Consolidated Human resources Policies & Procedures Manual

CONSOLIDATED HUMAN RESOURCES POLICIES & PROCEDURES

CONSOLIDATED INFORMATION AND COMMUNICATION TECHNOLOGY POLICIES

Author: Human Resources Manager: Policies, Systems & Administration
Creation Date: 17 November 2008
Last Updated: Friday, January 13, 2017
Document Ref: Policies & Procedures
Version: Draft 1.4

Consolidated Information and Communication Technology Policies Last Updated: 13 January 2017

Page i

Document Properties

Author: Information Technology: ICT Policy Committee
Creation Date: March, 2010
Last Updated: Tuesday, February 09, 2016
Document Ref: Policies & Procedures
Version: Final
Policy Number: IT-CON 001

Document revision history

Revision   Date
1.0        March 2010
1.1        September 2010
1.2        6 October 2011
1.3        31 October 2011
           11 July 2013
1.4        28 March 2014
2.0        March 2015
2.1        October 2015
3.0        9 February 2016
3.1        13 July 2016

Summary of changes (as listed, in order):
- Existing ICT Policies currently in use at RISA are reviewed
- New policies are proposed
- Proposed policies are discussed and formatted
- Changes were made as proposed by the NRF Policy Committee
- Document reviewed; no changes to policy content
- Changes were made to the Policy Committee Status Report section of the document: "Policies currently under consideration for development"
- Enforcement section updated: removal of "Any employee found to have violated this policy may be subject to the NRF disciplinary process, in line with the NRF HR Policies."
- Consolidation of the Consolidated Information Technology Policies and the Consolidated Information Technology Operations Policies into one document
- Changes to the format of the document as per recommendation by the NRF Policy Committee
- Inclusion of the board-approved BYOD Policy
- Inclusion of the Disclaimer notice as per IT Policy Committee meeting

Please note: This is a living document; kindly refer to the intranet for most up to date version of this document.

Consolidated Information Technology Policies

TABLE OF CONTENTS

1.  GENERAL OVERVIEW ..... 1
    1.1  DISCLAIMER ..... 1
    1.2  INTRODUCTION ..... 1
    1.3  ROLE OF INFORMATION TECHNOLOGY DEPARTMENTS IN POLICY DEVELOPMENT ..... 1
    1.4  CHANGES IN LEGISLATION, CODES, STANDARDS AND BEST PRACTICES RELATED TO INFORMATION TECHNOLOGY ..... 2
    1.5  CORPORATE INFORMATION TECHNOLOGY POLICY CONTACTS ..... 2
    1.6  LEGISLATIVE FRAMEWORK ..... 3

ACCEPTABLE USE POLICY – IT-ACU101 ..... 5
2.  ACCEPTABLE USE POLICY – IT-ACU101 ..... 6
    2.1  OVERVIEW ..... 6
    2.2  PURPOSE ..... 6
    2.3  SCOPE ..... 6
    2.4  POLICY ..... 6
         2.4.1  GENERAL USE AND OWNERSHIP ..... 6
         2.4.2  SECURITY AND PROPRIETARY INFORMATION ..... 7
    2.5  UNACCEPTABLE USE ..... 7
         2.5.1  SYSTEM AND NETWORK ACTIVITIES ..... 8
         2.5.2  EMAIL AND COMMUNICATION ACTIVITIES ..... 9
         2.5.3  SOCIAL NETWORKING ..... 9
    2.6  ENFORCEMENT ..... 9
    2.7  DEFINITIONS ..... 9

EMAIL USE POLICY – IT-EMU101 ..... 11
3.  EMAIL USE POLICY – IT-EMU101 ..... 12
    3.1  OVERVIEW ..... 12
    3.2  PURPOSE ..... 12
    3.3  SCOPE ..... 12
    3.4  POLICY ..... 12
         3.4.1  PROHIBITED USE ..... 12
         3.4.2  PERSONAL USE ..... 13
         3.4.3  MONITORING ..... 13
         3.4.4  ATTACHMENT SIZE ..... 13
    3.5  ENFORCEMENT ..... 13
    3.6  DEFINITIONS ..... 13

PASSWORD POLICY – IT-PAS101 ..... 14
4.  PASSWORD POLICY – IT-PAS101 ..... 15
    4.1  OVERVIEW ..... 15
    4.2  PURPOSE ..... 15
    4.3  SCOPE ..... 15
    4.4  POLICY ..... 15
         4.4.1  GENERAL USE ..... 15
         4.4.2  GUIDELINES ..... 16
         4.4.3  GENERAL PASSWORD CONSTRUCTION ..... 16
    4.5  PASSWORD PROTECTION STANDARDS ..... 17
    4.6  APPLICATION DEVELOPMENT STANDARDS ..... 18
    4.7  USE OF PASSWORDS AND PASSPHRASES FOR REMOTE ACCESS USERS ..... 18
    4.8  ENFORCEMENT ..... 18
    4.9  DEFINITIONS ..... 18

LOGICAL ACCESS POLICY – IT-LOG101 ..... 19
5.  LOGICAL ACCESS POLICY ..... 20
    5.1  OVERVIEW ..... 20
    5.2  PURPOSE ..... 20
    5.3  SCOPE ..... 20
    5.4  POLICY ..... 20
         5.4.1  PROCESS FOR OBTAINING AN ACCOUNT ..... 20
         5.4.2  PROCESS FOR GAINING ACCESS TO SYSTEMS ..... 21
         5.4.3  PROCESS FOR TERMINATION OF EMPLOYMENT ..... 21
    5.5  ENFORCEMENT ..... 21

ICT DATACENTRE POLICY – IT-DCE101 ..... 22
6.  IT DATACENTRE POLICY ..... 23
    6.1  OVERVIEW ..... 23
    6.2  PURPOSE ..... 23
    6.3  SCOPE ..... 23
    6.4  ROLES AND RESPONSIBILITIES ..... 23
         6.4.1  IT MANAGEMENT ..... 23
         6.4.2  ALL OTHER STAFF WITH RIGHTS TO ACCESS ..... 23
    6.5  DATACENTRE ACCESS ..... 24
         6.5.1  ACCESS CONTROL ..... 24
         6.5.2  SAFETY AND HYGIENE ..... 24
         6.5.3  VISITORS ..... 24
    6.6  ENFORCEMENT ..... 24

VULNERABILITY MANAGEMENT POLICY – IT-VUM101 ..... 25
7.  VULNERABILITY MANAGEMENT POLICY – IT-VUM101 ..... 26
    7.1  OVERVIEW ..... 26
    7.2  PURPOSE ..... 26
    7.3  SCOPE ..... 26
    7.4  POLICY ..... 26
         7.4.1  SYSTEM INVENTORY ..... 26
         7.4.2  MONITORING FOR VULNERABILITIES AND THREATS ..... 27
         7.4.3  REMEDIATION AND MITIGATION OF VULNERABILITIES ..... 27
         7.4.4  VULNERABILITY PROCESS MANAGEMENT ..... 27
    7.5  ENFORCEMENT ..... 27

INFORMATION TECHNOLOGY DISASTER RECOVERY POLICY – IT-IDR101 ..... 28
8.  IT DISASTER RECOVERY POLICY – IT-IDR101 ..... 29
    8.1  OVERVIEW ..... 29
    8.2  PURPOSE ..... 29
    8.3  SCOPE ..... 29
    8.4  POLICY ..... 30
         8.4.1  CORPORATE RESPONSIBILITIES ..... 30
         8.4.2  OPERATIONAL RESPONSIBILITIES ..... 30
         8.4.3  SUPPORT AND KEY CONTACTS ..... 30
    8.5  ENFORCEMENT ..... 30

DATA REDUNDANCY POLICY – IT-DRE101 ..... 31
9.  DATA REDUNDANCY POLICY – IT-DRE101 ..... 32
    9.1  OVERVIEW ..... 32
    9.2  PURPOSE ..... 32
    9.3  SCOPE ..... 32
    9.4  POLICY ..... 32
         9.4.1  GENERAL ..... 32
         9.4.2  ADMINISTRATORS RESPONSIBILITIES ..... 32
         9.4.3  VERIFICATION ..... 33
         9.4.4  MEDIA ROTATION AND RETENTION ..... 33
         9.4.5  STORAGE ..... 33
    9.5  ENFORCEMENT ..... 33

APPROVED APPLICATION POLICY – IT-APP201 ..... 34
10. APPROVED APPLICATION POLICY – IT-APP201 ..... 35
    10.1  OVERVIEW ..... 35
    10.2  PURPOSE ..... 35
    10.3  SCOPE ..... 35
    10.4  POLICY ..... 35
          10.4.1  APPROVED APPLICATIONS / EXCEPTIONS ..... 35

ICT DOCUMENTATION POLICY – IT-DOC201 ..... 37
11. ICT DOCUMENTATION POLICY – IT-DOC201 ..... 38
    11.1  OVERVIEW ..... 38
    11.2  PURPOSE ..... 38
    11.3  DOCUMENTATION ..... 38
    11.4  ACCESS TO DOCUMENTATION ..... 39
    11.5  CHANGE NOTIFICATION ..... 39
    11.6  DOCUMENTATION REVIEW ..... 39
    11.7  STORAGE LOCATION ..... 40

SERVER MONITORING POLICY – IT-SMO201 ..... 41
12. SERVER MONITORING POLICY ..... 42
    12.1  OVERVIEW ..... 42
    12.2  PURPOSE ..... 42
    12.3  SCOPE ..... 42
    12.4  POLICY ..... 42

SYSTEM LOCKDOWN POLICY – IT-SLD201 ..... 44
13. SYSTEM LOCKDOWN POLICY – IT-SLD201 ..... 45
    13.1  OVERVIEW ..... 45
    13.2  PURPOSE ..... 45
    13.3  SCOPE ..... 45
    13.4  POLICY ..... 45

SYSTEM SECURITY UPDATE POLICY – IT-SSU201 ..... 46
14. SYSTEM SECURITY UPDATE POLICY ..... 47
    14.1  OVERVIEW ..... 47
    14.2  PURPOSE ..... 47
    14.3  SCOPE ..... 47
    14.4  UPDATE REQUIREMENT ..... 47
          14.4.1  UPDATE REQUIREMENT DETERMINATION ..... 47
          14.4.2  UPDATE TYPES ..... 47
          14.4.3  UPDATE CHECKING ..... 48
          14.4.4  UPDATE VULNERABILITY TYPES ..... 48
    14.5  UPDATE INFORMATION ..... 48
          14.5.1  VERIFICATION ..... 48

CHANGE CONTROL / MANAGEMENT POLICY – IT-CCM201 ..... 49
15. CHANGE CONTROL MANAGEMENT POLICY ..... 50
    15.1  OVERVIEW ..... 50
    15.2  PURPOSE ..... 50
    15.3  SCOPE ..... 50
    15.4  DEFINITIONS ..... 50
    15.5  POLICY ..... 51
          15.5.1  ROLES AND RESPONSIBILITIES ..... 51
          15.5.2  PROCESS OBJECTIVES ..... 51
          15.5.3  PROCESS SCOPE ..... 51
          15.5.4  CHANGE CATEGORIES ..... 52
          15.5.5  PROCESS AND PROCEDURE OVERVIEW ..... 52
          15.5.6  GENERAL CHANGE REQUEST PROCEDURE AND APPROVAL ..... 53
    15.6  ENFORCEMENT ..... 55

PRIVATE DEVICES / BYOD – IT-BYO100 ..... 56
16. PRIVATE DEVICES / BRING YOUR OWN DEVICE (BYOD) POLICY ..... 57
    16.1  POLICY STATEMENT ..... 57
    16.2  OVERVIEW ..... 57
    16.3  PURPOSE ..... 57
    16.4  POLICY APPLICATION ..... 57
    16.5  RESPONSIBILITIES ..... 57
    16.6  DEFINITIONS ..... 57
    16.7  POLICY ..... 58
          16.7.1  ACCEPTABLE USE ..... 58
          16.7.2  DEVICES AND SUPPORT ..... 58
          16.7.3  REIMBURSEMENT ..... 58
          16.7.4  SECURITY ..... 58
          16.7.5  RISK / LIABILITIES / DISCLAIMERS ..... 58
    16.8  ENFORCEMENT ..... 59

17. CORPORATE INFORMATION TECHNOLOGY POLICY CONTACTS ..... 60

1. GENERAL OVERVIEW

1.1 DISCLAIMER

The National Research Foundation provides its employees with the necessary communication tools in order to successfully conduct its business. As an organisation, it acknowledges the occasional private use of such tools; however, it reserves the right to monitor all activity that takes place on the organisation's network and computing systems. Such monitoring will be authorised according to the Operations Delegation Tables as specified on the organisation's intranet.

1.2 INTRODUCTION

The purpose of this policy document is to provide NRF employees with a consolidated view of information technology policies within the organisation. ICT policies are established to protect the people, assets and information of the organisation, as well as to provide a set of rules for expected behaviour by users, system administrators and management.

The information contained within this document has been developed in an attempt to meet the needs of the organisation and its employees. These are influenced by legislation, codes, best practices and frameworks, and are benchmarked against policies that exist in similar organisations. These policies should be consistently applied, widely communicated and open to review.

The practices, policies, rules and guidelines stated in this manual are applicable to all NRF employees, may be changed from time to time as business and legislation change, and must always be considered as guidelines. If and when provisions are changed, employees will be given replacement pages for those that have become outdated. Employees will be informed as soon as practical when this occurs.

Where applicable, business-unit-specific annexures will be developed for aspects of these policies that do not apply. The annexures must be approved by the Managing Director of the relevant business unit.

All relevant staff will have these policies brought to their attention by the ICT Manager or a delegated resource. These policies will be made available on the NRF's intranet. Any queries regarding these documents will be dealt with by the ICT Manager or a delegated resource.

1.3 ROLE OF INFORMATION TECHNOLOGY DEPARTMENTS IN POLICY DEVELOPMENT

The Corporate Information Technology Department has oversight on the development of Information Technology policies. The NRF Board has the ultimate authority to approve these policies. The Information Technology Departments of the respective Business Units, all ICT Staff, as well as managers in the NRF, are responsible for implementing, monitoring, and ensuring compliance with these policies.

1.4 CHANGES IN LEGISLATION, CODES, STANDARDS AND BEST PRACTICES RELATED TO INFORMATION TECHNOLOGY

King III states that companies "must comply with all applicable laws". When considering such compliance, "the board should ensure that all ICT related laws, rules, codes and standards are considered." During the development and updating of ICT policies, a number of forms of legislation are taken into account. These can be broken down into:

i. Laws directly related to ICT (must comply with): laws of general application that apply to the organisation irrespective of the type of organisation and the sector of the economy in which it operates.

ii. Laws indirectly related to ICT (must comply with): laws of general application whose applicability depends on the type of organisation and the sector of the economy in which it operates.

iii. Codes related to ICT (apply or explain): King III and the Wireless Application Service Providers' Association (WASPA) Code of Conduct are dealt with here.

iv. Best practices (consider adhering to): accepted methods for achieving specific business functions, goals or industry requirements. They are optional or voluntary, not mandatory, and provide concrete guidance on what is considered reasonable and prudent.

Policies are reviewed on a yearly basis. All employees and Business Units are encouraged to provide input regarding existing policies or new policies for consideration. Policy questions should be directed either to your immediate supervisor, your Business Unit's ICT Manager or to the Corporate Information and Communication Technology Department.

1.5 CORPORATE INFORMATION TECHNOLOGY POLICY CONTACTS

For contact details please refer to section 10 of this document.

1.6 LEGISLATIVE FRAMEWORK

This policy manual is informed by the following legislation, amongst others:

i. Cryptography Regulations (GN R216 of 2006 in Government Gazette 28594 of March 2006)
ii. Electronic Communications Act 26 of 2005
iii. Electronic Communications and Transactions Act 25 of 2002
iv. Promotion of Access to Information Act 2 of 2000
v. Protection of Information Act (PI Act) 84 of 1982
vi. Protection of Personal Information Bill
vii. Regulation of Interception of Communications and Provision of Communication Related Information Act (RICA) 70 of 2002
viii. Basic Conditions of Employment Act 75 of 1997
ix. Civil Proceedings Evidence Act 25 of 1965
x. Companies Act 71 of 2008
xi. Constitution of the Republic of South Africa of 1996
xii. Consumer Protection Act 68 of 2008
xiii. Copyright Act 98 of 1978
xiv. Criminal Procedure Act 51 of 1977
xv. Patents Act 57 of 1978
xvi. Labour Relations Act 66 of 1995
xvii. National Archives and Records Service of South Africa Act 43 of 1996
xviii. National Credit Act 34 of 2005
xix. National Gambling Act 7 of 2004
xx. Occupational Health and Safety Act 85 of 1993
xxi. Promotion of Equality and Prevention of Unfair Dismissal Act 4 of 2000
xxii. Public Finance Management Act 1 of 1999
xxiii. State Information Technology Agency Act 88 of 1998
xxiv. Local Government: Municipal Systems Act 32 of 2000
xxv. Trade Marks Act 194 of 1993
xxvi. King III Code and Report on Corporate Governance
xxvii. Wireless Application Service Providers’ Association (WASPA) Code of Conduct
xxviii. SABS38500:2008
xxix. ISO17799
xxx. SABS27001
xxxi. SABS27002
xxxii. South African National Standards (SANS)


2. ACCEPTABLE USE POLICY – IT-ACU101

2.1 OVERVIEW

i. The National Research Foundation (NRF)’s intention for publishing an Acceptable Use Policy is not to impose restrictions that are contrary to the organisation’s established culture of openness, trust and integrity. The NRF is committed to protecting its employees, stakeholders and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

ii. Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of the NRF. These systems are to be used for business purposes in serving the interests of the organisation, and of its stakeholders in the course of normal operations.

iii. Effective security is a team effort involving the participation and support of every NRF employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.2 PURPOSE

The purpose of this policy is to outline the acceptable use of computer equipment and systems at the NRF. These rules are in place to protect the employee and the NRF. Inappropriate use exposes the NRF to risks including virus attacks, compromise of network systems and services, and legal issues.

2.3 SCOPE

This policy applies to employees, contractors, consultants, temporaries, and other workers at the NRF, including all personnel affiliated with third parties. This policy applies to all equipment and systems that are owned or leased by the NRF.

2.4 POLICY

2.4.1 GENERAL USE AND OWNERSHIP

i. While the NRF's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of the NRF. Because of the need to protect the NRF's network, management cannot guarantee the confidentiality of information stored on any network device belonging to the NRF.

ii. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Each ICT department is responsible for creating guidelines concerning the personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should be guided by facility policies on personal use, and if there is any uncertainty, employees should consult the ICT manager / supervisor.

iii. For security and network maintenance purposes, authorised ICT personnel within the NRF may monitor equipment, systems and network traffic at any time.

iv. The NRF reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

2.4.2 SECURITY AND PROPRIETARY INFORMATION

i. Passwords should be kept in line with the password policy.

ii. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.

iii. Because information contained on laptop computers is especially vulnerable, special care should be exercised.

iv. Postings by employees from an NRF email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of the NRF, unless the posting is in the course of business duties.

v. Users should adhere to the vulnerability assessment policy.

vi. Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

2.5 UNACCEPTABLE USE

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g. systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

i. Under no circumstances is an employee of the NRF authorised to engage in any activity that is illegal under local or international law while utilising NRF-owned resources.

ii. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

2.5.1 SYSTEM AND NETWORK ACTIVITIES

The following activities are prohibited:

i. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the NRF.

ii. Unauthorised copying of copyrighted material including, but not limited to, digitisation and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the NRF or the end user does not have an active license is strictly prohibited.

iii. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

iv. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

v. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

vi. Using an NRF computing asset to actively engage in procuring or transmitting material that is of a sexual nature.

vii. Making fraudulent offers of products, items, or services originating from any NRF account.

viii. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

ix. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorised to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

x. Introduction of devices on to the network is prohibited and should only be done in consultation with ICT.

xi. Port scanning or security scanning is expressly prohibited unless prior notification has been given to the facility’s ICT Manager.

xii. Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.

xiii. Circumventing user authentication or security of any host, network or account, unless this activity is a part of the employee's normal job/duty.

xiv. Interfering with or denying service to any user (for example, a denial of service attack).

xv. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

xvi. Providing information about, or lists of, NRF employees to parties outside the NRF.

2.5.2 EMAIL AND COMMUNICATION ACTIVITIES

The following activities are prohibited:

i. Sending unsolicited email messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).

ii. Any form of harassment via email or telephone, whether through language, frequency or size of messages.

iii. Unauthorised use, or forging, of email header information.

iv. Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.

v. Use of unsolicited email originating from within the NRF’s networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by the NRF or connected via the NRF’s network.

vi. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

2.5.3 SOCIAL NETWORKING

i. Use of social networks is acceptable within reasonable limits or as defined by the facility.

2.6 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

2.7 DEFINITIONS

i. Social Networking – The term social networking will be used as an umbrella for any platform that allows social interaction between individuals, groups and organisations as well as those that allow users to generate their own content in the form of blogs or digital media.

ii. Spam – Unauthorised and/or unsolicited electronic mass mailings.

iii. Monitoring – The process of reviewing, analysing and managing network traffic for any abnormality or process that can affect network performance, availability and/or security.

iv. Chain email or letter – Email sent to successive people. Typically the body of the note has a direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

v. Virus warning – Email containing warnings about viruses or malware. The overwhelming majority of these emails turn out to be hoaxes and contain bogus information, usually intended only to frighten or mislead users.

vi. Unauthorised Disclosure – The intentional or unintentional revealing of restricted information to people, both inside and outside the NRF, who do not have a need to know that information.

3. EMAIL USE POLICY – IT-EMU101

3.1 OVERVIEW

i. The National Research Foundation (NRF)’s intention for publishing an Email Use Policy is not to impose restrictions that are contrary to the organisation’s established culture of openness, trust and integrity. The NRF is committed to protecting its employees, stakeholders and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

3.2 PURPOSE

This policy covers appropriate use of any email sent from an NRF Unit / Facility email address and applies to all employees, vendors, and agents operating on behalf of an NRF Unit / Facility.

3.3 SCOPE

This policy applies to employees, contractors, consultants, temporaries, and other workers at the NRF, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the NRF.

3.4 POLICY

3.4.1 PROHIBITED USE

i. The NRF email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any NRF employee should report the matter to their supervisor / manager immediately.

3.4.2 PERSONAL USE

i. Using a reasonable amount of the NRF resources for personal emails is acceptable.

ii. Virus or other malware warnings and mass mailings from the NRF shall be approved by the ICT Manager or a representative of the ICT department at each Facility before sending.

3.4.3 MONITORING

i. Authorised email monitoring applies to the content of email messages.

3.4.4 ATTACHMENT SIZE

i. Attachment sizes – The restrictions on the size of attachments vary from mail server to mail server. Each server has its own rules on size, and this could have implications when sending large attachments.

3.5 ENFORCEMENT

i. Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

3.6 DEFINITIONS

i. Email – The electronic transmission of information through a mail protocol such as SMTP or IMAP.

ii. Sensitive information – Information is considered sensitive if it can be damaging to the NRF’s or its customers’ reputation or market standing.

4. PASSWORD POLICY – IT-PAS101

4.1 OVERVIEW

i. Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of the NRF's entire corporate network. As such, all NRF employees (including contractors and vendors with access to NRF systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

4.2 PURPOSE

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

4.3 SCOPE

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any NRF facility, has access to the NRF network, or stores any non-public NRF information.

4.4 POLICY

4.4.1 GENERAL USE

i. All system-level passwords (e.g., root, enable, NT admin, application administration accounts, etc.) must be changed on at least a quarterly basis.

ii. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 30 days.

iii. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.

iv. Passwords must not be inserted into email messages or other forms of electronic communication.

v. Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).

vi. All user-level and system-level passwords must conform to the guidelines described below.

4.4.2 GUIDELINES

i. Passwords should be kept in line with the password policy.

ii. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (control-alt-delete for Win2K users) when the host will be unattended.

iii. Because information contained on laptop computers is especially vulnerable, special care should be exercised.

4.4.3 GENERAL PASSWORD CONSTRUCTION

Passwords are used for various purposes at the NRF. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, voicemail passwords, and local router logins. Since very few systems have the ability to support one-time tokens (i.e., dynamic passwords which are only used once), everyone should be aware of how to select strong passwords. Poor, weak passwords have the following characteristics:

i. The password contains fewer than 8 characters.

ii. The password is a word found in a dictionary (English or foreign).

iii. The password is a common usage word such as:

iv. Names of family, pets, friends, co-workers, fantasy characters, etc.

v. Computer terms and names, commands, sites, companies, hardware, software.

vi. The words "NRF", "Facility Name” or any derivation.

vii. Birthdays and other personal information such as addresses and phone numbers.

viii. Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

ix. Any of the above spelled backwards.

x. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).


Strong passwords have the following characteristics:

i. Contain both upper and lower case characters (e.g., a-z, A-Z).

ii. Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~=\`{}[]:";'?,./).

iii. Is at least 8 (eight) alphanumeric characters long and is a passphrase (Ohmy1stubbedmyt0e).

iv. Is not a word in any language, slang, dialect, jargon, etc.

v. Is not based on personal information, names of family, etc.

vi. Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use either of these examples as passwords!
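As an added example (not part of this policy manual), the following Python checks a candidate password against the weak-password characteristics in 4.4.3 and the strong-password characteristics above, and also rejects the passwords the policy itself prints as illustrations. The word list, facility name and personal details it uses are constructed placeholders, and treating any substring match as a "derivation" of the organisation name is an assumption.

```python
import re
import string

# Constructed stand-in for the dictionary the policy refers to; a real deployment
# would load a full word list (English and other languages, per 4.4.3 ii).
DICTIONARY_WORDS = {"secret", "password", "welcome", "summer", "dragon", "monkey"}

# "NRF", the facility name "or any derivation" (4.4.3 vi). The facility name is a
# constructed placeholder; substring matching is our assumption about "derivation".
ORGANISATION_TERMS = ("nrf", "examplefacility")

# Constructed personal details of the account holder (4.4.3 iv, vii): names of
# family or pets, a birthday (YYYYMMDD) and a phone number.
PERSONAL_INFO = ("alice", "rex", "19840512", "0123456789")

# The policy prints these as illustrations and says not to use them, so a
# checker should reject them outright.
PUBLISHED_EXAMPLES = {"Ohmy1stubbedmyt0e", "TmB1w2R!", "Tmb1W>r~"}

KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
PUNCTUATION = set(string.punctuation)


def _is_run(s):
    """True when s steps by exactly +1 or -1 through the character table (abcd, 4321, zyxw)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return steps == {1} or steps == {-1}


def has_pattern(pw):
    """Word or number patterns from 4.4.3 viii: aaabbb, qwerty, zyxwvuts, 123321 and the like."""
    lower = pw.lower()
    if re.search(r"(.)\1\1", lower):                      # aaa, 111
        return True
    windows = [lower[i:i + 4] for i in range(len(lower) - 3)]
    if any(_is_run(w) for w in windows):                  # abcd, 1234, zyxw, 4321
        return True
    for row in KEYBOARD_ROWS:
        if any(w in row or w in row[::-1] for w in windows):   # qwer, poiu, asdf
            return True
    half = len(lower) // 2
    return len(lower) >= 6 and lower[:half] == lower[-half:][::-1]   # 123321-style mirror


def check_password(pw, personal_info=PERSONAL_INFO):
    """Return the policy violations found in pw; an empty list means it meets the guidelines."""
    findings = []
    if pw in PUBLISHED_EXAMPLES:
        findings.append("published in the policy text as an example")
    if len(pw) < 8:
        findings.append("fewer than 8 characters (4.4.3 i, strong iii)")

    # 4.4.3 ix and x: a weak base word is still weak when spelled backwards or when
    # one digit is put before or after it, so every one of those forms is compared.
    lower = pw.lower()
    stripped = re.sub(r"^\d|\d$", "", lower)
    candidates = {lower, lower[::-1], stripped, stripped[::-1]}

    if candidates & DICTIONARY_WORDS:
        findings.append("dictionary word, possibly reversed or with a digit added (4.4.3 ii, ix, x)")
    if any(term in c for c in candidates for term in ORGANISATION_TERMS):
        findings.append("contains NRF or facility name (4.4.3 vi)")
    if any(info in c for c in candidates for info in personal_info):
        findings.append("contains personal information (4.4.3 iv, vii)")
    if has_pattern(pw):
        findings.append("word or number pattern (4.4.3 viii)")

    # Strong-password characteristics i and ii: mixed case, plus digits and punctuation.
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        findings.append("no mix of upper and lower case (strong i)")
    if not (any(c.isdigit() for c in pw) and any(c in PUNCTUATION for c in pw)):
        findings.append("missing digits and/or punctuation (strong ii)")
    return findings


if __name__ == "__main__":
    for candidate in ("secret1", "TERCES", "nrf-Research2017", "qwerty123",
                      "Alice2024!", "TmB1w2R!", "Rw7!nkLq"):
        print(candidate, "->", check_password(candidate) or "meets the guidelines")
```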

4.5 PASSWORD PROTECTION STANDARDS

Do not use the same password for NRF accounts as for other non-NRF access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various NRF access needs. For example, select one password for the Engineering systems and a separate password for ICT systems. Also, select a separate password to be used for an NT account and a UNIX account. Do not share NRF passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential NRF information. Here is a list of "don’ts":

i. Don't reveal a password over the phone to ANYONE

ii. Don't reveal a password in an email message

iii. Don't reveal a password to the boss

iv. Don't talk about a password in front of others

v. Don't hint at the format of a password (e.g., "my family name")

vi. Don't reveal a password on questionnaires or security forms

vii. Don't share a password with family members

viii. Don't reveal a password to co-workers while on vacation

If someone demands a password, refer them to this document or have them call the ICT Manager / Supervisor. Do not use the "Remember Password" feature of applications (e.g., Eudora, Outlook, and Netscape Messenger). Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption. Change passwords every 30 days (except system-level passwords, which must be changed quarterly). If an account or password is suspected to have been compromised, report the incident to the ICT department and change all passwords. Password cracking or guessing may be performed on a periodic or random basis by the ICT department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.

4.6 APPLICATION DEVELOPMENT STANDARDS

Application developers must ensure their programs contain the following security precautions. Applications:

i. Should support authentication of individual users, not groups.

ii. Should not store passwords in clear text or in any easily reversible form.

iii. Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

4.7 USE OF PASSWORDS AND PASSPHRASES FOR REMOTE ACCESS USERS

Access to the NRF Networks via remote access is to be controlled by the network / domain administrators. Access is granted via a formal request and activated accordingly.

4.8 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

4.9 DEFINITIONS

i. Application Administration Account – Any account that is for the administration of an application (e.g. Database administrator).

5. LOGICAL ACCESS POLICY – IT-LOG101

5.1 OVERVIEW

The National Research Foundation (NRF) provides networking and computing infrastructure (all computerised systems, ICT assets and NRF information) to authorised users in order to facilitate the effective operation of all business units. Logical access control measures are put in place in order to prevent the possible compromise of information, ICT assets and facilities under the control of the NRF, as a means to protect NRF information and its communications infrastructure in general.

5.2 PURPOSE

The purpose of this policy is to ensure the control of NRF information in electronic form by means of stringent logical access control baseline requirements.

5.3 SCOPE

This policy is applicable to all authorised users (NRF staff, visitors and contractors who may have access to the NRF’s network and computing infrastructure). This policy does not specifically cover the availability and integrity of NRF information, though these may be in part provided by the baseline requirements to ensure confidentiality.

5.4 POLICY

5.4.1 PROCESS FOR OBTAINING AN ACCOUNT

i. Accounts are created for a variety of purposes. Staff and contractors need accounts to gain access to network services.

ii. Accounts are requested via the helpdesk by the supervisor / manager of the relevant department. Records are stored appropriately for audit purposes.

iii. Notification of access requests needs to be sent to the helpdesk of the relevant facility before an account is issued for a new employee.

iv. Access to certain systems and information is determined at this time. Not all employees have the same access level; this is determined based on their job role.

v. Systems such as the Financial, Human Resources and Granting systems have separate processes and forms to obtain access to these systems.

vi. Accounts on all systems need to be audited quarterly for validity.

5.4.2 PROCESS FOR GAINING ACCESS TO SYSTEMS

i. There are some systems at the NRF that require more than one user id and password for access to data.

ii. If a user has access to network services, but cannot access some area that they need, a request form for that particular system needs to be completed, signed off and authorised by the supervisor / manager / executive director.

5.4.3 PROCESS FOR TERMINATION OF EMPLOYMENT

i. The termination, voluntary or involuntary, of each employee who is currently being paid through the NRF payroll system must be processed through the Human Resources Department.

ii. All other contractors’ or service providers’ access termination will be processed by the relevant department with which the contract is held.

iii. The Human Resources Department has a check-out list that requires the signature of several departments.

iv. Accounts are disabled and access to groups is removed by Information Technology once staff termination notifications are received from the Human Resources Department or the Department with which the contract is held.

v. When an Information Technology staff member exits employment at the NRF, all shared system accounts are changed on all systems. Accounts should be audited to ensure that the process happened as it was supposed to.

5.5 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

6. IT DATACENTRE POLICY – IT-DCE101

6.1 OVERVIEW

The National Research Foundation (NRF) provides networking and computing infrastructure (all computerised systems, ICT assets and NRF information) to authorised users in order to facilitate the effective operation of all business units. The security of all NRF Datacentres is the responsibility of all departments that share the data centre space. NRF Datacentre security is the responsibility of all staff who have access to and share the Datacentre space.

6.2 PURPOSE

The purpose of this policy is to ensure that a minimum level of security is maintained by all NRF staff, including contractors, who have access to the ICT Data centre.

6.3 SCOPE

This policy is applicable to all NRF staff who have access to the ICT Data centre and all visitors requiring access to the ICT Data centre.

6.4 ROLES AND RESPONSIBILITIES

6.4.1 IT MANAGEMENT

i. It is the responsibility of the ICT Manager to ensure that this policy is enforced and complied with. Delegated resources are responsible for holding and maintaining an Access Log.

6.4.2 ALL OTHER STAFF WITH RIGHTS TO ACCESS

i. All staff must be aware of this policy and their obligations therein. It is the responsibility of all staff members who have access to the ICT Datacentre Room to conduct their duties in a professional manner while working in the ICT Datacentre.

6.5 DATACENTRE ACCESS

6.5.1 ACCESS CONTROL

i. Access control to the ICT Datacentre will be monitored and reviewed on a quarterly basis by the ICT Manager or a delegated resource.

ii. Staff should carry their access cards at all times, and visitors must be accompanied by an authorised staff member at all times.

iii. Inclusion onto the ICT Datacentre Access List must be approved and signed off by the ICT Manager or delegated resource. These inclusions will be documented and retained by the ICT Manager or delegated resource.

iv. The ICT Manager or delegated resource should review Access logs on a quarterly basis.

v. In the event of an unauthorised person gaining access into the ICT Datacentre, the incident must be reported to the ICT Manager and escalated to Senior Management.

6.5.2 SAFETY AND HYGIENE

i. A procedure for the safe use of the Datacentre’s facilities should be developed. This will mainly be concerned with the safe use of the fire safety system in the room.

ii. Food and drink must not be taken into the ICT Datacentre.

6.5.3 VISITORS

i. All visitors need to be made aware of this policy and their obligations therein. It is the responsibility of the member of staff accompanying the visitor to ensure they carry out their duties in a professional manner while working in the ICT Datacentre.

6.6 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

7. VULNERABILITY MANAGEMENT POLICY – IT-VUM101

7.1 OVERVIEW

The National Research Foundation (NRF) provides networking and computing infrastructure (all computerised systems, ICT assets and NRF information) to authorised users in order to facilitate the effective operation of all business units. All NRF information systems must be monitored for vulnerabilities to maintain their operational availability, confidentiality and integrity. Vulnerability management is a security practice designed to discover and mitigate information technology vulnerabilities that may exist. Through proactively managing vulnerabilities the NRF reduces the likelihood of exploitation.

7.2 PURPOSE

The purpose of this policy is to ensure the monitoring of information systems for vulnerabilities in order to reduce the potential for exploitation thereof.

7.3 SCOPE

This policy is applicable to all NRF information systems and covers all computing resources directly operationally controlled by the NRF.

7.4 POLICY

7.4.1 SYSTEM INVENTORY

i. All computing resources must be inventoried to determine the types of hardware, operating systems, and software applications that are used within the organisation.

ii. This inventory must be periodically reviewed and updated in order to accurately reflect the environment. The inventory must be updated whenever new resources, hardware, operating systems or software are added to the environment.

7.4.2 MONITORING FOR VULNERABILITIES AND THREATS

i. NRF ICT Departments must continuously monitor sources of threat and vulnerability information from internal and external security sources.

ii. NRF ICT Departments must perform timely review of vulnerability information received from reputable sources.

iii. Proper analysis must be performed to confirm applicability of identified vulnerabilities in comparison to the system inventory.

iv. Applicable vulnerabilities must be categorised according to a vulnerability classification that should consist of urgent, routine or not applicable.

7.4.3 REMEDIATION AND MITIGATION OF VULNERABILITIES

i. A process must be in place to remediate vulnerabilities based on significance.

ii. Automated patch management tools should be used, where applicable, to expedite the distribution of patches to systems.

iii. Action plans to remediate all verified vulnerabilities should be developed and maintained continuously.

7.4.4 VULNERABILITY PROCESS MANAGEMENT

i. A vulnerability management process must be developed and maintained by the relevant ICT Departments.

ii. Verify vulnerability remediation through network and host vulnerability scanning.

7.5 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

8. IT DISASTER RECOVERY POLICY – IT-IDR101

8.1 OVERVIEW

The National Research Foundation (NRF) appreciates that information technology systems are increasingly critical to its business and that any loss of key systems could have a negative effect on operations. Appropriate and reasonable measures must be put in place to be able to restore facilities in order to maintain business activities in the event of a major failure or disaster. The NRF acknowledges that some form of disaster may occur despite precautions, and that the impact of such events on its core business must be contained through tested disaster recovery plans.

8.2 PURPOSE

The purpose of this policy is to ensure that critical systems can be restored in order to support trust in the delivery of Information Technology services. This policy also ensures that appropriate business continuity plans are in place, with fully documented processes, and that appropriate measures are taken to safeguard security and confidentiality.

8.3 SCOPE

This policy is applicable to all NRF information systems and infrastructure. The main elements of the policy include:

i. Identifying critical computer systems.
ii. Identifying areas of greatest vulnerability.
iii. Risk mitigation through developing resilience.
iv. Developing, documenting and testing disaster recovery plans that are linked to the ICT Business Continuity Plan.
v. Analysis of incidents and failures.
vi. Recovery management to inform future planning, action and mitigation.


8.4 POLICY

8.4.1 CORPORATE RESPONSIBILITIES

i. The ICT Director is responsible for ensuring that appropriate plans are in place to restore NRF ICT facilities in the event of a major failure or disaster.
ii. As part of the Business Continuity process, the ICT Director and Corporate Risk Manager are responsible for ensuring that a risk assessment is conducted on each application in order to measure the impact on the NRF's business.

8.4.2 OPERATIONAL RESPONSIBILITIES

The ICT Manager at each facility must ensure that:

i. The computer systems, including applications and servers, are backed up.
ii. Backup media is stored in an alternate location other than the datacentre.
iii. Where possible, applications and hardware must have appropriate hardware and software support contracts in place.
iv. There are Uninterruptible Power Supply units within the Datacentre and, where possible, continuous power.
v. The critical data network must be designed in such a way that users will be able to connect to ICT facilities from a remote location.
vi. If the Datacentre becomes unusable in a disaster, alternative arrangements for a temporary computer room must be in place.
vii. Documented procedures should be prepared for system housekeeping activities associated with server and network management.

8.4.3 SUPPORT AND KEY CONTACTS

i. The ICT Department will provide advice and guidance on NRF business continuity to the Corporate Governance and Risk unit.
ii. The ICT Department will ensure that there is an out-of-hours contact list for emergency access to ICT personnel.

8.5 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.


Data redundancy policy – IT-DRE101


9. DATA REDUNDANCY POLICY – IT-DRE101

9.1 OVERVIEW

The National Research Foundation (NRF) appreciates that information technology systems are increasingly critical to its business and that any loss of key systems could have a negative effect on operations. Appropriate and reasonable measures must be put in place to be able to restore facilities in order to maintain business activities in the event of a major failure or disaster. The ICT department is responsible for ensuring that mission critical applications and data are well preserved and protected against loss and destruction. Adequate redundancy allows data recovery when information technology systems or information have been destroyed due to system failure or by accidental or intentional behaviour.

9.2 PURPOSE

The purpose of this policy is to ensure that critical data can be restored when required. This policy also ensures that appropriate redundancy systems are in place, with fully documented processes, and that appropriate measures are taken to safeguard against data loss.

9.3 SCOPE

This policy is applicable to identified critical data managed by the ICT departments that resides at any company facility or that contains confidential company information.

9.4 POLICY

9.4.1 GENERAL

i. All critical data stored on servers must be recoverable at all times.
ii. Recovery strategies are determined by the business unit's ICT department.

9.4.2 ADMINISTRATORS' RESPONSIBILITIES

The recovery processes shall have at least one primary administrator and one substitute who are responsible for adhering to the established data redundancy policy. Relevant information should be kept when documenting recovery procedures.


9.4.3 VERIFICATION

i. Depending on the strategy selected per business unit, verification mechanisms should be put in place if appropriate.

9.4.4 MEDIA ROTATION AND RETENTION

Where applicable the following applies:

i. Each backup media set must contain a full weekly backup.
ii. Onsite backup media shall be retained for 1 week.
iii. All retired backup media must be destroyed before being discarded.
   a) As a minimum, before disposal, contents on retired media must be rendered unusable through formatting or erasing the media.
iv. For maximum security, consider hiring a media disposal contractor.

9.4.5 STORAGE

Where applicable the following applies:

i. At a minimum, backup media should be stored in a fireproof and protected location accessible only by authorised staff.
ii. For maximum safety, backup media should preferably be stored off site.

9.5 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.


Approved Application Policy – IT-APP201


10. APPROVED APPLICATION POLICY – IT-APP201

10.1 OVERVIEW

The National Research Foundation (NRF)'s intention for publishing an Approved Application Policy is not to impose restrictions that are contrary to the organisation's established culture of openness, trust and integrity. The NRF is committed to protecting its employees, stakeholders and the company from illegal or damaging actions by individuals, whether knowingly or unknowingly. All employees and personnel that have access to organizational computer systems must adhere to the approved application policy in order to protect the security of the network, protect data integrity, and protect computer systems.

10.2 PURPOSE

This policy is designed to protect the organizational resources by requiring all network users to only run or install application programs deemed safe by the IT department. These rules are in place to protect the employee and the NRF. Inappropriate use exposes the NRF to risks including virus attacks, compromise of network systems and services, and legal issues.

10.3 SCOPE

This policy applies to employees, contractors, consultants, temporaries, and other workers at the NRF, including all personnel affiliated with third parties. This policy applies to all equipment and systems that are owned or leased by the NRF.

10.4 POLICY

10.4.1 APPROVED APPLICATIONS / EXCEPTIONS

i. All employees may operate programs on the IT approved application list. If an employee wants to use an application that is not listed, they should submit the application program to the IT department for approval prior to using the program on a system connected to the organizational network. Each business unit's IT Department has its own comprehensive list of approved applications.


ii. Special exceptions may be made to this policy for specific employees depending on the required job function and the skills of the employee. Some reasons for exception include:
   a) The employee may be the person who needs to test new applications on a test network, then on the main network.
   b) The employee may be a developer that must run applications that they have developed in order to test their own work.
   c) Network administrators may be allowed the ability to operate and test new software.

For security and network maintenance purposes, authorised ICT personnel within the NRF may monitor equipment, systems and network traffic at any time.

iii. NRF reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.


ICT Documentation Policy – IT-DOC201


11. ICT DOCUMENTATION POLICY – IT-DOC201

11.1 OVERVIEW

This policy is an internal ICT policy and defines the requirements for documentation. This policy defines the level of documentation required, such as documentation of which switch ports connect to which rooms and computers. It defines who will have access to read ICT documentation and who will have access to change it. It also defines who will be notified when changes are made to the network.

11.2 PURPOSE

This policy is designed to provide support for network and systems stability through ensuring that relevant documentation is complete and current. This policy should complement disaster management and recovery by ensuring that documentation is available in the event that systems need to be rebuilt. This policy will help reduce troubleshooting and service restoration time by ensuring that appropriate personnel are notified when a change is made to the network or systems.

11.3 DOCUMENTATION

The network structure and server configuration will be documented and provide the following information:

i. IP addresses of critical devices on the network with static IP address configurations.
ii. Server documentation on all servers that captures the minimum configuration settings of the servers, namely:
   a) Hostname
   b) IP Address
   c) Short description of Server Role
   d) Operating System
   e) Role (Application / Database)


iii. Network diagrams should illustrate the following:
   a) The physical locations and IP addresses of all hubs, switches, routers, and firewalls on the network.
   b) The various security zones on the network and the devices that control access between them, e.g. VLANs, Demilitarised Zones (DMZ).
   c) All wide area network (WAN) information, including the network devices connecting them and the IP addresses of connecting devices.

11.4 ACCESS TO DOCUMENTATION

i. The IT Management and Systems Administrators shall have full access to all network documentation.
ii. Systems Administrators shall have access to read and modify all network documentation.
iii. Helpdesk Staff will have read access to all network documentation.
iv. Network documentation and changes will be approved by the business unit's IT Manager or Team Leader.

11.5 CHANGE NOTIFICATION

i. All IT staff will be notified when any major network changes are made.

11.6 DOCUMENTATION REVIEW

i. Any current or completed projects affecting network settings should be reviewed to determine whether any network changes were made to support the project.


11.7 STORAGE LOCATION

i. Network documentation shall be kept either in written form or electronic form in a minimum of two places.
ii. It should be kept in two locations so that if one location is destroyed, information from the other location may be used to help reconstruct the IT infrastructure.


Server Monitoring Policy – IT-SMO201


12. SERVER MONITORING POLICY – IT-SMO201

12.1 OVERVIEW

This server monitoring policy is an internal ICT policy and defines the monitoring of servers in the organization for both security and performance issues.

12.2 PURPOSE

This policy is designed to protect the organization against loss of service by providing minimum requirements for monitoring servers. It provides for monitoring servers for storage space and performance issues to prevent system failure or loss of service.

12.3 SCOPE

This policy applies to all production servers and infrastructure support servers, including but not limited to the following types of servers:

i. File servers
ii. Database servers
iii. Mail servers
iv. Web servers
v. Application servers
vi. Domain controllers
vii. FTP servers
viii. DNS servers

12.4 POLICY


All critical parameters on all servers will be monitored at all times. Each business unit's ICT department will define the monitoring parameters.


System Lockdown Policy – IT-SLD201


13. SYSTEM LOCKDOWN POLICY – IT-SLD201

13.1 OVERVIEW

This system lockdown policy is an internal ICT policy and defines a general process that should be used to lock down servers and workstations.

13.2 PURPOSE

The purpose of this policy is to minimize risk to organizational resources and data by establishing a process for increasing the security of servers and workstations by stopping unneeded services and testing for vulnerabilities.

13.3 SCOPE

This policy is applicable to all servers and equipment hosted by the NRF.

13.4 POLICY

Each business unit's ICT department will take appropriate steps to ensure adequate server protection.


System Security Update Policy – IT-SSU201


14. SYSTEM SECURITY UPDATE POLICY – IT-SSU201

14.1 OVERVIEW

This policy is an internal ICT policy which defines how often computer system updates are done and under what conditions they are done.

14.2 PURPOSE

This policy is required to establish a minimum process for protecting the organizational computers and other devices on the network from security vulnerabilities.

14.3 SCOPE

This policy determines how updates are done for computers and devices on the network.

14.4 UPDATE REQUIREMENT

14.4.1 UPDATE REQUIREMENT DETERMINATION

This section defines the methods used to determine what updates should be done and when they should be applied.

14.4.2 UPDATE TYPES

i. Several types of updates may be required on any computer, and all the types should be considered for the computer system components listed below. They include:
   a) Firmware versions.
   b) Operating system.
   c) Application updates.


14.4.3 UPDATE CHECKING

Several methods must be considered to determine when updates should be performed:
   a) Review of posted security flaws and patches for each type of update applicable to the computer system.
   b) An automatic scan of the system to determine available updates not yet applied to the system or application.

14.4.4 UPDATE VULNERABILITY TYPES

The update considerations should address vulnerabilities caused by:
   a) Bugs.
   b) Misconfiguration not covered by patches. An example would be a configuration problem with a mail server allowing non-authenticated users to relay email using the mail server.

14.5 UPDATE INFORMATION

14.5.1 VERIFICATION

i. Each business unit's ICT department will determine its own verification process and whether to update systems or not.


Change Control /Management Policy – IT-CCM201

CHANGE CONTROL MANAGEMENT POLICY

15. CHANGE CONTROL MANAGEMENT POLICY – IT-CCM201

15.1 OVERVIEW

The goal of any change management process is to ensure that standardised methods and procedures are used for the efficient and prompt handling of all changes. This is necessary in order to minimise the impact of change-related incidents on service quality and to improve the day-to-day operations of the organisation.

15.2 PURPOSE

The purpose of the policy is to ensure that the NRF information technology environment follows a formal Change Control Management standard in order to minimise the possible negative impact of changes to the information technology environment. Through the management of change requests, the NRF ICT department can ensure that changes to ICT operations and their associated impact and activities are properly documented, and that risks are identified and mitigated accordingly.

15.3 SCOPE

The policy applies to full-time or temporary employees, contractors, consultants, and other workers at the NRF, including all personnel affiliated with third parties. This policy applies to all ICT equipment that is owned or leased by the NRF.

15.4 DEFINITIONS

i. CHANGE – an event, approved by management, that results in a new status of one or more configuration items, is cost effective and enhances business processes with minimal risk to the information technology infrastructure.
ii. CHANGE CONTROL – a formal process used to ensure that a product, service or process is only modified in line with the identified necessary change.
iii. CHANGE MANAGEMENT – the process followed in controlling changes to all configuration items within all environments under the control of ICT Operations, to avoid the introduction of errors related to lack of testing or incompatibilities with other configuration items.
iv. CONFIGURATION ITEMS – the requirements, code (where applicable), documentation, models and other files.


15.5 POLICY

15.5.1 ROLES AND RESPONSIBILITIES

i. Change Requestor: The individual who requests the change.
ii. Change Administrator: The individual who carries out the initial categorisation and assessment of a change, monitors the progress of change requests through the change owners and ensures acceptance.
iii. Change/Task Owner: The individual who is allocated to a change and who manages the change through to acceptance and closure. Herein represented by an IT representative.
iv. Change Management Committee: A team represented by the Change/Task Owner, Change Administrator, Change Sponsor and an Impact Assessor, used to review the change process and specific changes where required.
v. Change Sponsor: The individual who provides business approval for a change. (May not be required.)
vi. Change Manager: The IT Manager / Team Leader / Supervisor who manages the overall change process, acts as a point of escalation, exercises judgement in assessing requests and escalates to a Change Management Team.
vii. Impact Assessors / Reviewers: A team to assess the impact of the change. (May not be required.)

15.5.2 PROCESS OBJECTIVES

The key policy objectives are to:

i. Establish a common approach for requesting, assessing, categorizing, scheduling, implementing, documenting and approving change requests.
ii. Implement proper risk mitigation controls to manage risk to the environment and ensure minimal disruption to NRF computing operations.
iii. Describe the required communications, escalation procedures and co-ordination point for proper processing and execution of changes.
iv. Create an audit trail of all requested and implemented changes.

15.5.3 PROCESS SCOPE

The policy shall be used by all parties requesting changes to all environments under the control of NRF ICT operations, which includes both the live and test environments. System administrators are responsible for the development and documentation of a change control procedure for their respective systems, which must be reviewed and signed off by the respective system owners.


15.5.4 CHANGE CATEGORIES

There are 3 types of changes:

i. Standard Change – a change that is pre-approved by the Change Management Committee, evaluated as low-risk, relatively common and performed according to a procedure or work instructions.
ii. Normal Change – a change that is not a standard change or an emergency change. It is divided into 3 categories, which are evaluated according to their impacts, risks, benefits and costs: minor, significant and major; a different level of authorization may be applied depending on the change category.
iii. Emergency Change – a change that must be implemented as soon as possible. Essentially, it follows the same normal change procedure with a few exceptions: namely, testing can be reduced, and documentation of the change and configuration data will be delayed (but not neglected).

15.5.5 PROCESS AND PROCEDURE OVERVIEW

The following section provides an overview of the change control / management process and procedure.

i. The change request is initiated and logged by a Change Requestor (usually a business representative or IT staff member).
ii. The change request form and supporting documentation must be submitted. Documents include an impact assessment, mitigation steps and an implementation plan.
iii. The Change Administrator and designated IT representative assess the documentation for completeness, accuracy, effectiveness and impact.
iv. The Change Administrator categorises, prioritises and logs the change request.
v. The change is tabled at the weekly Change Management Committee meetings for further assessment and approval.
vi. If the Change Management Committee is convinced that the detail is clear, the impact is understood and any risks are sufficiently mitigated, the change request is approved for implementation.
vii. All changes with cost implications are conditionally approved by the Change Management Team pending budget approval by the Change Sponsor.
viii. If the change takes longer than a week to implement, it is automatically promoted to a project and is managed within the Project Prioritisation and Management Processes.
ix. All changes are executed with an emphasis on Quality Assurance principles, which include verification testing on completion, thereby assuring that the negative impact of change (if any) is minimised.


x. Approved changes are implemented.
xi. Rejected changes are re-worked for submission or cancelled as decided by the committee.
xii. Change status is updated / communicated at each step of the process.
xiii. The Change Management Team reviews the status of implemented requests for closure, cancellation or to hear new and reworked requests for approval.

15.5.6 GENERAL CHANGE REQUEST PROCEDURE AND APPROVAL

CHANGE REQUEST PROCEDURE

i. The change request form is completed by the Change Requestor, usually initiated by the user and owned by IT Personnel.
ii. The change is communicated to the IT Manager / Team Leader / Supervisor.
iii. The change request form is completed and forwarded to the Change Administrator to log.
iv. The Change Administrator, together with applicable IT personnel, assesses the request and supporting documents for completeness and accuracy.
v. The Change Administrator validates the request and logs it into the change control log.

CHANGE REQUEST APPROVAL PROCEDURE

This procedure establishes the Change Management Team, which is the structure for management review and final approval of all change requests.

i. The Change Management Team meets on a weekly basis or as required to review new change requests and receive status updates on implemented and outstanding requests.
ii. The Change Administrator has delegated authority from the IT Manager / Team Leader / Supervisor to coordinate and chair the Change Control / Management meeting.
iii. The changes have to be endorsed and supported by the IT Manager / Team Leader / Supervisor before they are tabled.
iv. The meeting reviews all changes in detail, and discusses and evaluates each request in terms of purpose, impact and mitigation steps, cost and benefits, and the time and plan proposed for implementation.
v. The Change Management Team approves or rejects the change request during the meeting, documenting reasons for the decision. Once a change has been approved, it has to be signed by the IT Manager / Team Leader / Supervisor after the meeting.
vi. All approved changes are allocated to owners and are managed using a Project Management methodology, and Software Development projects are executed using the Software Development Life Cycle. Quality Assurance and testing are an integral part of the Software Development Life Cycle (SDLC), and this ensures that the developed change(s) / technology / software is fit for purpose or resolves the problems being experienced.
vii. The Change Owner gives feedback on the change to the Change Administrator and Project Manager.
viii. The Change Administrator updates the change control log and provides the final status to the requestor and the Change Advisory Team.
ix. The Task / Change Owner / Change Administrator provides feedback to the IT Manager / Team Leader / Supervisor during and after the implementation of the request. The Project Manager then communicates successful implementation to the stakeholders.
x. An unsuccessful change is documented, the status is logged and communicated to the IT Manager / Team Leader / Supervisor and stakeholders, and the change is reassessed for resubmission and/or cancellation.

[Figure: Change Management Process flowchart. Change Requestor completes Change Request Form; Change Administrator verifies documentation for completeness, accuracy, effectiveness and impact; "Right documentation?" (NO: "Rework change?", else Cancel Change; YES: continue); Change Administrator categorises, prioritises and logs change; Change Management Team Review; "Decision criteria met?" (NO: Reject Change); "Cost implications?" (YES: Change Management Team conditionally approves, Change Sponsor notified of cost implications, Change Sponsor approves budget); Implement Change.]


On occasion, changes of an emergency or critical nature arise and require quick resolution. In these cases a streamlined process is used to allow the fastest possible response while adhering to the process documented herein. The emergency change procedure supports the implementation of urgent changes in order to speed up the resolution of problems and expedite recovery of systems to the normal state. Many details are captured after the fact.

EMERGENCY CHANGE REQUEST / APPROVAL PROCEDURE

i. The change owner communicates the change, impact and plan to the IT Manager, and the change is conditionally approved by the IT Manager if it meets the Emergency Change Request Criteria as stipulated.
ii. The Change Request form is completed by the Change Owner, signed by the Change Manager and submitted to the Change Administrator for validation and logging into the Change Control Log.
iii. The change owner attends to the change and on completion immediately communicates to the IT Manager, stakeholder and administrator.
iv. The change is then logged formally on the call logging system, and the Change Administrator updates the Change Request Log to record key information regarding the change.
v. The change owner completes the change and provides information to the Change Administrator to update the Change Request Log and Change Management documentation.
vi. The change is then retrospectively tabled at the Change Management Team meeting for information, assessment, approval and closure or resubmission.

15.6 ENFORCEMENT

Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.


Private Devices / BYOD – IT-BYO100


PRIVATE DEVICES / BRING YOUR OWN DEVICE

16. PRIVATE DEVICES / BRING YOUR OWN DEVICE (BYOD) POLICY – IT-BYO100

16.1 POLICY STATEMENT

The National Research Foundation (NRF) provides all employees with the necessary tools to function within their respective positions. The NRF acknowledges the use of personal devices on its network; however, the use of such devices is based on the conditions stipulated in this policy.

16.2 OVERVIEW

The NRF grants its employees permission to use their personal smartphones, tablets, and other devices at work. This privilege is conditional on the employees abiding by the NRF's policies and procedures, in particular this policy. This permission is contingent on privately owned devices not affecting productivity.

16.3 PURPOSE

This policy provides a flexible working environment whilst safeguarding the security and integrity of the NRF's data and technology infrastructure.

16.4 POLICY APPLICATION

The policy applies to all individuals, inclusive of employees, interns, students, contractors, service providers, suppliers, professional experts, committee members, panel members, and visitors of the NRF, who connect privately owned devices to the NRF network or conduct any work-related activities on said devices.

16.5 RESPONSIBILITIES

i. NRF BOARD – The Board is aware of and takes responsibility for IT Governance in the organisation. Policies and standards are approved by the Board and are implemented by Management.
ii. EMPLOYEES – Manage the information and communication activities and safeguard the assets and liabilities arising from such activities. Approve transactions in terms of the Delegation of Powers of Authority Policy.

16.6 DEFINITIONS

i. DEVICE – In this context, refers to a mobile phone, tablet or other such device not owned by the NRF which is utilised for NRF activities or connected to a network which is managed or controlled by the NRF.
ii. ILLICIT MATERIALS – In this context, refers to any material that is not legally permitted, authorised, licensed or lawful.


iii. OWNER / USER – a party that possesses the right to hold, use, benefit from, enjoy, convey, transfer, and otherwise dispose of a device.

16.7 POLICY

16.7.1 ACCEPTABLE USE

By connecting a privately owned device to the NRF network, the device owner agrees to adhere to the NRF Consolidated Information and Communication Policy, especially the Acceptable Use Policy.

16.7.2 DEVICES AND SUPPORT

The NRF makes reasonable effort to support all mainstream devices.

16.7.3 REIMBURSEMENT

The NRF does not reimburse the user for loss of or damage to their personal devices.

16.7.4 SECURITY

The NRF holds the device owner responsible for configuring device security that meets the minimum standard acceptable to NRF IT. If in doubt, it is the responsibility of the device owner to seek assistance from the NRF IT helpdesk. The NRF's minimum security protocols are:

i. The device must be PIN or password protected and auto-locked within five minutes.
ii. All devices must have the latest patches released by the manufacturer installed in order to ensure that operating system vulnerabilities are rectified.
iii. All devices running a Windows operating system must have active anti-virus and anti-malware for protection.

16.7.5 RISK / LIABILITIES / DISCLAIMERS

i. It is the user's responsibility to take the appropriate steps to safeguard NRF and personal data.
ii. The NRF retains the prerogative to disconnect devices or disable services without notification.
iii. Device owners must report lost or stolen devices to the relevant NRF IT functionary within 24 hours. Device owners are responsible for notifying their mobile service carrier immediately upon loss of a device.

Consolidated Information and Communication Technology Policies Last Updated: 13 January 2017

Page 58

PRIVATE DEVICES / BRING YOUR OWN DEVICE

iv.

The device owner is personally liable for all costs associated with his or her device.

v.

The device owner assumes full liability for risks including, but not limited to, the partial or complete loss of NRF and personal data due to an operating system crash, errors, bugs, viruses, malware, and/or other software or hardware failures, or programming errors that render the device unusable.

vi.

The NRF does not take responsibility for backing-up personal devices.

16.8 ENFORCEMENT Violation of this policy may result in disciplinary action, in line with the NRF HR Policies.

Consolidated Information and Communication Technology Policies Last Updated: 13 January 2017

Page 59

17. CORPORATE INFORMATION TECHNOLOGY POLICY CONTACTS

Name          Office Number    Position                                               Email
L Benjamin    (012)481-4299    Manager: Corporate IT Compliance                       [email protected]
M Robertson   (021)843-1360    Head: Systems Support                                  [email protected]
I Kohler      (021)843-1084    Group Head: Electronics and Information Technology     [email protected]
M Delport     (012)392-9300    Acting Manager: Finance and Administration             [email protected]
SJ Fishley    (021)460-6290    Systems Administrator                                  [email protected]
AR Grant      (046)603 5800    IT Systems Administrator                               [email protected]
W Hugo        (012)349 7700    Chief Data and Information Officer                     [email protected]
T Swemmer     (012)328 3265    Systems Administrator                                  [email protected]
C Allenby     (012)328 3265    Manager - Commercial Services and Business Development [email protected]
A Greyling    (082)377 1836    Systems and Network Administrator (SAASTA)             [email protected]
A Bell        (012)481 4047    Senior Systems Administrator                           [email protected]
K Toka        (012)481 4220    Manager: RISA IT                                       [email protected]