National Drought Management Authority (NDMA) ICT Policy Presentation 10 February 2015 DROUGHT MANAGEMENT SECTOR

Page 1: NDMA Presentation - 1

National Drought Management Authority (NDMA)

ICT Policy Presentation

10 February 2015

DROUGHT MANAGEMENT SECTOR

Page 2: NDMA Presentation - 1

Contents

Background 4

ICT Policy Organization 12

IT Organization & Governance Structure 11

ICT Governance Processes 13

Information & Data Management 14

E-mail Policy 16

Internet Policy 18

Password Management Policy 20

Q & A 22

Page 3: NDMA Presentation - 1

Background – What is an ICT Policy?

i. It is important for employees to know what is expected and required of them when using the technology provided by their employer.

ii. It is also critical for a company to protect itself by having policies to govern areas such as personal internet and e-mail usage, security, software and hardware inventory, data retention, etc.

• An ICT Policy is a governance tool that defines the rules on the use of technology.

• Procedures explain how these same rules are practically applied in real life.

So policies and procedures set expectations for behaviours and activities, and also provide mechanisms to enforce these expectations.

ICT Policy | Introduction

Page 4: NDMA Presentation - 1

Background

The National Drought Management Authority (NDMA) is a statutory body established under the State Corporations Act (Cap 446) of the Laws of Kenya through Legal Notice Number 171 of November 24, 2011.

NDMA’s Vision

To be a world-class authority in drought management and climate change adaptation.

NDMA’s mission statement

“To provide leadership and coordination of Kenya’s management of drought risks and adaptation to climate change.”

The NDMA’s strategic plan identifies six strategic objectives which will contribute towards its goal of enhanced drought resilience and climate change adaptation. These strategic objectives are:

To reduce drought vulnerability and enhance adaptation to climate change.

To provide drought and climate information to facilitate concerted action by relevant stakeholders.

To protect the livelihoods of vulnerable households during drought.

To ensure coordination of action by government and other stakeholders.

To develop and apply knowledge management approaches that generate evidence for decision-making and practice.

To strengthen institutional capacity.

The ICT function must align itself to these objectives by ensuring the availability, confidentiality and integrity of drought-related data and information.

Page 5: NDMA Presentation - 1

Background – Why this policy?

The IT department has developed this ICT Policy document, which establishes a framework for the secure utilization of information technology (IT) resources through a suite of appropriate policies, standards, procedures and guidelines.

In developing the ICT Policy, the following have been taken into consideration:

Review of existing processes and incorporation of feedback arising from discussions with Heads of Departments and Senior Management;

Compliance with ISO 27001, the “best practice” standard code of practice that provides default guidelines on the types of security controls that should be implemented to safeguard information assets; and

Implementation of the Control Objectives for Information and related Technology (COBIT), the framework for implementing IT governance that the NDMA has adopted.

For the policies to be effective on implementation, they shall be supported and ratified by the NDMA Board.

Purpose of the Policy:

i. Integrate information security best practices into the NDMA’s day-to-day business operations.

ii. Create a comprehensive, consistent and meaningful security-conscious environment within NDMA.

iii. Encourage ethical and knowledgeable behaviour among all who provide and use information resources.

iv. Comply with COBIT and specifically with the ISO 27001 standard.

v. Ensure the availability, integrity and confidentiality of the organization’s data.

vi. Establish safeguards to protect ICT and information resources from theft, abuse, misuse or any form of damage.

Page 6: NDMA Presentation - 1

Background – Why this policy?

Purpose of the Policy (cont.):

vii. Protect and support the maintenance of all ICT infrastructure of NDMA in an efficient manner.

viii. Ensure that information in the possession of NDMA is not only secure but is efficiently disseminated, in time for policy formulation and decision making, to partners, stakeholders and clients.

ix. Encourage the development and maintenance of an appropriate level of awareness, knowledge and skill to support ICT systems, so as to minimize the occurrence of, and deal with, security threats to hardware and software resources.

x. Ensure that the NDMA is able to continue its operational activities in the event of significant ICT threats.

xi. Support the formulation and development of ICT systems in an environment that supports an innovative culture geared towards process improvements and value addition.

Page 7: NDMA Presentation - 1

Background – What are your roles?

Roles & Responsibilities:

1. The NDMA Board:

Shall form an IT Committee of the Board composed of at least 4 members. The IT Committee of the Board shall:

i. Approve and monitor implementation of this Policy.

ii. Mobilize and allocate resources for the policy implementation.

2. Senior Management Team:

Shall form an IT Steering Committee headed by the CEO. This Committee shall:

i. Be the owners of the ICT Policy.

ii. Authorize IT security measures on behalf of NDMA.

Page 8: NDMA Presentation - 1

Background – What are your roles?

3. IT Function / Department

Shall:

i. Establish and review information security policies, guided by the IT Steering Committee.

ii. Facilitate and co-ordinate the necessary countermeasures with departments; report and evaluate changes to the policies.

iii. Co-ordinate the implementation of new or additional ICT policies.

iv. Implement, maintain and update the ICT strategy, architecture, standards and procedures with input from all stakeholders.

v. Ensure that all staff are aware of the ICT policies relevant to them.

vi. Assess the requirements for IT equipment, both hardware and software.

vii. Help in the procurement of the right IT equipment and software, and in their maintenance.

viii. Provide opinions and technical advice on capacity building through basic computer training for users.

ix. Provide IT Helpdesk services.

Page 9: NDMA Presentation - 1

Background – What are your roles?

4. Users:

Are classified as either Internal or External users.

The Internal Users of the NDMA systems (staff) are those who use ICT to support them in the discharge of their daily duties.

External Users include consultants and distributors, among others, who are facilitated to have specific access to resources over a defined, relatively shorter period of time as compared to internal users.

All users shall:

i. Comply with all ICT policies and supporting guidance applicable to the performance of their job functions.

ii. Ensure they understand their information security responsibilities.

5. Internal Audit and Risk Management Department

Shall review:

i. Compliance with the organization's ICT policies.

ii. The adequacy of the ICT policies.

Page 10: NDMA Presentation - 1

ICT Organization & Governance Structure

Page 11: NDMA Presentation - 1

1. ICT Policy Organization

Purpose & Scope:

This section emphasizes the need for Board ratification and management support for the policy. It also acknowledges that the ICT policy is a living document subject to annual review. It also spells out the IT governance structure of NDMA, with emphasis on protection of IT resources, accountability for usage, and compliance by all system users.

The key areas covered include:

ICT Policy Approval: That NDMA shall put in place a suitable ICT policy and obtain Board approval, and that this policy shall be distributed and communicated to all employees.

Senior Management Support: That senior management shall be required to actively support, and take responsibility for, the implementation and maintenance of an effective ICT management system in a positive and proactive manner.

Independent Review of the Policy: That an independent review shall be carried out annually on the NDMA's overall ICT processes to ensure they are adequate, complete, fit for purpose and enforced, and that the ICT policy shall be reviewed and evaluated annually, and also whenever changes occur within the organization that affect a particular approved policy statement.

Page 12: NDMA Presentation - 1

2. ICT Governance Processes

Purpose & Scope:

This policy spells out the IT governance structure of NDMA, with emphasis on protection of IT resources, accountability for usage, and compliance with the ICT policy by all system users.

Protection of ICT Resources: That all users of ICT resources at NDMA have a responsibility for protecting the security and integrity of both information and computer equipment. It is the responsibility of all members of staff, both permanent and contracted, to:

i. Comply with ICT policy standards.

ii. Act in a responsible and proactive manner regarding ICT security.

Accountability for ICT Resources: Owners of information and systems shall be responsible for deciding what restrictions are to be placed on the use of assets, and for authorizing access to the assets for those who have a business need.

Compliance to ICT Policy Form: That every new employee shall, regardless of job function, acknowledge in writing that he or she has read and understands the Compliance to ICT Policy form attached to the user definition form, which forms part of this policy.

Page 13: NDMA Presentation - 1

3. Information & Data Management

Purpose & Scope:

This policy shall ensure that NDMA maintains a comprehensive and up-to-date database containing details of its data and information, for the purposes of defining their value, criticality, sensitivity and legal implications.

Key Areas Covered:

Classifying Information: That all information, data and documentation shall be classified strictly according to its level of confidentiality, sensitivity, value and criticality.

Information Ownership: That responsibility for each item of information, data and documentation shall be allocated to a specifically designated information owner or custodian.

Sharing Information: That NDMA shall ensure that all employees are fully aware of their legal and corporate duties and responsibilities concerning the inappropriate sharing and releasing of information, both internally within the organization and to external parties.

Storing & Handling Classified Information: That all information, data and documents shall be processed and stored strictly in accordance with the classification levels assigned to that information, in order to protect its integrity and confidentiality.

Transferring, Exchanging, Managing and Archiving Data: Sensitive or confidential data shall only be transferred across networks, or copied to other media, when the confidentiality and integrity of the data can be reasonably assured. The integrity and stability of the NDMA’s databases shall be maintained at all times. Archiving of documents shall take place with due consideration for legal, regulatory and business issues.

Page 14: NDMA Presentation - 1

3. Information & Data Management (cont.)

Key Areas Covered:

Sending Information to Third Parties & Other Stakeholders: Prior to sending information to third parties, not only must the intended recipient be authorized to receive such information, but the procedures and information security measures adopted by the third party must be seen to continue to assure the confidentiality and integrity of the information.

Need for Dual Control / Segregation of Duties: The techniques of dual control and segregation of duties shall be employed to enhance the control over procedures wherever both the risk from, and the consequential impact of, a related information security incident would likely result in financial or other material damage to NDMA.

Permitting Third Party Access: Third party access to corporate information shall only be permitted where the information in question has been safeguarded and the risk of possible unauthorized access is considered to be negligible.

Using Clear Desk Policy: All NDMA staff shall operate a clear desk policy.

Page 15: NDMA Presentation - 1

4. E-mail Policy

Purpose & Scope:

E-mail access is provided to staff for the purpose of increasing overall productivity within NDMA and therefore should be used primarily for business activities. The purpose of this policy is to ensure that all staff use e-mail services in a proper and lawful manner.

Key Areas Covered:

E-mail Guidelines: That the Authority shall have standard e-mail addresses for all employees, which will be [email protected] and [email protected]

Prohibited use of E-mail: That it is strictly prohibited to send or forward e-mails containing material that is defamatory, offensive, racist, or discriminatory on the basis of race, gender, nationality or ethnic origin, age, marital status, sexual orientation, religion, disability, etc.

Sending E-mail: E-mail shall only be used for business purposes, using terms which are consistent with other forms of business communication.

Receiving E-mail: Incoming e-mail shall be treated with the utmost care due to its inherent information security risks. The opening of e-mail with file attachments is not permitted unless such attachments have already been scanned for possible viruses or other malicious code.

Deleting E-mail: That data retention periods for e-mail shall be established to meet legal and business requirements and must be adhered to by all staff.

Page 16: NDMA Presentation - 1

4. E-mail Policy (cont.)

Key Areas Covered:

E-mail Security: The encryption of e-mail is not necessary in most situations. However, confidential messages shall be secured using appropriate technology.

All staff can access their e-mail accounts when outside NDMA. To safeguard NDMA’s data, observe the following:

i. Don’t print to a public printer.

ii. Make sure no one is looking over your shoulder at your screen as you access the data.

iii. Don’t save to a public computer.

Passwords are the best defence against unauthorized use of a staff member’s e-mail account. Staff members shall therefore observe the password guidelines to ensure optimum security of their passwords.

E-mail accounts not used for 90 days will be deactivated and possibly deleted.

Page 17: NDMA Presentation - 1

5. Internet Policy

Purpose & Scope:

The objective of the Internet Usage Policy is to protect the interests of the NDMA without inhibiting the use of the Internet service, which is intended for the greater benefit of staff members and NDMA at large. These standards are designed to ensure that the Internet is used in a safe and responsible manner.

Key Areas Covered:

Unauthorized use of Internet: That this shall include, but not be limited to: utilizing NDMA’s Internet services to access, create, store or distribute pornographic material; running a business using the NDMA’s Internet facilities; etc.

Downloading Content from Internet: That staff members shall be prohibited from downloading and installing software from the Internet onto the NDMA’s computers. All software on the NDMA’s computers must be adequately licensed. Staff members can download documents for official use.

Use of Internet for Work Purposes: That Management shall be responsible for controlling user access to the Internet, as well as for ensuring that users are aware of the threats, and trained in the safeguards, to reduce the risk of information security incidents.

Use of Phones & Faxes: That staff making phone calls and using faxes shall be responsible for safe and appropriate use. The identity of recipients of sensitive or confidential information over the telephone must be verified.

Page 18: NDMA Presentation - 1

5. Internet Policy (cont.)

Key Areas Covered:

Disruptions: The IT department endeavours to provide uninterrupted Internet services at the highest level. However, disruptions for administrative purposes and for reasons beyond the NDMA’s control are unavoidable. In the event of Internet service unavailability, staff members will be promptly informed.

Setting up Internet Access: Persons responsible for setting up Internet access shall ensure that the NDMA’s network is safeguarded from malicious external intrusion by deploying, as a minimum, a configured firewall.

Security: NDMA shall endeavour to put in place appropriate security systems that can perform the following functions:

i. Antivirus Scanning – checks for viruses, worms, Trojans, etc. on all incoming and outgoing traffic.

ii. Intrusion Detection and Prevention Systems – detect inappropriate, incorrect or anomalous activity against the network and enable the administrator to take appropriate action.

iii. Content Filtering – monitors and filters content from the Internet, chat rooms, instant messaging, e-mail and all other applications, and reports on violations identified.

Page 19: NDMA Presentation - 1

6. Password Management Policy

Purpose & Scope:

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the NDMA’s entire network.

Key Areas Covered:

Password Protection: That passwords must be kept confidential and not shared with colleagues. For departmental accounts, a distribution list to designated users’ accounts shall be created.

i. That users are responsible for maintaining the security of their passwords.

ii. That users are responsible for all activities performed with their account and therefore must not allow others to perform any activity with their usernames. Similarly, users must not perform any activity with the usernames belonging to other users.

iii. That your username, or variations of the username, should not be embedded in your password.

iv. That you shall not send a password through e-mail or include it in a non-encrypted stored document.

v. Do not hint at the format of your password.

vi. Do not use common acronyms/words, or reversed words, as part of your password.

vii. Do not use names of people or places as part of your password.

viii. Do not use easily remembered numbers, such as phone numbers or your date of birth, as part of your password.

Page 20: NDMA Presentation - 1

6. Password Management Policy (cont.)

Key Areas Covered:

Password Composition:

That passwords shall meet the following criteria:

i. Passwords must be at least eight characters long.

ii. Passwords must be strong: composed of alphanumeric characters (letters A...Z, a...z; numbers 0...9) and non-alphanumeric or special characters (! £; $; %; &; *; #; @; ?; {; }; [; ]; =; +; >; <; “;).

Password Change:

That passwords shall be changed under any one of the following circumstances:

i. After every 60 days (a MUST).

ii. Immediately, if a password has been compromised.
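The password rules on the two Password Management slides (eight characters minimum, letters plus digits plus one of the listed special characters, no username or variation of it embedded, no common or reversed words, rotation every 60 days or immediately on compromise) can be checked mechanically at password-set time. The following is an added example, not code from the NDMA presentation; the function names, the small list of "common words", and the sample usernames and dates are assumptions constructed for this illustration.

```python
"""Password policy check modelled on the NDMA slides' composition and change rules.

Added example; not part of the original presentation. The rule thresholds come
from the slides. Function names, COMMON_WORDS and sample values are assumptions.
"""
from datetime import date, timedelta

# Special characters exactly as listed on the "Password Composition" slide.
SPECIAL_CHARS = set('!£$%&*#@?{}[]=+><"')

# Constructed sample word list for the "common words or reversed words" rule.
COMMON_WORDS = ("password", "welcome", "admin", "drought", "nairobi", "ndma")

MIN_LENGTH = 8              # "at least eight characters long"
MAX_PASSWORD_AGE_DAYS = 60  # "After every 60 days (a MUST)"


def username_variants(username: str) -> set:
    """Lower-cased forms of the username a password must not embed.

    Covers the plain username, its reverse, and the username with digits and
    separators stripped (e.g. "j.doe2" -> "jdoe"). Very short fragments are
    dropped to avoid matching on two or three arbitrary letters.
    """
    u = username.lower()
    stripped = "".join(ch for ch in u if ch.isalpha())
    return {v for v in (u, u[::-1], stripped) if len(v) >= 3}


def check_password(password: str, username: str, common_words=COMMON_WORDS) -> list:
    """Return the list of rule violations; an empty list means the password complies."""
    violations = []
    lowered = password.lower()

    # Composition rules (slide 20).
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isalpha() for ch in password):
        violations.append("no alphabetic character")
    if not any(ch.isdigit() for ch in password):
        violations.append("no numeric character")
    if not any(ch in SPECIAL_CHARS for ch in password):
        violations.append("no special character from the permitted set")

    # Protection rule iii: username or a variation of it must not be embedded.
    if any(v in lowered for v in username_variants(username)):
        violations.append("embeds the username or a variation of it")

    # Protection rule vi: no common words, forwards or reversed.
    for word in common_words:
        w = word.lower()
        if w in lowered or w[::-1] in lowered:
            violations.append(f"contains a common word or its reverse ({word})")
            break

    return violations


def rotation_due(last_changed_iso: str, today_iso: str, compromised: bool = False) -> bool:
    """Password Change rules: due after 60 days, or immediately if compromised.

    Dates are ISO 8601 strings (YYYY-MM-DD), as typically exported from a
    directory or HR system.
    """
    if compromised:
        return True
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return today - last_changed >= timedelta(days=MAX_PASSWORD_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample checks; the usernames and passwords are illustrative only.
    for pw, user in (("Rain!2024Sky", "jdoe"), ("jdoe2015", "jdoe"), ("Drowssap#1", "amina")):
        print(user, "->", check_password(pw, user) or "OK")
    print("rotation due:", rotation_due("2015-02-10", "2015-04-11"))
```

The checker reports every violated rule rather than stopping at the first, which is what a self-service password portal or help-desk tool needs so the user can fix all problems in one attempt. Because the slide's special-character list is finite, `SPECIAL_CHARS` reproduces it exactly; an organization extending the list would edit that one constant.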

Page 21: NDMA Presentation - 1

Q & A

Page 22: NDMA Presentation - 1

Thank You