Академический Документы
Профессиональный Документы
Культура Документы
Administration Center(ISAC)
May 2011
x 2003
II.OBJECTIVES 1
1. ICT USERS POLICY
1.1 OVERVIEW_________________________________________________________________2
1.2 POLICY____________________________________________________________________2
1.3 GUIDELINE_________________________________________________________________2
1.4 TERMINATIONOFEMPLOYEES______________________________________________4
2. HARDWARE & SOFTWARE PROCUREMENT SUPPORT POLICY 5
2.1 OVERVIEW_________________________________________________________________5
2.2 POLICY____________________________________________________________________5
2.3 GUIDELINE_________________________________________________________________5
3. HARDWARE POLICY 7
3.1 OVERVIEW_________________________________________________________________7
3.2 POLICY____________________________________________________________________7
3.3 GUIDELINES________________________________________________________________7
3.3.1
HARDWARE MAINTENANCE_____________________________________________7
3.3.2
DISPOSAL OF HARDWARE:_______________________________________________8
3.3.3
MOVEMENT OF ICT EQUIPMENT__________________________________________8
4. OPERATING SYSTEM & BASIC APPLICATION SOFTWARE POLICY
9
4.1 OVERVIEW_________________________________________________________________9
4.2 POLICY____________________________________________________________________9
4.3 GUIDELINES________________________________________________________________9
5. NETWORK POLICY
10
5.1 OVERVIEW________________________________________________________________10
5.2 POLICY___________________________________________________________________10
5.3 GUIDELINES_______________________________________________________________10
5.4 WIRELESSNETWORK______________________________________________________11
5.5 REMOTEACCESS__________________________________________________________11
5.6 INTERNET_________________________________________________________________12
5.6.1
INTERNET ACCESS_____________________________________________________12
5.6.2
ALLOWED INTERNET SERVICES_________________________________________13
5.6.3
PROHIBITED INTERNET ACTIVITIES_____________________________________13
5.6.4
WEBSITE EXEMPTION__________________________________________________13
5.7 VIDEOCONFERENCESERVICE______________________________________________14
6. MoFED WEB SITE POLICY
15
6.1 OVERVIEW________________________________________________________________15
6.2 POLICY___________________________________________________________________15
6.3 GUIDELINES_______________________________________________________________15
6.3.1
RESPONSIBILITY_______________________________________________________15
6.3.2
WEBSITE MANAGEMENT_______________________________________________15
6.3.3
WEB CONTENT_________________________________________________________16
6.3.4
BILINGUAL (AMHARIC & ENGLISH) VERSION____________________________17
6.3.5
ACCESSIBILITY and VISIBILITY__________________________________________18
7. MOFED ELECTRONIC MAIL SERVICE POLICY
19
[MINISTRY OF FINANCE AND ECONOMY DEVELOPMENT ]
Page i
OVERVIEW________________________________________________________________22
POLICY___________________________________________________________________22
GUIDELINES_______________________________________________________________22
THIRDPARTYSOFTWAREDEVELOPMENT(OUTSOURCING)___________________23
9. BACKUP POLICY
24
9.1 OVERVIEW________________________________________________________________24
9.2 POLICY___________________________________________________________________24
9.3 GUIDELINES_______________________________________________________________24
10. SECURITY POLICY
26
10.1
OVERVIEW______________________________________________________________26
10.2
POLICY__________________________________________________________________26
10.3
GUIDELINE______________________________________________________________26
10.3.1 PHYSICAL SECURITY___________________________________________________26
10.3.2 NETWORK SECURITY___________________________________________________27
10.3.3 INTERNET SECURITY___________________________________________________28
10.3.4 ANTIVIRUS____________________________________________________________28
10.3.5 WIRELESS ACCESS_____________________________________________________29
10.3.6 INFORMATION SYSTEMS SECURIT_______________________________________29
10.3.7 USER MANAGMENT____________________________________________________30
10.3.8 ICT SECURITY INCIDENT MANAGEMENT_________________________________30
10.3.9 SECURIYT AUDIT_______________________________________________________30
10.3.10 ICT SYSTEMS USAGE_________________________________________________31
11. DATA CENTER POLICY
32
11.1
OVERVIEW______________________________________________________________32
11.2
POLICY__________________________________________________________________32
11.3
GUIDELINES_____________________________________________________________32
11.4
DATACENTERACCESS___________________________________________________33
11.4.1 DATA CENTER TOURS / VISITORS________________________________________33
11.5
DATACENTERETIQUETTE________________________________________________34
12. INTERNAL IT SUPPORT POLICY
35
12.1
12.2
12.3
OVERVIEW______________________________________________________________35
POLICY__________________________________________________________________35
GUIDELINE______________________________________________________________35
Page ii
37
13.1
OVERVIEW______________________________________________________________37
13.2
POLICY__________________________________________________________________37
13.3
GUIDELINES_____________________________________________________________37
13.4
IBEXSUPPORTCOMMUNICATIONMODALITY______________________________38
14. IT TRAINING POLICY 39
14.1
OVERVIEW______________________________________________________________39
14.2
POLICY__________________________________________________________________39
14.3
GUIDELINES_____________________________________________________________39
14.3.1 REQUEST FOR IT TRAINING_____________________________________________39
14.3.2 TRAINING ROOM_______________________________________________________39
14.3.3 TRAINERS_____________________________________________________________39
14.3.4 TRAINING CATEGORIES_________________________________________________40
15. ENFORCEMENT 40
Page iii
ACRONYMS
AUP
BI
Budgetary Institution(s)
IBEX
IT
Information Technology
ISAC
ICT
MoFED
LAN
Page
Page
Computer
systems
and
connecting
devices
connected
together
using
telecommunication for the purpose of communicating and sharing resources in MoFED compounds.
It comprises the two LANs that are connected in both compounds of MoFED.
SECURITY: - Computer security is a branch of technology known as information security as
applied to computers and networks. The objective of computer security includes protection of
information and property from theft, corruption, or natural disaster, while allowing the information
and property to remain accessible and productive to its intended users.
SERVER: - Computers those are designed to support and deliver a computer network that allows
users to share files, applications, software and hardware. In MoFED there are servers like file
servers, application servers, DNS servers, etc.
SPAM: - Unsolicited or undesired electronic messages; in particular e-mail spam, unsolicited or
undesired email messages.
SOFTWARE: - Computer software is often regarded as anything but hardware, meaning that the
"hard" are the parts that are tangible while the "soft" part is the intangible objects inside the
computer. Software encompasses an extremely wide array of products and technologies developed
using different techniques like programming languages, scripting languages, micro-code, etc.
USERS: - Any employee, consultant or guest in MoFED who uses computer for office work. It
includes users of applications, database systems or the ICT infrastructure.
OFFICE APPLICATIONS SOFTWARE: - In computing, an office suite, sometimes called an
office software suite or productivity suite is a collection of programs intended to be used by
knowledge workers. The currently dominant office suites are Microsoft Office, which is available for
Microsoft Windows and Apple Inc.'s Mac OS X, and OpenOffice.org, free software (open source
alternative) available for many operating systems.
OPERATING SYSTEM: - Software that controls a computer and acts as a layer between the
hardware and the applications and users. (e.g., Linux, Windows, Mac OS X, UNIX).
RESTORE: - The process of bringing off line storage data back from the offline media and putting
it on an online storage system such as a file server.
WIRELESS NETWORK: - Refers to any type of computer network that is wireless, and is
commonly associated with a telecommunications network whose interconnection between nodes is
implemented without the use of wires.
Page
I.
INTRODUCTION
Over the years, MoFED has developed policies, guidelines and procedures which govern its day-today operations. While some of these policies and guidelines have been written down and formally
approved; others, specifically IT related, represent an informal consensus among the ISAC and other
work processes.
As part of its action plan for FY 2011, the ISAC worked to consolidate and codify current operating
policies, guidelines and procedures into a formal IT policy and guideline manual. This manual
defines the services provided, and governs their use. The policy also sets appropriate expectations
regarding the use and administration of MoFED's IT Infrastructure and resources.
The policies and guidelines contained in this manual address issues of appropriate use, procurement,
software development, web site administration, network security, data retention, personal use,
internet & email, support services, training, etc. The manual will be reviewed annually to incorporate
changes in policy due to changes in technology.
II.
OBJECTIVES
Provide a framework that will enable ICT to contribute towards achieving MoFED goals.
Ensure that MoFED ICT infrastructure and capacity are utilized effectively, are compliant
with regional and international standards.
Establish a trusted and secure information infrastructure and a culture of cyber security at all
levels of MoFED society.
Enhance the exploitation of IT across MoFED for increased Productivity and efficiency; and
Transform MoFED into an Information-based society where everyone has equitable and
affordable access to ICTs and use ICT as tool for its Decision.
Position MoFED IT unit as IT centre of excellence and knowledge hub for others Public
body.
Page 1
OVERVIEW
The intent of this policy is to establish guidelines for USERS, how to use computer hardware,
software, printers, fax machines, e-mail, Internet and intranet access, collectively called IT
Infrastructure.
This policy outlines polices and general guidelines and best practices in the proper utilization of IT
equipment and access credentials.
POLICY
Users of the computer system may not use the system for illegal or unlawful purposes,
including, but not limited to, copyright infringement, obscenity, libel, slander, fraud,
defamation, plagiarism, harassment, intimidation, forgery, impersonation, illegal gambling,
soliciting for illegal pyramid schemes, and computer tampering (e.g. spreading computer
viruses).
GUIDELINE
ISAC
Ensure proper utilization of ICT resources through training & help desk services.
Provide identity for users that could enable them to get access to ICT infrastructure in general
and to relevant applications, in particular.
Shall maintain up-to-date hardware inventory, including information like type of equipment,
owner, location and others.
USERS
Should not install any Software and Hardware on their PC without consulting ISAC
Are not allowed to add or modify network connections and any configurations.
Page 2
No personal data files may be stored on the MoFED computer system or on individual
workstations.
Keep all accessories, including driver and recovery CDs in a safe place
Will be given access to appropriate network printers. In some limited cases, users may be
given local printers if deemed necessary by ISAC.
Will be given as much as possible one Desktop computer or Laptop computer not both. In
some limited cases, a user may be given both if deemed necessary by ISAC and
Departments.
Shall not in any way affect the proper utilization of shared resources, such as printers.
will have the responsibility for the acceptable use of the hardware
Users are responsible for handling the IT equipment (PC, printer etc.) properly.
Expected to comply with MOFED IT policies and procedures to ensure the proper usage of
the MOFED Network Infrastructure.
Page 3
TERMINATION OF EMPLOYEES
Upon termination of Employees:
Upon transfer/return of equipment, user data should be completely removed from the PC
using appropriate tools/methods.
ISAC shall disable and then delete user accounts belonging to terminated/resigned users.
Page 4
OVERVIEW
This policy establishes guidelines for the procurement of all computing and communication
hardware and software in order to maximize MoFED's investment in Information Technology (IT),
selection of appropriate technology and made Tradeoffs between cost and quality of technology.
POLICY
To take advantage of ICT tools in the most cost-effective manner, ISAC will standardize a
series of hardware and software products that integrate easily with MoFED's IT
infrastructure, maintain and make available an up-to-date list of supported hardware and
software together with technical specification.
While the acquisition of standard products is encouraged, some core/support processes have
a need for special equipment or software which may not be included in the list of supported
products, ISAC will consult with them to select the most appropriate equipment and to work
out an agreement for continued support.
All procured software should be licensed, genuine and as much as possible shall meet the
standard set by ISAC.
GUIDELINE
II.3.1. Responsibility of ISAC
Accept IT related equipment and software purchase request from all MoFED work processes
formally.
Decide on the appropriateness of request for purchase based on certain factors; not all
procurement requests may be approved.
Be responsible for supporting the finance & procurement sub process for procuring quality
ICT equipments and software.
Prepare specification and revise it every two months based on relevant parameters such as
latest technology, cost, availability, support, warranty etc
Page 5
Approves all ICT related hardware procured should be brand new and not reconditioned or
refurbished
Consult the ISAC for any technical assistance related to the procurement of ICT related
equipments and software.
Deal with the supplier based on ISAC report if there is any problem on the equipment during
the warranty period.
Not make any payment for IT service (Hardware, software or Training) acquired from third
party unless certified and approved by ISAC.
Page 6
HARDWARE POLICY
OVERVIEW
As users of MoFED are increasing from time to time, the procurement of IT equipments and
software systems is increasing. In addition some of the items to be purchased require high
investment. This policy establishes guidelines for the deployment and use of hardware in MoFED.
POLICY
ISAC shall be responsible for the hardware maintenance, movement of ICT Equipments and disposal
of hardware. In addition, when equipment fails to function as a whole, certain parts should be moved
to be used for upgrading or replacing faulty parts, i.e., cannibalization of hard ware will be done.
GUIDELINES
Repairs/maintenances or upgrades of all ICT related hardware shall be carried out by ISAC.
ISAC shall sign an agreement when equipments are maintained off site.
Parts from non-functioning equipment shall be used to upgrade or replace faulty equipment
ISAC shall keep a stock for such items as RAM, hard disk, etc as spare part, and budget
should be allocated for such items.
In order to satisfy MoFED hardware maintenance need, ISAC shall be equipped with well
organized workshop.
ISCAC has the responsibility for UPS equipment and generators to check regularly ensuring
they have adequate capacity and tested in accordance with manufacturer recommendation.
Page 7
Hardware should be disposed when they are below the standard of MoFED, non functional,
or couldnt be upgraded.
ISAC shall determine the obsolescence of equipment annually and propose their disposal
The disposal of equipment will only be performed by concerned body in collaboration with
ISAC.
ISAC shall have sole responsibility for cannibalizing the hardware that cannot be sold and
can no longer be used in whole, but has useful components
In order to prevent damage on an ICT related equipment, computer network and user's data
by improper transportation techniques, arrangements must be made with ISAC before any
ICT related equipments are moved from its place of installation to another place
Employees, contractors and third party users who have authority to permit off-site movement
of assets should be clearly identified.
Page 8
OVERVIEW
This section is intended to describe the policy & guidelines for the standardization and usage of
operating system, application software and different software for servers and workstations.
POLICY
ISAC shall regularly standardize operating systems and any end user application software to be
used in the Ministry. All procured software should be licensed and genuine.
GUIDELINES
Users are not permitted to install any unauthorized software on their computers, servers and on
any IT equipment connected to MoFED network.
The operating system will be of the same type and version. A different version may be
installed on machines which do not support this standard software. Likewise, application
software should also be of the same type and version to the extent possible.
Before changes are done, all software, information, database entities, and hardware that
require amendment should be identified.
ISAC implements licensed software regularly assessing the requirement for the new software
within the context of MoFED's mission, strategy and current technology needs.
ISAC shall provide software training for users on basic applications like Microsoft Office
and other applications developed in house or procured of-the-shelf.
ISAC shall keep software disks, manuals and Software license inventory in a safe storage
area.
Any hardware which MoFED buys shall come with licensed software installed on it or if
needed with no software installed at all.
Page 9
NETWORK POLICY
OVERVIEW
The purpose of this policy is to confirm the ownership of the MOFED Network Infrastructure and
establish the responsibilities of MOFED staff and guests in protecting and securing the network.
The MoFED Network Infrastructure includes, but is not limited to the following:
o Wired and wireless network equipment including jacks, wiring, switches, hubs and routers;
o Network-based communication services such as e-mail & Voice Network.
o Computers and electronic devices (such as desktops, laptops, servers, and other mobile
equipment, wireless technologies, copiers, faxes, IP phones) that are purchased or leased
using MoFED funds.
POLICY
ISAC should avail appropriate network infrastructure, network services & resource access to
every user.
ISAC reserves the right to access any computer or electronic device connecting to the
MoFED Network Infrastructure in order to verify compliance with this and other applicable
information security policies.
ISAC shall implement proper network security and document the network infrastructure.
Access to the Internet will be provided to users to support business activities and only to
perform their jobs and professional roles.
GUIDELINES
ISAC shall:
Upgrade the existing network and introduce new technology to satisfy the demands of users.
Page 10
Design, implement and maintain its network architecture with the appropriate level of
administrative and technical security controls.
Establish standards to properly configure all network security technology to protect sensitive
information.
WIRELESS NETWORK
The wireless network applies to all areas of wireless connectivity to the MoFED network
infrastructure, and includes all wireless devices operating within the MoFED IP address range, on
any of the MoFED premises, or any remote location directly connected to the MoFED network.
ISAC acts as the central management body in regulating the installation and maintenance of
all wireless connection and any request for installation of new Access Points must be directed
through ISAC.
All new Access Points must be purchased via ISAC and the existing Access Points must
conform to recommended specifications as defined by ISAC.
ISAC will provide a standard and all Access Points must follow the ISAC Standard
Configuration settings.
ISAC monitor wireless networks on a regular basis and has the right to remove any
unauthorized and non standard Access Point from the network without any notification.
ISAC is solely responsible for providing, monitoring and maintaining wireless networking
services and also responsible to register the location of all wireless access points.
ISAC is responsible for maintaining a secure wireless network and will deploy adequate
security procedures to support wireless networking on campus.
REMOTE ACCESS
The purpose of this guideline is to define standards for connecting to MoFED's network from any
location. These standards are designed to minimize the potential exposure to MoFED from damages
which may result from unauthorized use of MoFED resources.
Remote access implementations that are covered by this guideline include, but are not limited to,
MINISTRY OF FINANCE AND ECONOMY DEVELOPMENT
Page 11
It is the responsibility of MoFED employees, contractors, vendors and agents with remote
access privileges to MoFED's corporate network to ensure that their remote access
connection is given the same consideration as the user's on-site connection to MoFED.
Secure remote access must be strictly controlled. Control will be enforced via password
authentication or public/private keys with strong pass-phrases.
All hosts that are connected to MoFED internal networks via remote access technologies
must use the most up-to-date anti-virus software.
Employees with VPN privileges must not transfer their account to third party.
VPN users will be automatically disconnected from MoFED's network after thirty minutes of
inactive.
By using VPN technology with personal equipment, users are subject to the same rules and
regulations that apply to MoFED-owned equipment.
INTERNET
5.1.1
INTERNET ACCESS
Access to the Internet will be provided to users to support business activities and only to
perform their jobs and professional roles.
ISAC shall have the responsibility to guarantee Internet access through proxy server
(proxy.mofed.gov.et).
Page 12
ISAC has the responsibility to deal with ISP (ETC) for the appropriate quality of service of
the Internet.
5.1.2
5.1.3
ISAC must filter/control potentially harmful contents from the Internet through its proxy server.
The following are some of Internet usages that are strictly prohibited and filtered.
Any interaction with Usenet groups, newsgroups, or other topic-based forums on the Internet,
or with any Web sites providing material that:
o Contributes to a hostile work environment.
o Promote sexual harassment.
o Promotes illegal activities of any kind.
o Links to any unsuitable, questionable, or illegal material
Chat rooms that contribute offensive acts such as racism, gender abuse, fundamentalism,
ethnicity.
5.1.4
WEBSITE EXEMPTION
ISAC may grantee Web Site Exemption for a limited duration or to a limited scope of
employees based on the nature of the site and suitable justification for the exemption.
No exemption under any circumstances will be granted for Web sites in the following categories:
o Pornography
MINISTRY OF FINANCE AND ECONOMY DEVELOPMENT
Page 13
ISAC is responsible for Video system oversight and for scheduling of video equipment.
ISAC will ensure equipment security, schedule the Video Conference with the ISAC
Centralized Scheduler and set-up the equipment before the conference begins.
Video conference participants have a basic right to privacy and confidentiality in the use of
the Video Conferencing service.
Only ISAC staff has the authorization to manipulate video system configuration.
Page 14
OVERVIEW
MoFED has established a web presence over the internet for sharing up-to-date and reliable
information to the general public and the MoFED community. Web hosting has become one of the
services available on the MoFED. This policy creates a standard way using MoFED website.
POLICY
ISAC has a sole responsibility to manage the website, handle technical issues and provide
training for end user.
Public relation and information process manage and follow up all the contents to be posted
on the website.
GUIDELINES
6.1.1
RESPONSIBILITY
To enable the concerned work processes to publish their pages, ISAC will provide disk space
on web servers and training for relevant work processes.
Work processes are responsible to assign dedicated personnel to post their content on the
website.
ISAC will prepare and conduct the training on posting web content.
The Public Relations and information process shall review the content posting/publishing
regularly and collect feedbacks from the website visitors.
It is the responsibility of ISAC to ensure that the guidelines are enforced as required and that
the content posted on MoFEDs website adheres to the guidelines.
Page 15
WEBSITE MANAGEMENT
Public relation and information process in collaboration with ISAC has the right to change or
remove any information or link on the website to assure accuracy and timeliness.
Time-sensitive content, such as information promoting events will be removed as soon as the
event takes place.
All content on the website will adhere to applicable copyright and other laws.
WEBSITE
Any technical inquiry about the web site should be sent to the following email address:
webmaster@mofed.gov.et
Web master of ISAC will take Regular Back-up of the website and gives technical support.
Content should be reviewed for quality (including originality, accuracy, and reliability)
before posting.
The website should provide information about MoFED and other related topics.
Page 16
COPYRIGHT
MoFEDs website administrator should be sensitive towards publishing any information havi
ng a third party copyright. The administrator should follow the proper procedures to obtain
the permission prior to publishing such information on the website.
In cases where the nature of the information or document calls for a restriction on its
reproduction, the copyright statement could indicate the following terms:
The following material is subject to copyright protection unless othe
rwise indicated. The material may be downloaded to file or printer without
requiring specific prior permission. Any other proposed use of the
Page 17
6.1.4
should
be
updated
simultaneously or it should have a time stamp indicating the date of updating the
information.
If links are not functional, these links should be repaired or removed in a timely manner.
The website should not redirect the viewer to a s the viewer didnt intend to visit.
There should be a general disclaimer for visitors of the website, the Disclaimer
statement could indicate the following terms:
This is a public website and author(s) are responsible for their writings
and MoFED is not responsible for the contents and the hyperlinks on this
website to other internet resources, expressed or implied, including, but
not limited to the warranties of merchantability, copyright of third party,
or the presence or absence of any computer virus.
VISIBILITY
To improve the likelihood that the website of MoFED has a high visibility:
The website should be registered with as many search engines as possible, under
appropriate categories.
Page 18
The website should incorporate internal descriptive data or meta data comprising
relevant keywords and descriptions, intended to be read by search engines.
All the stationery items of MoFED such as Letterheads, Publicity material such as Brochures,
Pamphlets and documents such as monthly magazines etc, should display the URL of the
website.
Page 19
OVERVIEW
MoFED has internal Electronic Mail Service that enables users to share information and exchange
ideas, as a means of communication. This policy is designed to ensure the proper usage of MoFEDs
Email service.
POLICY
All employees of MoFED and consultants working for MoFED are eligible to use the email
system.
All official business communications should be done using MoFEDs email address account.
Users of MoFEDs IT facilities must take all reasonable steps to prevent the receipt and
transmission by email of malicious software e.g. computer viruses.
ISAC will maintain appropriate monitoring arrangements in relation to all Internet, email and
related services and facilities that it provides, and will apply these monitoring arrangements
to all users.
GUIDELINES
When new employee is hired, the work process is responsible to request ISAC for email
account.
Work Processes may request e-mail accounts to ISAC for guests who are in some way
affiliated with MoFED.
ISAC will grant the e-mail account based on the request by the work process.
Work processes should notify the ISAC when relationship of the account holder with
MoFED no longer exists.
The email address of every employee will have the following structure:
o
Page 20
If users do not read their mail often enough, their disk space may fill up, and mail sent after
users have exceeded their quota will be bounced back to the sender with an error message.
In the interest of more disk space utilization, email client software, preferably Zimbra Desk top shall
be installed and configured on user machines.
7.1.3
ACCEPTABLE USES
The use of e-mail services is dependent on your complying with the MoFED rules and regulations
besides the stated policies hereunder. Anyone who does not comply with the following rules may
have his/her account disabled and/or the ISAC reserves the right to cancel the privilege of using mail
services at any time.
Mail account is not used for personal business activities, unless it is consistent with MoFED
policy.
Use of e-mail system communications that violate MoFEDs policy including but not limited
to transmission of abusive, obscene, offensive or harassing messages, or messages that
disclose personal information without authorization is prohibited.
Email service shall not be used for junk or unsolicited, bulk mail, and chain letters.
The mail service may not be used for personal financial/monetary gain.
Using the identity and password of someone else for access or otherwise attempting to evade,
disable, or crack password or other security provisions is not allowed.
CONFIDENTIALITY
The contents of email messages sent or received are generally intended to be confidential,
meaning that the contents of any email message are intended to be shared only by its sender
and recipients. However, the fact that these messages occurred, message sender (by whom),
receiver (to whom), and date mailed (when) are not confidential.
Page 21
Users e-mail address is not private information and we are free to include it in MoFED
contacts database so that people from anywhere can look up users e-mail address based upon
knowledge of their full name.
ACCESS TO MAIL
Users mail received/sent through MoFED network is usually considered private. The ISAC
will not read the content of mail unless there is an urgent situation that makes it necessary to
do so in the course of their duties.
7.1.5
MAIL BOUNCING
The ISAC reserve the right to refuse mail from outside hosts that send unsolicited (bulk), mass or
commercial messages, or messages that are considered as threats, or messages that appear to contain
viruses to MoFED network system or other users, and to filter, refuse or discard such messages.
7.1.6
Disable means that the account is still able to receive mail, but users will not be able to send
message. During deletion, the user will be no long be able to use MoFED mail account.
To use the email service, a user must be currently an employee of MoFED either in
permanent or contractual bases, a consultant or a guest. If they leave MoFED, their account
will be disabled or deleted.
An account will be disabled or deleted when account audit is performed, when ISAC believe
that the user violet acceptable use of mail service.
If users account remains disabled for two months without being reactivated, then the next
time an account audit is performed, it will be deleted and, hence, they will no longer be able
to use e-mail service at MoFED unless an account is created again.
Page 22
OVERVIEW
This section of the IT policy describes the standardization guidelines & procedures for in-house or
third party software development as well as deployment and management.
POLICY
ISAC shall standardize software development tools for in-house as well as third-party
software development based on the skills & knowledge of development staffs. Moreover,
Priority shall be given to Open Source development tools.
Software that cannot be developed in house would be outsourced to the third party. This
outsourcing environment shall build the capacity of the staff.
GUIDELINES
Software must be developed using the standard software development life cycle.
ISAC shall undertake regular system requirement study, develop software and provide
training for users before the software is implemented and deployed.
Work processes should provide full system information and assign relevant personnel to
work with ISACs development team during requirement analysis.
System documentation and user manual should be part of the information system
development process.
ISAC shall have document that will show ownership, role and responsibilities of departments
/work process for applications developed like IBEX, DMFAS.
Page 23
ISAC development team should fully participate in the software development process.
Contracted companies must design and develop the software inside MoFED compound.
ISAC development team must assure a complete documentation is provided for any software
developed by third party.
ISAC shall do the updating/upgrading of any software keeping in mind having standardized
software utilization.
User manuals must be designed and prepared for any software developed.
The third party shall provide either TOT ( Training of Trainers) or user training for
concerned and appropriate staff before the software is deployed. This ensures proper testing
and usage.
Page 24
BACKUP POLICY
OVERVIEW
This policy defines data and system backup from computers, servers, router, switch and other IT
equipments within MOFED.
POLICY
ISAC shall implement a standard data and system backup. Recovery shall be done when there is loss
of data or system failure on the computing system.
GUIDELINES
ISAC is responsible to take application such as Mail, DMFAS, IBEX, AMP database backup
every week on Friday.
ISAC is responsible to take system and device configuration backup every two weeks on
Friday.
ISAC shall document and periodically review backup and recovery of MoFED Information
resources.
ISAC should guarantee the recovery of lost application and system data in the event of any
failure due to natural or manmade disaster.
ISAC shall assign staff personnel to perform regular backups. The assigned person develops
a procedure for testing backups and test the ability to restore data from backups on a monthly
basis.
Backup files must be periodically tested to ensure that they can be restored in case of a
disaster.
ISAC is not responsible for loss of data on users laptops and standalone computers, and
hence is not required to perform recovery operations.
Users should take their own backup of important work such as word files, excel files, major
projects, research documents on alternate media like CD.
Physical access controls implemented at off-site backup storage locations must meet or
exceed the of the source systems.
Page 25
Backups must have at least the following information that can be readily identified by labels
and/or a bar-coding system: System name, creation date, sensitivity classification
(encryption) and MoFED contact information.
Storage server, external hard disks or CD/DVD can be used as a backup storage medium.
Archives are made at the end of every year in June (Sene). User account data associated with the mail
servers are stored one month after they have left the organization.
Offline External Hard Disks used for nightly backup shall be stored in an adjacent building in
a fireproof safe. Monthly Backups shall be stored in a fireproof safe.
9.1.1
RESTORATION
Users that need files to be restored must submit a request to the help desk including information
about the file creation date, the name of the file, the last time it was changed, and the date and time it
was deleted or destroyed.
Page 26
10 SECURITY POLICY
OVERVIEW
The purpose of this policy is to ensure secure and reliable IT infrastructure access and performance
for MoFED community. This policy is intended to protect the IT infrastructure and mitigate the risks
and losses associated with security threats to the network and information systems.
POLICY
ISAC has responsibility to classify information transmitted over the MoFED network and
determine the level of protection that should be applied to the network, thereby preventing
unauthorized disclosure of confidential information.
ISAC have the responsibility to define, implement and enforce security requirements during
information systems development.
To ensure that security activities are carried out in a timely and accurate manner, and that
security issues are resolved effectively, ISCAC has the responsibility to appoint an individual
to co-ordinate the ICT security activities associated with the MoFED.
Users should be aware of the key elements of ICT security and understand their personal ICT
security responsibilities.
GUIDELINE
Prepare documented patch list of network cabling and detailed cabling diagram to enable
proper cable fault troubleshooting.
Checks power and communication cables lines are installed in secured manner.
MEDIA HANDLING
Page 27
System documentation stored in internal network or distributed via a public network; are
appropriately protected.
ISAC shall implement a proper secure logon procedure, user identification and authentication
for accessing network resource.
The network access rights of users shall be maintained and updated as needed.
The connection capability of users can be restricted through network gateways that filter
traffic by means of pre- defined tables or rules.
Network monitoring
ISAC assess the performance of the network using techniques such as:
Port configuration
ISAC have the responsibility to implement Port Configuration Protection.
Ports, services and similar facilities which are not specifically required for business
functionality should be disabled or removed.
ISAC have the responsibility to implement the following Secure Log-on Procedures such as:
Page 28
Review of Logs
10.1.4 ANTIVIRUS
The antivirus deployed in MoFED ICT infrastructure must be centralized corporate antivirus which
ensures the detection and protection mechanism of virus, malware, adware, spyware and so on.
Users should not stop anti-virus definition updates and anti-virus scans.
Users should perform the following recommended procedures to prevent virus problems.
Page 29
Anti-virus scans shall be done a minimum of once per week on all user controlled
workstations and servers.
In the event of a viral infection, computers infected with viruses shall be disconnected from
the network until the infection has been removed.
The anti-virus product shall be operated in real time on all servers and client computers.
ISAC ensure that only authorized individuals gain Wireless access to the network
Wireless access points shall require user authentication at the access point before granting
access to MoFED network or Internet services.
Physical security should be considered for access points when planning the location of
wireless access point and other wireless network components.
Security requirements and controls should reflect the business value of the information and
ICT assets involved
Development activities should be carried out in accordance with the documented system
development methodology
ISAC has to set security controls and security requirements to check quality assurance of key
security activities.
Page 30
Users are registered with unique user ID for their duties and responsibilities.
The level of access granted for users is appropriate to the business purpose.
Users acquire a written statement about their access rights and get confirmation from users.
Users who have changed roles, jobs or left the organization their account should be removed
or blocked immediately.
users should be provided initially with a secure temporary password, which they are forced to
change immediately
Passwords should never be stored on computer systems, mail, papers and board in an
unprotected form.
Any user who becomes aware of any loss or compromise shall immediately inform to ISAC.
All security incidents shall be recorded to ensure that details of the incident, investigation,
resolution and outcome are documented.
The ICT security status of Network and systems development activity should subject to
regular Security audits or reviews by internal or external IT auditors.
Page 31
10.1.10
Terminate active sessions when finished, unless they can be secured by an appropriate
locking mechanism.
change passwords at regular intervals and change temporary passwords at the first log-on
Page 32
POLICY
GUIDELINES
A form must be completed for all equipment installations, removals, and changes
ISAC shall have certain system specifications for equipment to be housed within the Data
Center
System Administrators should be contacted immediately if any activity requires access to the
Data Center infrastructure and/or environmental systems.
Under no circumstances should food or beverage of any kind be brought into data center.
ISAC shall label all equipments in the data center including both ends of power and data
cords.
No hardware, software, furniture, shelving or other materials will be removed or added to the
Data Center without prior approval of ISAC
The Data center must be kept clean and dust-free at all times.
Page 33
Automated access
o Card swipe access holder is available to the data center on a 7/24 basis for
authorized card holders. Card swipe access is limited to authorized
Network/system administrators.
Authorized personnel with pre-approved access to the Data Center are required to register
entrance / exit time and checked by data center operator.
Users who are planning to work on equipment within the Data Center should submit
their request by call (103, 104, 105, 107, 113) or email (info@mofed.gov.et) at least
one day in advance and should notify of the scheduled work taking place.
Planned-work site visits must be pre-approved by ISAC and Notification must be sent
to the user.
Visitors must be accompanied by either Data Center Operators or other authorized staff
members while they are visiting the Data Center.
Visitors keep record when entering/exiting the Data Center. The purpose of the visit
must be documented.
Authorized user will be given immediate access to the Data Center when an emergency
situation warrants that access. It is requested that Emergency-work site visits be
preceded by a telephone call to the call center explaining the situation and the need for
Page 34
All work areas must be kept clean and free of debris. Upon completion of any work in the
room, staff performing the work should ensure they have left the area as clean as it was
before their work begun.
All rack enclosures should be kept neat and free of manuals, diskettes, cables, etc. Doors on
all racks should remain closed at all times except during performing work.
Appropriate fire detection and alarm equipment should be placed in the data center.
Page 35
Shall report any IT related problem to ISAC help desk support using :
o Extension Telephone numbers: 105, 113 and 114
o mail address: helpdesksupport@mofed.gov.et or support@mofed.gov.et
Shall only get service when they register their case by telephone or email using the above
address rather than contacting any individual IT staff members.
Shall not be allowed to come to helpdesk support office physically to get the service.
Shall sign on the form provided by support team members or electronically when their
problem is solved
ISAC:
Shall solicit the service to third-parties for support on a need base when IT staff are unable to
provide it.
shall prepare and implement users' case and knowledge management platform
Page 36
Software Support is provided for only work related application software packages and
operating systems on MoFED's PCs, servers, laptops and other computing equipment.
Support is provided for all hardware and devices, including PCs, laptops, printers, fax,
scanners, servers, photocopiers and storage devices and so on.
Personally installed or unapproved hardware, including speakers, cameras, cell phones, etc.,
will not be supported by the IT support staff.
MODE OF SUPPORT
Support can be delivered for the user using either of the following ways:o Telephone support for minor problems and difficulties.
o Remote support through remote access or control software.
o On-site support at the end users desk where applicable.
ENFORCING SUPPORT
The IT support staff reserves the right to monitor hardware and software installation and
usage on MoFED's computer systems.
The IT support staff will conduct periodic audits to ensure compliance with this Policy.
Unannounced, random spot audits may be conducted as well.
During such audits, scanning for and removal of rogue hardware may be performed.
Support will not be granted for personally owned software and hardware problems on
personally owned IT equipment.
Support may be granted if ISAC authorizes the use of personal equipment for MoFED's
purposes.
KNOWLEDGE MANAGEMENT
ISAC shall develop FAQ (Frequently Asked Questions ) as part of its knowledge
management system.
Page 37
GUIDELINES
It is the sole responsibility of MoFED to provide for level 3 and above IBEX support service
to all installations;
Regional Bureaus are responsible to provide for level 1 and 2 IBEX support services within
their capacity limit;
Every IBEX Support requests shall be directed to the relevant work processes through email
or fax messages
Work processes should review the IBEX request and forward to ISAC for appropriate action
in written form.
ISAC shall provide IBEX support to Federal or Regional users with minimal possible
response time.
ISAC shall implement a case management and knowledge management system to record and
manage all support requests.
ISAC assigned a case number for all recorded requests which helps users to track the status
of their request.
Page 38
Telephone or fax OR e-mail are the lines of communication for solving IBEX related
problems;
o Telephone numbers: (251)11-1552400
o Fax address: (251)11-15551 89
o E-mail address: ibexsupport@mofed.gov.et
Some minor problems can also be solved using the above t Telephone numbers .
Some serious problems occurs IBEX support staff will be dispatched to the concerned
location try to solve it, otherwise they will transport the equipment to MoFED premises for
maintenance.
14 IT TRAINING POLICY
OVERVIEW
The aim of the training policy is to ensure that all employees are given the necessary help to develop
MINISTRY OF FINANCE AND ECONOMY DEVELOPMENT
Page 39
Computers and network for training room must be active and work properly.
Any technical assistance for the training room is the responsibility of ISAC support team.
Technical assistance includes any hardware or software issues including the network.
14.1.3 TRAINERS
Trainers are responsible to arrange class schedule, preparing training materials and manuals.
If the training is given by third party trainers, ISAC trainers will help and arrange all the
necessary materials.
Trainers must check and approve the performance and activity of computers, network and
Page 40
Computer Basics
15 ENFORCEMENT
Individuals who do not comply with these policies shall be subject to disciplinary action in
accordance with IT security policy. Any disciplinary action under this policy shall take into
account the severity of the offense and the individuals intent. Disciplinary action can include
revocation of privileges to use or access any or all components of the MOFED Network
Infrastructure.
In Large the Violation of this policy shall be also addressed by appropriate MoFED and
Ethiopian Criminal /civic Code
Page 41