The Good People Data Company (Pty) Ltd
(TGPDC)
Information Security Policy
Document updated June 2022
Table of Contents
The Good People Data Company (Pty) Ltd 1
(TGPDC) 1
Information Security Policy 1
1. Policy Framework 5
1.1. Purpose 5
1.2. Aims and Objective 6
1.3. Scope 6
1.4. Mandatory Compliance 7
1.5. Locations or Offices subject to Compliance 7
2. Implementation Guidelines 7
Guideline Introduction 7
2.1. Acceptable Use Policy 8
2.1.1. Each User Shall 8
2.1.2. Users may NOT do the following 9
2.1.3. Users may NOT use IT resources for 10
2.1.4. Misuse of IT Resources 10
2.2. Security Management and Responsibilities of all Stakeholders 11
2.2.1. Objective 11
2.2.2. TGPDC Policy 12
2.2.3. IT Manager 12
2.2.4. Information Owners 12
2.2.5. System Development 13
2.2.6. ICT Management Responsibilities 13
2.2.7. Staff Responsibilities 14
2.2.8. System Administrators / IT Support 14
2.3. Management’s Right to Access Information 17
2.4. Forbidden Content of Email Communications or Internet Material 18
2.5. Information Communication / Transmission Policy 18
2.5.1. Objective 18
2.5.2. Network Security Policy 18
2.5.3. Telephone Security 21
2.5.4. Email & Internet Policy 21
2.5.5. Email & Internet Guideline 22
2.5.6. Email Etiquette on Email Signatures 23
2.5.7. Fax Security 24
2.5.8. Verbal Communications 24
2.6. Risk Management Policy 24
2.6.1. Objective 24
2.6.2. TGPDC Risk 24
2.6.3. Protection of Employees, Records, Data, and Information 24
2.6.4. High Data Quality 25
2.6.5. Risk of Computer Crime 25
2.6.6. Risk from Viruses and Trojan Horses 25
2.6.7. Awareness 25
2.6.8. Confidentiality Agreement 26
2.7. Security to and from Third Party Access 26
2.7.1. Objective 26
2.7.2. Access control 26
2.8. Network Security 27
2.8.1. Objective 27
2.8.2. Responsibility 27
2.8.3. Intrusion Detection Systems 27
2.8.4. Use of ‘modems’ and other communications equipment 28
2.9. User Access Control 28
2.9.1. Objective 28
2.9.2. Access to Systems 28
2.9.3. Eligibility 29
2.9.4. Registering users 29
2.9.5. User password management 30
2.9.6. Password Guidelines 31
2.9.7. User Restrictions 32
2.9.8. User Account Policy 33
2.9.9. Temporally Accounts 34
b.9.10. Local Machines 34
b.9.11. Logging 34
b.9.12. Staff leaving TGPDC’s employment 35
b.10. Housekeeping 36
2.10.1. Objective 36
2.10.2. Data Backup 36
2.10.3. Equipment, Media, and Data Disposal 37
b.11. Software and Information Protection 38
2.11.1. Objective 38
2.11.2. Licensed software / Copyright Issues 38
2.11.3. Unauthorised Software 38
2.11.4. Virus Control 39
2.11.5. Time Out Procedures 39
2.11.6. Patch Management 40
b.12. Equipment Security 40
2.12.1. Objective 40
2.12.2. Equipment location and protection 40
2.12.3. Power supplies 40
2.12.4. Portable & Hand-held Computing Equipment 40
2.12.5. System Documentation 41
b.13. Physical Access Security 42
b.14. Data & Information Storage & Transportation 42
2.14.1. Objective 42
2.14.2. Storage 43
2.14.2 Elsewhere 43
2.14.3. Transportation 43
2.14.4. Responsibility 43
b.15. Business Continuity 43
2.15.1. Objective 44
2.15.2. Need for effective plans 44
2.15.3. Planning process 44
2.15.3. Planning framework 45
2.16. Working from Home – Information Security Standards 46
2.16.1. Objective 46
2.16.2. Authorization to remove data files 46
2.16.3. Protecting data files 46
2.16.4. Use of Privately owned Computers at Home 46
2.16.5. Transportation of data or confidential documents 47
2.16.6. Storage of equipment 47
2.14.7. Storage of confidential data or reports 47
2.17. Change Management 47
2.17.1. Operational Procedures 47
2.17.2. Documented Change 48
2.17.3. Risk Management 48
2.17.4. Change Classification 48
2.17.5. Testing 48
2.17.6. Changes affecting agreements/contracts 49
2.17.7. Version control 49
2.17.8. Approval 49
2.17.9. Communicating changes 49
2.17.10. Implementation 49
2.17.11. Fall back 49
2.17.12. Documentation 50
2.17.13. Business Continuity Plans (BCP) 50
DOCUMENT CHANGE CONTROL FOR BCM CHANGES 50
A. Scope 52
B. Assumptions 52
C. Plan Testing Procedures and Responsibilities 53
D. Plan Training Procedures and Responsibilities 54
2.17.14. Emergency Changes 55
2.17.15. Change Monitoring 55
2.2. Disciplinary Processes and procedures 55
3. Monitoring, Evaluation, Reporting and Auditing 58
3.1. Monitoring 58
3.2. Evaluation 58
3.3. Reporting 58
3.4. Auditing 58
4. Amendments to and review of policy 58
5. Implementation Date 59
1. Policy Framework
1.1. Purpose
The purpose of this policy is to outline the acceptable use of information systems and computer equipment at The Good People Data Company (Pty) Ltd (hereafter referred to as TGPDC). This policy sets forth the mechanisms by which data stored on TGPDC owned computing systems and utilised by TGPDC employees, its agents and contractors are secured and protected. These rules are in place to protect the employee and TGPDC. Inappropriate use exposes TGPDC to risks including virus attacks, compromise of network systems, services, and legal issues.
This policy is adopted and promoted in order that:
1. TGPDC can meet its record-keeping and reporting obligations as required by legislation and other laws.
2. TGPDC can consistently maintain data integrity and accuracy.
3. TGPDC can ensure that authorised individuals have timely and reliable access to necessary information.
4. TGPDC can ensure that unauthorised individuals are denied access to computing resources or other means to retrieve, modify or transfer information within the TGPDC network.
5. Every employee, agent and contractor must be aware of these risks, and act in a way to protect the information resources of TGPDC.
1.2. Aims and Objective
The aims and objectives of this policy are to:
1. Ensure all staff members have a proper awareness and concern for computer systems security and an adequate appreciation of their responsibility for information security
2. Ensure all contractors and their employees have a proper awareness and concern for security of TGPDC information
3. Provide a framework giving guidance for the establishment of standards, procedures and computer facilities for implementing computer systems security
4. Meet the general objectives of ISO27001 (Information Security: 2013).
5. Ensure all TGPDC staff is aware of their accountability and that they are aware that failure to comply with the Information Security Policy is a disciplinary offence which may include action up to and including dismissal. Any action taken will conform to the appropriate TGPDC Human Resource policies and procedures.
6. Protect both the organisation and individuals by providing rules for appropriate use of information systems and IT resources
7. Eliminate any misunderstandings and ambiguity in how IT resources can be used
8. Ensure professional and responsible approach to both equipment and managing users of information systems and computer equipment
9. To establish a standard for creation of user accounts with strong passwords, the protection of those user accounts and passwords, and the frequency of change.
10. Provide guidelines in terms of:
a. use of TGPDC owned or sponsored personal computers, laptops, notebooks, and related hardware and TGPDC owned software.
b. access to and disclosure of electronic mail messages sent or received by employees or contractors of TGPDC with use of TGPDC e-mail system.
c. access and the use various worldwide web sites (WWW site).
1.3. Scope
The level of security required in a particular system will depend upon the risks associated with the system, the data held on the system and the working environment of the system. This policy applies to all information held in both manual and electronic form. Furthermore, this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any TGPDC facility, has access to the TGPDC network, or stores any non-public TGPDC information.
1.4. Mandatory Compliance
The Policy applies to all employees of TGPDC. It also applies to contractors and visitors, not employed by TGPDC but engaged to work with or who have access to TGPDC information, e.g. consultants. The policy also applies to agents contracted to perform/offer services on behalf of TGPDC. It is the responsibility of management to bring this Policy to the attention of contractors, visitors, consultants, and agents referred to above.
The following are mandatory areas covered:
1. All TGPDC owned, operated, leased or contracted computing, networking, telephony and information resources, whether they are individually controlled, shared, standalone or networked.
2. All information maintained in any form and in any medium within the TGPDC's computer resources
3. All TGPDC voice and data networks, telephony systems, telecommunications infrastructure, communications system, services, and physical facilities including all hardware, software, applications, databases, and storage media.
Additionally, all creation, processing, communication, distribution, storage, and disposal of information by any combination of TGPDC’s IT resources and non-TGPDC IT resources are covered by this policy.
1.5. Locations or Offices subject to Compliance
The Policy applies to all locations from which TGPDC systems are accessed (including home users or other remote use). Where there are links to enable non-TGPDC offices or organisations (to have access to TGPDC information and systems), TGPDC must confirm the security policies they operate, meet our security requirements or the risk is understood and mitigated. The Policy applies to all systems and all information processed, developed or transmitted for TGPDC purpose or within its information systems.
2. Implementation Guidelines
Guideline Introduction
Information stored in manual and electronic systems used by TGPDC represent an extremely valuable asset. The increasing reliance on information technology for the delivery of TGPDC services makes it necessary to ensure that these systems are developed, operated, used and maintained in a safe and secure fashion in addition to paper-based records. The increasing need to transmit information across networks of computers renders information more vulnerable to accidental or deliberate unauthorised modification or disclosure.
2.1. Acceptable Use Policy
The only acceptable use is defined as use for the purposes of development work and communication associated with work legitimate, reviewed and approved work contracted to TGPDC; and
It is TGPDC’s policy that all use of information systems facilities used shall be lawful, honest and decent and shall have regard to the rights and sensitivities of other people.
2.1.1. Each User Shall
1. Be responsible for the security and integrity of information stored on his or her personal desktop system. This includes:
a. Ensuring regular backups of information and files.
b. Controlling and securing physical and network access to information systems, information, and equipment.
c. Properly logging out of sessions.
d. Monitor access to their accounts, if a user suspects that their access codes have been compromised or that there has been unauthorised activity on their accounts, they are to report it and change access codes immediately; and
e. Regularly updating virus protection software.
2. Choose appropriate password(s) and guard the security of that password.
3. Abide by the password protection practices specified for each information system and change their access codes on a regular basis, or as required by standards.
4. Use only the access codes and privileges associated with their computer account(s) and utilise those account(s) for the purposes for which they were authorised.
5. Respect and honour the rights of other individuals, with regard to intellectual property, privacy, freedom from harassment, copyright infringement and use of information systems and related resources.
2.1.2. Users may NOT do the following
1. Share usernames, access codes or passwords.
2. Provide usernames, access codes or passwords to any user not authorised for such access.
3. Utilise of accounts, usernames, access codes, passwords, privileges or information systems to which they are no longer authorised.
4. Tamper with, modify or alter restrictions, or protection placed on their accounts, TGPDC information system, or network facilities.
5. Use TGPDC's Internet access in a malicious manner to alter or destroy any information available on the internet or on any network accessible through the internet, for which he or she does not own or have explicit permission to alter or destroy.
6. Share remote access authentication with other users or non-users.;
7. Introduce, create, or propagate computer viruses, worms, Trojan Horses, or other malicious code to TGPDC network and information systems.
8. Use knowledge of security or access controls to damage computer and network systems, obtain information systems or gain access to accounts for which they are not authorised.
9. Eavesdrop or intercept transmissions not intended for them.
10. Physically damage or vandalise IT resources.
11. Attempt to degrade the performance of the system or to deprive authorised users of IT resources or access to any TGPDC IT resource.
12. Alter the source address of messages, or otherwise forging email messages.
13. Send malicious email chain letters or mass mailings that affect legitimate TGPDC business transactions.
14. Engage in activities that harass, degrade, intimidate, demean, slander, defame, interfere with, or threaten others; and
15. Comment or act on behalf of TGPDC over the Internet unless you have the authority to do so.
2.1.3. Users may NOT use IT resources for
1. Compensated outside work, except as authorised by the Chief Executive Officer (CEO) or the board of TGPDC.
2. The benefit of organisations not related to TGPDC, except those authorised by TGPDC for appropriate TGPDC-related service.
3. Personal gain or benefit.
4. Political or lobbying activities not approved by TGPDC's management.
5. Private business or commercial enterprise; and
6. Use any USB devise to download any TGPDC data.
2.1.4. Misuse of IT Resources
TGPDC recognises and allows for the fact that employees and others covered by this policy may, on rare occasions, use the TGPDC computer network for non-work or non-TGPDC-related purposes. Such use is a privilege and not a right. An example of such use would be the accessing of an information web site on the Internet or sending or responding to an e-mail for necessary personal needs. Such use is to be kept to an absolute minimum. In no way may such use interfere with an employee's work, customer service, and responsibilities of the workplace or the necessary, reputable business of TGPDC. TGPDC IT resources may not be used in any way for non-organisational uses as specified in the Non-organisational Use section of this policy. In any and all cases, where acceptable use comes into question, management of TGPDC reserves the right to determine what is appropriate and acceptable and what is not. Violating TGPDC policies will result in one or more of the following actions:
1. User will be notified that the misuse must cease and desist.
2. The project or work will be more carefully supervised.
3. The user will be required to reimburse TGPDC or pay for IT resource(s).
4. The user will be denied access to IT resource(s) temporarily or permanently.
5. The appropriate TGPDC disciplinary action will be initiated. Actions may include
6. sanctions up to and including termination of employment.
7. Civil action may be initiated.
8. Law enforcement authorities may be contacted to initiate criminal prosecution.
All users are encouraged to report to the helpdesk (
[email protected]) any suspected violations of TGPDC computer policies, such as unauthorised access attempts. Users are expected to cooperate with systems administrators during investigations of system abuse. Failure to cooperate may be grounds for disciplinary action.
If a system administrator has persuasive evidence of the misuse of IT resources and that evidence points to a particular individual, the administrator must notify the Manager of IT. The Manager of IT shall review the evidence and pass the matter on to the appropriate area of TGPDC for possible disciplinary action, if appropriate. During the investigation, the user' IT-resource privileges may be restricted or suspended.
TGPDC retains final authority to define what constitutes proper use and may prohibit or discipline non-compliance.
2.2. Security Management and Responsibilities of all Stakeholders
2.2.1. Objective
To ensure that staff is aware of security risks and their responsibilities to minimise the threats. The rationale is that Information Security is a shared responsibility. Confidentiality, integrity and availability of information could be compromised due to a breach of security (which could be accidental or malicious) occurring at any point in the information flow.
2.2.2. TGPDC Policy
TGPDC’s policy is to accept all reasonable obligations in respect of information security and to protect its information resources by implementing best practices which achieve an effective balance between cost and risk.
2.2.3. IT Manager
The ICT Manager is responsible for providing help and guidance on all matters relating to information security but ultimately information owners are responsible for ensuring compliance with the above information security policy statements and that the information and systems under their control have an appropriate level of security.
2.2.4. Information Owners
Each department with their own computer system and required access levels will appoint a senior member of staff as the information owner. The responsibility lies within each line manager to ensure that the required access levels are maintained. Key responsibilities include:
1. To ensure, in liaison with IT, the software license to use the system is accurate, available, and purchased according to proper TGPDC acquisition procedures.
2. Preparing details of who can access what information, how and when, according to the particular classification of the information.
3. Ensuring that the system is maintained in an effective and controlled manner.
4. Ensuring that staff immediately reports any violations or misuse of the system to them. The information owner will then report it to IT, if necessary.
5. Application training and password control.
6. Information is disposed of in compliance to retention disposal policy
Those systems which are operated throughout TGPDC should also have a designated system owner. The Manager, IT will offer advice to systems and information owners as to how they can manage their responsibilities. With existing systems, advice is available to help systems and information owners meet their responsibility in complying with the Information Security Policy. With new and proposed systems, advice must be sought at the planning and development phase to ensure systems will meet the security policy requirements before purchase and installation.
2.2.5. System Development
All system developments must comply with the Information Technology (IT) Strategy for TGPDC. All system developments must include security issues in their consideration of new developments, seeking guidance from Manager, IT at all times.
2.2.6. ICT Management Responsibilities
It is the responsibility of ICT Management to ensure the following, with respect to all TGPDC staff:
1. All current and future staff should be instructed in their security responsibilities.
2. Staff using computer systems/media must be trained in their use.
3. Staff must not be able to gain unauthorised access to any of TGPDC’s IT systems or manual data which would compromise data integrity.
4. Respective ICT or product managers should determine which individuals are given authority to access specific information systems. The level of access to specific systems should be on a job function need.
5. The ICT manager should implement procedures to minimise TGPDC’s exposure to fraud, theft or disruption of its systems such as segregation of duties, dual control, and peer review or staff rotation in critical susceptible areas.
6. The ICT Manager should review access and logs of ICT administrators in relation to information security and system usage to ensure that only approved data and systems are accessed
7. Current documentation must be maintained for all critical job functions to ensure continuity in the event of relevant staff being unavailable.
8. All staff should be aware of the confidentiality clauses in their contract of employment.
9. Respective ICT and Product managers must ensure that the relevant system managers are advised immediately about staff changes affecting computer access (e.g. job function changes leaving department or organisation) so that passwords may be withdrawn or deleted as appropriate.
10. Respective managers must ensure that all contractors or consultants undertaking work for TGPDC have signed confidentiality (non-disclosure) agreements when they are assigned work on information systems of the organization.
11. Respective managers should ensure that all staff have access to and have read the TGPDC Information Security Policy.
2.2.7. Staff Responsibilities
1. Each employee is responsible for ensuring that no breaches of information security result from their actions.
2. Each employee is responsible for reporting any breach, or suspected breach of security.
2.2.8. System Administrators / IT Support
1. Job descriptions for IT staff will include specific reference to the security role and responsibility of their position
2. The IT systems within TGPDC should have a minimum of two, preferably three individuals with the expertise to manage or administer.
3. System Administers/ IT support staff will be responsible to the Manager, IT for continued system security.
4. Systems Administrators/ IT support staff are responsible for promptly issuing user accounts with relevant access in accordance with account creation and maintenance policies.
5. Systems Administrators/ IT support staff must ensure that only those persons who are authorised to have access are provided with that capability.
System Administrators / IT Support Responsibilities
1. All system administrators will preserve users' privileges and rights of privacy consistent with this and other applicable TGPDC policies.
2. Provide information to users about policies pertaining to use of and access to IT resources.
3. Preserve the availability and integrity of TGPDC IT resources, data and systems.
4. Restore the integrity of the affected system in case of abuse, viruses or malfunctions.
5. Determine and authorise the appropriate level of access for each user or class of users.
6. Initiate access change procedures when individual users' circumstances change (e.g. termination or relocation)
7. Provide or obtain the necessary training for the proper use of IT Resources, systems and data made available to users.
8. Implement individual department remote access connection methods only when TGPDC-provided IT Resources cannot meet their needs and when the method desired will be reasonably secure and is certified by the IT department with all minimum-security requirements met.
9. Ensure that all hardware and software licensing agreements applicable to IT Resources are executed by appropriate TGPDC authority.
10. Ensure that all server and networking device user IDs are administered in accordance with established policies.
11. Perform monitoring and maintenance of IT Resources and troubleshooting and resolution of technical problems.
12. Assist in the investigation of suspected violations of TGPDC policies or procedures.
13. Take reasonable steps to keep their log files secure and physically secure equipment and IT resources.
14. Implement basic logging for all remote access systems and remote access sessions.
15. Protect the security of TGPDC IT resources, data, and assets.
16. Monitor the usage and content of IT Resources in order to administer the systems properly.
17. Maintenance of IT Resources and the troubleshooting and resolution of technical problems.
18. Investigate suspected violations of TGPDC policies or procedures.
19. Conduct internal audits to evaluate the effectiveness of and compliance with security policies and procedures.
20. Handle any other unusual and compelling circumstances that require system administrator access.
21. Allocate usage of IT Resources in accordance with TGPDC priorities.
22. Restore the integrity of the affected system in case of abuse, virus or other malfunction.
2.3. System Administrator / IT Support Rights
1. Administrative rights over certain IT Resources as delegated by the Manager, IT.
2. Administrative authorities to grant other users the authority to read, write, edit, or delete information in files or databases established by them.
3. Administrative authority to establish security controls and protection for information and IT Resources under their authority.
4. Employ a variety of security monitoring devices and tools to identify misuse or unauthorised use of systems under their management.
5. To temporarily shut off TGPDC's Internet connection and or any other system, without prior notice, in order to protect TGPDC systems, data and users. A member of IT management team must give approval for the Internet connection to be shut down.
6. To take all reasonable steps necessary to preserve the availability and integrity of IT resources.
7. Reject or destroy email messages and email attachments that are suspected of containing email-borne malicious code, such as viruses and worms.
2.4. System Administrator / IT Support Restrictions
1. Obtain and utilise access privileges only to the extent required by the performance of their job responsibilities.
2. Observe confidentiality and non-disclosure.
2.3. Management’s Right to Access Information
TGPDC respects the individual privacy of its employees. However, employee privacy does not extend to the employee's work-related conduct or to the use of TGPDC-provided equipment or supplies. Employees should be aware that the following guidelines may affect their privacy in the workplace.
The electronic mail system has been installed by TGPDC to facilitate business communications. Although each employee has an individual password to access this system, it belongs to TGPDC and the contents of e-mail communications are accessible at all times by TGPDC management for any business purpose. These systems may be subject to periodic unannounced inspections and should be treated like other shared filing systems.
All e-mail messages are TGPDC recorded. The contents of e-mail, properly obtained for legitimate business purposes, may be disclosed within TGPDC without the employee’s permission. Therefore, employees should not assume that messages are confidential. Back-up copies of e-mail may be maintained and referenced to for business and legal reasons.
TGPDC reserves the right to access, monitor and disclose the contents and activity of an individual user account(s) and to access any TGPDC-owned computer or IT resource including non-TGPDC-owned IT resources on TGPDC property connected to TGPDC networks. This action may be taken to maintain the network's integrity and the rights of others authorised to access the network. Additionally, this action may be taken if the security of a computer or network system is threatened, other misuse of TGPDC resources is suspected or TGPDC has a legitimate business need to review such files (e.g., due to sudden death or incapacity of the employee). This action will be taken without the consent of the user. Approval from either one (1) or more from the Department Executives, CEO or the Board will be required at all times.
2.4. Forbidden Content of Email Communications or Internet Material
No one may use TGPDC e-mail or internet system in any way that may be seen as insulting, disruptive, or offensive by other persons, or harmful to morale. Examples of forbidden transmissions, software, programmes or websites include sexually-explicit messages, cartoons, or jokes; unwelcome propositions or love letters; ethnic or racial slurs; or any other message that can be construed to be harassment or disparagement of others based on, inter alia, their sex, race, sexual orientation, age, national origin, or religious or political beliefs. Use of TGPDC-provided electronic communication systems in violation of this guideline will result in disciplinary action, which may include termination and criminal prosecution.
The use of the “Internal Comms” to communicate to all TGPDC staff on the Exchange Facility is restricted to the EXCO and CEO.
2.5. Information Communication / Transmission Policy
2.5.1. Objective
To ensure that TGPDC uses electronic, postal and verbal communications appropriately.
2.5.2. Network Security Policy
ESET has been deployed on the network as the preferred network security tool.
The Network Security policy defines rules and requirements for connecting to TGPDC's network from any host. These rules and requirements will minimize the potential exposure to TGPDC from damages which may result from unauthorized use of TGPDC resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical TGPDC internal systems, and fines or other financial liabilities incurred as a result of those losses.
This policy applies to all TGPDC employees, contractors, vendors and agents with a TGPDC-owned computer or workstation used to connect to the TGPDC network. This policy applies to remote access connections used to do work on behalf of TGPDC, including reading or sending email and viewing intranet web resources. This covers any and all technical implementations of remote access used to connect to TGPDC networks.
It is the responsibility of TGPDC employees, contractors, vendors and agents with remote access privileges to TGPDC's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to TGPDC.
General access to the Internet for recreational use through the TGPDC network is strictly limited to TGPDC employees, contractors, vendors and agents (hereafter referred to as “Authorized Users”). When accessing the TGPDC network from a personal computer, Authorized Users are responsible for preventing access to any TGPDC computer resources or data by non-Authorized Users. Performance of illegal activities through the TGPDC network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for and consequences of misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.
Authorized Users will not use TGPDC networks to access the Internet for outside business interests.
Secure remote access must be strictly controlled with encryption (i.e., Virtual Private Networks (VPNs)) and strong pass-phrases. For further information see the Acceptable Encryption Policy and the Password Policy.
Authorized Users shall protect their login and password, even from family members.
While using a TGPDC-owned computer to remotely connect to TGPDC's corporate network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an Authorized User or Third Party.
Use of external resources to conduct TGPDC business must be approved in advance by TGPDC and the appropriate business unit manager.
All hosts that are connected to TGPDC internal networks via remote access technologies must use the most up-to-date anti-virus software, this includes personal computers. Third party connections must comply with requirements as required by the ICT Management team.
The TGPDC team will verify compliance to this policy through various methods, including but not limited to, periodic walk-thrus, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager.
Any exception to the policy must be approved by Remote Access Services and the TGPDC ICT Team in advance.
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Remote Access Tools
TGPDC provides mechanisms to collaborate between internal users, with external partners, and from non-TGPDC systems. The approved software list can be obtained from your ICT Manager. Because proper configuration is important for secure use of these tools, mandatory configuration procedures are provided for each of the approved tools.
The approved software list may change at any time, but the following requirements will be used for selecting approved products:
a) All remote access tools or systems that allow communication to TGPDC resources from the Internet or external partner systems must require multi-factor authentication. Examples include authentication tokens and smart cards that require an additional PIN or password.
b) The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.
c) Remote access tools must support the TGPDC application layer proxy rather than direct connections through the perimeter firewall(s).
d) Remote access tools must support strong, end-to-end encryption of the remote access communication channels as specified in the TGPDC network encryption protocols policy.
e) All TGPDC antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.
All remote access tools must be purchased through the standard TGPDC procurement process, and the information technology group must approve the purchase.
2.5.3. Telephone Security
TGPDC management will ensure that staff is aware of the importance of checking the credentials of all callers requesting personal or otherwise sensitive information.
2.5.4. Email & Internet Policy
1. Because TGPDC provides the electronic mail and internet system to assist employees in the performance of their duties, employees should use it for official TGPDC business. Incidental and occasional personal use of e-mail is permitted by TGPDC, but these messages will be treated the same as other messages. TGPDC reserves the right to access and disclose as necessary all messages sent over its e-mail system, without regard to content. Since employees’ personal messages can be accessed by TGPDC management without prior notice, employees should not use e-mail to transmit any messages whose contents are offensive.
2. Access to Internet and use of E-mail facilities for all employees will be conditional on signing an Internet Access Request and E-mail access form, indicating that they have read and understood their obligation to fully comply with this policy. This form will allow management to access the employee’s e-mail, as well as the internet, in order to verify that usage is for official purpose only.
3. Each employee is responsible for the content of all text, audio, programmes or images that they place retrieve or send over the TGPDC's e-mail/Internet system. No e-mail or other electronic communications may be sent which hides the identity of the sender or represents the sender as someone else or someone from another TGPDC. All messages communicated on the TGPDC's e-mail/Internet system should contain the employee's name.
4. All communications sent by employees via TGPDC’s e-mail/Internet system must comply with this and other TGPDC policies and may not disclose any confidential or proprietary TGPDC information.
2.5.5. Email & Internet Guideline
Every staff member has a responsibility to maintain and enhance the TGPDC's public image and to use TGPDC e-mail and access to the Internet in a productive manner. To ensure that all employees are responsible, the following guidelines have been established for using e-mail and the Internet. Any improper use of the Internet or e-mail is not acceptable and will not be permitted.
Unacceptable uses of the Internet and TGPDC e-mail:
1. TGPDC e-mail and Internet access may not be used for transmitting, retrieving or storage of any communications of a discriminatory or harassing nature or materials that are obscene or X-rated.
2. Harassment of any kind is prohibited.
3. No messages with derogatory or inflammatory remarks about an individual's race, age, disability, religion, national origin, physical attributes or sexual preference shall be transmitted.
4. No abusive, profane or offensive language is to be transmitted through TGPDC's e-mail or Internet system
5. Electronic media may not be used for any other purpose which is illegal or against TGPDC policy or contrary to the TGPDC's best interest.
6. Solicitation of non-TGPDC business or any use of the TGPDC e-mail or Internet for personal gain is prohibited
7. No chain e-mails are permitted to be sent through the e-mail or Internet system.
8. No one may download from the internet unauthorised software, lengthy files, or files containing images, videos or graphics, including computer games, music files or internet broadcasting services.
9. No computer hacking is allowed to neither any other device on the TGPDC campus nor to any other external network connected to the Internet.
2.5.6. Email Etiquette on Email Signatures
All email messages are required to have the following standard signature and disclaimer attached to all outgoing messages.
1. Name of Sender
2. Designation of Sender
3. Telephone Number:
4. Facsimile Number:
5. Email address: commissioned
6. This message contains confidential information and is intended only for
. If you are not you should not disseminate, distribute or copy this e-mail. Please notify immediately by e-mail if you have received this e-mail by mistake and delete this e-mail from your system. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, arrive late or incomplete, or contain viruses. therefore does not accept liability for any errors or omissions in the contents of this message, which arise as a result of e-mail transmission. If verification is required, please request a hard-copy version from TGPDC.
2.5.7. Fax Security
TGPDC management shall ensure that fax communications are protected at all times and that faxes containing personal or sensitive information are sent and received in a secure manner.
2.5.8. Verbal Communications
TGPDC management will ensure that all staff are advised and regularly reminded of their obligation to respect the privacy of TGPDC information. This means holding conversations discreetly and with due regard to the sensitivity of the subject under discussion.
2.6. Risk Management Policy
2.6.1. Objective
To identify and counter possible threats to TGPDC’s information security and standards. An assessment of all risks will be made for each information system to ensure that it is secured appropriately and cost effectively. Information systems within TGPDC face many risks which a Security Policy can reduce or eradicate:
2.6.2. TGPDC Risk
The risks of disruption to day to day business are reduced by informing staff about contingency procedures, backup, and safekeeping of records.
2.6.3. Protection of Employees, Records, Data, and Information
This Policy will ensure better protection of confidential information from unauthorised staff, contractors and immediate agents or thieves etc. Well protected records are less likely to fall into the wrong hands or be misused. Standardised procedures also protect honest employees because they know what is expected of them, therefore protecting their integrity if a serious incident occurs.
2.6.4. High Data Quality
Good security measures often function as preventative internal controls, they help eliminate mistakes. Error correction is often the most time consuming of all manual processes and reducing errors frees staff to concentrate on developments and improvements of official core TGPDC business.
2.6.5. Risk of Computer Crime
Following a strict security policy ensures staff closes the loopholes in working practices, which makes life more difficult for thieves, unauthorised persons attempting to steal computer equipment or information.
2.6.6. Risk from Viruses and Trojan Horses
Viruses are one of the greatest threats to TGPDC’s computer systems. PC viruses become easier to avoid with staff aware of the risks with unlicensed software or bringing data/software from outside TGPDC. Anti-virus measures reduce the risks of damage to the network.
The ICT Manager centrally maintains and updates the currency of the virus definition files on servers, but users are also responsible for checking that virus updates are automatically occurring on all desktop machines.
TGPDC currently use ESET internet security. Our Anti-virus contains a firewall, Network attack protection and botnet protection and the ICT Manager reviews any scanning flags that are provided by the anti-virus software.
Advice and support is available to all staff from the ICT Manager if any remedial action is necessary.
2.6.7. Awareness
ICT Managers are responsible for ensuring that all staff are aware of and adhere to this Information Security Policy and that all start members are trained continuously on the requirements of this document. The ICT Manager will ensure that Security is included in all Computer User Training. Departmental Managers are responsible for ensuring their staff attends these awareness sessions. In order to maintain the TGPDC’s information security and integrity, departmental managers must view Information Security training with the same gravity as any other policies and procedures within TGPDC.
2.6.8. Confidentiality Agreement
TGPDC will continue to adopt comprehensive policies and procedures to ensure the secure handling of personal information within all information environments such as complying with legislative requirements. Computer system users should sign an appropriate confidentiality (non-disclosure) agreement. This should be part of the contract of employment for all staff; however, this applies particularly to staff with access to sensitive data or systems. Before signing, each employee should have the conditions carefully explained by the line manager or other such staff members delegated by them. TGPDC staff and third-party users not already covered by an existing contract (containing the confidentiality agreement) should be required to sign a Confidentiality Agreement prior employment/authorisation to use TGPDC information systems. These Confidentiality Agreements should be reviewed when there are changes to terms of contract, particularly when systems are upgraded, or contracts are due to end.
2.7. Security to and from Third Party Access
2.7.1. Objective
To enable TGPDC to control external access to its information systems.
2.7.2. Access control
No external agency/party will be given access to any of the TGPDC’s networks unless that body has been formally authorised to have access in writing for a specific period. All non-TGPDC agencies/parties will be required to sign security and confidentiality agreements with the TGPDC. TGPDC will control all external agencies’ access to its information systems by enabling/disabling connections for each approved access requirement. TGPDC will put in place adequate policies and procedures to ensure the protection of all information being sent to external systems. In doing so, it will make no assumptions as to the quality of security used by any third party but will request confirmation of levels of security maintained by those third parties. Where levels of security are found to be inadequate, alternative ways of sending data will be used. All third parties and any outsourced operations will be liable to the same level of confidentiality as TGPDC Staff
2.8. Network Security
2.8.1. Objective
To ensure confidentiality and integrity is preserved on critical data.
2.8.2. Responsibility
It is the responsibility of the Manger: IT to ensure that access rights and control of traffic on all TGPDC networks are correctly maintained. Access rights to networked applications will be controlled by system administrators. The Manager: IT will control access to personal data held on networked servers. Each System Manager has a responsibility for keeping the Manager IT informed of their requirements. This will include the number and names of users, their access requirements in terms of times and locations, the activities requiring network support and the needs of the support contractors. Systems Administrators must keep the Manager IT informed of new users requiring access and those users who no longer need access either through changing jobs or leaving the employment of TGPDC. It is the responsibility of the Manager IT to ensure that data communications to remote networks and computing facilities do not compromise the security of the TGPDC systems. All communications cabling will be arranged by IT and cannot be authorised without their involvement.
2.8.3. Intrusion Detection Systems
TGPDC routinely monitors usage patterns for its e-mail/Internet communications. The reasons for this monitoring are many, including cost analysis/allocation and the management of TGPDC's gateway to the Internet. All messages created, sent, or retrieved over TGPDC’s e-mail/Internet are the property of the TGPDC and should be considered public information. TGPDC reserves the right to access and monitor all messages and files on the TGPDC's e-mail/Internet system. Employees should not assume electronic communications are totally private and should transmit highly confidential data in other ways.
TGPDC currently use ESET internet security. Our Anti-virus contains a firewall, Network attack protection and botnet protection and the ICT Manager reviews any scanning flags that are provided by the anti-virus software.
2.8.4. Use of ‘modems’ and other communications equipment
TGPDC aims to employ suitable measures to reduce risks of damage and corruption to its computer equipment and systems. The use of ‘modems’ in an unstructured, unplanned and uncontrolled way puts its networks and information at risk. Therefore, any unauthorised modification to computers is prohibited and ‘approved modems’ may only be attached to personal computers not connected to any of TGPDC’s networks. Staff personal computers and ‘modems’ must be brought to IT for approval prior to attempting to join/access TGPDC network and systems.
2.9. User Access Control
2.9.1. Objective
To control individuals’ access to systems as is required by their job function.
2.9.2. Access to Systems
Staff and contractors should only access systems for which they are authorised. It is a criminal offence to attempt to gain access to computer information and systems for which they have no authorisation. All contracts of employment, conditions of contract for contractors’ access agreements should have a non-disclosure clause, which means that in the event of accidental unauthorised access to information, the member of staff or contractor is prevented from disclosing information which they had no right to obtain.
1. All users are granted access to and permitted use of TGPDC's IT equipment and information systems. Access is granted for specific purposes based on the user’s particular needs or classification.
2. Users have the authority to read, write, edit, or delete information in files or databases as established on behalf of the designated owners of the information.
3. All users are provided with TGPDC's network access including, electronic mail ("e-mail") and Internet access.
2.9.3. Eligibility
The following are eligible to register as users:
1. Any staff member dully appointed and having signed a contract of employment with TGPDC including confidentiality and non-disclosure agreement.
2. Contractors/Consultants
3. Any person holding a position recognised by TGPDC
4. Any person recommended by the TGPDC IT Manager or CEO.
With the exception of access to material intended for the general public, e.g. Promotion of Access to Information Act (PAIA), use of information systems and networks shall be restricted to registered users.
2.9.4. Registering users
All new users will be induced and will be introduced to all IT policies, systems and procedures prior to being registered on TGPDC’s IT systems. All users must be vetted and registered as users before they can log in, create a secure password or access any systems.
In order for a user to be registered on any of TGPDC’s ICT systems, the user must undertake and go through the following:
- A formal interviewing process
- A vetting process where all required checks are completed, including Home Affairs, Credit Checks and Criminal checks where required.
- Training on all platforms as well as the familiarisation with the IT and security policies of TGPDC
- Sign-off from the ICT manager as well as the hiring manager for any and all access within the TGPDC systems after all checks and training has been completed.
Formal procedures will be used to control access to systems. An authorised manager must countersign each application for access. Access privileges will be modified /removed - as appropriate based on role and access requirements - when an individual changes job. Each user’s system application for access should be countersigned by the manager against the rules agreed by the ICT Manager. Staff will be provided with an account after registration which can be activated by logging on to the system and applying a new password known only to them.
2.9.5. User password management
A password is “Confidential authentication information composed of a string of characters” used to access computer systems. Passwords must be kept confidential. Passwords are the responsibility of individual users; they must not be used by anyone else even for a short period of time. The giving of an authorised password to someone unauthorised in order to gain access to an information system may be a disciplinary offence. Systems Administrators will ensure their systems enforce password changes at monthly intervals. Passwords must be at least (ten) 10 characters in length. They should be a mix of upper and lowercase and use other characters such as # @ $ * etc. It is good practice to use ‘screensaver’ passwords in multiple occupancy offices, and essential in public areas. Passwords should be changed at least monthly, new systems should force this. No staff should be given access to a live system unless properly trained and made aware of their security responsibilities.
The following password policy rules must be adhered to:
1. All system-level passwords (e.g., domain admin, application administration accounts) will change at least every sixty (30) days.
2. All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every thirty (30) days.
3. Passwords shall have at least ten (10) characters containing combination of letters numbers and special characters.
4. After three (3) consecutive failed attempts the user’s account will be locked out. The user will then be required to contact the IT helpdesk to unlock the account. The user maybe required to provide proof of identity and reasons for locking out his/her account.
5. Passwords must not be inserted into email messages or other forms of electronic communication.
6. All users will not share or reveal any password to anyone. Users shall not write down or keep a password at an obvious place where any perpetrator can find it.
7. All users shall not allow applications to remember password. In cases where an application prompt to save a password to a password list, the user is obliged to decline such prompt.
8. TGPDC IT will ensure that any business application should comply with all acceptable security standards as set out in this policy. This entails:
9. Ensure that system-level passwords are changed from default.
10. Ensure that application-level authentication supports strong secure authentication.
11. Ensure that applications have the same build in security features as operating system security.
12. All user-level and system-level passwords must conform to the guidelines described below.
13. Any account that has not been in use for 3 consecutive working days will have a password reset automatically applied and the user will have to apply for a new password.
14. Any account that has not been in use for 30 days will be automatically de-activated and the user credentials deleted.
2.9.6. Password Guidelines
Passwords are used for granting access to TGPDC’s business systems. Some of the more common uses include user level accounts, web accounts, email accounts, screen saver protection, voicemail pins, and local router logins. Everyone should be aware of how to select strong passwords.
Poor, weak passwords have the following characteristics:
1. The password contains less than fifteen characters
2. The password is a word found in a dictionary (English or foreign)
3. The password is a common usage word such as:
4. Names of family, pets, friends, co-workers, fantasy characters, etc.
5. Computer terms and names, commands, sites, companies, hardware, software.
6. The words TGPDC or any derivation of this.
7. Birthdays and other personal information such as addresses and phone numbers.
8. Word or number patterns like aaabbb, qwerty, syxwvuts, 123321, etc.
9. Any of the above spelled backwards.
10. Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Strong passwords have the following characteristics:
1. Contain both upper- and lower-case characters (e.g., a-s, A-S)
2. Have digits and punctuation characters as well as letters e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
3. Are at least fifteen alphanumeric characters long and is a passphrase (Ohmy1stubbedmyt0e).
4. Are not a word in any language
5. Are not based on personal information, names of family, etc.
6. Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way to Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
2.9.7. User Restrictions
Employees, other than designated Network Supervisors, are prohibited from the unauthorised use of the passwords and encryption keys of other employees to gain access to the other employee's e-mail messages.
Users may not do the following:
1. Share usernames, access codes or passwords
2. Provide usernames, access codes or passwords to any user not authorised for such access.
3. Utilise of accounts, usernames, access codes, passwords, privileges or information systems to which they are no longer authorised.
4. Tamper with, modify or alter restrictions, or protection placed on their accounts, TGPDC information system, or network facilities.
5. Remote access authentication must not be shared with other users or non-users.
6. Use knowledge of security or access controls to damage computer and network systems, obtain information systems or gain access to accounts for which they are not authorised.
2.9.8. User Account Policy
a. All individuals shall have own accounts to TGPDC’s business systems. No individual will be allowed to share any account or to use any account not belonging to him/her.
b. All individuals shall take responsibility and ownership of their accounts. Misuse or improper use will lead to violation of this policy and steps for non-compliance will take effect.
c. Access rights linked to the user account will be considered to be minimum privilege. Line Managers will use its discretion to establish what access rights should be given to a user in order to perform his/her duties.
d. Access granted to a user will be signed by the user on the “IT employee signoff” sheet.
e. Should the user terminate its services from TGPDC then all access will be revoked by IT. TGPDC HR will communicate to TGPDC IT of resignation.
f. Should the user change department or province and remain within employment of TGPDC, access will be reviewed. A new “IT employee signoff” sheet will be signed between the user and IT.
g. Administrative accounts of applications and operating systems will be shared between two Administrators of the TGPDC IT department. This is to ensure that continuity is in place should an Administrator not be available to perform necessary duties.
2.9.9. Temporally Accounts
a. Temporally accounts are only granted to a contract employee who is not in permanent employment of TGPDC.
b. Temporally accounts will expire automatically every three months or will be terminated once the employee’s contract expires.
b.9.10. Local Machines
a. No local accounts are allowed to be created on local machines without the permission of TGPDC IT.
b. Local machines will have the same settings as the TGPDC global domain settings. No changes are permitted without the approval of TGPDC IT.
b.9.11. Logging
Logging will be enabled on all servers and local machines. Regular monitoring of the server logs will be conducted by TGPDC IT. Monitoring of local machines will be performed on an ad hoc basis by any TGPDC IT personnel.
Detailed audit logs of all activities, modifications, deletion and user access and transfer of data and information is collected.
Currently, TGPDC has 2 whitelisted laptops that have access to TGPDCs servers that host the code. We have a group that has developers who have access to RDS (database) and EC2 (code servers). All database and code servers can only be deleted by authorised Admins (tech leads) in our organization. Attached are the rights for developers and admins. Access advisor provides TGPDC with services last access for accounts and implements permissions guardrails using service control policies (SCPs) that restrict access to those services.
b.9.12. Staff leaving TGPDC’s employment
When a member of staff serves a notice to leave the employment of TGPDC at Human Resources (HR), the information is forwarded to IT who will then on the employees last day terminate their system account record on the Active Directory (AD) Server. Prior to an employee leaving, or to a change of duties, line managers should ensure that:
a. the employee is informed in writing that he/she continues to be bound by their signed confidentiality agreement
b. passwords are removed or changed to deny access
c. relevant departments are informed of the termination or change, and, where appropriate, the name is removed from authority and access lists
d. power user passwords allocated to the individual should be removed and consideration given to changing higher level passwords, to which they have access
e. reception staff and others responsible for controlling access to appropriate premises, are informed of the termination, and are instructed not to admit in future without a visitor pass
f. where appropriate, staff working out notice are assigned to non-sensitive tasks, or are appropriately monitored
g. TGPDC property is returned.
Particular attention should be paid to the return of items which may allow future access. These include personal identification devices, access cards, keys, passes, manuals & documents. The timing of the above requirements will depend upon the reason for the termination, and the relationship with the employee. Where the termination is mutually amicable, the removal of such things as passwords and personal identification devices may be left to the last day of employment. Once an employee has left, it can be impossible to enforce security disciplines, even though legal process. Many cases of unauthorised access into systems and premises can be traced back to information given out by former employees. System Administrators will delete or disable all identification codes and passwords relating to members of staff who leave the employment of TGPDC on their last working day. Prior to leaving, the employee’s manager should ensure that all PC files of continuing interest to the business of TGPDC are transferred to another user before the member of staff leaves. Special care needs to be taken when access personnel data and commercially sensitive and financial data is involved. Managers must ensure that staff leaving the TGPDC’s employment do not inappropriately wipe or delete information from hard disks. If the circumstances of leaving, make this likely then access rights should be restricted to avoid damage to TGPDC information and equipment. In certain circumstances to be evaluated on a case by case basis certain employees may be provided with access to an email account after they have left the employment of TGPDC for a limited time.
b.10. Housekeeping
2.10.1. Objective
To maintain the integrity and availability of computer assets.
2.10.2. Data Backup
Data should be held on a network directory where possible, to ensure routine backup processes capture the data. Should information be held on a PC hard drive the PC “owner” is responsible for back-ups? Data should be protected by clearly defined and controlled back-up procedures which will generate data for archiving and contingency recovery purposes. IT and all other systems managers should produce written backup instructions for each system under their management. The backup copies should be clearly labelled and held in a secure area.
Procedures should be in place to recover to a useable point after restart of the backup. A cyclical system, whereby several generations of backup are kept, is recommended. Archived and recovery data should be accorded the same security as live data and should be held separately, preferably at an off-site location. Archived data is information, which is no longer in current use, but may be required in the future, for example, for legal reasons or audit purposes. Recovery data should be sufficient to provide an adequate level of service and recovery time in the event of an emergency and should be regularly tested.
To ensure that, in an emergency, the back-up data is sufficient and accurate, it should be regularly tested. This can be done by automatically comparing it with the live data immediately after the backup is taken and by using the backed-up data in regular tests of the contingency plan. Recovery data should be used only with the formal permission of the data owner or as defined in the documented contingency plan for the system. If live data is corrupted, any relevant software, hardware and communications facilities should be checked before using the backed-up data. This aims to ensure that backed up data is not corrupted in addition to the live data. Systems Administrators (software or hardware) should check the relevant equipment or software using his/her own test data.
2.10.3. Equipment, Media, and Data Disposal
If a machine has ever been used to process personal data or "in confidence" data, then any storage media should be disposed of only after reliable precautions to destroy the data have been taken. Procedures for disposal should be documented. Many software packages have routines built into them which write data to temporary files on the hard disk for their own purposes. Users are often unaware that this activity is taking place and may not realise that data which may be sensitive is being stored automatically on their hard disk. Although the software usually (but not always) deletes these files after they have served their purpose, they could be restored and retrieved easily from the disk by using commonly available utility software. Therefore, disposal should only be arranged through the IT Department who will arrange for disks to be wiped.
b.11. Software and Information Protection
2.11.1. Objective
To comply with the law on licensed products and to minimise risk of computer viruses.
2.11.2. Licensed software / Copyright Issues
All users should ensure that they only use licensed copies of commercial software. It is a criminal offence to make/use unauthorised copies of commercial software and offenders are liable to disciplinary action. Each user should ensure that a copy of each license for commercial software is held. The loading and use of unlicensed software on TGPDC computing equipment is NOT allowed. All staff must comply with the Copyright, Designs and Patents Act. This states that it is illegal to copy and use software without the copyright owner’s consent or the appropriate license to prove the software was legally acquired. The TGPDC monitors the installation and use of software by means of regular software audits; any breaches of software copyright may result in personal litigation by the software author or distributor and may be the basis for disciplinary action under TGPDC Disciplinary Policy.
2.11.3. Unauthorised Software
TGPDC will only permit authorised software to be installed on its PCs and servers. Approval will be via IT Department. TGPDC will require the use of specific general-purpose packages (e.g., word-processing, spreadsheets, databases) to facilitate support and staff mobility. Non-approved packages should be phased out as soon as practicable unless there is a definable business use. Where TGPDC recognises the need for specific specialised PC products, such products should be registered with IT and be fully licensed. Software packages must comply with and not compromise TGPDC security standards. Computers owned by TGPDC are only to be used for the work of TGPDC. The copying of leisure software on to computing equipment owned by TGPDC is not allowed. Copying of leisure software may result in disciplinary action under TGPDC Disciplinary Procedure. Computer leisure software is one of the main sources of software corruption and viruses which may lead to the destruction of complete systems and the data contained on them.
2.11.4. Virus Control
TGPDC seeks to minimise the risks of computer viruses through education, good practice/procedures and anti-virus software positioned in the most vulnerable areas. Users should report any viruses detected/suspected on their machines immediately to IT. No newly acquired disks from whatever source are to be loaded unless they have previously been virus checked by locally installed virus software. Users must be aware of the risk of viruses from the internet, including email. If in doubt about any data received please contact the IT Department for anti-virus advice.
To prevent computer viruses from being transmitted through TGPDC's e-mail/Internet system:
1. All employees are to ensure that their computer is enabled with the TGPDC approved virus protection software.
2. There will be no unauthorised downloading of any unauthorised software. All software downloaded must be registered to TGPDC. Employees should contact the designated Network Supervisor if they have any questions.
2.11.5. Time Out Procedures
Inactive sessions should be set to time out after a pre-set period of inactivity. The time-out facility should clear the screen. In high risk areas the time-out facility should also close both application and network sessions. A high-risk area might be a public or external area outside the control of TGPDC security systems. The time-out delay should reflect the security risks of the area. Users should log off sessions or PCs when leaving them unattended. PCs should be secured by a key lock or equivalent control (for example, password access control) when not in use. For high risk applications, connection time restriction should be considered. Limiting the period during which the session connection to IT services is allowed reduces the window of opportunity for unauthorised access.
2.11.6. Patch Management
Find attached our database backups which are automated in AWS RDS. Our database has snapshots for up to a point in time as shown in the snapshot picture. Database maintenance happens every Wednesday for normal maintenance and immediately for critical updates from AWS. For our servers usually, Amazon EC2 maintenance is a live-update to minimize impact. Sometimes, however, a live update is not possible, and therefore a scheduled maintenance event is needed which we trigger on our side
b.12. Equipment Security
2.12.1. Objective
To protect IT equipment against loss or damage and avoid interruption to business activity.
2.12.2. Equipment location and protection
IT equipment must always be installed and sited in accordance with the manufacturer’s specification. Equipment must always be installed by, or with the permission of IT. Where appropriate environmental controls will be installed to protect central or key equipment. Such controls will trigger alarms if environmental problems occur. In such cases where equipment is sited in a secure area, only authorised entry will be permitted. Smoking, drinking, and eating will not be permitted in areas housing computer equipment.
2.12.3. Power supplies
Where appropriate all sites within TGPDC will have either UPS or generator backup to the mains electricity supply.
2.12.4. Portable & Hand-held Computing Equipment
Equipment, data, or software must not be taken off-site by staff without documented management authorisation. (Management may provide authorisation on a ‘once only’ basis as long as it is subject to regular review) Portable computers must have appropriate access protection, for example passwords and encryption and must not be left unattended in public places. Computer equipment is vulnerable to theft, loss or unauthorised access. Always secure laptop and handheld equipment when leaving an office unattended.
When travelling, the high incidence of car theft makes it inadvisable to leave such equipment in cars or take them into vulnerable areas. To preserve the integrity of data, frequent transfers must be maintained between portable units and the main TGPDC system. The portable unit must be maintained regularly, and batteries recharged regularly. Users of portable computing equipment are responsible for the security of the hardware and the information it holds at all times on or off TGPDC property and network. The equipment should only be used by TGPDC staff to which it is issued or belongs to. All of the policy statements regarding the use of software apply equally to users of portable equipment belonging to TGPDC.
Users of this equipment must pay particular attention to the protection of, personnel data and commercially sensitive data. The use of a password to start work with the computer when it is switched on, known as a ‘power on’ password, is mandatory and all sensitive files must be password protected if encrypting the data is not technically possible.
Personal computers, hardware, software and related TGPDC assets, must be safeguarded against environmental hazards (dust, excessive heat, damp, lightning etc).
2.12.5. System Documentation
All systems should be adequately documented by the System Administrators and should be kept up to date so that it matches the state of the system at all times. In this context system documentation relates to the configuration, processes etc. of TGPDC’s systems and not material which would otherwise be in the public domain. System documentation, including manuals, should be physically secured (for example, under lock and key) when not in use. An additional copy should be stored in a separate location which will remain secure, even if the computer system and all other copies are destroyed. Distribution of system documentation should be formally authorised by the Manager, IT. System documentation may contain sensitive information, for example, descriptions of applications processes, authorisation processes.
b.13. Physical Access Security
Direct physical access to certain IT Resources such as servers, data networking devices, and telecommunications switches is restricted. Rooms containing critical IT Resources must be secured strongly. All entrances to such rooms must be closed and locked at all times. Alarms, sensors, and other types of physical security systems must be utilised to further secure these facilities and to detect and report emergency conditions that might occur. Signs outside the rooms must not indicate the sensitivity of the equipment inside. Water sources, including sprinkler systems, must not be located in such rooms. Printing equipment and paper must be stored in separate rooms to protect systems from paper dust and fire hazards. Equipment should not be left logged on while unattended. Visitors must be escorted at all times.
Authorised personnel may be granted access to server or network equipment rooms through the issuance of ID cards or keys or through the use of passwords or other access codes. These access controls may not be shared with any other personnel. If an authorised person is leaving their current role and should no longer have access to systems, his or her access must be revoked immediately upon the termination of duties. In the case of employees or independent contractors, departments must promptly notify Human Resources of such changes.
All access to server and network equipment rooms made by authorised personnel; escorted visitors and vendors must be logged when entering the room. Logs must be reviewed on a regular basis. Vendors must supply the names of all authorised personnel that will be performing on-site work and must keep the list up to date at all times.
If TGPDC personnel believe that an unauthorised person gained or attempted to gain access to a server or network equipment room, they must contact the ICT Manager immediately.
b.14. Data & Information Storage & Transportation
2.14.1. Objective
To identify and counter possible threats to TGPDC’s records and determine protocols for their storage and transportation
2.14.2. Storage
All information and data should be stored in a secure area and not left in an unattended, unlocked room. They should only be retained for the minimum length of time that they are absolutely required.
2.14.2 Elsewhere
All other areas where Records are stored should follow the general best practice guidelines of:
a. Stored in a secure area
b. Not left unattended
c. Not kept for longer than necessary
2.14.3. Transportation
Where it is necessary to transport Records around TGPDC sites, the individual is responsible for ensuring their security. Records should not be left unattended at any time. When being transported by car, records should be stored in a concealed enclosure.
2.14.4. Responsibility
All TGPDC Staff who use or come into contact with confidential information and records are individually responsible for their safekeeping. Staff should be aware of their contractual and legal confidentiality obligations.
b.15. Business Continuity
Departmental management will be responsible for their own department’s contingency plan, its ongoing review and maintenance. This is part of the wider organisational plan.
ICT is responsible for the technical aspects of all contingency plans and can provide advice on aspects of system data to restore. TGPDC’s ICT team will maintain a Disaster Recovery Plan to ensure that all critical systems can be restored if necessary. Please refer to the Disaster Recovery plan for detailed information on system back-ups and recoveries.
2.15.1. Objective
To be able to restore computer facilities to maintain essential business activities following a major failure or disaster.
2.15.2. Need for effective plans
TGPDC recognises that some form of disaster may occur, despite precautions, and therefore seeks to contain the impact of such an event on its core business through tested disaster recovery plans.
TGPDC recognises that IT systems are increasingly critical to its business and that the protracted loss of key systems/user areas could be highly damaging in operational terms.
2.15.3. Planning framework
The TGPDC disaster recovery plan caters for different levels of incident including:
a. Loss of a key user area within a building.
b. Loss of a key building.
c. Loss of a key operational area.
d. Loss of a key part of a computer network.
e. Loss of a computer’s processing power; and
f. Loss of key staff.
The TGPDC design for regular and adequate testing of Disaster Recovery Plans.
a. In the event of a disaster, all of our servers are now hosted in Amazon Web Service (AWS).
b. For Disaster Recovery (DR) TGPDC uses a warm recovery site for all deployed and running systems. Our systems are Infrastructure as Code.
c. This means that all staff will have immediate access to online servers from alternative sources and from any locations as our data and infrastructure is hosted and backed up in multiple locations on the AWS network.
d. Cryptography Management TGPDC uses a table level and column level encryption for each table that might contain personal information or any other sensitive information for enhanced security measures while staff are accessing the working environments remotely.
e. On servers and databases running on AWS we use AWS IAM to control access to these resources. IAM helps admin users track the times those resources were accessed, and we can time restrict access if required in instances where employees are required to work from home.
f. Our system architecture allows us to log events at the function level.
g. TGPDC uses GitHub code security scanner that triggers every code push and simulated scanning that randomly triggers. We monitor client calls and use anomaly detection to track any abnormal number of calls. Our client servers log spikes in CPU usage that is not normal and alert us.
2.16. Working from Home – Information Security Standards
2.16.1. Objective
To provide staff with information about the standards that should be used when they are working at home using computers (privately or TGPDC owned) and data. This applies equally to electronic and paper-based data. This can be a confusing area and it is necessary to ensure that staff is informed and confident that they are doing the right thing. Today’s technology allows a number of options about the way we work. TGPDC IT department will continually study these options and develop appropriate protocols.
2.16.2. Authorization to remove data files
Formal written authorisation by your Line Manager is required before person-identifiable data files can be taken home. Each Line Manager must inform Manager, IT of all staff who regularly work with information at home. The Manager IT will maintain a register.
2.16.3. Protecting data files
All electronic files used at home must be protected at least by file level password control.
2.16.4. Use of Privately owned Computers at Home
General Internet access carries with it a security risk of downloading viruses or programs that can look around a network and infiltrate password security systems. This information can then be sent back to the originator of the program in order to allow them unauthorised access to our systems. Therefore, you must use care when transferring data between your home PC TGPDC networks. All home PCs which are used for the manipulation of TGPDC data must have current virus software installed and adhered to all security requirements as per this policy.
2.16.5. Transportation of data or confidential documents
Staff should take reasonable care to minimise that risk of theft or damage; IT equipment must be transported in a clean, secure environment. During transfer of equipment between home and work staff should keep the equipment out of sight and not leave it unattended at any time. Computer equipment or manual data must not be left in cars overnight.
2.16.6. Storage of equipment
Staff should take all reasonable steps to minimise the visibility of computer equipment from outside the home, and to secure windows and doors when the home is unoccupied.
2.14.7. Storage of confidential data or reports
Staff should secure confidential data or reports that they are not actively using in the most secure area of their homes.
2.14.8 Licence keys
License keys will be stored in 1Password where data is end-to-end encrypted to keep data safe at rest and in transit. Security is an AES 256-bit encryption, and they use multiple techniques to ensure that only rightful individuals have access to their passwords.
2.17. Change Management
2.17.1. Operational Procedures
A change control process shall be in place to control changes to all critical company information resources (such as hardware, software, system documentation and operating procedures). This documented process shall include management responsibilities and procedures as well as the why, what, where when and how. Wherever practicable, operational and application change control procedures should be integrated.
2.17.2. Documented Change
All change requests shall be logged whether approved or rejected on a standardised and central spreadsheet. The approval of all change requests and the results thereof shall be documented.
A documented audit trail, containing relevant information shall be maintained at all times. This should include change request documentation, change authorisation and the outcome of the change. No single person should be able to effect changes to production information systems without the approval of other authorised personnel.
2.17.3. Risk Management
A risk assessment shall be performed for all changes and dependent on the outcome, an impact assessment must be performed.
The impact assessment shall include the potential effect on other information resources and potential cost implications. The impact assessment should, where applicable consider compliance with legislative requirements and standards.
2.17.4. Change Classification
All change requests shall be prioritised in terms of benefits, urgency, effort required and potential impact (high, medium, or low) on operations.
2.17.5. Testing
Changes shall be tested in an isolated, controlled, and representative environment (where such an environment is feasible) prior to implementation to minimise the effect on the relevant business process, to assess its impact on operations and security and to verify that only intended and approved changes were made.
2.17.6. Changes affecting agreements/contracts
The impact of change on existing agreements and contracts shall be considered. Where applicable, changes to the agreements and contracts shall be controlled through a formal change process which includes contractual amendments, where applicable.
2.17.7. Version control
Any software change and/or update shall be controlled with version control. Older versions shall be retained in accordance with retention and storage management policies.
2.17.8. Approval
All changes shall be approved prior to implementation. Approval of changes shall be based on formal acceptance criteria i.e. the change request was done by an authorised user; the impact assessment was performed, and proposed changes were tested.
2.17.9. Communicating changes
All users, significantly affected by a change, shall be notified of the change. The user representative shall sign-off on the change. Users shall be required to make submissions and comment prior to the acceptance of the change.
2.17.10. Implementation
Implementation will only be undertaken after appropriate testing and approval by stakeholders. All major changes shall be treated as new system implementation and shall be established as a project. Major changes will be classified according to effort required to develop and implement said changes.
2.17.11. Fall back
Procedures for aborting and recovering from unsuccessful changes shall be documented. Should the outcome of a change be different to the expected result (as identified in the testing of the change), procedures and responsibilities shall be noted for the recovery and continuity of the affected areas. Fall back procedures will be in place to ensure systems can revert back to what they were prior to implementation of changes.
2.17.12. Documentation
Information resources documentation shall be updated on the completion of each change and old documentation shall be archived.
Information resources documentation is used for reference purposes in various scenarios i.e. further development of existing information resources as well as ensuring adequate knowledge transfer in the event of the original developer and/or development house being unavailable. It is therefore imperative that information resources documentation is complete, accurate and kept up to date with the latest changes. policies and procedures, affected by software changes, shall be updated on completion of each change.
2.17.13. Business Continuity Plans (BCP)
Business continuity plans shall be updated with relevant changes, managed through the change control process. Business continuity plans rely on the completeness, accuracy and availability of BCP documentation. BCP documentation is the road map used to minimise disruption to critical business processes where possible, and to facilitate their rapid recovery in the event of disasters. \
DOCUMENT CHANGE CONTROL FOR BCM CHANGES
Date Version Requester Tech. Writer Change/Review
Modified by: ________________________________________________ ________/____/_____
Reviewed by: ________________________________________________ ________/____/_____
Approved by: ________________________________________________ ________/____/_____
In the event of a disaster which interferes with TGPDC’s ability to conduct business from one of its offices, this plan is to be used by the responsible individuals to coordinate the business recovery of their respective areas and/or departments. The plan is designed to contain, or provide reference to, all of the information that might be needed at the time of a business recovery.
This plan is not intended to cover the operations of TGPDC’s separately structured Emergency Response Team.
Objectives
The objective of the Business Continuity Plan is to coordinate recovery of critical business functions in managing and supporting the business recovery in the event of a facilities (office building) disruption or disaster at Ground Floor, 35 Ferguson Road, Illovo, Sandton. This can include short or long-term disasters or other disruptions, such as fires, floods, earthquakes, explosions, terrorism, tornadoes, extended power interruptions, hazardous chemical spills, and other natural or man-made disasters.
A disaster is defined as any event that renders a business facility inoperable or unusable so that it interferes with the organization’s ability to deliver essential business services.
The priorities in a disaster situation are to:
1. Ensure the safety of employees and visitors in the office buildings. (Responsibility of the ERT – Angie Pillay is our trained and certified office safety officer)
2. Mitigate threats or limit the damage that threats can cause. (Responsibility of the ERT - Angie Pillay is our office safety officer)
3. Have advanced preparations to ensure that critical business functions can continue (as per back-ups and warm sites in AWS)
4. Have documented plans and procedures to ensure the quick, effective execution of recovery strategies for critical business functions.
This Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy section of this document.
A. Scope
The Business Continuity Plan is limited in scope to recovery and business continuance from a serious disruption in activities due to non-availability of TGPDC’s facilities. The Business Continuity Plan includes procedures for all phases of recovery as defined in the Business Continuity Strategy of this document.
This plan is separate from TGPDC’s Disaster Recovery Plan, which focuses on the recovery of technology facilities and platforms, such as critical applications, databases, servers or other required technology infrastructure. Unless otherwise modified, this plan does not address temporary interruptions of duration less than the time frames determined to be critical to business operations.
The scope of this plan is focused on localized disasters such as fires, floods, and other localized natural or man-made disasters. This plan is not intended to cover major regional or national disasters such as regional earthquakes, war, or nuclear holocaust. However, it can provide some guidance in the event of such a large scale disaster.
B. Assumptions
The viability of this Business Continuity Plan is based on the following:
1. That a viable and tested IT Disaster Recovery Plan exists within TGPDC and will be put into operation to restore data center service at a backup site within two days.
2. That the Organization’s facilities management department has identified available space for relocation of departments which can be occupied and used normally within two to five days of a facilities emergency.
3. That this plan is being properly maintained and updated as required by TGPDC’s ICT Team.
Management is responsible for:
1. Periodically reviewing the adequacy and appropriateness of its Business Continuity strategy.
2. Assessing the impact on TGPDC’s Business Continuity Plan of additions or changes to existing business functions, procedures, equipment, and facilities requirements.
3. Keeping recovery team personnel assignments current, taking into account promotions, transfers, and terminations.
4. Communicating all plan changes to the ICT Management Team so that the organization’s IT master Disaster Recovery Plan can be updated.
The ICT Management Team is responsible for:
1. Keeping the organization’s IT Recovery Plan updated with changes made to facilities plans.
2. Coordinating changes among plans and communicating to management when other changes require them to update their plans.
C. Plan Testing Procedures and Responsibilities
ICT Management is responsible for ensuring the workability of their Business Continuity Plan. This is periodically verified by active or passive testing.
D. Plan Training Procedures and Responsibilities
ICT management is responsible for ensuring that the personnel who would carry out the Business Continuity Plan are sufficiently aware of the plan’s details. This may be accomplished in a number of ways including; practice exercises, participation in tests, and awareness programs.
2.17.14. Emergency Changes
Specific procedures to ensure the proper control, authorisation, and documentation of emergency changes shall be in place. Specific parameters will be defined as a standard for classifying changes as emergency changes.
2.17.15. Change Monitoring
All changes will be monitored once they have been rolled-out to the production environment. Deviations from design specifications and test results will be documented and escalated to the solution owner for ratification.
2.2. Disciplinary Processes and procedures
Transgression of this policy constitutes an offence and depending on the facts may lead to disciplinary action.
The following general guidelines may be used for the purposes of taking disciplinary action against employees.
Category 1st Occurrence 2nd Occurrence 3rd Occurrence 4th Occurrence
Changing the configuration of computer hardware or software without proper authorisation Verbal Warning Written Warning Final Warning Dismissal
Accessing information available on TGPDC computers or networks to which you are not properly authorised Verbal Warning Written Warning Final Warning Dismissal
Failing to ensure a strong password selection Verbal Warning Written Warning Final Warning Dismissal
Sharing a username and password Verbal Warning Written Warning Final Warning Dismissal
Failing to ensure that desktop / laptop is locked out when it is left unattended Verbal Warning Written Warning Final Warning Dismissal
Obtaining unauthorised access through a username and password not belonging to the user Verbal Warning Written Warning Final Warning Dismissal
Perform a reset of password on a username that does not belong to the user Final Warning Dismissal
Cracking of password files Final Warning Dismissal
Maliciously tapping the network for usernames and passwords. Final Warning Dismissal
Loading of malicious software to perform random logins to machines. Final Warning Dismissal
Loading illegal software or offensive material onto a TGPDC computer Final Written Dismissal
Accessing pornographic or discriminatory material Final Warning Dismissal
Changing the configuration of computer hardware or software without proper authorisation Verbal Warning Written Warning Final Warning Dismissal
Removing a computer, software or hardware from TGPDC premises without authorisation As per TGPDC’s disciplinary code on theft / unauthorised possession
Purchasing computer equipment without proper authorisation Final written warning Dismissal
Contracting for the development of computer software or related services without proper authorisation Final Written Warning Dismissal
Accessing information available on TGPDC computers or networks to which you are not properly authorised Final Warning Dismissal Warning
Sending mail to all TGPDC staff address without authority Written warning Final written warning Dismissal
Sending out chain e-mail Written warning Final written warning Dismissal
3. Monitoring, Evaluation, Reporting and Auditing
3.1. Monitoring
The Manager – IT, Manager Risk and Compliance, Audit and Risk Committee will monitor the implementation of this policy.
3.2. Evaluation
The Manager – IT, Manager Risk and Compliance, Audit and Risk Committee will evaluate the policy and report on its effectiveness to the CEO and the Board.
3.3. Reporting
The Manager responsible for IT will ultimately report to the CEO with recommendations of how to improve on the policy.
3.4. Auditing
The IT Manager will address the audit findings providing management comments and update the audit register.
4. Amendments to and review of policy
The IT Manager and EXCO will review this policy and make suggested and required amendments.
5. Implementation Date
The implementation date of this Policy will be the date that this policy is approved by the board.