The purpose of the Information Security Policy is to:
Management throughout the Municipality should enforce the following standards:
Management and Staff responsibilities
Although precautions are taken to safeguard all the systems and data, functional requirements make it impossible to prohibit all access to it. The owner or user of the data must therefore take the necessary precautions to ensure that the integrity, confidentiality and availability of all data, systems and equipment are not compromised. To achieve this the following standards should be adhered to:
In order to limit exposure to security risks, access to all computer related hardware and other resources must be controlled.
All the domain controllers and all other critical file servers must be kept in a secure (locked) environment and only authorised employees or supervised service representatives should be permitted to enter the room.
Console devices (connected to the servers or domain controllers) must be located in a secure location. Other devices such as external hard disks and tape drives must also be located in secure areas.
Workstations must be kept in a secure environment. Only authorised employees should be allowed to use them.
Printers used to print sensitive documents should be placed in a location not accessible to unauthorised personnel. No sensitive information should be stored on computers located in an insecure environment.
Network devices such as routers, firewalls, bridges, hubs and servers should be treated as computers and should be located in a secure environment.
Cables, although less of an immediate security exposure than other computer devices, should be placed in either secure or not readily accessible locations.
Employees must not make any unauthorised changes to the physical layout and connection points of the network.
Workstations / Notebooks
The workstations / notebooks should not be generally available to non-employees or unauthorised users.
Sensitive output from printers should either be destroyed or placed in a secure location. If employees work on sensitive information the visual access to the screens should be controlled.
No unauthorised changes may be made to the system configuration of workstations / notebooks.
Employees are not allowed to insert/remove any devices into/from any official workstation / notebook without prior authorisation (e.g. processors, memory modules, controller cards, etc.). Employees are not allowed to install any program on any official computer / workstation without prior authorisation. No sensitive or classified information should be stored on workstations / notebooks that are not located in a secure environment.
Please note that data stored on workstations is not secured through the normal network security measures and the necessary precautions to safeguard such data should be taken. Should the current local workstation / notebook security be of any concern, additional measures can be instituted. The Centre Manager: IT can be contacted in this regard.
No modems and/or related devices may be attached to and/or used on any official telephone line, computer, workstation and/or network device without prior authorisation.
Backup media (e.g. tapes, disks or CDs) must be secured against unauthorised use and tampering.
Critical systems (servers, domain controllers, network equipment and workstations) should be provided with an uninterrupted power supply (UPS).
The operation and functionality of UPSs must be tested regularly according to prescribed testing procedures.
Smoking is not allowed in areas containing computer equipment. Unauthorised access to the computer and network related resources is not allowed.
Every account must have an owner. (Someone who is responsible for account usage, password changes etc.)
A record should be maintained showing each user's profile. All modifications to user accounts should be recorded.
A new user may be registered on the system by submitting a written application with a list of services, programs and/or data to which access is required. This application has to be recommended by the applicant's supervisor and approved by the Municipal Manager. After approval has been granted, the network administrator/s will register the new user.
Passwords are required to gain access to all the domain controllers and file servers. No one will be allowed to access any system without a valid password.
Users will be forced to change passwords on the domains and servers every 14 days.
Passwords will be encrypted by the system.
The minimum password length is set to five characters, and passwords must contain alpha as well as numerical characters.
Care should be taken that passwords are not easily guessed (e.g. names, month, etc.).
The use of a screensaver password is recommended.
Users will be allowed three login attempts before the account will be locked. This lock will remain in effect for three months or until opened by the Network administrator.
Previously used passwords are not allowed.
Passwords that expire must be changed immediately.
Critical systems (HR and Financial) may require further authentication by means of user log-on (ID and password) to the applicable system. The specific system administrator must control this.
Time restrictions are set on the domain controllers and file servers that carry the HR, Financial and other critical information. All the users will be granted access from 07:00 to 18:00 from Monday to Friday. Exceptions to the above will only be allowed with prior authorisation from the Municipal Manager.
The domain controller and file server error logs must be followed up regularly by the network administrator.
All transaction logs must be followed up regularly by the network administrator.
It is the responsibility of the specific user to ensure that his/her data is backed up regularly. Files containing static information should be protected from unauthorised modification.
Critical applications and/or data files should be backed up and stored off-site. The location and procedure to access the files must be available to the specific manager.
The Data Security Manager must ensure that the approved corporate backup procedures are followed.
The official e-mail system may not be misused for private purposes. Electronic mail messages are not encrypted and the e-mail system can therefore not be used to transmit sensitive and/or classified material.
The Office retains the right to access and monitor any information sent via the e-mail system. No private information/images/data that may be offensive to any person, group or organisation may be sent to any destination via the official e-mail system.
As messages sent via the official e-mail system can have a major impact on the image of the Office, employees must see to it that such messages contain only authorised information and that it is in the format prescribed by the Correspondence and Publication Corporate Standards of the Office.
The connection of any Office network to an external network (INTERNET) must be protected by appropriate security measures (e.g. firewall restrictions etc.). Internet access is provided on a limited basis for research and communication purposes only. The procedures set out in paragraph 2.3.1 (application and authorisation) must be followed to gain access to this service. No material that may be deemed offensive may be downloaded through the official systems and networks.
Due to bandwidth constraints no live streaming of video and/or audio signals over the Internet will be allowed.
Users should take care not to distribute virus-infected documents, programs and/or data through the network or e-mail system. All workstations/notebooks etc. should be regularly scanned for possible virus infections.
The official anti-virus software should be installed on all the computers in use in the Municipalities.
All instances of virus infections should be reported. All diskettes should be scanned for possible viruses before any programs on them are executed or any data files are read or printed. Users will be informed of anti-virus software updates via e-mail.
Use of the electronic communication facilities and services
Standards of Communication
Security measures and limitations on access