules. Any breach by
non-staff members or external users may result in termination of their contract of employment
or service with IOM, without prejudice to any remedy available to IOM in law or in equity.
Policies Review
IOM, through the ICT Division, will review this Instruction periodically. Questions and feedback
on this Instruction and/or its application should be sent to ICTPolicySupport@iom.int at the ICT
Division.
Section 01 - Information Security Policy
Version 2.0
Last updated on October 2017
IOM recognizes the importance of information security and the ICT Division acknowledges the
obligation to ensure appropriate security of all ICT data, systems, equipment, and processes
under its ownership and control. This obligation is shared by all users.
This section provides the framework for protecting IOM ICT resources against unacceptable
security risks and aims at ensuring that appropriate physical and technological security
measures are applied in a systematic manner throughout the Organization.
Principle 4: Integrity
Integrity means to protect the accuracy and completeness of information and data, and
the methods that are used to process and manage it. Users should take reasonable
and necessary precautions to preserve the integrity of IOM ICT resources and to
prevent unauthorized modification and tampering that could affect the integrity, quality,
accuracy and completeness of the information and data stored in IOM ICT resources.
1.4 Authorization
Access to IOM ICT resources and the information and data stored therein is privileged and
should be restricted to authorized individuals. Users require explicit authorization to access
and/or use IOM ICT resources and electronic records. Custodians of ICT systems and data
(refer to section 2) should only grant such authorization for the purpose of the duties assigned
to the user.
1.7 Exceptions to information privacy
In compliance with Section 2.1, IOM shall take reasonable steps to respect the right to
information privacy. However, IOM reserves the right to make exceptions if competing interests
of the Organization override a user’s right to information privacy. Such organizational interests
should be justified and proportionate to, or appropriately balanced with, a user’s right to
information privacy. Requests for access to IOM ICT resources for such purposes are
hereinafter called “third party” access requests.
f. The designated IOM staff member shall monitor the access process to ensure that only
the necessary information and/or data copied to a separate media is made available to
those authorized and associated with the specified purpose;
g. Where access to a user account is granted, the user will be informed about such
access, unless specifically instructed to the contrary by the Director General.
Only information directly related to the specified purpose that necessitated the access request
should be disclosed, subject to the obligation to report any irregular practices, wrongdoing or
misconduct (Refer to Policy on Reporting Irregular Practices, Wrongdoing and Misconduct,
IN/142). The ICT Division will keep a record of access requests.
ICT staff who are granted privileged access rights must sign a standard IOM ICT confidentiality
agreement (Refer to ‘ICT Confidentiality and Conflict of Interest Agreement’, Annex A) because
they may have special privileged access to user accounts, e-mail accounts, personal data
and/or other electronic documents or communications stored in IOM ICT resources. Failure to
sign the agreement will not relieve ICT staff of their obligations under this Instruction.
Section 02 - ICT resources Policy
Version 2.0
Last updated on October 2017
All IOM ICT resources must be used for the organizational purpose for which they are intended.
The organization’s ICT Policies establish guidelines and general principles for initiating,
implementing, maintaining, and improving ICT service support management in the
Organization and to help build confidence in ICT-related inter-organizational activities and
processes.
The ICT Division will conform to sound management processes and adhere to industry
standards and best practices, specifically aimed at managing ICT services and providing an
effective and timely delivery of information technology services to the entire Organization.
The ICT Service Management processes of IOM will adhere to and incorporate best practices
from International Standards such as ISO/IEC 20000 for IT Service Management, the
“Information Technology Infrastructure Library” (ITIL), and the PRINCE2 Project Management
Method.
2.1 Ownership
IOM shall retain ownership of all ICT resources assigned to users throughout the Organization.
All information and data created, stored and/or processed for IOM business purposes shall be
owned by IOM and intellectual property rights of all ICT applications and systems developed
by users during the scope of their contract of employment or service shall vest in IOM.
Section 03 - Acceptable Use Policy
Version 2.0
Last updated on October 2017
IOM ICT resources are strategic assets of the Organization and are made available for users
to fulfill their responsibilities related to IOM business purposes. Use of ICT resources shall in
all cases be in accordance with the provisions set out in this policy.
By using the Organization’s ICT resources, each user agrees to comply with this policy and
other applicable ICT standards and policies, as well as applicable country laws and
regulations.
a. Activities that maliciously interfere with the ability of other users to access or use IOM
ICT resources;
b. Disclosing or transferring IOM information and data intended for use only within the
Organization, including confidential information and personal data of IOM staff
members, beneficiaries, vendors and partners;
c. Circumventing a computer system’s access controls and using privileged access to
assist unauthorized persons to access IOM ICT resources and the information and data
stored therein;
d. Intentionally destroying or damaging IOM ICT resources and deleting, suppressing,
modifying or tampering with IOM ICT resources and IOM information and data, without
the required authorization;
e. Disabling a computer system’s security protection settings, including Anti-Virus and
browser controls for malicious purposes;
f. Establishing, without approval, connections to blocked Internet sites, third party or peer-
to-peer file sharing, or publishing unapproved Internet web pages;
g. Deriving any direct or indirect benefit or using IOM ICT resources, including computer
systems, facilities or products for personal and/or third-party gain;
h. Installing or using computer systems, hardware and software not licensed by IOM, nor
approved by the ICT Division or using/copying software or files in a manner inconsistent
with applicable license agreements or intellectual property rights. This prohibition
includes the storage or sharing of audio or video files (i.e. MP3, WMA, MP4, AVI, etc.)
that are not required for IOM business purposes;
i. Participating in “chain messages”, chats, file sharing or other activities where the
content or audience does not support the goals and objectives of IOM;
j. Accessing, viewing, storing, or transmitting sexually explicit images, text, cartoons,
jokes, or any other form of sexually explicit material, or failing to immediately delete
such material upon receipt;
k. Using IOM ICT resources for purposes inconsistent with IOM’s values, such as, threats
or intimidation, discrimination or hate speech, trafficking in firearms or illegal drugs,
violence, games or gambling;
l. Using ICT resources to attempt to, or to assist other users to, commit any of the activities
prohibited under this Instruction, or engaging in any activities that violate the IOM
Standards of Conduct, IOM Staff Regulations and other IOM policies, regulations and
rules.
Section 04 - Account and Password Management Policy
Version 2.0
Last updated on October 2017
This Policy defines the modalities for user account creation, management, transfer and
closure; and establishes the rules for password management. It aims to protect the
authenticity, integrity and confidentiality of user accounts and consequently minimize the risk
of unauthorized access and disruption to IOM’s ICT systems and services.
As a corollary to the user account, an e-mail account/mailbox and membership(s) to relevant
e-mail distribution list(s) should also be created, whenever necessary (Refer to ‘Account
Creation Form’, Annex C1) as requested in the account creation authorization document.
New user accounts created for external users must have an expiration date corresponding to
the duration of the contract of employment or service, as provided by the requestor of the
account.
b. To avoid account disabling or deletion, users should ensure that they use their accounts
within the 4-6 month period.
c. As part of periodic housekeeping tasks, all accounts marked for deletion will be
validated with HRM before deletion. For external users, the relevant IOM supervisor
will be notified.
4.2 Passwords
Passwords are a critical element in protecting access to IOM ICT resources and must be
carefully selected. Users should keep passwords confidential and should not share them with
anyone, not even with ICT Staff. Precautions should be taken against deceptive techniques
that may be used by unauthorized persons who intend to breach access controls. For example,
an intruder may send an e-mail to the user (commonly referred to as phishing), from a source
that looks deceptively reliable, asking for user credentials.
Weak passwords may expose IOM to high security risks, including internal and external threats
to IOM network systems, impersonation of users, unauthorized access and use of confidential
information and data, as well as loss or theft of valuable electronic records. Therefore, IOM
requires that users choose a password that is sufficiently complex and difficult for others to
make an educated guess as to what the user has chosen. User passwords will be automatically
forced to meet the standards as specified below.
If a user suspects or believes that another person has, by some means, gained access to
his/her credentials (username or password), the user must report the incident as per section
16 of this Instruction, and immediately change his/her password.
4.2.5 Password history
Users must have used three (3) different passwords before being able to use an old password
again. Avoiding the continual reuse of old passwords enhances password security.
Section 05 - Mobile and Remote Access Policy
Version 2.0
Last updated on October 2017
IOM recognizes the need for users to connect to and access the IOM network and systems while
out of the office to meet IOM’s business needs. This policy provides guidelines for such remote
access, and also describes the security controls that are necessary to minimize information
security risks affecting the IOM network system when using laptops and/or other portable
equipment for remote access. It also complements the IOM Policy on Home-Based Work
(IN/146) and IN/76 Mobile devices (phones, tablets) usage guidelines for Field and
Headquarters.
Connection of portable devices must comply with the guidelines outlined in the Mobile devices
(phones, tablets) usage guidelines for Field and Headquarters (IN/76).
5.3.1 Usage
Off-site computer usage, whether at home or at another nominated location, is restricted to
IOM business purposes and subject to compliance with this Instruction. Such equipment must
only be used as authorized and should not be used by other individuals such as family or
friends.
5.3.3 Information security and appropriate use
Portable devices should not be used to store confidential or secret information and personal
data of project beneficiaries, unless unavoidable. In such cases, when a user keeps
confidential or secret information and personal data on portable devices, the respective device
and/or the important files contained in it should be encrypted and password-protected to prevent
unauthorized access if the device is lost or stolen.
Users must obtain approval from the ICT Division prior to using any unsupported devices to
connect to IOM ICT services (Refer to ICT Standards IN/88 and IN/76). All personal electronic
devices on which IOM data are likely to be stored must be approved by the ICT Division and
must be password or PIN protected. For cases of authorized utilization of unsupported devices,
the user has the responsibility for maintaining the confidentiality, security and integrity of IOM
data and network, and not to expose it to undue risks, which in the case of unsupported devices
can be high.
All incidents of loss or theft of any portable devices should be reported as per section 16 of
this Instruction.
5.3.5 Backups
Users should ensure that their work-related data is backed up regularly. To ensure this,
they should store the data on their designated network drives (or make daily/weekly copies to
network drives, if stored on the workstation’s local drive), which are backed up by ICT on a daily
basis in compliance with IN/88 ICT Standards and Guidelines.
Section 06 – E-mail Policy
Version 2.0
Last updated on October 2017
Electronic mail (E-mail) has become a vital, effective and efficient tool for business
communications. However, when inadequately used, it can become a considerable waste of
resources. Like any business transaction, e-mail in the organizational context should be
treated as a professional and formal method of correspondence. All messages sent by users
through the organizational e-mail system are official IOM documents, unless clearly marked
as private. This policy provides guidelines for the proper use of e-mail.
ICT will regularly monitor e-mail distribution lists that are not active and proceed with deletion
after 6 months of inactivity.
6.5 Disclaimer
All outgoing IOM e-mails have the following automatic disclaimer:
“This email message is for the sole use of the intended recipient(s) and may contain
confidential and privileged information. If this email has been sent to you by error, please notify
the sender immediately and then delete the email from your system. Any views expressed in
this message are those of the individual sender, except where the sender specifically states
them to be the views of the Organization.”
E-mail users must keep this disclaimer on all IOM outgoing messages to protect the interests
of the Organization.
6.7.3 Recipients of e-mail and outgoing messages
E-mail distribution lists should be used selectively and messages should only be addressed to
recipients who have a direct interest in the content of the message. Users should avoid placing too
many addresses in the TO field, particularly when actions are requested, because unless
specifically noted in the body of the message, this creates confusion about who should take
action. When replying to a message, Reply to All should be avoided if it is not necessary,
and the address list should be modified to include only those concerned.
For outgoing messages, the subject line of the e-mail should be clear and should relate to the
content of the message. Users should sign the message as the sender, even if it is sent from
a department mailbox or another user account, and the IOM website address should be
included with the signature as required.
Sensitive information and personal data transmitted via e-mail over the Internet is not safe. It
may be read by unintended recipients, and malicious third parties could potentially intercept
and manipulate e-mail traffic.
Therefore, users should not use e-mail to transfer sensitive information and personal data,
such as credentials (username/passwords), personal data and case-specific details of project
beneficiaries, social security numbers or bank account numbers, without the necessary IT
security safeguards such as encryption. Users should limit e-mail recipients on a need-to-know
basis and, where appropriate, use confidentiality indicators, disclaimers, encryption, codes or
pseudonyms to protect confidentiality during e-mail transmission.
Users should not respond to any request from an unknown sender to disclose any information
and data. Such disclosure requests should be escalated to the ICT Division
(ICTDivision@iom.int) for guidance.
Section 07 - Internet Usage Policy
Version 2.0
Last updated on October 2017
The internet, which has grown exponentially over the past years, has become an important
tool to support IOM’s work, and facilitates information dissemination. While IOM recognizes
the internet as an indispensable tool in its day-to-day work, it is important to set standards on
its acceptable, proper and efficient use via the IOM network system.
Every user is expected to use the internet in a responsible manner and consistent with the IOM
Staff Regulations and Rules and the IOM Standards of Conduct (IN/15).
7.1 Privacy
The internet is in the public domain. Users should be aware that all information posted on the
internet will be available to the general public, therefore privacy cannot be expected. Users
should also comply with IOM’s Social Media Policy (Section 8 of this Instruction) when using
social media for personal or business purposes.
7.6 Virus scan
Users are responsible for ensuring that all files downloaded from the internet are scanned for
viruses or malware in order to avoid infecting and damaging IOM’s network system (refer to
Section 6.4. of this Instruction).
Section 08 - Social Media Policy
Version 2.0
Last updated on October 2017
The continuing evolution of the Internet has profoundly changed the way people communicate
today. This is also increasingly evident in the context of migration. Social media platforms
(such as Facebook, Twitter, Instagram, YouTube, etc.) create a dynamic opportunity for IOM
communications and can add value to IOM’s work.
This policy sets standards on the official use of social media for institutional communications
and outreach purposes, and augments the “Social Media Guidelines” from the Media and
Communications Division (MCD), which can be found on IOM’s Intranet under “Manuals and
Guidelines” (https://intranetportal/Pages/HQ_ICP_MCD.aspx). Users are advised to refer to
the guidelines issued by MCD for appropriate use of social media with IOM official accounts.
8.4 Responsibilities
MCD is responsible for all social media accounts that are created or used for IOM official
business purposes. All users should coordinate with and obtain approval by MCD prior to
creating a social media account in the name of IOM. Users should immediately report to the
ICT and MCD Divisions, if they encounter an unauthorized IOM website or social media
account on the internet.
8.5 Copyright
All users should always respect copyrights and intellectual property rights while using third
party contents on social media. As a general rule, users should assume that all materials (text,
photos, videos, etc.) obtained from the Internet are copyright protected. The use of any such
materials requires prior written authorization from the copyright owner. Please contact LEG for
clearance should there be any conditions attached to the authorization by the copyright owner.
The copyright of photos and videos taken by internal users, related to the exercise of their
duties, belongs to IOM.
IOM shall assume copyright of all photos and videos taken by external users or other
authorized individuals and entities working for, or on behalf of IOM, unless agreed otherwise
in writing. Users should respect IOM’s copyright of all material posted on or linked to social
media platforms.
Section 09 - Software Policy
Version 2.0
Last updated on October 2017
This policy sets standards regarding software purchasing, licensing and installation on any of
IOM’s computing devices, operated within the IOM network system locally or remotely.
Ownership of all software licenses acquired by IOM shall be governed by the license
agreement between IOM and the vendor concerned. All such software must be used in
compliance with applicable licenses, notices, contracts and agreements.
ICT shall publish a yearly catalog of software applications and solutions, where organizational
business requirements should be covered. Evaluation of software solutions should be
coordinated with the ICT Division and the usage of freeware software is not permitted.
Each user is responsible for reading, understanding, and following all applicable licenses,
notices, contracts, and agreements for software that he/she uses or seeks to use.
Users needing help in interpreting the meaning/application of any such licenses, notices,
contracts and agreements may contact the ICT Division for assistance
(ITProcurement@iom.int). Unless otherwise provided in the applicable license, notice,
contract or agreement, any duplication of copyrighted software, except when authorized by the
ICT Division, is not allowed.
Section 10 - Application Systems Development Policy
Version 2.0
Last updated on October 2017
This policy sets standards for the development and maintenance of application systems
throughout the Organization which can be: (a) corporate applications used across the
Organization (such as PRISM, Mimosa, etc.); (b) specific project or office applications, which
are used for particular needs and by a limited number of users, such as an IOM Organizational
Unit.
i. User manuals and technical support documentation must be developed and regularly
maintained;
j. Training should be provided to users of the application systems (end-users), as
coordinated with the relevant ICT Staff or the development team;
k. If purchased, the application system must be installed according to the terms defined
by the conditions of purchase;
l. Access credentials (username/password) built into any application system’s code
should have the minimum privileges sufficient to perform the function and, where
applicable, all such credentials must be hashed (encrypted);
m. All IOM application systems must have a level of access control and security defined,
depending upon the nature and sensitivity of the information provided. Where
appropriate, encryption and confidentiality indicators/disclaimers should be used to
protect sensitive information and in accordance with Section 17 of this Instruction;
n. All application systems or tools to be purchased by IOM to support business processes,
must be secured by an appropriate support contract with the software manufacturer or
authorized support vendor in close coordination with the ICT Division
(ITProcurement@iom.int);
o. A process must be developed, documented, and implemented to manage application
systems releases and change activities;
p. Procedures must exist to ensure proper version control, distribution, and tracking of
application systems;
q. Previous versions of application systems and supporting documentation describing
changes must be retained by the relevant ICT Staff to meet business and regulatory
requirements;
r. The ICT Division will maintain an inventory of the existing application systems or
Software library, with their characteristics (purpose, responsible ICT Staff, end-users,
etc.).
Section 11 - Physical and Operational Security Policy
Version 2.0
Last updated on October 2017
This policy outlines physical and operational security measures that are needed to protect
IOM’s ICT resources and the information and data stored therein.
11.2 Anti-virus and anti-spyware
The relevant ICT Staff should:
a. Ensure that all servers have an updated anti-virus installed, which should offer real-time
scanning and protection for files, documents, e-mail attachments, and ICT systems and
applications, compliant with IN/88;
b. Ensure that mailbox servers have either an external or an internal anti-virus scanning
application that scans all e-mail destined to and from the mailbox server;
c. Ensure that all servers have an anti-spyware application installed.
11.7 Unauthorized access
Equipment at Data Centers / Server Rooms at Headquarters and in all the missions and field
offices worldwide needs to be adequately secured from unauthorized access. All Data Centers
/ Server Rooms must be protected with electronic access controls and cameras monitored by
security personnel. The physical location/room in an office handling or processing information
and data deemed secret or confidential, or the desk, drawer or cabinet, must be adequately
secured from any unauthorized access.
Access to IOM Data Centers / Server Rooms and data-processing facilities is to be controlled
strictly on a “need to access” basis. Such access may be logged for security reasons.
Third-party access to IOM Data Centers / Server Rooms and data-processing facilities will be
restricted for authorized third-party services and all such access will be logged. Third-party
services will not be allowed such access, unless accompanied by responsible IOM personnel
for the entire duration of such access.
Section 12 – Business Continuity Management Policy
Version 1.0
Last updated on October 2017
The continuity of IOM business processes is essential to the efficient functioning of the
Organization. Each Department/Regional Office/ Field Office/ Administrative Centre is
responsible for ensuring that business continuity plans are in place to protect their business
processes from any disruption, in accordance with IN/174 Business Continuity Planning (BCP)
Guidelines and in adherence to ISO 22301 the International Business Continuity Standard.
For cases where business processes involve computer systems, procedures must be in place
to ensure that no data is lost and that the systems can be recovered in an acceptable
timeframe.
IOM has a process in place to facilitate business continuity in the event of a significant
disruption to IOM network and systems at Central Hubs (Geneva, Manila, Panama), with
Disaster Recovery procedures that will:
a. Address the implications of a range of disruptions, from extended power outages and
other possible disastrous situations, to small incidents (minor power outages or
virus/malware attacks), which could be significant in terms of disruption and data loss
to the Organization;
b. As part of the overall IOM Business Continuity Plans, define and document the ICT
actions to be taken in the event of a disruption, and define and document ICT plans for
recovery;
c. Identify and categorize, by importance to the business, the business needs for recovery
of all computer systems;
d. Establish the infrastructure to support business continuity and procedures for
periodically reviewing, testing, and updating contingency plans. Such tests of
contingency plans will verify that computing applications can be recovered in the
timeframe required by the business;
e. Ensure procedures and protocols are in place for the management of back-up media,
information and materials required to restore and operate critical computing
environments. Such materials must be stored offsite and be ready for access by
authorized personnel;
f. Define ICT escalation procedures specifying the mobilization and briefing procedures
to be followed in the event of an incident.
The ICT Business Continuity Plan documents the situations in which certain actions will be
taken, the procedures required by the IOM Organizational Unit impacted by the outage, and
the actions ICT will undertake to restore the business systems.
Business Continuity Plans must be tested at least once a year, and reviewed periodically (at
least twice a year) to ensure they reflect updated scenarios.
Section 13 - Management of External Service Providers
Version 2.0
Last updated on October 2017
IOM will require the services of external service providers to supplement resources for
short-term, limited-duration projects or for specific tasks. Providing these individuals with
access to the IOM ICT resources brings with it specific risks that must be mitigated.
13.4 Compliance
Appropriate management and monitoring solutions will be put in place to regularly review the
performance of the external service provider to ensure compliance with this Instruction and
any other policies, rules or procedures of IOM.
Any violation of IOM ICT Policies and Guidelines by external service providers may result in
immediate termination of their contract with IOM, without prejudice to any remedy available to
IOM in law or in equity.
Section 14 - Electronic Data Destruction Policy
Version 1.0
Last updated on October 2017
IOM increasingly collects, organizes, disseminates and manages large amounts of data that,
according to its category and sensitivity, may need to be retained or archived for a specified
time, indefinitely, or may become unnecessary or irrelevant. Some data will need to be
destroyed in compliance with prevalent best practices, and in order to comply with relevant
Instructions. Data destruction, for the purpose of this Instruction, is the process of removing
information from media (the material in which information is stored) in a way that it can no
longer be retrieved or read.
In most cases, simply deleting digital records of data will be insufficient to remove the
information contained therein, so specific methods of disposal need to be used in order to
decrease the likelihood of the information being recoverable. Likewise, the specific data
destruction methods should be based on the underlying classification of the data.
Media sanitization is the process applied to data to make its retrieval unlikely for a given level
of effort. Current best practices for data and media sanitization are software-based techniques,
laboratory-based techniques and methods that render the media unusable (such as physical
destruction).
Before donation or sale of IOM computers or ICT equipment, it is particularly important to
ensure the destruction of all electronic data in them.
Extreme caution should be exercised before undertaking data destruction procedures. It is an
irreversible process and should only be performed by qualified staff with previous written
authorization from the relevant Director/Chief/Head.
14.8 Data Destruction on hard drives and portable USB removable media
Destruction of electronic data can be achieved through software-based tools that perform
overwriting techniques on the information, making it unrecoverable.
Depending on the device type, some manufacturers offer secure erase, overwrite or
sanitization commands and utilities that perform the required sanitization outside of the
operating system level.
The usage of organization-approved software and written authorization (according to the
procedures in Section 14.2 of this Instruction) is mandatory.
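As an added example of the software-based overwriting this section describes (written for this page; it is not an IOM tool and not one of the organization-approved products that Section 14.2 refers to), the Go program below overwrites a file in place with several passes of random data and a final pass of zeros, syncing each pass to disk, before unlinking it. The file name, pass count and sample content are constructed for the illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
	"os"
)

// OverwriteFile overwrites every byte of the file at path in place: `passes`
// passes of random data, then one pass of zeros, each flushed with fsync so
// the writes do not merely sit in the page cache. It returns the number of
// bytes overwritten per pass.
//
// Caveat (a known limitation, not a statement from the Instruction): on SSDs,
// flash-based removable media, copy-on-write or journaling file systems and
// cloud-backed storage, an in-place overwrite may land on different physical
// blocks than the original data. That is the case for which the manufacturer
// secure erase / sanitization commands mentioned in Section 14.8 exist; this
// routine is only adequate for plain magnetic disks.
func OverwriteFile(path string, passes int) (int64, error) {
	f, err := os.OpenFile(path, os.O_WRONLY, 0)
	if err != nil {
		return 0, err
	}
	defer f.Close()
	info, err := f.Stat()
	if err != nil {
		return 0, err
	}
	size := info.Size()
	buf := make([]byte, 64*1024)

	// writePass rewinds the file and writes size bytes produced by fill.
	writePass := func(fill func([]byte) error) error {
		if _, err := f.Seek(0, io.SeekStart); err != nil {
			return err
		}
		for remaining := size; remaining > 0; {
			n := int64(len(buf))
			if remaining < n {
				n = remaining
			}
			if err := fill(buf[:n]); err != nil {
				return err
			}
			if _, err := f.Write(buf[:n]); err != nil {
				return err
			}
			remaining -= n
		}
		return f.Sync()
	}
	randomFill := func(b []byte) error { _, err := rand.Read(b); return err }
	zeroFill := func(b []byte) error {
		for i := range b {
			b[i] = 0
		}
		return nil
	}
	for i := 0; i < passes; i++ {
		if err := writePass(randomFill); err != nil {
			return 0, err
		}
	}
	if err := writePass(zeroFill); err != nil {
		return 0, err
	}
	return size, nil
}

// SanitizeFile overwrites the file and then unlinks it. The written
// authorization and approved-tool requirements of Section 14.2 are
// organizational controls and are not modelled here.
func SanitizeFile(path string, passes int) (int64, error) {
	n, err := OverwriteFile(path, passes)
	if err != nil {
		return 0, err
	}
	return n, os.Remove(path)
}

func main() {
	// Constructed sample: a throwaway temp file standing in for a document
	// that has reached the end of its retention period.
	f, err := os.CreateTemp("", "sanitize-demo-*.txt")
	if err != nil {
		panic(err)
	}
	f.WriteString("constructed sample: confidential beneficiary list")
	f.Close()
	n, err := SanitizeFile(f.Name(), 3)
	fmt.Printf("overwrote %d bytes in 3 random passes + 1 zero pass, err=%v\n", n, err)
}
```

The caveat in the comment is the practical one: in-place overwriting is only meaningful where the file system writes back to the same physical blocks. Where it does not (SSDs, flash-based removable media, copy-on-write or journaling file systems, cloud storage), the manufacturer secure erase or sanitization commands the section mentions are the right tool, and the overwrite above gives no assurance.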
14.9 Physical destruction of data containers
When physical destruction of a data container is required, environmental and safety factors
must be prioritized, by only using industry-accepted solutions.
Printed materials (considered a representation of information, as per Section 14.1 of this
Instruction) containing confidential or secret data, when no longer needed, should be
destroyed using crosscut paper shredders, ensuring that the resulting pieces are small enough
to render reconstruction impossible. For an additional layer of assurance, material containing
information classified as confidential or secret can be shredded mixed with non-sensitive
material.
Physical destruction of optical media (CD/DVD) should be done with caution. When resources
make it possible and the number of CDs/DVDs is large, optical media shredders should be
used. Some crosscut paper shredders have additional capabilities for shredding CDs/DVDs.
Section 15 - Encryption Controls Policy
Version 1.0
Last updated on October 2017
This policy sets standards regarding encryption and encryption key management required
for maintaining the confidentiality and integrity of IOM's data, when data encryption is used as
an information protection control. It applies to all devices, physical or virtual, where IOM data
is classified as Confidential or Secret.
15.1 Scope
Encryption is defined as a cryptographic process aimed at enhancing the security of and
protection of electronic data, by converting readable information into unintelligible information.
As a result, encryption becomes an effective tool against the threat of unauthorized access to
data. However, it is important to highlight that data encryption must never be used alone, but
in conjunction with other controls, such as access control, authentication and authorization.
Data encryption implementations should be proportional to the classification of the data to be
protected (please refer to Section 17 of this Instruction); this requirement applies to all IOM
ICT systems and networks.
15.2 Requirements
Encryption of data in transit: Any data classified as Confidential or Secret must be transmitted
via encrypted communication channels, even when being transmitted inside IOM’s network.
Data classified as Restricted / Internal use must be transmitted via encrypted communication
while traversing public networks.
Encryption of data at rest: Any data classified as Confidential or Secret, and having a required
need for confidentiality and/or integrity, must be encrypted at rest in systems and/or databases
and/or portable media. When the implementation of encryption at rest or in transit is not
possible, mitigation controls must be put in place. These controls must combine business
practices and technology.
15.3 Encryption Services
Symmetric key algorithms: The following algorithms shall be used for encrypting Confidential
and Secret information.
• Advanced Encryption Standard (AES) (128, 192, or 256 bit)
• Triple-DES Encryption Algorithm (TDEA) (56, 112 or 168 bits)
Asymmetric key algorithms: The following algorithms shall be used for encrypting Confidential
and Secret information.
• Digital Signature Standard (DSS) - Digital Signature Algorithm (DSA) (1024, 2048,
3072 bits)
• RSA (2048 or 3072 bits)
• The Elliptic Curve Digital Signature Algorithm (ECDSA) (minimum 384 bit)
Secure Hash Standard (SHS): The following algorithms shall be used when a hashing
operation is required:
• SHA-1: Should only be accepted when required for legacy systems, but should not be
used for new implementations.
• SHA-2 (SHA-256, SHA-384, SHA-512, SHA-512/224 and SHA-512/256)
• SHA-3 (SHA3-256, SHA3-384, SHA3-512, SHAKE128 and SHAKE256)
15.4 Encryption Key Management
Proper encryption key management is critical to prevent unauthorized disclosure or
irretrievable loss of data.
Cryptographic private or shared keys, cryptographic secrets, and authentication secrets or
hashes intended to protect data will be classified as Confidential as per Section 17 of this
Instruction.
All application owners, where data is being encrypted at rest or in transit, must implement an
encryption key management plan, to ensure data can be decrypted when access is necessary.
Backup or other strategies must be implemented to enable decryption.
The encryption key management plan must address ways for handling the compromise or
suspected compromise of encryption keys, and the destruction or revocation of encryption
keys that are no longer in use.
All symmetric encryption keys used on systems associated with Confidential or Secret data
must be randomly generated according to industry standards.
Where symmetric encryption is used to protect data:
• Master keys shall be changed at least once per year.
• Data encrypting keys shall be changed once per session or every 24 hours.
When asymmetric encryption is used, the operational period of asymmetric keys associated
with a public key certificate is defined by the encryption key management plan.
Encryption keys shall be stored within an encrypted key store or an otherwise encrypted form
using approved algorithms; or the keys may be stored on a security token (e.g., a smart card).
The encryption keys shall never leave the device if stored on a security token.
Encryption keys are classified as confidential information, with strict accessibility restrictions.
Owner(s) of data protected via encryption services, shall explicitly assign responsibility for the
encryption key management that should be used to protect this data. If keys are transmitted
electronically, they shall be sent in encrypted form. The exchange of keys should employ
encryption with a stronger algorithm than that used to encrypt data protected by the keys.
Encryption keys that are compromised, lost or stolen constitute a security incident and must
be reported immediately to the ICT Division (ICTDivision@iom.int) as outlined in Section 16 of
this Instruction. The key shall be revoked or destroyed and a new key generated. Key re-
assignments shall require re-encryption of the data.
Section 16 - Information Security Incident Management Policy
Version 1.0
Last updated on October 2017
For the purposes of this policy, an observable occurrence in an ICT system at a particular point
in time is considered an event. When an adverse event, or the significant threat of an adverse
event, entails actual or possible damage to the organization’s ICT infrastructure or
information assets, IOM considers it an information security incident.
Suspected and observed information security incidents must be reported immediately to the
ICT Division (ICTDivision@iom.int), where information regarding security incidents is to be
considered confidential as per Section 17 of this Instruction.
c. The Senior Information Security Officer (SISO), in close coordination with the Director
ICT / Chief Information Officer (CIO), is responsible for evaluating and categorizing
security incidents, as well as coordinating response, mitigation and protection activities.
d. When information security incident data suggest a possible breach of IOM regulations
or suspected fraud by IOM staff, the SISO shall prepare a confidential incident report
to the Director ICT / Chief Information Officer (CIO) for further endorsement or
escalation to the Ethics and Conduct Office (ECO) as applicable.
e. For information security incidents of high severity, or on the recommendation of the
SISO, the Director ICT / Chief Information Officer (CIO) may instruct disconnection of
ICT systems or services in IOM Data Centers / Server Rooms or affected IOM offices,
to prevent further expansion of the threat or incident.
f. Upon identified information security incidents, the ICT Division shall propose and
undertake the necessary adjustments to security protocols and security protections to
prevent future instances of the incident.
Section 17 - Information and Data Classification Policy
Version 1.0
Last updated on October 2017
This policy provides guidance on the information and data classification process, describing
the different classification levels and by whom and how they should be applied. In this policy,
information (processed data) and data (unprocessed information) are used in a broad sense
and include fully or partially processed, unprocessed, interpreted, organized, or structured
information and data.
Information and data classification procedures are required as the basis for information
security decisions in the organization, to allocate adequate resources for information
protection.
17.2 Responsibilities
Migration Data Sets
As per IN/253, Data Stewards are responsible for the classification of data sets under their
responsibility.
Other Data Sets, Organizational and other documents
Organizational documents of worldwide applicability (instructions/policies/etc.), that have not
been otherwise already classified through other rules or by agreements with external parties,
will be classified by Directors/Chiefs/Heads. Classification of all other documents will be
assigned by the respective author or, in the case of a file, the individual who created the file
(hereinafter referred to as “Information and Data Creators”). In the case of a file, the
classification given to the file must align with the information classification of the data in that file.
Directors/Chiefs/Heads, as well as information and data creators are responsible for choosing
the appropriate classification level and applying the classification criteria (see below,
“Classification Levels”). In doing so, they need to consider the potential consequences of
unintended disclosure and how those may compromise IOM’s interests.
The Directors/Chiefs/Heads as well as the information and data creators are further
responsible for labelling or otherwise identifying the information or data in a way that allows
easy recognition of the classification, and for applying the safeguards in accordance with the
classification level and as defined herein.
All users are required to comply with the classification and implications described herein.
17.3 Classification Levels
All Information and data should be assigned to one of the following classification levels:
• Public
• Restricted / Internal Use
• Confidential
• Secret
17.3.1 Public
Information and data should be classified as “Public” when it is intended for unrestricted use,
can be distributed to the public without restriction, poses no risk in case of unauthorized use,
and has no adverse impact on IOM’s mission, safety, finances, or reputation. Information and
data that has been classified as “Public” can be shared with any third-party.
17.3.3 Confidential
Information and data must be classified “Confidential” if it is sensitive, internal to IOM and that
if disclosed could negatively impact IOM activities. In case of unauthorized use, there is a
moderate risk for IOM. Access shall be limited to one individual or a well-defined group of
individuals. The Directors/Chiefs/Heads as well as information and data creators must define
the information distribution list.
Considering the confidential nature of information and data in this category, recipients shall
exercise good judgment and, when in doubt, consult with the information and data owner
before copying, forwarding or otherwise sharing the Information with someone else.
Users who accidentally come across information and data which has been classified as
“Confidential” must not use the content and must immediately contact the Directors/Chiefs/Heads
or the information and data creator to report the situation.
17.3.4 Secret
Information and data classified as “Secret” is reserved to highly sensitive instances intended
for limited, specific use by individuals with a legitimate need to know. In case of unauthorized
use, there is a high risk for IOM. Specific handling procedures shall be established on a case-
by-case basis and indicated specifically.
17.4 Scope
All Migration Data Sets, other datasets, organizational documents and other documents
created by users are subject to classification, irrespective of format or whether they are in
electronic or paper form. Classification of migration data sets is governed by IN/253.
Given the frequency and nature of internal electronic communications, it would be impractical
to classify each of them. Consequently, internal electronic communications will be considered
“Restricted / Internal Use”, unless they are intended to communicate confidential information,
in which case they should be classified as “Confidential” accordingly.
Information and data that is not classified, would be automatically considered “Restricted /
Internal Use”, with the exception of data from Migrant Applications Unit (MAU) applications or
PRISM, which are to be treated as “Confidential”.
Information and data classified as “public” must be labelled accordingly and specifically.
17.5 Declassification
Unless otherwise provided for in other rules or agreements with external parties,
Directors/Chiefs/Heads under whose control the information or data is may declassify or lower
a previously assigned classification if:
• Consultation was done with the originator (internal or external)
• No date or event for declassification was specified
• The reasons that caused it to be classified originally, have changed or no longer exist
Section 18 - Cloud Computing Services Policy
Version 1.0
Last updated on October 2017
Cloud computing services and technologies entail a dedicated, customizable and quickly
scalable pool of computing resources for the provision of ICT infrastructure, applications and
services. This represents a valuable opportunity for IOM to optimize and leverage ICT
infrastructure and services deployment, but has associated risks that must be addressed and
mitigated.
For the purposes of this policy, a cloud computing service is any third-party-managed ICT
solution that exists outside of IOM, accessible over the internet, for storing or processing
information. The service is considered to be outside of IOM if not hosted in IOM data centers /
server rooms.
This policy outlines a set of mandatory controls and regulations that must be followed to secure
adequate and unified cloud services deployment strategies in the organization.
18.2 IT Risk Management for Cloud Computing Services
In compliance with organizational regulations on Risk Management (IN/213) and IT Risk
Management Policy in this Instruction, an assessment of Cloud Computing Services risk must
be done before implementation and as outlined herewith.
• Donor considerations: If IOM agreed to specific donor requirements or restrictions
regarding the implementation of the service, or where to store the data.
• Implementation timelines: Cloud Computing Services often allow for quick availability
and scalability or expansion of the contracted services.
• Availability and planning: Current technological trends offer a variety of cloud
computing solutions, where an implementation strategy must be done accordingly in
consultation with the ICT Division.
18.5.3 Authorized Cloud Computing Services
Only Cloud Computing Services approved by the ICT Division can be used for any deployment.
Authorization by ICT Division is also necessary for the utilization of “free” cloud computing
services for cases such as team-collaboration or cloud-based file sharing for IOM business
purposes.
The below matrix summarizes the required evaluation (headings and rows recovered from the
extracted table; the column alignment of the marks was lost in extraction):
Evaluation criteria: Encryption of Confidential Data in Motion; Organization Maturity; Service
Management; CSA Questionnaire; IT Security Annex; Hosting Provider; Liability Clause; Cloud
Provider; Management; Exit Clause; Contract; Annex.
Business Impact:
Negligible X X X1 X1 X X X
Moderate X1 X X X X X1 X1 X X X
Significant X1 X X X X X X X1 X1 X X X
Major X1 X X X X X X X1 X1 X X X
X1 - Only applicable sections of the document
Section 19 - Removable Media Policy
Version 1.0
Last updated on October 2017
Removable media provides added flexibility for transporting electronic data between devices.
At the same time, it also presents an increased risk of virus/malware infection and data loss,
given the possibility that such media will be connected to other workstations and networks
outside of the organization.
This policy sets standards related to the utilization of removable media, its acceptable uses
and security precautions that must be observed when using such devices.
19.1 Scope
This policy applies to any removable media device being connected to an IOM workstation
(desktop or laptop), server, mobile device (phone/tablet), and other types of USB-enabled
devices. The items and connectivity options listed below are collectively referred to as
“removable media” for the purposes of this policy.
This policy applies to removable media devices such as (but not limited to):
• External hard drives (USB, Thunderbolt, solid-state drive)
• USB memory sticks / USB Flash Drives
• Memory cards such as SD / SSD / SM / MM / CF Cards
• External optical media such as CD/DVD drives
• Mobile telephones/smartphones and tablets
• Digital cameras or digital media players (audio/video)
• Personal Computer Memory Card International Association (PCMCIA) devices such
as hard disks, network cards, and others
The connection of removable media devices can be any of the following ways:
• Through dedicated cable connection (e.g. USB or Lightning cable)
• Through Wireless connection such as Wi-Fi, Bluetooth, or infrared
• Through any other remote or physical connection
19.3 Encryption and Erasure
For the utilization of removable media, it is mandatory to use data encryption in full compliance
with the provisions outlined on Section 15 of this Instruction, as well as full compliance with
Section 14.
Section 20 – IT Risk Management Policy
Version 1.0
Last updated on October 2017
Annex A – ICT Confidentiality and Conflict of Interest Agreement
The ICT Division will be responsible for identifying staff with administrator rights for
workstations, file servers and e-mail servers. A record of signed agreements will be maintained
by ICT and HRM.
1. I hereby acknowledge that within the scope of my work I will have access to different types of
information and data that is proprietary to the International Organization for Migration (IOM). I
recognize the critical importance of protecting the privacy of individuals and securing the
confidentiality of all organizational records and undertake to protect and secure IOM data and
information which comes into my knowledge or possession.
2. I understand that I may be granted privileged access to or custody of Information and
Communications Technology (ICT) computing systems, applications, databases, network
monitoring tools or other equipment that may contain records and information that are
confidential in nature. I acknowledge that I may be entrusted with such privileged access and
encounter or have access to sensitive, confidential or proprietary information whether or not it
is labeled or identified as such.
3. I hereby undertake to ensure that my conduct and usage of ICT resources will always be in
accordance with the provisions of the ICT Policies and guidelines issued by IOM from time to
time and I shall uphold the integrity and confidentiality of ICT systems and data belonging to
IOM.
4. I acknowledge the sensitive and confidential nature of information concerning persons
employed by IOM, donors, vendors, partners, beneficiaries and other members of the IOM
community. I understand and agree that this information may only be disclosed with proper
authorization from my supervisor and in the exercise of my designated duties.
5. I hereby undertake that I shall use IOM ICT systems only for the purposes for which they are
intended and only to the extent I am authorized to use them. I agree not to use any privileged
access or information and data available to me in the course of my duties to engage in any
activity that conflicts with the interests of IOM.
6. Specifically, with respect to IOM’s computing systems, networks, records, files, e-mail and other
information, I agree that I shall treat all such information as strictly confidential and that I shall
respect the privacy of users and the integrity of the systems and the related physical resources.
7. I further agree not to independently contract to perform or provide information technology
services to other external entities while employed by IOM or to use IOM’s resources in the
delivery of privately contracted services. I understand IOM’s resources include time, equipment,
computers, systems, tools, software, telephone, e-mail or other items that are provided by or
acquired through my employment relationship with IOM.
8. I understand and agree that my failure to comply with the terms of this agreement will have
consequences and may result in appropriate action taken against me by IOM including
immediate termination of my contract, depending upon the infraction’s severity, evidence of my
intentions, and the sensitivity and scope of the information compromised.
9. I understand and agree that my obligation to comply with this agreement shall survive the
termination of my employment with IOM. I also agree that, when my employment with the IOM
ends, I will not keep in my possession any documents, records, files, computer programmes,
hardware/software, other IOM assets or copies thereof, and I shall not recreate or deliver to
anyone else, any confidential, sensitive, or proprietary information that I acquired while
employed by the International Organization for Migration, whether or not it is labeled as such.
10. In addition, and more specifically, I shall:
a. access, copy and store data or information solely in the performance of my job
responsibilities, limiting perusal of contents and actions taken to the least necessary to
accomplish the specified task.
b. when providing direct services to users, copy and store data or information only with the
user’s consent, only to complete a specified task, and only to copy and store user data
for long enough to complete the specified task.
c. not engage in identity misuse of any form, impersonate another user or, knowingly or
through gross negligence, cause another person to use an identity that does not belong
to the person concerned. In particular, I will not intrude into ICT systems under other
users’ custody without their knowledge or explicit authorization.
d. not seek personal benefit or permit others to benefit personally from any data or
information that has come into my knowledge or possession during my work assignments.
e. not make or permit unauthorized use of any information in IOM’s information systems or
records.
f. not enter, change, delete or add data to any information system or file outside of the scope
of my job responsibilities.
g. not intentionally or knowingly include or cause to be included in any record or report, a
false, inaccurate or misleading entry.
h. not intentionally or knowingly alter or delete or cause to be altered or deleted from any
records, report or information system, a true and correct entry.
i. not release IOM data and information in my custody, other than what is required for the
completion of my job responsibilities.
j. not communicate, transfer, exhibit, or divulge the contents of any record, file or
information system to any person or entity, unless explicitly authorized by my supervisor.
k. not use my technical knowledge to circumvent controls imposed on IOM ICT systems and
assets (including, but not limited to connecting any non-IOM ICT resources to the IOM
Network or loading non-IOM ICT data onto any IOM ICT resources) unless it is in full
compliance with Sections 1.6 and 1.6.1 of this document.
l. take every reasonable precaution to prevent unauthorized access to any passwords, user
identifications, or other information that may be used to access IOM information systems
or records.
m. limit access to information contained in or obtained from the systems to authorized
persons.
n. report any incidents of my non-compliance with the terms of this agreement to my
supervisor.
By signing this agreement, I certify that I have read and understood the contents of this agreement and
declare that I shall fully comply with all aspects of this agreement.
Annex B – Third Party Access Request Form
THIRD PARTY ACCESS REQUEST FORM
MAILBOXES AND/OR USER FILES
This form is to be used for requesting third party access to a user’s mailbox and/or other electronic documents
and communications (user files). The Conditions for Third-Party Access Requests as outlined in section 1.7.1
of this Instruction shall apply.
I. Details of the account and data to which access is required (the person requiring access to complete).
Mailbox [ ] ___________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
Description of the nature of the information and data needed to meet the specified purpose(s):
_____________________________________________________________________________________
_____________________________________________________________________________________
_____________________________________________________________________________________
II. Details of the person requesting access (the person requiring access to complete).
I confirm that I have read and agree to comply with the conditions as per this Instruction governing my access
to another user’s information and data:
III. To be completed by the requestor’s Director/Chief/Head and sent to the DGO/Chief of Staff for approval.
I agree to the request by the staff member named in Section II to access the e-mailbox and/or user files of the
person named in Section I for the reasons and period specified above. I confirm that such access is necessary
and in the interests of IOM.
IV. The following person is designated to monitor the access (the person monitoring access to complete).
I confirm that I have read and agree to comply with the conditions as per this Instruction governing my monitoring
of the access to another user’s data.
Yes [ ], I authorize the staff member designated in Section II to access, and the person designated in Section
IV to monitor access to, the mailbox and/or user files specified in Section I of this form.
AND/OR
Yes [ ], I authorize the Director ICT / Chief Information Officer (CIO) to provide the required access detailed in
Section I to the staff member in Section II and the designated person in Section IV for the stated duration.
(Please forward the original form to ICT Division for action)
No [ ]. Comments/special instructions:_________________________________________________________
Annex C1 – Account Management - User Account Creation Form
Please send a scanned, signed copy of this form to your local ICT Support if available; HQ users send it to Global User Support Geneva
and all others to ICT Global User Support (support-ict@iom.int), copying the Unit’s Supervisor. Please submit this form at least three
working days before the new user’s entry on duty.
User’s Contract Expiry Date (day-month-year): (Unless ICT is notified in advance of a contract extension, the
account will be disabled automatically on the day after the contract expiry date.)
General information:
PRISM Personnel Number:
First Name:
Last Name:
Job Title/Function:
Duty station / Department / Unit:
Supervisor's Name:
User’s computer available? [ ] At user’s desk [ ] With procurement/admin [ ] In process
Requested date of set-up:
Office location and telephone extension:
Name of replaced staff (when applicable):
Network Account
Network Drive Access (drive(s) or folder(s) the user should have access to):
Applications Needed: [ ] PRISM [ ] PRIMA [ ] MiMOSA [ ] iGator [ ] Amadeus [ ] UKTB [ ] RMI [ ] LTS
[ ] Others (specify):
Membership
Distribution list(s) membership:
Access to specific shared mailboxes:
Annex C2 – Account Management - Account Transfer/Update Form
Please send a scanned, signed copy of this form to your local ICT Support if available; HQ users send it to Global User Support Geneva
and all others to ICT Global User Support (support-ict@iom.int), copying the Unit’s Supervisor. Please submit this form at least three
working days before the required readiness date.
Remarks:
By signing this form, the user confirms that all necessary work-related files have been duly handed over to his/her
supervisor or successor.
Annex C3 – Account Management - Account Deletion Form
Please send a scanned, signed copy of this form to your local ICT Support if available; HQ users send it to Global User Support Geneva
and all others to ICT Global User Support (support-ict@iom.int), copying the Unit’s Supervisor. Please submit this form at least three
working days before the separation date.
General Information:
PRISM Personnel Number:
First Name:
Last Name:
Username:
Domain (AS/EU/IOMINT):
Job Title/Function:
Duty station / Department / Unit:
Supervisor's Name and E-mail:
Remarks:
Upon the effective date of separation, the user’s network and e-mail accounts will be disabled for all
access, and the associated workstation will be wiped for re-deployment.
One (1) month after the effective separation date, the user’s network and e-mail accounts will be deleted
irreversibly.
By signing this form, I confirm that I have duly handed over all my work-related files to my supervisor or successor and
certify that I shall not retain any IOM information and data which came to my knowledge and possession while employed
by IOM.
Annex C4 – Account Management - E-mail Distribution List (DL) / Shared Mailbox Form
Please send a scanned, signed copy of this form to your local ICT Support if available; HQ users send it to Global User Support Geneva
and all others to ICT Global User Support (support-ict@iom.int), copying the Unit’s Supervisor. Please submit this form at least three
working days before the required readiness date.
UPDATE/CONVERT:
E-mail DL / Shared Mailbox name:
Update Display name / E-mail to:
Update Owner to (Name/E-mail):
Convert: [ ] E-mail DL to Shared Mailbox OR [ ] Shared Mailbox to E-mail DL
Update Shared Mailbox Access:
ADD authorized user(s): _______________________________________
REMOVE authorized user(s): _______________________________________
IOM E-mail Distribution Lists do not accept incoming messages from non-IOM senders. Exceptions
are considered only on a case-by-case basis and must be properly justified to the Head of Global
User Support for approval; provide the details below:
________________________________________________________________________________
Remarks:
Upon the E-mail DL’s/Mailbox’s expiration date, the associated E-mail address will no longer exist, and messages
sent to that address will return a non-delivery notice to the sender(s).
Requests for extension of the expiration date should be sent in advance to ICT Global User Support
(support-ict@iom.int), attaching a scanned copy of this initial creation form duly signed.
By signing this form, I confirm that the requested E-mail DL/Mailbox will be used for IOM business purposes, in
compliance with relevant ICT Policies and Standards.