
NDMA

ICT POLICY TRAINING PRESENTATION


February, 2015

BY: Fredrick Bitta MSc, BSc, CISA

Contents

Change Management Policy ..... 3
Backup Policy ..... 6
Access Control Policy ..... 8
Network Policy ..... 10
Commercial Software Policy ..... 12
In-House Software Policy ..... 13
Hardware Policy ..... 15
Cybercrime Policy ..... 18
Premises & Other Related Considerations ..... 19
Q&A ..... 20

ICT Policy
Session II

7. Change Management Policy
Purpose & Scope:
IT change management is the process of requesting, analyzing, approving, developing, implementing and reviewing a planned or unplanned change within the IT infrastructure, including IT processes, operating systems and application systems.
Change management begins with the creation of a Request for Change (RFC). It ends with the satisfactory implementation of the change and the communication of its result to all interested parties. The policy covers all planned and unplanned changes affecting NDMA's information resources.
Key Areas Covered:
Change Management Process: All emergency and unscheduled (unplanned) changes shall be documented once they have been effected; such a change shall first be identified and classified as an emergency change.
i. A formal, independent testing process shall be in place before changes are implemented.
ii. All incidents shall be logged and a report submitted to the IT helpdesk for the record.
iii. All changes shall follow the defined process and shall be requested through the Request for Change control form.
iv. All modifications to hardware, firmware, software and related systems shall be performed in such a manner as to ensure continuity of the services supported by the system.
v. Changes to the live (production) environment that may disrupt services shall, as far as possible, be made outside business hours and shall ensure minimum disruption to dependent services.

vi. The business supporting function (within IT) shall implement the change. Responsibility for the change in the IT environment (while maintaining segregation of duties) rests with the IT Manager.
vii. A Project Team (PT) shall be appointed by management to oversee the implementation of major changes in the IT environment.
viii. Staff shall ensure that work by contractors and other service providers affecting information resources adheres to this policy and to the contractual agreements with NDMA. All contracts shall refer to this policy explicitly.
ix. Stakeholders to be affected directly or indirectly by a change shall be informed by the IT Manager at least one day before the change.

8. Backup Policy
Purpose & Scope
The purpose of this policy is to define the process of data storage for the protection and integrity of NDMA's data. The policy covers all system users' data stored on workstations, laptops, servers and other portable devices.
Key Areas Covered:
Background: Computer systems do fail; it is not a matter of why or how, but a matter of when.
i. Several external factors over which NDMA has no control can cause occasional or severe problems to the systems: computer crashes, natural disasters such as flood or lightning, man-made disasters, and so on.
ii. Loss of information could cause severe downtime resulting in lost production, delay of NDMA's operations, wasted time in recreation effort, legal liabilities, and deterioration in customer relationships and reputation, among others.
Backup Process: This procedure applies to all equipment and data owned and operated by NDMA.
i. Backups of the main storage server shall be run nightly, after business hours, to make sure that all files are closed and available for backup.
ii. Incremental backups shall be done on the primary storage server each night Monday through Thursday, and a full backup on Fridays.
iii. At the end of the month, a full backup shall be done to a separate series of tapes, labelled "End of month" together with the month and year.
iv. At the end of the year, a full backup shall be done to another separate series of tapes, labelled "End of year". Backups are to be complete prior to the beginning of the next business day.

v. Full backups and end-of-month backups shall be taken to an offsite location determined by management for storage.
vi. IT management shall determine other backup mechanisms, such as replication of data to offsite locations (e.g. the Government Datacenter) and cloud-based data backup, based on need, cost-benefit analysis and efficiency, and as long as the security of the data is guaranteed. This shall form part of the Disaster Recovery Plan.
Responsibilities:
i. All staff shall be responsible for backing up their work to the central server.
ii. The IT department is responsible for setting backup schedules, changing removable tapes, monitoring the success or failure of the backups, rerunning the backup procedure if required, logging the backup results in the yearly tape backup document, and storing the backup tapes according to the daily, weekly, monthly and yearly rotation.
iii. The IT department is also responsible for restoring deleted, misplaced or corrupt data files at the request of the owner. All requests for restore shall be sent through the IT helpdesk.
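The rotation described in the Backup Process above (incremental Monday to Thursday, full on Friday, separate end-of-month and end-of-year sets), together with the verification and restore duties listed under Responsibilities, is shown below as an added worked example. It is not NDMA's own backup tooling or script: tapes are replaced by on-disk tar.gz archives, the file-server and backup paths are placeholders created in a temporary directory, and the sample files are constructed.

```python
"""Backup rotation from the policy above (incremental Mon-Thu, full on Friday,
separate end-of-month and end-of-year full sets), with verification and a
restore chain. Added illustration, not NDMA's tooling: tapes are replaced by
on-disk tar.gz archives, and all paths and sample files are assumptions."""
import calendar
import json
import tarfile
import tempfile
from datetime import date
from pathlib import Path


def plan_backup(run_date: date) -> dict:
    """Map a calendar date to the backup kind, tape series and label required."""
    last_day = calendar.monthrange(run_date.year, run_date.month)[1]
    if run_date.month == 12 and run_date.day == last_day:
        return {"kind": "full", "series": "end-of-year",
                "label": f"End of year {run_date.year}"}
    if run_date.day == last_day:
        return {"kind": "full", "series": "end-of-month",
                "label": f"End of month {run_date.strftime('%B %Y')}"}
    if run_date.weekday() == 4:                      # Friday
        return {"kind": "full", "series": "weekly", "label": f"Full {run_date}"}
    if run_date.weekday() < 4:                       # Monday to Thursday
        return {"kind": "incremental", "series": "daily", "label": f"Incremental {run_date}"}
    return {"kind": "none", "series": "", "label": ""}  # weekend: nothing scheduled


def schedule(year: int, month: int) -> dict:
    """ISO date -> plan for every day of a month (useful for labelling tapes ahead)."""
    days = calendar.monthrange(year, month)[1]
    return {str(date(year, month, d)): plan_backup(date(year, month, d))
            for d in range(1, days + 1)}


def _snapshot(src: Path) -> dict:
    """Relative path -> [mtime_ns, size] for every regular file under src."""
    snap = {}
    for p in sorted(src.rglob("*")):
        if p.is_file():
            st = p.stat()
            snap[p.relative_to(src).as_posix()] = [st.st_mtime_ns, st.st_size]
    return snap


def run_backup(src: Path, dest: Path, run_date: date) -> dict:
    """Write the archive the plan calls for, verify it, then advance the state file."""
    plan = plan_backup(run_date)
    if plan["kind"] == "none":
        return {**plan, "archive": None, "files": [], "ok": True}
    state_file = dest / "backup-state.json"          # what the last successful backup captured
    current = _snapshot(src)
    previous = {}
    if plan["kind"] == "incremental" and state_file.exists():
        previous = json.loads(state_file.read_text())
    changed = [rel for rel, meta in current.items() if previous.get(rel) != meta]
    archive = dest / plan["series"] / f"{run_date}-{plan['kind']}.tar.gz"
    archive.parent.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in changed:
            tar.add(str(src / rel), arcname=rel)
    with tarfile.open(archive, "r:gz") as tar:       # verify before trusting the copy
        ok = set(tar.getnames()) == set(changed)
    if ok:
        state_file.write_text(json.dumps(current))
    with (dest / "backup-log.txt").open("a") as log:  # the success/failure record the policy asks for
        log.write(f"{run_date} {plan['label']}: {'OK' if ok else 'FAILED'}, {len(changed)} file(s)\n")
    return {**plan, "archive": str(archive), "files": changed, "ok": ok}


def restore_chain(archives, target: Path) -> list:
    """Restore = the last full backup, then every later incremental, in date order."""
    target.mkdir(parents=True, exist_ok=True)
    safe = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}  # blocks path traversal where supported
    restored = []
    for name in archives:
        with tarfile.open(name, "r:gz") as tar:
            tar.extractall(target, **safe)
            restored.extend(tar.getnames())
    return restored


def demo() -> dict:
    """Friday full, Monday incremental and a restore, on constructed sample files."""
    root = Path(tempfile.mkdtemp(prefix="ndma-backup-"))
    src, dest, out = root / "fileserver", root / "backups", root / "restore"
    (src / "reports").mkdir(parents=True)
    (src / "reports" / "drought.txt").write_text("constructed sample report")
    (src / "notes.txt").write_text("constructed sample note")
    friday = run_backup(src, dest, date(2015, 2, 6))
    (src / "notes.txt").write_text("constructed sample note, edited on Monday")
    monday = run_backup(src, dest, date(2015, 2, 9))
    restore_chain([friday["archive"], monday["archive"]], out)
    return {"friday": friday, "monday": monday,
            "restored_note": (out / "notes.txt").read_text(),
            "restored_report": (out / "reports" / "drought.txt").read_text()}
```

The state file is only advanced after the archive has been reopened and its contents checked, so a backup that fails verification is retried from the same baseline, and the log line gives the IT department the success/failure record the policy requires. Restoring always replays the last full set followed by each later incremental, which is also the quickest way to test that offsite copies are usable.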

9. Access Control Policy
Purpose & Scope
This policy defines access controls to information and systems within NDMA. It covers access to operating systems as well as access privileges granted to third parties. It further defines information ownership and access privileges for both internal and external users. It is the responsibility of IT management to ensure compliance with this policy.
Key Areas Covered:
Managing Access Control Standards: Access control standards for information systems shall be established in a manner that carefully balances restrictions to prevent unauthorized access against the need to provide unhindered access in accordance with the needs of the business.
Managing User Access: Access to all systems shall be authorized by the nominated owner of that system, and such access, including the access rights (or privileges) granted, shall be recorded in an Access Control List.
Securing Unattended Workstations: Equipment shall always be safeguarded appropriately, with password-protected screen savers, especially when left unattended.
Managing Network Access Controls: Access to resources on the network shall be strictly controlled to prevent unauthorized access. Access to all computing and information systems and peripherals shall be restricted unless explicitly authorized.
Controlling Access to Operating System Software: Access to operating system commands shall be restricted to those persons who are authorized to perform systems administration functions. Such access shall be operated under dual control, requiring the specific approval of senior management.

Securing Against Unauthorized Physical Access: Physical access to high-security areas shall be controlled with strong identification and authentication techniques. Staff authorized to enter such areas shall be provided with information on the potential security risks involved.
Monitoring System Access and Use: Access shall be logged and monitored to identify potential misuse of systems or information.
Types of Access Granted to Third Parties: Access to systems, networks and information shall only be granted to third parties in controlled circumstances and shall be approved based on the type of access.
Management Duties: Management has individual and collective responsibility to ensure that third parties adhere to approved information security procedures.
Third Party Service Management: Service level management concepts shall be applied to all deliveries of services from third parties. This requires third parties to meet all security and service controls, service definitions and agreed service levels.
Monitoring Third Party Services: Third party services shall be governed through service level agreements; service levels shall be monitored on an ongoing basis and penalty clauses invoked as appropriate.
Third Party Service Changes: Any changes to services provided by third parties shall be agreed before the changes take place, and the service level agreements amended accordingly.
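"Monitoring System Access and Use" says access is to be logged and monitored for misuse, but not what the monitoring looks for. The following is an added example of the kind of detection logic that clause implies, run over constructed sshd-style authentication records; it is not NDMA's monitoring tool or log. The host name, addresses, user names and the 08:00 to 18:00 business hours are assumptions chosen for the illustration.

```python
"""Access-log monitoring for the 'Monitoring System Access and Use' clause:
parse sshd-style authentication records and flag brute force, a success that
follows a burst of failures, privileged logins and out-of-hours logins. Added
illustration, not NDMA's tooling; the log lines, host name, addresses, user
names and the 08:00-18:00 business hours are constructed assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog format (not real NDMA records). Syslog omits the year.
SAMPLE_LOG = """\
Feb 10 08:02:11 fileserver sshd[2101]: Accepted password for jkamau from 10.10.5.21 port 51022 ssh2
Feb 10 08:03:40 fileserver sshd[2105]: Failed password for invalid user admin from 41.0.0.7 port 40001 ssh2
Feb 10 08:03:42 fileserver sshd[2105]: Failed password for invalid user admin from 41.0.0.7 port 40002 ssh2
Feb 10 08:03:45 fileserver sshd[2106]: Failed password for root from 41.0.0.7 port 40003 ssh2
Feb 10 08:03:47 fileserver sshd[2106]: Failed password for root from 41.0.0.7 port 40004 ssh2
Feb 10 08:03:50 fileserver sshd[2107]: Failed password for root from 41.0.0.7 port 40005 ssh2
Feb 10 08:04:02 fileserver sshd[2108]: Accepted password for root from 41.0.0.7 port 40006 ssh2
Feb 10 13:15:09 fileserver sshd[2250]: Failed password for awanjiru from 10.10.5.30 port 52210 ssh2
Feb 10 13:15:20 fileserver sshd[2250]: Accepted password for awanjiru from 10.10.5.30 port 52210 ssh2
Feb 10 23:41:05 fileserver sshd[2390]: Accepted publickey for jkamau from 10.10.5.21 port 53001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse(log_text: str, year: int = 2015) -> list:
    """Authentication events only; every other line in the log is ignored."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "ip": m["ip"], "method": m["method"]})
    return events


def _alert(rule: str, e: dict) -> dict:
    return {"rule": rule, "ip": e["ip"], "user": e["user"], "at": e["ts"].isoformat()}


def detect(events, threshold=5, burst=3, window=timedelta(minutes=5),
           business_hours=(8, 18), privileged=("root",)) -> list:
    """Sliding-window rules over time-ordered events; one alert per finding."""
    alerts = []
    failures = defaultdict(deque)               # source ip -> timestamps of recent failures
    for e in events:
        q = failures[e["ip"]]
        while q and e["ts"] - q[0] > window:    # forget failures that fell out of the window
            q.popleft()
        if not e["ok"]:
            q.append(e["ts"])
            if len(q) == threshold:             # fire once, when the threshold is crossed
                alerts.append(_alert("brute_force", e))
            continue
        if len(q) >= burst:                     # guess-until-it-works: treat as possible compromise
            alerts.append(_alert("success_after_failures", e))
        if e["user"] in privileged:             # any direct login to an administrative account
            alerts.append(_alert("privileged_login", e))
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            alerts.append(_alert("out_of_hours_login", e))
    return alerts


if __name__ == "__main__":
    for a in detect(parse(SAMPLE_LOG)):
        print(f"{a['at']} {a['rule']:24} user={a['user']} from={a['ip']}")
```

On the sample the rules produce four findings: the fifth failure from 41.0.0.7 within five minutes, the root login from that same source immediately afterwards (reported twice, as a success after failures and as a privileged login), and the late-night key-based login. The single mistyped password followed by a success from 10.10.5.30 stays below the burst setting and is not reported; the thresholds are the tuning knobs a reviewer would adjust against NDMA's real traffic.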

Network Management Policy
10. Network Policy
Purpose & Scope
This policy defines how the NDMA network shall be configured and managed, including the kind of personnel assigned this responsibility. It is the duty of IT management to ensure adherence to this policy.
Key Areas Covered:
Network Configuration: The network shall be designed and configured to deliver high performance and reliability to meet the needs of the business, whilst providing a high degree of access control and a range of privilege restrictions.
Network Management: ICT staff shall manage NDMA's network and preserve its integrity in collaboration with the nominated individual system owners.
Time-out Facility: A time-out facility shall be provided covering all terminals and PCs, to ensure that screens are cleared and unauthorized access is prevented after a defined period of inactivity.
Appointing System Administrators: NDMA's systems shall be managed by suitably qualified systems administrators who are responsible for overseeing the day-to-day running and security of the systems.
Responding to System Faults: Only qualified and authorized staff or approved third-party technicians may repair information system hardware faults.
Administering Systems: System administrators shall be fully trained and have adequate experience in the wide range of systems and platforms used by the organization. In addition, they shall be knowledgeable and conversant with the range of information security risks which need to be managed.

Accessing the Network Remotely: Remote access to NDMA's network and resources shall only be permitted provided that authorized users are authenticated, data is encrypted across the network, and privileges are restricted.
Defending Network Information from Malicious Attack: System hardware, operating and application software, networks and communication systems shall all be adequately configured and safeguarded against both physical attack and unauthorized network intrusion.
Managing System Documentation: All documentation shall be kept up to date and be available.
Monitoring Error Logs: Error logs shall be properly reviewed and managed by qualified staff.
Scheduling Changes to Routine Systems Operations: Changes to routine systems operations shall be fully tested and approved before being implemented.


Purchasing & Maintaining Commercial Software
11. Commercial Software Policy
Purpose & Scope
The purpose of this policy is to guide the acquisition of commercial software that meets user requirements and to ensure compliance with legislation on software licensing.
Key Areas Covered:
Specifying User Requirements: All requests for new application systems or software enhancements shall be presented to senior management with a Business Case, with the business requirements set out in a User Requirements Specification document.
Selecting Business Software Packages: The selection process for all new business software shall incorporate the criteria upon which the selection will be made. Such criteria shall receive the approval of senior management.
Using Licensed Software: To comply with legislation and to ensure ongoing vendor support, the terms and conditions of all End User License Agreements shall be strictly adhered to.
Applying Patches to Software: Patches to resolve software bugs shall only be applied where verified as necessary and with management authorization. They shall be obtained from a reputable source (such as the vendor's official distribution channel) and thoroughly tested before use.
Disposing of Software: The disposal of software shall only take place when it is formally agreed that the system is no longer required and that its associated data files, which may be archived, will not require restoration at a future date.


Developing & Maintaining In-house Software
12. In-House Software Policy
Purpose & Scope
The purpose of this policy is to guide the development of in-house software for NDMA. It governs the software development process and incorporates software quality assurance measures so that the final product meets user needs. The business owners shall ensure compliance with this policy when developing in-house software.
Key Areas Covered:
Controlling Software Code: Formal change control procedures shall be used for all changes to systems. All changes to programs shall be properly authorized and tested before moving to the live environment.
Controlling Program Source Libraries: Formal change control procedures with comprehensive audit trails shall be used to control program source libraries.
Software Development: Software developed for or by the organization shall always follow a formalized development process, which is itself managed under the project in question. The integrity of NDMA's operational software code shall be safeguarded using a combination of technical access controls, restricted privilege allocation and robust procedures.
Separating Systems Development and Operations: Management shall ensure that proper segregation of duties applies to all areas dealing with systems development, systems operations or systems administration.
Controlling Test Environments: Formal change control procedures shall be employed for all amendments to systems. All changes to programs shall be properly authorized and tested in a test environment before moving to the live environment.


Making Emergency Amendments to Software: Emergency amendments to software shall be discouraged, except in circumstances previously designated by management as 'critical'. Any such amendments shall strictly follow the agreed change control procedures.
Managing Change Control Procedures: Formal change control procedures shall be used for all amendments to systems. All changes to programs shall be properly authorized and tested in a test environment before moving to the live environment.
Testing Software before Transferring to a Live Environment: Formal change control procedures shall be used for all amendments to systems. All changes to programs shall be properly authorized and tested in a test environment before moving to the live environment.
Capacity Planning and Testing of New Systems: New systems shall be tested for capacity, peak loading and stress. They shall demonstrate a level of performance and resilience which meets or exceeds the technical and business needs and requirements of the organization.
Documenting New and Enhanced Systems: All new and enhanced systems shall be fully supported at all times by comprehensive and up-to-date documentation.

Securing Hardware, Peripherals & other Equipment
13. Securing Hardware
Purpose & Scope
This policy shall govern the acquisition, installation, maintenance and disposal of IT hardware and related peripherals. The IT committee of the Board, the IT steering committee and IT management shall ensure compliance with this policy.
Key Areas Covered:
Specifying New Hardware Requirements: All purchases of new systems hardware or new components for existing systems shall be made in accordance with the Public Procurement Act as well as technical standards. Such requests to purchase shall be based upon a User Requirements Specification document and take account of NDMA's longer-term business needs. The User Requirements Specification document shall originate from the user department and shall be evaluated by a technical team appointed by management.
Based on the cost-benefit analysis and the value of the equipment to be purchased, the Public Procurement rules shall apply: either direct procurement, single sourcing or competitive bidding.
The IT steering committee shall determine the mode of procurement and obtain approval from the IT committee of the Board. The procurement process shall at all times be in accordance with the Public Procurement Act.
Installing New Hardware: All new hardware installations shall be planned formally and notified to all interested parties ahead of the proposed installation date. ICT requirements for new installations shall be circulated for comment to all interested parties well in advance of installation.


Testing Systems and Equipment: All equipment shall be fully and comprehensively tested and formally accepted by users before being transferred to the live environment.
Supplying Continuous Power to Critical Equipment: An Uninterruptible Power Supply (UPS) shall be installed to ensure the continuity of services during power outages.
Managing and Maintaining Backup Power Generators: Secondary and backup power generators shall be employed where necessary to ensure the continuity of services during power outages.
Installing and Maintaining Network Cabling: Network cabling shall be installed and maintained by qualified engineers to ensure the integrity of both the cabling and the wall-mounted sockets. Any unused network wall sockets shall be sealed off and their status formally noted.
Using Laptop/Portable Computers: Persons who are issued with portable computers and who intend to travel for business purposes shall be made aware of the information security issues relating to portable computing and shall implement the appropriate safeguards to minimize the risks.
Maintaining a Hardware Inventory or Register: A formal hardware inventory of all equipment shall be maintained and kept up to date at all times.


Disposing of Obsolete Equipment: Equipment owned by the organization shall only be disposed of by authorized personnel who have ensured that the relevant security risks have been mitigated (including the secure wiping or destruction of any storage media). It shall be the duty of the IT steering committee to draw up procedures for the disposal of IT equipment, in line with the Public Procurement and Disposal Act.
Insuring Hardware: All computing equipment and other associated hardware belonging to NDMA shall carry appropriate insurance cover against hardware theft, damage or loss.
Taking Equipment off the Premises: Only authorized personnel are permitted to take equipment belonging to the organization off the premises; they are responsible for its security at all times.


Combating Cybercrime
14. Cybercrime Policy

Purpose & Scope
This policy shall govern how to mitigate the threats posed by cybercrime, including denial-of-service attacks and virus attacks. It is the sole responsibility of IT management to ensure compliance with this policy.
Key Areas Covered:
Defending Against Premeditated Cyber Crime Attacks: Security on the network shall be maintained at the highest level.
Defending Against Premeditated Internal Attacks: In order to reduce the incidence and possibility of internal attacks, access control standards and data classification standards shall be periodically reviewed whilst being maintained at all times.
Safeguarding Against Malicious Denial of Service Attacks: Contingency plans for a denial-of-service attack shall be maintained and periodically tested to ensure adequacy.
Defending Against Virus Attacks: Anti-virus software shall be deployed on all servers, PCs and laptop computers, with regular virus definition updates and scanning.

Physical Security
15. Premises Related Considerations
Purpose & Scope
This policy governs the physical protection of computer premises, environmental conditions and other external threats. The policy recognises that illegal physical access to computers and networks can compromise the integrity of information and lead to loss of computer equipment as well.
Key Areas Covered:
Securing Physical Protection of Computer Premises: Computer premises shall be safeguarded against unlawful and unauthorized physical intrusion.
Ensuring Suitable Environmental Conditions: When locating computers and other hardware, suitable precautions shall be taken to guard against the environmental threats of fire, flood and excessive ambient temperature and humidity.
Physical Access Control to Secure Areas: All computer premises shall be protected from unauthorized access using an appropriate balance between simple ID cards and more complex technologies to identify, authenticate and monitor all access attempts.
Electronic Eavesdropping: Electronic eavesdropping shall be guarded against by using suitable detection mechanisms, which shall be deployed if and when justified by the organization's periodic risk assessments.
Disaster Recovery Plan: Owners of NDMA's information systems shall ensure that disaster recovery plans for their systems are developed, tested and implemented.
Cabling Security: The security of network cabling shall be reviewed during any upgrades or changes to hardware or premises.


Q & A?

Thank You
