Information Security Policy for Ronzag

Technical Report · December 2019


DOI: 10.13140/RG.2.2.15344.81929


Author: Shafiq Lutaaya, Makerere University



MAKERERE UNIVERSITY

COLLEGE OF COMPUTING AND INFORMATION SCIENCES


SCHOOL OF COMPUTING AND INFORMATICS TECHNOLOGY

INFORMATION SYSTEMS SECURITY


Lecturer: Dr. Rehema Baguma

INFORMATION TECHNOLOGY SECURITY POLICY:


RONZAG WEB SERVICES.

www.ronzag.com

BY

SHAFIQ LUTAAYA
REG. NO: 2018/HD05/2094U
STUDENT NO: 1800738426
lutayashafiqholmes@gmail.com | info@ronzag.com
+256702772721
shafiqlutaaya.ronzag.com

OPTION: ISM

October, 2019

Information Security Policy Approvals

Name, Title, Date, Signature

Dr. Rehema Baguma, Executive Director
Mr. Shafiq Lutaaya, Chief Information Officer
Mr. Frank Musoke, Training Manager
Ms. Esther Apio, Enterprise Architect
Mr. Simon Odong, Chief Financial Officer
Mr. Timothy Wasike, Google AdWords Specialist

Table of Contents

Purpose
Policy Definition
Direction
Scope and Responsibilities
Specific responsibilities
    Chief Executive Officer
    All users
    Information Security
    Information Governance Board
    Management
    Information Asset Owners
    Guardian
    Shared Services
    Human Resources and Development
Review of Information Security Policy
Information Security Policy – Exceptions
Associated Documentation
Appendix A
    Associated documentation
Appendix B
    Legislation

Ronzag Web Services: Information Security Policy

Introduction

Goal Number of the United Nations Sustainable Development Goals calls on us to contribute to Innovation, Industry and Infrastructure for the betterment of the world by 2040. Since its inception in 2015, Ronzag Web Services has been privileged to serve the people of Uganda, and the world, by providing quality Information Technology Services including Google AdWords Advertising Campaign Management, Web Applications Development, Email Management, Web site hosting and, most importantly, connecting the world through the social network www.ronzag.com, thereby contributing to the global goals set by the United Nations.

Purpose

The purpose of Information Security for Ronzag Web Services is to protect the company’s information assets, regardless of whether these are held in manual or electronic form. This will help to safeguard the reputation of the company, to optimise the management of risk and to minimise the impact of Information Security incidents. Implementation of this Policy will provide assurance to stakeholders, partners and citizens that their information is held securely and used appropriately by the company, whilst complying with legislation and satisfying auditors. Further, it is a key enabler for information sharing through enhanced controls, e.g. supporting access channel strategy, business continuity planning, citizen-focused services, first contact deployment and flexible working.

Policy Definition

The International Standard: ISO 27001 Code of Practice defines Information Security as the preservation of three aspects of Information:

• Confidentiality: Information is only available to those that are authorised to gain access.
• Integrity: Safeguarding the accuracy and completeness of information and processing methods.
• Availability: The assurance that authorised users have access to information and associated assets when this is required.

Information takes many forms. It may be processed and stored on computers or in other electronic form, printed or written on paper, shared through voice or video communications, transmitted through post or electronic means such as e-mail or fax, made available on corporate videos or web sites. Whatever form the information may take, or means by which it is shared, stored or processed, it should always be appropriately classified and protected according to that classification.

Information systems and the information they process and store are a vital asset to
Ronzag Web Services. Ronzag is dependent on the availability of accurate
information to provide local government services.

Any loss of computer systems or the information they contain could have serious repercussions for Ronzag and / or its clients. A breach of security during processing, storage or transfer of data could result in financial loss, personal injury to a member of staff, or client, serious inconvenience, embarrassment, or even legal proceedings against Ronzag, and possibly the individuals involved. In order to ensure the confidentiality, integrity and availability of these systems an appropriate level of security must be achieved and maintained. The level of security implemented on each of the various systems will be consistent with the designated security classification of the information and the environment in which it operates.

Information on computer systems will be protected with anti-virus software, which will be updated regularly. Scans will be carried out regularly on all servers, workstations and laptops, and virus definitions will be updated each weekday. Updates and scans will be automatic for every machine and must not be turned off or bypassed.

Ronzag will take appropriate steps to prevent, detect, and recover from any loss or
incident, whether accidental or malicious, including error, fraud, misuse, damage and
disruption to, or loss of computing or communications facilities.

A security risk assessment will be carried out on each information asset to identify the
level of protection required. The security and control procedures required will take
into account the sensitivity and value of the information.

All groups must have business continuity plans for information that is deemed to be critical.

Direction

Information Security is a key enabling mechanism for supporting the strategy for e-Government, knowledge sharing and joined-up team working. It promotes trust both internally and externally in shared data and infrastructure. Ronzag’s strategic direction for Information Security is to provide a strong forward-looking information management system that is clearly aligned to the Company’s Corporate Vision and strategic priorities. This vision for Information Security reflects its growing role in maintaining trust and confidence both within the company and outside.

The National Information Technology Authority (NITA-U) has produced data handling procedures designed for local authorities to use as standard guidelines. They set out the fundamental steps that every company should take to mitigate the ever-present risk that personal information is lost or that data protection systems fail. They therefore provide chief executives, senior managers and elected members with a vital aid in discharging their responsibilities and accountability for secure and effective handling of personal information. The guidelines were prepared by working closely with companies and central government to meet local government circumstances.

As governments cast a wider net on their ability to share sensitive information among
agencies, security requirements dictate that a sophisticated internal networking
environment be developed within the authority.

This security policy ensures that the fundamental security principles of the data handling guidelines are followed.

Scope and Responsibilities

The Ronzag Web Services Information Security Policy is applicable to:

• All Company information, information owned by its clients and partners, and information about its clients.
• All Company members, permanent, contract and temporary personnel, and all third parties, who have access to Ronzag premises, systems or information.
• All Company systems, software, and information created, held, processed or used on those systems or related media, electronic, magnetic, or written/printed output from Ronzag systems.
• All means of communicating information, both within the Company and externally. For example, data and voice transmissions or recordings, post, e-mail, sms/text, cameras, whiteboards, memory sticks, disks, fax, telex, image/sound processing, video-conferencing, photocopying, flip charts, general conversation etc.

It also includes the requirement to comply with any criminal and civil law, statutory,
regulatory or contractual obligations, and any other security requirement, including
business continuity management.

Information security is not an option. We are all required to maintain a minimum level
of Information Security to maintain our legal and contractual obligations. Defined and
approved policies and standards of information security must be implemented.

The Service Manager for Information Management and the Security Specialist(s) are responsible for defining Information Security policy and standards. Department heads and service providers are responsible for implementing policies and standards in their area of jurisdiction. Furthermore, these policies and standards must be included in service level agreements and contracts with IT service providers.

Non-compliance with this policy will be dealt with under the relevant Company procedures and may result in disciplinary action, termination of contract, or criminal prosecution in the most serious of cases.

This policy is a living document and thus frequently updated to reflect technological,
legal and organisational changes. It should therefore be revisited on a regular basis by
all staff.

Specific responsibilities
Chief Executive Director

The Chief Executive Director is ultimately responsible for ensuring the implementation of this Security Policy. It is the responsibility of all employees to ensure that they conduct their business in accordance with this Policy.

All users

Users of systems and information must:

• Access only systems and information, including reports and paper documents,
to which they are authorised.
• Use systems and information only for the purposes for which they have been
authorised, and only from Ronzag ICT controlled or authorised secure
equipment and approved software.
• Comply with all appropriate legislation, and with the controls defined by the Information Owner, and all corporate Policies, Standards, Procedures and Guidelines.
• Not disclose confidential information to anyone without the permission of
the Information Owner.
• Keep their passwords and other access credentials secret, and not allow
anyone else to use their account, or equipment or media in their care, to gain
access to any system or information.
• Notify their immediate superior, or the Security Specialist or the Service
Manager for Information Management, of any actual or suspected breach of
Information Security, or of any perceived weakness in the Company Security
Policies, Procedures and Practices, Process or infrastructure.
• Establish the identity and authority of anyone requesting information access or information system access, e.g. for servicing or repairs.
• Familiarise themselves with this Policy, and all applicable supporting Policies,
Procedures, Standards and Guidelines. Compliance with this Policy is
mandatory, and any employee failing to comply will be subject to disciplinary
procedures, revoking of access &/or prosecution in serious cases.
• If responsible for management of third parties you must ensure that those third
parties are contractually obliged to comply with this Policy and are aware that
their failure to comply may lead to contract termination &/or prosecution in
serious cases. Use the relevant Ronzag “Code of Connection” terms.
• Be aware that the Company monitors the content and usage of its systems
and communications to check for Policy compliance.
• Never leave computers logged into the network unattended unless password protected screen locking is available and has been engaged (Ctrl+Alt+Delete).
• Keep your desk clear of all confidential paper files and documents when you
are not working on them. Maintain a clear desk policy when leaving your desk
unattended for any period of time and out of office hours. Keep all confidential
paper files and documents in secure, lockable cabinets.

• Not take confidential documents or materials home; however, if this is unavoidable, do consider the use of lockable bags or cases when it is necessary to carry paper files or documents in person.
• Stand at public Fax machines/printers or have documents containing confidential information retrieved immediately so that unauthorised individuals have no opportunity to see the information.
• Not store confidential electronic files and documents on your computer’s local drive (C:) or mail to a personal email address in order to work on them at home.
• Not use standard USB data sticks or digital drives as portable temporary storage for electronic files and documents. AES 256 standard encrypted USB data sticks may be used only after the Service Manager for Information Management has approved a valid business case. If permission is granted, these USB data sticks may only be purchased from Procurement.
• Purchase all new laptops, mobile phones, PDAs and any other hand held devices capable of storing data, through the Security Manager to allow encryption software to be installed prior to being released to you. This ensures that the device is protected should it be lost or stolen. Any existing Company owned laptops or portable devices should be returned to the Security Manager who will make appropriate arrangements to have the encryption software installed at a predetermined rate.
• Lock all laptops away in a secure cabinet when not in use in the office or in the home and never leave on the back seat of a car!

Information Security

The Service Manager for Information Management and the Security Specialist(s) will act as the focus for all Information Security issues, suggesting policies to mitigate risk, and assisting with their interpretation into team procedures and standards, whilst implementing those aspects affecting the operational security of the Company’s Information and IT infrastructure.

Information Governance Board

An Information Governance Board (IGB) has been established and the Company’s Section 151 officer (Corporate Director Finance) has assumed the role of the Information Governance Lead with delegated authority from the Chief Executive. This Board will provide the forum by which Information Management issues are translated into an ongoing strategy and action plan; it will ensure a consistent approach across the Company, promoting information management and sharing, including partnership working.

The IGB will be represented by all levels of management to provide visible management
support and clear direction for information security at the executive level.

Management

Managers are responsible for:

• In conjunction with Shared Services, defining reference and vetting requirements for the role and undertaking pre-employment/contract reference checking.

• Ensuring that their permanent, contract and temporary personnel are fully
conversant with this Policy and all associated Policies, Standards, Procedures,
Guidelines and relevant legislation, and are aware of the consequences of non-
compliance.
• Developing compliant procedures, processes and practices for use in
their business areas.
• Maintaining an appropriate Business Continuity Plan, which is incorporated
into the corporate Business Continuity Plan, and is broad enough to respond to
all types of potential loss of critical infrastructure, systems and data.
• Ensuring that when requesting or authorising access for their staff, they
comply with the standards and procedures defined by the Information Owners,
with particular regard to segregation of duties, minimum access and any
minimum training requirements.
• Notifying the Service Manager for Information Management, Security
Specialist via the Company Help Desk of any suspected or actual breaches or
perceived weaknesses of information security.
• Taking disciplinary action supported by the Human Resources Department in
the event of misconduct, and non-compliance with Security Policies.

Information Asset Owners

Before any asset can be protected to an appropriate level, it must be identified, and
have a value assigned to it. Somebody must take responsibility for managing, or
owning the asset, and defining the levels of access that may be given to it.

The information owner is responsible for identifying, documenting, valuing and carrying out a risk assessment on assets, then specifying the level of protection and access that should be given to those assets in accordance with the Information Classification Guidelines.

Although the work may be delegated, the information owner retains accountability,
and must be satisfied that all assets have been assessed, and that appropriate
procedures are in place to protect them from unauthorised access or modification.

The activities carried out by the information owner are:

• Identify and document major assets – all physical assets must be labelled, and information held on electronic media should be clearly identifiable.
• Assign a sensitivity value to each asset based on a business impact analysis.
• Carry out a risk assessment – to identify specific threats and vulnerabilities relating to each asset, and their estimated recovery costs or asset value.
• Specify the controls from ISO27001 that will be used to protect the assets including:
  o Physical protection and access controls.
  o Storage requirements for hard copy information.
  o Authorisation of users, job roles or security clearance levels, who may access the asset, together with the level of access allowed.
  o Backups, media handling and storage.
  o Compliance with legislation.
  o Any need for encryption to protect information at rest on computer systems and/or in transit across internal or external networks.
  o Ensuring appropriate Contract/Code of Connection with any 3rd parties.
  o Specifying minimum training requirements and arranging its availability.
• Ensure that procedures are in place reflecting the controls and access levels.
• Periodically review access to ensure that procedures are followed, especially in the event of process changes that affect the asset.
• Specify the retention period for each asset, and the manner in which it should be deleted or destroyed at the end of that period.
• Be advised in the event of any incident relating to the assets, and revise controls if required.

This is not a one-off process, but a live, ongoing responsibility. These activities will be carried out with guidance and assistance from the Service Manager, Information Management.

Please be aware that if data under your responsibility is sent or distributed to third-party organisations outside the company, then appropriate precautions should be undertaken to safeguard the confidentiality of this data and its content. Company guidelines on sending such data are available to you to enable you to share this information securely.

Guardian

The Guardian has a specific set of responsibilities for defining the circumstances in
which personal information held about clients can be legitimately shared with other
Ronzag departments and with other agencies. In Ronzag, the Guardian’s
responsibilities primarily relate to Social Care; similar roles exist in other agencies.
The Guardian is responsible for ensuring that these information-sharing guidelines are
publicised appropriately and strictly adhered to.

Shared Services

Shared Services are responsible for monitoring vetting processes and for the management of employee lifecycle information. Their responsibilities include:

• Monitoring pre-employment reference checking and advising management to ensure compliance with requirements of the role.
• Ensuring that system administrators receive prompt notification of employee role changes and departures.

Human Resources and Development

• Promoting awareness of training, including induction training, and ensuring inclusion of relevant security awareness therein and in employee documentation.
• Supporting management to define disciplinary action in the event of misconduct and non-compliance with Security Policies, and assisting management with disciplinary procedures.

Review of Information Security Policy

The Information Governance Board (IGB) will review this policy on a yearly basis,
and the results of the review will be detailed on the minutes of this meeting. Any
resulting changes will be notified to all relevant stakeholders.

In the event of major network configuration changes, change of policy, security incidents or a lack of security identified in the yearly penetration test performed on the Company’s network, the policy will be reviewed for effectiveness, and modified if appropriate.

Information Security Policy – Exceptions

It is not intended that any exceptions will be permitted even on a temporary basis but
rather the Policy should be reviewed at the next opportunity. Any changes must be
approved by the Information Governance Board.

Associated Documentation

Further information security documents supporting this policy will be developed over
time. Intended further Policies can be found in Appendix A.

Appendix A

Associated documentation

Documents supporting this policy include (this is not an exhaustive list):

Document: Purpose

Acceptable Use Policy: Defines the acceptable use of Ronzag’s computer systems, networks, passwords, internet access and email (to include notification of monitoring).

Asset Management: Procedure for protecting information assets in accordance with their classification and value.

Business continuity: Procedure and plan to ensure continuity of business in the event of an incident that affects the availability of information or information systems.

Change Control Procedure: Procedure for identifying, approving and carrying out change in a controlled manner.

Data backup: Procedure for creating, managing, storing, labelling, testing and restoring backups of computer based information.

Disposal of equipment, media and documents: Procedure for protection of the confidentiality of information in the event of equipment upgrades, maintenance or disposal, or when information has reached the end of its retention period.

Protocols on Sharing Data (IL1 to IL3): Procedure for the use of encryption and/or secure ftp services to protect the confidentiality of sensitive information when sent to 3rd party organisations.

Incident reporting and handling: Procedure for reporting, management, and learning from actual, potential or suspected security breaches or weaknesses.

Induction and user awareness: Procedure for ensuring that all employees, contractors and third parties who have access to Ronzag information are aware of their responsibilities and the consequences of non-compliance with Security Policies.

Information Classification: Procedure defining the classifications, and the process for identifying information assets and ensuring that they are appropriately protected according to their value and sensitivity.

Information Security Statement: CEO statement regarding Information Security.

Network and infrastructure security: Technical procedures relating to internet, intranet, remote access, and related equipment including firewalls, switches & routers.

Remote Working Policy/Toolkit: Procedures relating to accessing of corporate data remotely.

Offsite security of equipment and information (including mobile computing and telephony): Policy and procedure for protection of information that is taken out of Ronzag premises, whether in the form of paper documents, digital documents, or electronically stored media held on laptops or other portable computer equipment. This also covers equipment which is installed on sites of third party organisations.

System security: Standards for building, managing, monitoring and maintaining secure computer systems and clients.

Physical security: Policy for physical security of premises and computing facilities, together with standards for environmental controls.

Virus and malicious code protection: Procedure for protecting against malicious code, and for handling incidents caused by malicious code.

Appendix B

Legislation

All employees will comply with all current legislation. Laws relating to information
security include those outlined below:

• Computer Misuse Act 2011 (Act No. 2 of 2011)
• Data Protection and Privacy Bill (published)
• Electronic Signatures Act 2011 (Act No. 7 of 2011)
• Electronic Signatures Regulations 2013 (SI 43 of 2013)
• Electronic Transactions Act 2011 (Act No. 8 of 2011)
• Electronic Transactions Regulations 2013 (SI 42 of 2013)
• NITA-U Act (Act No. 4 of 2009)


• Education Sector Strategic Plan 2004-2015 (Education Planning Development, June 2004)
• Constitution of the Republic of Uganda, 1995


Copyright, Designs and Patents Act

Documentation must be used strictly in accordance with current applicable copyright legislation, and software must be used in accordance with the licence restrictions. Unauthorised copies of documents or software may not be made under any circumstances.
Computer Misuse Act 2011

This Act addresses the following offences:

• Unauthorised access to computer material.
• Unauthorised access with intent to commit or facilitate commission of further offences.
• Unauthorised modification of computer material.

Code on Employers Monitoring Practices

Part 3 of the Employee Practices Data Protection Code provides best practice guidance on monitoring of emails, phone calls and Internet access in the context of the Data Protection Act.
