DROUGHT MANAGEMENT SECTOR

National Drought Management

Authority (NDMA)
ICT Policy Presentation

10 February 2015

Contents

Background
4
IT Organization & Governance Structure
11
ICT Policy Organization

12

ICT Governance Processes

13

Information & Data Management

14

E-mail Policy
16
Internet Policy

18

Password Management Policy

20
Q&A
22

ICT Policy

Introduction
Background What is an ICT Policy?

i.It is important for employees to know what is expected and

required of them when using the technology provided by their
employer
ii.It is also critical for a company to protect itself by having
policies to govern areas such as personal internet and email
usage, security, software and hardware inventory and data
retention etc.

An ICT Policy is a governance tool that defines the rules

on use of technology.

Procedures: explain how these same rules are practically

applied in real life.

So policies and procedures set expectations for behaviors and

activities, as well as provide mechanisms to enforce these
expectations

ICT Policy

Introduction
Background
The National Drought Management Authority (NDMA) is a statutory body established under
the State Corporations Act (Cap 446) of the Laws of Kenya through Legal Notice Number
171 of November 24, 2011.
NDMAs Vision
To be a world-class authority in drought management and climate change adaptation
NDMAs mission statement
To provide leadership and coordination of Kenyas management of drought risks and
adaptation to climate change.
The NDMAs strategic plan identifies six strategic objectives which will contribute towards
its goal of enhanced drought resilience and climate change adaptation. These strategic
objectives are:
To reduce drought vulnerability and enhance adaptation to climate change.
To provide drought and climate information to facilitate concerted action by relevant
stakeholders.
To protect the livelihoods of vulnerable households during drought.
To ensure coordination of action by government and other stakeholders.
To develop and apply knowledge management approaches that generate evidence for
decision-making and practice.
To strengthen institutional capacity.
ICT function must align itself to these objectives by ensuring Availability, Confidentiality &
Integrity of drought related data and information.
4

ICT Policy

Introduction
Background..Why this policy?
The IT department has developed this ICT Policy document that establishes a framework for
secure utilization of information technology (IT) resources through a suite of appropriate
policies, standards, procedures and guidelines
In developing the ICT Policy, the following have been taken into consideration:
Review of existing processes and incorporation of feedback arising from discussions with
Heads of Departments and Senior Management;
Compliance to the ISO 27001, the best practice and standard code of practice that
provides default guidelines on the types of security controls that should be implemented to
safeguard information assets; and
Implementation of the Control Objectives for Information and related Technology (COBIT),
the framework for implementing IT governance that the NDMA has adopted
For the Policies to be effective on implementation, they shall be supported and ratified by the
NDMA Board.
Purpose of the Policy:
i.Integrate Information
operations.

Security

best

practices

into

the

NDMAs

day-to-day

business

ii.Create a comprehensive, consistent and meaningful security conscious environment within

NDMA.
iii.Encourage ethical and knowledgeable behavior to all who provide and use information
resources.
iv.Comply to COBIT & specifically ISO 27001 standards
v.To ensure availability, integrity and confidentiality of the organizations data
vi.To establish safeguards to protect ICT and information resources from theft, abuse, misuse

ICT Policy

Introduction
Background..Why this policy?

Purpose of the Policy (cont..):

vii.To protect and support the maintenance of all ICT infrastructure of NDMA in an efficient
manner
viii.Ensure information in the possession of NDMA is not only secure but is efficiently
disseminated in time for policy formulation and decision making to the partners,
stakeholders and clients.
ix.To encourage the development and maintenance of appropriate level of awareness,
knowledge and skill to support ICT systems so as minimize the occurrence and deal with
security threats to hardware and software resources.
x.To ensure that the NDMA is able to continue its operational activities in the event of
significant ICT threats
xi.To support the formulation and development of ICT systems in an environment that
supports an innovative culture that is geared towards process improvements and value
addition.

ICT Policy

Introduction
Background---What are your Roles?

Roles & Responsibilities:

1. The NDMA Board:
Shall form an IT Committee of the Board composed of at least 4 members. The IT
Committee of the Board shall:
i.Approve and monitor implementation of this Policy.
ii.Mobilize and allocate resources for the policy implementation
2. Senior Management Team :
Shall form an IT Steering Committee headed by the CEO. This Committee shall:
i.Be the owners of the ICT Policy.
ii.Authorize IT security measures on behalf of NDMA

ICT Policy

Introduction
Background..What are your Roles?
3. IT Function/ Department
Shall:
i.Establish and review information security policies guided by the IT
Steering Committee
ii.Facilitate and co-ordinate the necessary countermeasures
departments; report and evaluate changes to the policies

with

iii.Co-ordinate the implementation of new or additional ICT policies

iv.Implement, maintain and update the ICT strategy
standards and procedures with input from all stakeholders

architecture,

v.Ensure that all staff are aware of ICT policies relevant to them
vi.Assess the requirements for IT equipment, both hardware and software
vii.Help in procurement
maintenance thereof

of

the

right

IT

equipment,

software

and

viii.Provide opinions and technical advice on capacity building through

basic computer training for users
ix.Provide IT Helpdesk services

ICT Policy

Introduction
Background..What are your Roles?
4. Users:
Are classified into either Internal or External users.
The Internal Users of the NDMA systems (staff) are those who use ICT to support them in the
discharge of their daily duties.
External Users includes consultants, and distributors, among others, who are facilitated to
have specific access to resources over a defined, relatively shorter period of time as
compared to internal users.
All users shall:
i.Comply with all ICT policies and supporting guidance applicable to the performance of their
job functions
ii.Ensure they understand their information security responsibilities
5. Internal Audit and Risk Management Department
Shall review
i.Compliance with the organization's ICT policies
ii.The adequacy of the ICT policies

ICT Policy

ICT Organization & Governance

ICT Organization & Governance Structure

10

ICT Policy

ICT Organization & Governance

1. ICT Policy Organization
Purpose & Scope:
This section emphasizes the need for Board ratification and management support for the
policy. It also acknowledges that the ICT policy is alive document subject to annual review. It
also spells out the IT governance structure of NDMA with emphasis on protection of IT
resources, accountability for usage and compliance by all system users.
The Key areas covered include:
ICT Policy Approval: That NDMA shall put in place a suitable ICT policy and obtain Board
approval and that this policy shall be distributed and communicated to all employees.
Senior Management Support: That Senior management shall be required to actively support,
and take responsibility for, the implementation and maintenance of an effective ICT
management system in a positive and pro-active manner
Independent Review of the Policy: That an independent review shall be carried annually on
the NDMA's overall ICT processes to ensure they are adequate, complete, fit-for-purpose and
enforced and that the ICT policy shall be reviewed and evaluated annually and also if changes
occur within the organization that affect a particular approved policy statement.

11

ICT Policy

ICT Organization & Governance

2. ICT Governance Processes
Purpose & Scope
This policy spells out the IT governance structure of NDMA with emphasis on
protection of IT resources, accountability for usage and compliance to the ICT
policy by all system users
Protection of ICT Resources: That all users of ICT resources at NDMA have a
responsibility for protecting the security and integrity of both information and
computer equipment's. It is the responsibility of all members of staff, both
permanent and contracted, to:
i.

Comply with ICT policy standards

ii. Act in a responsible and proactive manner regarding ICT security.

Accountability for ICT Resources: Owners of information and systems shall be
responsible for deciding what restrictions to be placed on the use of assets and
authorizing access to the assets for those who have a business need
Compliance to ICT Policy Form: That every new employee shall, regardless of
job function, acknowledge in writing that he or she has read and understands
the Compliance to ICT Policy attached to the user definition form which forms
part of this policy.

12

ICT Policy

Information & Data Management

3. Information & Data Management
Purpose & Scope :
This policy shall ensure that NDMA maintains a comprehensive and up-to-date database
containing details of its data & information for the purposes of defining its value, criticality,
sensitivity and legal implications.
Key Areas Covered:
Classifying Information: That all information, data and documentation shall be classified
strictly according to its level of confidentiality, sensitivity, value and criticality
Information Ownership: That the responsibility of each item of information, data and
documentation shall be allocated to a specifically designated information owner or custodian.
Sharing Information: That NDMA shall ensure that all employees are fully aware of their legal
and corporate duties and responsibilities concerning the inappropriate sharing and releasing
of information, both internally within the organization and to external parties
Storing & Handling Classified Information: That all information, data and documents shall be
processed and stored strictly in accordance with the classification levels assigned to that
information in order to protect its integrity and confidentiality
Transferring, Exchanging, Managing and Archiving Data: Sensitive or confidential data shall
only be transferred across networks, or copied to other media, when the confidentiality and
integrity of the data can be reasonably assured. Integrity and stability of the NDMAs
databases shall be maintained at all times. Archiving of documents shall take place with due
consideration for legal, regulatory and business issues.

13

ICT Policy

Information & Data Management

3. Information & Data Management Cont.
Key Areas Covered:
Sending Information to Third Parties & Other Stakeholders: Prior to sending
information to third parties, not only must the intended recipient be
authorized to receive such information, but the procedures and Information
Security measures adopted by the third party, must be seen to continue to
assure the confidentiality and integrity of the information.
Need for Dual Control / Segregation of Duties:. The techniques of dual
control and segregation of duties shall be employed to enhance the control
over procedures wherever both the risk from, and consequential impact of, a
related Information Security incident would likely result in financial or other
material damage to NDMA
Permitting Third Party Access: Third party access to corporate information
shall only be permitted where the information in question has been
safeguarded and the risk of possible unauthorized access is considered to be
negligible
Using Clear Desk Policy: All NDMA staff shall operate a clear desk policy

14

ICT Policy

E-mail policy
4. E-mail Policy
Purpose & Scope :
E-mail access is provided to staff for the purpose of increasing overall productivity within
NDMA and therefore should be used primarily for business activities. The purpose of this
policy is to ensure that all staff use e-mail services in a proper and lawful manner.
Key Areas Covered:
Email Guidelines: That the Authority shall have standard email addresses for all employees
which will be firstname.sirname@ndma.go.ke and designation@ndma.go.ke
Prohibited use of E-mail: That it is strictly prohibited to send or forward emails containing
defamatory, offensive, racist, discriminatory on the basis of race, gender, nationality or
ethnic origin, age, marital status, sexual orientation, religion, or disability etc.
Sending E-mail: E-mail shall only be used for business purposes, using terms which are
consistent with other forms of business communication.
Receiving E-mail: Incoming e-mail shall be treated with the utmost care due to its inherent
Information Security risks. The opening of e-mail with file attachments is not permitted
unless such attachments have already been scanned for possible viruses or other malicious
code
Deleting E-mail: That data retention periods for e-mail shall be established to meet legal and
business requirements and must be adhered to by all staff

15

ICT Policy

E-mail policy
4. E-mail Policy Cont.
.
Key Areas Covered:
Email Security: The encryption of e-mail is not necessary in most situations. However,
confidential messages shall be secured using appropriate technology.
All staff can access their email accounts when outside NDMA. To safeguard NDMAs data
observe the following:
i.

Dont print to a public printer

ii. Make sure no one is overlooking your screen as you access the data
iii. Dont save to the public computer
Passwords are the best defense against unauthorized use of a staffs e-mail account. Staff
members shall therefore observe the password guidelines to ensure optimum security of
their passwords.
Email accounts not used for 90 days will be deactivated and possibly deleted

16

ICT Policy

Internet policy
5. Internet Policy

Purpose & Scope :

The objective
inhibiting the
members and
used in a safe

of the Internet Usage Policy is to protect the interests of the NDMA without
use of the Internet service that is intended for the greater benefit of staff
NDMA at large. These standards are designed to ensure that the Internet is
and responsible manner.

Key Areas Covered:

Unauthorized use of Internet: That shall include but not limited to: Utilizing NDMAs Internet
services to access, create, store or distribute pornographic material, Running a business
using the NDMAs Internet facilities etc.
Downloading Content from Internet: That staff members shall be prohibited from
downloading and installing software from the Internet to the NDMAs computers. All software
in the NDMAs computers must be adequately licensed. Staff members can download
documents for official use
Use of Internet for Work Purposes: That Management shall be responsible for controlling
user access to the Internet, as well as for ensuring that users are aware of the threats, and
trained in the safeguards, to reduce the risk of Information Security incidents
Use of Phones & Faxes: That Staff making phones and using faxes shall be responsible for
safe and appropriate use. Identity of recipients of sensitive or confidential information over
the telephone must be verified.

17

ICT Policy

Internet policy
5. Internet Policy Cont..

Key Areas Covered:

Disruptions:. The IT department endeavors to provide uninterrupted Internet services at the
highest level. However, disruptions for administrative purposes and due to reasons beyond
the NDMAs control are unavoidable. In the event of Internet service unavailability staff
members will be promptly informed.
Setting up Internet Access: Persons responsible for setting up Internet access shall ensure
that the NDMAs network is safeguarded from malicious external intrusion by deploying, as a
minimum, a configured firewall.
Security: NDMA shall endeavor to put in place appropriate security systems that can perform
the following functions: Antivirus Scanning, Intrusion Detection and Prevention Systems and
Content Filtering - monitors and filter contents from the Internet.
Security: NDMA shall endeavor to put in place appropriate security systems that can perform
the following functions: i.

Antivirus Scanning- checks for viruses, worms, Trojans, etc on all incoming and
outgoing traffic.

ii. Intrusion Detection and Prevention Systems - detect inappropriate, incorrect or

anomalous activity against the network and enable the administrator to take
appropriate action.
iii. Content Filtering - monitors and filter contents from the Internet, chat rooms,
instant messaging, e-mail and all other applications and report on violations
identified.
18

ICT Policy

Password Management policy

6. Password Management Policy
Purpose & Scope :
The purpose of this policy is to establish a standard for creation of strong passwords,
protection of those passwords, and the frequency of change. Passwords are an important
aspect of computer security. They are the front line of protection for user accounts. A poorly
chosen password may result in the compromise of the NDMAs entire network.
Key Areas Covered:
Password Protection: That Passwords must be kept confidential and not shared with
colleagues, For departmental accounts, a distribution list to designated users accounts shall
be created.
i.

That Users are responsible for maintaining the security of their passwords.

ii. That Users are responsible for all activities performed with their account and
therefore must not allow others to perform any activity with their usernames.
Similarly, users must not perform any activity with the usernames belonging to other
users.
iii. That your username or variations of the username should not be embedded in your
password.
iv. That you shall not send a password through email or include it in a non-encrypted
stored document.
v. Do not hint at the format of your password.
vi. Do not use common acronym/words or reverse words as part of your password.
vii. Do not use names of people or places as part of your password.
viii.Do not use parts of numbers easily remembered such as phone numbers, your date
of birth.

19

ICT Policy

Password Management policy

6. Password Management Policy Cont.

Key Areas Covered:

Password Composition:
That Passwords shall meet the following criteria
i.

Passwords must be at least eight characters long.

ii. Passwords must be strong; composed of alphanumeric characters

(alphabets- A...Z, a...z Numbers 0...9) and non-alphanumeric or special
characters (! ; $; %; &; *; #; @; ?; {; }; [; ]; =; +; >; <; ;)
Password Change:
That Passwords shall be changed under any one of the following circumstances:
i.

After every 60 days (a MUST)

ii. Immediately, if a password has been compromised.

20

Q&A

Thank You