IT SECURITY

Expand all Collapse all

• Background

  The purpose of the Information Security Policy is to:

  • Establish and maintain management and staff accountability for the protection of information resources.
  • Promulgate the policy regarding the security of data and information technology resources.
  • Define the minimum security standards for the protection of information resources.
    Policy

  Management throughout the Municipality should enforce the following standards:
  
  Management and Staff responsibilities

  Although precautions are taken to safeguard all the systems and data, functional requirements make it impossible to prohibit all access to it. The owner or user of the data must therefore take the necessary precautions to ensure that the integrity, confidentiality and availability of all data, systems and equipment are not compromised. To achieve this the following standards should be adhered to:

  • Each Departmental Head must see to it that all his or her employees take note of the Policy regarding the implementation and maintenance of data and system security.
  • Each manager is responsible for assuring an adequate level of security for all the data and resources that form part of his or her component or team.
  • An employee may only access and or use the information that he or she is authorised to access/use.
  • No information/images/data that may be offensive to any person, group or organisation may be stored on any of the official computer systems or transported across any official network or system.
  • As official messages sent via the e-mail system can have a major impact on the image of the Office, employees should see to it that such messages contain only authorised information and that it is in the format prescribed by the Correspondence and Publication Corporate Standards of the Office.
  • All the data and information on the Office's systems is the property of the Office of the Auditor-General. The Office retains the right to access any information (e-mail etc.) that is stored on or transported across any of the resources in use and to utilise it for whatever reason it deems necessary.
  • Employees must report any form of misuse of data, systems and equipment that comes to their attention to their respective managers or the Data Security Manager: IT.

• Physical access and utilisation

  Physical Access

  Computers

  In order to limit exposure to security risks, access to all computer related hardware and other resources must be controlled.
  
  All the domain controllers and all other critical file servers must be kept in a secure (locked) environment and only authorised employees or supervised service representatives should be permitted to enter the room.
  Console devices (connected to the servers or domain controllers) must be located in a secure location.  Other devices such as external hard disks and tape drives must also be located in secure areas.
  Workstations must be kept in a secure environment. Only authorised employees should be allowed to use them.
  
  Printers used to print sensitive documents should be placed in a location not accessible to unauthorised personnel. No sensitive information should be stored on computers located in an insecure environment.

  Network

  Network devices such as routers, firewall, bridges, hubs and servers should be treated as computers and should be located in a secure environment.
  
  Cables, although less of an immediate security exposure than other computer devices should be placed in either secure or not readily accessible locations.
  
  Employees must not make any unauthorised changes to the physical layout and connection points of the network.

  Workstations / Notebooks

  The workstations / notebooks should not be generally available to non-employees or unauthorised users.
  Sensitive output from printers should either be destroyed or placed in a secure location. If employees work on sensitive information the visual access to the screens should be controlled.
  
  No unauthorised changes may be made to the system configuration of workstations / notebooks.
  Employees are not allowed to insert/remove any devices into/from any official workstation / notebook without prior authorisation (E.g. Processors, memory modules, controller cards etc.) Employees are not allowed to install any program on any official computer / workstation without the prior authorisation.  No sensitive or classified information should be stored on workstations / notebooks that are not located in a secure environment.
  
  Please note that data stored on workstations is not secured through the normal network security measures and the necessary precautions to safeguard such data should be taken.  Should the current local workstation / notebook security be of any concern, additional measures can be instituted. The Centre Manager: IT can be contacted in this regard.

  Modems

  No modems and or related devices may be attached to and or used on any official telephone line, computer, workstation and or network device without  prior authorisation.

  Off-line media

  Backup media (e.g. tapes, disks or CD?s) must be secured against    unauthorised use and tampering.

  Computer resources

  Critical systems (servers, domain controllers, network equipment and workstations) should be provided with an uninterrupted power supply    (UPS).
  
  The operation and functionality of UPS?s must be tested regularly according to prescribed testing procedures.
  Smoking is not allowed in areas containing computer equipment. Unauthorised access to the computer and network related resources are not   allowed.

• Network Access

  Access Management

  Every account must have an owner. (Someone who is responsible for account usage, password changes etc.)
  A record should be maintained showing each user's profile. All modifications to user accounts should be recorded.
  
  A new user may be registered on the system by submitting a written application with a list of services, programs and or data to which access is required. This application has to be recommended by the applicant's supervisor and approved by the Municipal Manager. After approval has been granted, the network administrator/s will register the new user.

  Passwords

  Passwords are required to gain access to all the domain controllers and file servers. No one will be allowed to access any system without a valid password.
  
  Users will be forced to change passwords on the domains and servers every 14 days.
  
  Passwords will be encrypted by the system.
  
  The minimum password length is set to five characters and must contain alpha as well numerical characters.
  
  Care should be taken that passwords are not easily guessed (E.g. names, month etc.)
  
  The use of a screensaver password is recommended.
  
  Users will be allowed three login attempts before the account will be locked. This lock will remain in effect for three months or until opened by the Network administrator.
  
  Previously used passwords are not allowed.
  
  Passwords that expire must be changed immediately.

  Authentication

  Critical systems (HR and Financial) may require further authentication by means of user log-on (ID and password) to the applicable system. The specific system administrator must control this.

  Time restrictions

  Time restrictions are set on the domain controllers and file servers that carry the HR, Financial and other critical information. All the users will be granted access from 07:00 to 18:00 from Monday to Friday. Exceptions to the above will only be allowed with prior authorisation from the Municipal Manager.

  Transaction logs

  The domain controller and file server error logs must be followed up regularly by the network administrator.
  All transaction logs must be followed up regularly by the network administrator.

  Backup

  It is the responsibility of the specific user to ensure that his/her data is backed up regularly. Files containing static information should be protected from unauthorised modification.
  Critical applications and or data files should be backed up and stored off-site. The location and procedure to access the files must be available to the specific manager.
  The Data Security Manager must ensure that the approved corporate backup procedures are followed.

  Email

  The official e-mail system may not be misused for private purposes. Electronic mail messages are not encrypted and the e-mail system can therefore not be used to transmit sensitive and/or classified material.
  
  The Office retains the right to access and monitor any information sent via the e-mail system. No private information/images/data that may be offensive to any person, group or organisation may be sent to any destination via the official e-mail system.
  
  As messages sent via the official e-mail system can have a major impact on the image of the Office, employees must see to it that such messages contain only authorised information and that it is in the format prescribed by the Correspondence and Publication Corporate Standards of the Office.

  Internet

  The connection of any Office network to an external network (INTERNET) must be protected by appropriate security measures (e.g. firewall restrictions etc.). Internet access is provided on a limited basis for research and communication purposes only. The procedures set out in paragraph 2.3.1 (application and authorisation) must be followed to gain access to this service. No material that may be deemed offensive may be downloaded through the official systems and networks.
  
  Due to bandwidth constraints no live streaming of video and or audio signals over the Internet will be allowed.

  Viruses

  Users should take care not to distribute virus infected documents, programs and or data through the network or e-mail system. All workstations/notebooks etc. should be regularly scanned for possible virus infections.
  The official anti virus software should be installed on all the computers in use in the Municipalities.
  
  All instances of virus infections should be reported. All diskettes should be scanned for possible viruses before any programs on it are executed or any data files are read or printed. Users will be informed of anti virus software updates via e-mail.
  
  Use of the electronic communication facilities and services.

  • Employees are allowed access to communication facilities and services for bona fide business purposes.

  Standards of Communication

  • Each user has a responsibility to use the communication facilities and services in a lawful, informed and responsible way and in a manner that conforms to computer network etiquette, custom, courtesy and corporate policy.
  • Users should apply exactly the same standards of care and professionalism when using electronic communication facilities and services as they would apply in any other business related communications.

  Security measures and limitations on access

  • Each user must comply with all of the Municipality's access procedures, including the use of assigned user ID's and use of the licensed software made available to the employee by the Municiplity.
    User ID's may not be shared with other persons, a user may not use e-mail accounts assigned to other individuals to send or retrieve messages. 
    It remains the responsibility of each user to safeguard their passwords to prevent unauthorised access. Every user must ensure that system access is signed off when they leave their desk.