Draft ICT Policy - Koukamma Municipality

Koukamma Municipality ICT Policy
Prepared by: ICT Manager
KOUKAMMA MUNICIPALITY
ICT POLICY
TABLE OF CONTENTS
1. PASSWORD AND USER ID POLICY
1.1 INTRODUCTION
1.2 PURPOSE
1.3 PASSWORD POLICY
1.4 PASSWORD MANAGEMENT
2. INTERNET AND EMAIL USAGE POLICY
2.1 INTRODUCTION
2.2 SCOPE
2.3 POLICY STATEMENT
2.4 APPLICATION OF THIS POLICY
2.5 ACCESS TO INTERNET
2.6 ACCESS TO EMAIL
3. POLICY ON THE USE OF COMPUTER EQUIPMENT
3.1 PURPOSE
3.2 SCOPE
3.3 POLICY STATEMENT
3.4 LEGAL SUPPORT FOR THIS POLICY
4. IT SERVER DOCUMENTATION POLICY
4.1 PURPOSE
4.2 SCOPE
4.3 POLICY
5. VPN: VIRTUAL PRIVATE NETWORK POLICY
5.1 PURPOSE
5.2 SCOPE
5.3 POLICY
1. PASSWORD AND USER ID POLICY
1.1 INTRODUCTION
A computer access password is the primary key to computer security. The importance of password maintenance and security cannot be overemphasized. All employees and users of the KKM's computer facilities are solely responsible for the integrity and secrecy of the passwords allocated to them. The password uniquely identifies employees and users, and allows access to the KKM's information and computer services. For the user's own protection, and for the protection of KKM's resources, the password must be kept secret and never shared with anyone else.
The IT Department should be contacted if any further password information is required, or if there is any uncertainty about the usage, applicability, installation or issuing of passwords.
1.2 PURPOSE
This document defines the policy required to securely deploy, manage and control user accounts and passwords. Accounts and passwords are the primary security credentials used to identify, authenticate and authorize access to KKM systems. The policy applies to all KKM computer users (e.g. staff, contractors, students, consultants) of systems, applications and networks.
1.3 PASSWORD POLICY
All user-chosen passwords for computers and networks shall be difficult to guess. Do not choose:
• Words in a dictionary
• Proper nouns
• Geographical locations
• Common acronyms
• Slang
• Derivatives of user IDs
• Common character sequences such as "123456"
• Spouse's name
• Children's, boyfriend's, girlfriend's or pet's names
• Car licence plate
• Your ID number or birth date
Do not:
• Construct passwords by combining a fixed set of characters that never changes with a set of characters that changes predictably.
• Construct passwords that are identical or substantially similar to passwords previously used.
• Write down or otherwise record a readable password and store it near the access device to which it pertains.
1.4 PASSWORD MANAGEMENT
1.4.1 Allocation and blocking of users
User IDs and passwords are required as the principal means of validating a user's authority to access information services. The allocation of user IDs and passwords, and changes to them on request, must be strictly controlled by the ICT Manager or IT Administrator.
When a user resigns or is dismissed, HR must send a written letter to the IT Department so that the user account can be disabled for 30 days, during which all important emails are saved and forwarded to the relevant employee. After 30 days the user account is removed automatically from the server.
1.4.2 The policy requires:
Mandatory use of a user ID and password. Only the ICT Manager or IT Administrator is permitted to allocate initial passwords to users, who are required to change them on first use before access to systems is granted. When a new account is created, the IT Administrator must assign a unique password that is not known to anyone else (and in particular not a 'standard' password) and that conforms to the KKM minimum standard. A letter from HR announcing a new employee must be forwarded to the IT Department a week before the employee's start date so that the user profile can be created. Users must log a call with the IT Department for any password request.
• Ensure that reset passwords comply with the KKM minimum standard. If the reset was anonymous, i.e. the administrator did not see the new password and it was delivered over a secure channel (e.g. a TLS-protected web page), it may be used as the user's new password. Otherwise the user must be forced to change the password at the next logon.
• Be at least 8 characters in length.
• Contain at least two special characters.
• Share no more than three identical consecutive characters, in any position, with the previous password.
• Permit routine password changes to be made only by the user.
• Ensure that password reuse is not permitted within 12 months or 12 iterations.
• Alter default vendor passwords (and IDs if possible) after installation of software.
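The composition rules in 1.3 and 1.4.2 can be checked mechanically at the moment a user sets a password. The Python below is a worked example added for this edition, not code from the Municipality or any of its systems. The deny list is a constructed stand-in for the full dictionary and sequence lists, the `personal` parameter stands for whatever the caller knows about the user (names, plate, ID number), and reading the "three identical consecutive characters" rule as a shared run at the same positions as the previous password is an assumption.

```python
from __future__ import annotations

import string

# Constructed stand-in for the policy's dictionary words, proper nouns, acronyms,
# slang and common sequences (assumption: a deployment loads a full wordlist).
DENY_LIST = {"password", "welcome", "koukamma", "qwerty", "123456", "abc123", "letmein"}
SPECIAL = set(string.punctuation)
MIN_LENGTH = 8        # 1.4.2: at least 8 characters
MIN_SPECIAL = 2       # 1.4.2: at least two special characters
MAX_SHARED_RUN = 3    # 1.4.2: no more than three identical consecutive characters
                      # in the same positions as the previous password (our reading)


def shared_run(a: str, b: str) -> int:
    """Longest run of characters that are identical at the same positions in a and b."""
    best = run = 0
    for x, y in zip(a, b):
        run = run + 1 if x == y else 0
        best = max(best, run)
    return best


def check_password(candidate: str, user_id: str, previous: str | None = None,
                   personal: tuple[str, ...] = ()) -> list[str]:
    """Return the rules the candidate breaks; an empty list means it may be used.

    `personal` carries what 1.3 says not to use (spouse's, children's or pet's names,
    car licence plate, ID number, birth date) as the caller knows them for this user.
    """
    problems: list[str] = []
    low = candidate.lower()

    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if sum(ch in SPECIAL for ch in candidate) < MIN_SPECIAL:
        problems.append(f"fewer than {MIN_SPECIAL} special characters")
    if any(word in low for word in DENY_LIST):
        problems.append("contains a dictionary word or common sequence")
    uid = user_id.lower()
    if uid in low or uid[::-1] in low:
        problems.append("derived from the user ID")
    if any(item and item.lower() in low for item in personal):
        problems.append("contains personal information")

    if previous is not None:
        if candidate == previous:
            problems.append("identical to the previous password")
        elif shared_run(candidate, previous) > MAX_SHARED_RUN:
            # Also catches the 'fixed part + predictable part' pattern,
            # e.g. Summer2023!! followed by Summer2024!!
            problems.append("substantially similar to the previous password")
    return problems
```

The `previous` argument is available only at change time, because the user types the old password to authorise the change; against older passwords a system that stores hashes can detect exact reuse but not similarity, which is why the similarity rule has to be applied here and not retrospectively.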
1.4.3 Storage and Transmission
Passwords are automatically classified as confidential and must be protected accordingly. Passwords stored on systems must be held only as salted one-way hashes from which the password cannot be recovered; under no circumstances may password information be stored in clear text on a system, even if it does not relate to the system on which it is stored. Passwords must be protected by encryption while in transit (e.g. TLS). Clear-text passwords must never be embedded in application or user files, terminal emulator or file transfer set-ups, etc., unless on a computer stored or operated in a proven secure area. Password files must be stored separately from the main application system data.
1.4.4 Monitoring
Sharing of usernames and passwords will be monitored on a regular basis. When a user enters an incorrect password three times, the system locks the account until an administrator unlocks it.
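An added example, not the Municipality's code, of the storage rule in 1.4.3 and the lockout rule in 1.4.4 together: a salted PBKDF2-HMAC-SHA256 digest is the one-way function, a list of earlier digests enforces the 12-iteration reuse rule from 1.4.2, and three consecutive failed logins lock the account until an administrator unlocks it. The iteration count, salt length and the way the history is kept are assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

SALT_LEN = 16
ITERATIONS = 600_000   # assumption: PBKDF2-HMAC-SHA256 work factor; raise as hardware allows
HISTORY_DEPTH = 12     # 1.4.2: no reuse within 12 iterations (current + 11 prior hashes)
MAX_FAILURES = 3       # 1.4.4: lock after three incorrect passwords


def hash_password(password: str) -> bytes:
    """Salted one-way hash; the stored blob is salt || digest, never the password."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    probe = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


@dataclass
class Account:
    user_id: str
    current: bytes                                        # hash of the password in use
    history: list[bytes] = field(default_factory=list)    # hashes of earlier passwords
    failures: int = 0
    locked: bool = False
    must_change: bool = True   # initial and reset passwords are changed on first use


def create_account(user_id: str, initial_password: str) -> Account:
    return Account(user_id=user_id, current=hash_password(initial_password))


def login(acct: Account, password: str) -> bool:
    """True on success; three consecutive failures lock the account until unlocked."""
    if acct.locked:
        return False
    if verify_password(password, acct.current):
        acct.failures = 0
        return True
    acct.failures += 1
    if acct.failures >= MAX_FAILURES:
        acct.locked = True
    return False


def admin_unlock(acct: Account) -> None:
    acct.locked = False
    acct.failures = 0


def change_password(acct: Account, old: str, new: str) -> bool:
    """Rotate the password, refusing any of the last HISTORY_DEPTH passwords."""
    if acct.locked or not verify_password(old, acct.current):
        return False
    # Exact reuse is detectable from stored hashes alone; each old salt is reused
    # so the candidate is hashed once per history entry.
    if any(verify_password(new, h) for h in [acct.current, *acct.history]):
        return False
    acct.history = [acct.current, *acct.history][:HISTORY_DEPTH - 1]
    acct.current = hash_password(new)
    acct.must_change = False
    return True
```

Holding the history as hashes rather than clear text keeps the "never in clear text" rule intact while still making the 12-iteration check possible; the cost is that each history entry costs one full PBKDF2 computation on every change.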
2. INTERNET AND EMAIL USAGE POLICY
2.1 INTRODUCTION
The internet and email have emerged as valuable and cost-effective tools for municipal employees.
However, press and court cases from around the world underscore the fact that these technologies may
also pose potential problems for both employers and individual employees.
The Municipality provides selected and authorized employees with internet access and electronic communication services for the performance and fulfilment of their job responsibilities. This Internet and Email Usage Policy is designed to encourage the appropriate use of these services, subject to compliance with the requirements stated herein, which are necessary to minimize the risks associated with such usage.
Authorized users of the internet and email services provided by the Municipality must appreciate that access is provided to increase productivity and not for private activities. Authorized users must also appreciate that any connection to the internet offers an opportunity for non-authorized users to view or access municipal information. It is therefore important that all connections be secure, controlled and monitored.
Municipal employees are trusted colleagues and are expected to use all business tools appropriately. However, if abuse of internet access becomes prevalent, more active monitoring may be needed. Email attachments sent or received by authorized users must not exceed 10 MB in size, and all attachments are scanned by the Municipality's chosen anti-virus and content-filtering software.
In line with accepted anti-spam practice, employees are not permitted to send emails to more than 20 recipients. A breach may result in the Municipality's mail domain being temporarily blacklisted on the internet.
2.2 SCOPE
This policy applies to all employees who have been granted internet and/or email facilities, whether accessed from a computer, a network-enabled device (such as a multi-function printer) or a mobile device (where applicable).
2.3 POLICY STATEMENT
Authorized employees should contact the ICT Manager if they have any questions about the following guidelines:
• The display of sexually explicit images or documents on any municipal system, including related "chat-room" conversations, is prohibited and may constitute a violation of the policy on sexual harassment. In addition, such explicit material may not be archived, stored, distributed, edited or recorded using the municipal network or computing resources.
• If an authorized employee is unintentionally connected to a site that contains sexually explicit or other offensive material, he/she must disconnect from that site immediately.
• To prevent computer viruses or other potentially harmful code from being transmitted to or through the Municipality's information technology systems, the downloading or installation of any software or computer code is strictly prohibited unless explicitly authorized by the Municipal Manager or his/her nominee. All software downloaded or installed must be registered to, and becomes the property of, the Municipality.
• No employee may use the KKM's internet or network to:
  - Download entertainment software or games, or play against opponents over the internet.
  - Download images, audio or video files unless there is an explicit business-related use for the material.
  - Obtain without authorization the access codes and/or passwords of another user.
  - Browse websites where people communicate socially over the internet in chat rooms, or use a client that enables such activity (e.g. Facebook, MSN, Twitter, Yahoo, Gmail).
  - Commit software piracy or otherwise infringe intellectual property rights in digital content.
  - Connect a PC to the Koukamma Municipality network without running virus detection software.
  - Visit websites that deal in illegal products or content.
• No employee may use the KKM's internet or email facilities for personal financial gain, political activities, to express a grievance, to disseminate confidential or false information, or to propagate or encourage hatred or discrimination in any manner whatsoever.
• Access to the internet is granted only on application, where such access is necessary for the completion of a staff member's tasks, and must be approved by the Municipal Manager or the Director of that section.
• Internet access will not be allowed where a job function does not require it.
2.4 APPLICATION OF THIS POLICY
The Internet and Email Usage Policy will be applied in several ways:
• Where technology allows, the policy will be enforced automatically. For example, anti-virus software and internet proxies can filter and restrict content.
• Management reports will highlight possible violations. These will be investigated to identify actual violations. The offender's manager will take disciplinary action in line with municipal policy.
• Users may self-police the policy by reporting any violations via the grievance procedure.
2.5 ACCESS TO INTERNET
Unlimited internet access for all employees.
2.6 ACCESS TO EMAIL
Email should be seen as a privilege and not a right. It is therefore imperative that users keep their email use official and at all times free of profanity and of obscene, racist, defamatory, abusive, threatening, discriminatory or otherwise biased remarks or content, and of lies intended to discredit the Municipality, any individual who acts as a representative of the Municipality or government, or any other person.
• Users must not distribute or forward any content that is sexual, pornographic, biased, offensive or violent, or that can be viewed as inappropriate or illegal.
• It is also deemed illegal to send emails containing usernames and passwords to persons who are not on, or are not members of, the network, especially where those accounts and passwords grant administrator or equivalent rights to the network and the recipient uses them illegally.
• All email messages must be kept to a maximum of 10 MB. This conserves bandwidth for important transfers.
• Users are requested to keep private emails to an absolute minimum. All users are hereby informed that monitoring software may be installed on all government networks and used to monitor all electronic communication, in accordance with the intelligence acts, to ensure that the country is properly protected against terrorism of any type.
3. POLICY ON THE USE OF COMPUTER EQUIPMENT
3.1 PURPOSE
The purpose of this policy is to regulate the use of computer equipment so that the Municipality:
• Controls costs with a standardized set of software and hardware that can be well supported in terms of maintenance and user training;
• Uses municipal assets efficiently;
• Minimizes loss of, or damage to, equipment, software and data;
• Is protected from legal difficulties;
• Is productive, by limiting personal use to reasonable levels.
3.2 SCOPE
This policy is applicable to everyone who works at the Koukamma Municipality: all permanent, contract or temporary personnel, including anyone supplied to the Municipality by a labour broker or service provider, referred to as "personnel" or "users" in this document.
This policy must be made an enforceable part of any contract with a labour broker or service provider whose personnel use the Municipality's computers.
3.3 POLICY STATEMENT
3.3.1 PERSONNEL MAY BE ISSUED WITH A COMPUTER
At the request of your manager you may be issued with computer equipment (desktop or laptop) and access to computer-based services. These are provided to help you do your job. Qualifying criteria are set by management.
Qualifying personnel will normally get a standard-issue computer from IT department, along with
standard-issue software. New equipment will be bought only if necessary. Printers are allocated in the
same way, but you may be expected to share a printer with other personnel.
Some personnel may need non-standard equipment or software to do their job effectively. To get this,
your manager must make a recommendation in the form of a submission to management. The
submission must include the details and cost of the software or equipment you need.
3.3.2 THE COMPUTER SYSTEMS BELONG TO THE MUNICIPALITY
The computer, the printers, software licenses, network and data that you use at the Municipality remain
the property of the Municipality.
3.3.3 MANAGEMENT WILL SPECIFY THE STANDARD ISSUE PERSONAL COMPUTER
To make for cost-effective use of equipment and software, the Municipality will standardize on a core set of software and hardware products. The specifications will be set, and revised from time to time, by management and the ICT Steering Committee. The Committee may set different standards for different parts of the organization. The standards will cover the following:
• Hardware specifications for standard-issue desktop computers, notebook computers and printers. Users will be issued with a computer that meets this standard. When the standard is raised, computers below the standard will be upgraded or replaced (budget allowing), without the need for a motivation from the user.
• Specifications for new desktop computer, notebook computer or printer hardware. When the Municipality buys a new computer or printer, its specification will conform to this standard.
• Additional software set. A list of software that may be installed if needed to do the job. To control maintenance cost, no other software may be used without the written approval of both the user's Director and the ICT Manager.
• Disallowed software and hardware. A list of software, hardware or categories of software or hardware that is not allowed. In setting the standard, the ICT Steering Committee will consider at least the following issues: security, licensing, support and risk of harassment (through offensive material).
3.3.4 USE OF PERSONAL COMPUTERS IS ENCOURAGED FOR OFFICIAL PURPOSES
The use of your personal computer is encouraged for Koukamma Municipality business or for activities sponsored or authorized by the Municipality. An employee may use his/her own computer only under the following circumstances:
• Municipal computer equipment is under repair;
• Instructed by his/her Director and approved by the Municipal Manager;
• Waiting for new computer equipment to be delivered.
3.3.5 YOU HAVE A DUTY TO USE MUNICIPAL RESOURCES RESPONSIBLY
Take care to use your computer responsibly, ethically and lawfully. Do not waste computer resources or
unfairly monopolize resources to the exclusion of others.
Any file copied from an external source must be scanned for computer viruses. This includes files from a
CD, USB drive, e-mail or Internet.
You may not use the Municipality's computer facilities to:
• Play games or run other entertainment software.
• Save files containing images, music, sound or video onto municipal servers, unless they are for official purposes.
• Make or store illegal copies of material protected by copyright. This includes software programs, music and publications, in whole or in part.
• Back up your entire local hard drive onto municipal servers.
• Print large documents if there is a viable on-screen alternative.
3.3.6 YOU MAY HAVE TO PAY FOR LOST, DAMAGED OR STOLEN EQUIPMENT
If an item is lost, damaged or stolen while it was under your control or responsibility, the Municipality will not normally ask you to pay for it, but you may lose municipal cover if you fail to follow Treasury regulations or standing instructions. The main elements are summarized here, but this summary does not replace the original prescripts, which will be used to deal with any loss. Municipal software may not be installed on personal computer equipment.
You may lose your municipal cover against loss if you:
• Were not on official business when the loss occurred;
• Did not obtain permission from the Director/Manager and approval of the Municipal Manager;
• Were under the influence of alcohol or drugs when the loss occurred;
• Had not been issued with a permit to take the item off municipal premises;
• Did not obtain a receipt for equipment you voluntarily surrendered;
• Acted recklessly or negligently;
• Intentionally caused the damage, or ignored any standing instructions (including municipal circulars);
• Water damage to computer equipment;
• Vandalism.
3.3.7 MANAGERS ARE ACCOUNTABLE FOR COMPUTER USE BY THEIR STAFF
Managers should ensure that all their computer-using staff, whether temporary, permanent or contract, are made aware of the contents of this policy. You are required to apply the policy to all those who report to you. You are accountable for the use your staff make of personal computer equipment, software and services.
3.4 LEGAL SUPPORT FOR THIS POLICY
• Code of Conduct for the Public Service, which is part of the Public Service Regulations 1999 and issued in terms of the Public Service Act, 1994.
• National Treasury Regulations - Chapter 12: Management of Losses and Claims.
• Disciplinary Code and Procedures (Public Service Coordinating Bargaining Council Resolution No. 2 of 1999).
• Copyright Amendment Act 125 of 1992.
• Copyright Act 98 of 1978.
• Occupational Health and Safety Act, 1993.
4. IT SERVER DOCUMENTATION POLICY
4.1 PURPOSE
The purpose of this policy is to establish standards for the base configuration of internal server
equipment that is owned and/or operated by Koukamma Municipality. Effective implementation of this
policy will minimize unauthorized access to Koukamma Municipality proprietary information and
technology.
4.2 SCOPE
This policy applies to server equipment owned and/or operated by Koukamma Municipality, and to
servers registered under any Koukamma Municipality-owned internal network domain.
This policy is specifically for equipment on the internal Koukamma Municipality network. For secure
configuration of equipment external to Koukamma Municipality on the DMZ, refer to the Internet DMZ
Equipment Policy.
4.3 POLICY
OWNERSHIP AND RESPONSIBILITIES
All internal servers deployed at Koukamma Municipality must be owned by an operational group that is
responsible for system administration. Approved server configuration guides must be established and
maintained by each operational group, based on business needs and approved by InfoSec. Operational
groups should monitor configuration compliance and implement an exception policy tailored to their
environment. Each operational group must establish a process for changing the configuration guides,
which includes review and approval by InfoSec.

• Servers must be registered within the corporate enterprise management system. At a minimum, the following information is required to positively identify the point of contact:
  - Server contact(s) and location, and a backup contact
  - Hardware and operating system/version
  - Main functions and applications, if applicable
• Information in the corporate enterprise management system must be kept up to date.
• Configuration changes for production servers must follow the appropriate change management procedures.
GENERAL CONFIGURATION GUIDELINES
• Operating system configuration should be in accordance with approved InfoSec guidelines.
• Services and applications that will not be used must be disabled where practical.
• Access to services should be logged and/or protected through access-control methods such as TCP Wrappers, if possible.
• The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.
• Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication will do.
• Always apply the standard security principle of least privilege: grant only the access required to perform a function.
• Do not use root when a non-privileged account will do.
• Where a secure-channel method is available (i.e. technically feasible), privileged access must be performed over secure channels (e.g. encrypted network connections using SSH or IPsec).
• Servers should be physically located in an access-controlled environment.
• Servers are specifically prohibited from operating from uncontrolled cubicle areas.
MONITORING
• All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:
  - All security-related logs will be kept online for a minimum of 1 week.
  - Daily backups will be retained for at least 1 month.
  - Weekly full tape backups of logs will be retained for at least 1 month.
  - Monthly full backups will be retained for a minimum of 2 years.
• Security-related events will be reported to InfoSec, who will review logs and report incidents to Information Technology management. Corrective measures will be prescribed as needed.
• Security-related events include, but are not limited to:
  - Port-scan attacks
  - Evidence of unauthorized access to privileged accounts
  - Anomalous occurrences that are not related to specific applications on the host.
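As an added example, not taken from the page or from any Municipality system, the following Python reviews a constructed syslog excerpt for two of the event classes listed above: port scans (one source probing many ports, seen here as netfilter DROP lines) and privileged-account activity (root logins over SSH, failed su to root, sudo attempts by users not in sudoers). The log formats, hostname, addresses, usernames and the five-port scan threshold are all assumptions.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sample syslog excerpt (not from the page): netfilter DROP lines in the
# iptables LOG format plus sshd, su and sudo messages. Hosts and addresses are invented.
SAMPLE_LOG = """\
Mar  3 09:12:01 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=21
Mar  3 09:12:01 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=22
Mar  3 09:12:01 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=23
Mar  3 09:12:02 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=25
Mar  3 09:12:02 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=80
Mar  3 09:12:02 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=443
Mar  3 09:12:03 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=3389
Mar  3 09:12:03 srv1 kernel: DROP IN=eth0 SRC=10.0.5.7 DST=10.0.1.10 PROTO=TCP DPT=8080
Mar  3 09:12:40 srv1 kernel: DROP IN=eth0 SRC=10.0.9.2 DST=10.0.1.10 PROTO=TCP DPT=443
Mar  3 09:13:40 srv1 sudo:   jsmith : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/jsmith ; USER=root ; COMMAND=/bin/bash
Mar  3 09:14:02 srv1 sshd[2210]: Accepted password for root from 10.0.5.7 port 51022 ssh2
Mar  3 09:14:30 srv1 su: FAILED SU (to root) jsmith on pts/1
Mar  3 09:15:00 srv1 sshd[2231]: Accepted publickey for ops from 10.0.2.4 port 50110 ssh2
"""

SCAN_THRESHOLD = 5   # assumption: a source probing >= 5 distinct ports is reported as a scan

DROP_RE = re.compile(r"kernel: DROP .*?SRC=(\S+) .*?DPT=(\d+)")
ROOT_SSH_RE = re.compile(r"sshd\[\d+\]: Accepted \w+ for root from (\S+)")
FAILED_SU_RE = re.compile(r"su: FAILED SU \(to root\) (\S+)")
SUDOERS_RE = re.compile(r"sudo:\s+(\S+) : user NOT in sudoers")


def analyse(log_text: str) -> dict:
    """Return port-scan sources and privileged-account events found in the log text."""
    ports_by_src: dict[str, set[int]] = defaultdict(set)
    privileged: list[tuple[str, str]] = []
    for line in log_text.splitlines():
        if m := DROP_RE.search(line):
            ports_by_src[m.group(1)].add(int(m.group(2)))
        elif m := ROOT_SSH_RE.search(line):
            privileged.append(("root-ssh-login", m.group(1)))      # actor is the source IP
        elif m := FAILED_SU_RE.search(line):
            privileged.append(("failed-su-to-root", m.group(1)))   # actor is the local user
        elif m := SUDOERS_RE.search(line):
            privileged.append(("sudo-not-permitted", m.group(1)))
    scans = {src: sorted(ports) for src, ports in ports_by_src.items()
             if len(ports) >= SCAN_THRESHOLD}
    return {"port_scans": scans, "privileged": privileged}


def report(findings: dict) -> list[str]:
    """One line per finding, in the form that would be passed to InfoSec for review."""
    lines = [f"port scan from {src}: {len(ports)} ports ({ports[0]}..{ports[-1]})"
             for src, ports in findings["port_scans"].items()]
    lines += [f"{kind}: {actor}" for kind, actor in findings["privileged"]]
    return lines
```

Run over the sample, `analyse` reports 10.0.5.7 as a scanner and then, a few minutes later, as the source of a root SSH login, which is exactly the correlation a reviewer should be looking for; the single hit from 10.0.9.2 on port 443 stays below the threshold. The distinct-port count is deliberately simple: a production detector would also bound the time window and whitelist known scanners such as the Municipality's own vulnerability scanner.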
COMPLIANCE
• Audits will be performed on a regular basis by authorized organizations within Koukamma Municipality.
• Audits will be managed by the internal audit group or InfoSec, in accordance with the Audit Policy. InfoSec will filter findings not related to a specific operational group and then present the findings to the appropriate support staff for remedial action or justification.
• Every effort will be made to prevent audits from causing operational failures or disruptions.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
DEFINITIONS
DMZ: De-militarised Zone. A network segment external to the corporate production network.
Server: For purposes of this policy, a Server is defined as an internal Koukamma Municipality server. Desktop machines and lab equipment are not relevant to the scope of this policy.
5. VPN: VIRTUAL PRIVATE NETWORK POLICY
5.1 PURPOSE
The purpose of this policy is to provide guidelines for remote-access IPsec or L2TP Virtual Private Network (VPN) connections to the Koukamma Municipality corporate network.
5.2 SCOPE
This policy applies to all Koukamma Municipality employees, contractors, consultants, temporary staff and other workers, including all personnel affiliated with third parties, who use VPNs to access the Koukamma Municipality network. It applies to implementations of VPN that are directed through an IPsec concentrator.
5.3 POLICY
Approved Koukamma Municipality employees and authorized third parties (approved consultants) may use VPNs, which are supplied by the Information Technology Department as a service. This means that the Information Technology Department, through the prescribed procurement policies, is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.
Additionally:
• It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Koukamma Municipality internal networks.
• VPN use is to be controlled using either one-time password authentication, such as a token device, or a public/private key system with a strong passphrase.
• When actively connected to the corporate network, the VPN client will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
• Dual (split) tunneling is NOT permitted; only one network connection is allowed.
• VPN gateways will be set up and managed by Koukamma Municipality network operational groups.
• All computers connected to Koukamma Municipality internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard (provide URL to this software); this includes personal computers.
• VPN users will be automatically disconnected from Koukamma Municipality's network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
• The VPN concentrator is limited to an absolute connection time of 24 hours.
• Users of computers that are not Koukamma Municipality-owned equipment must configure the equipment to comply with Koukamma Municipality's VPN and network policies.
• Only InfoSec-approved VPN clients may be used.
• By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Koukamma Municipality's network and, as such, are subject to the same rules and regulations that apply to Koukamma Municipality-owned equipment, i.e. their machines must be configured to comply with InfoSec's security policies.
ENFORCEMENT
Any employee found to have violated this policy may be subject to disciplinary action, up to and
including termination of employment.
DEFINITIONS
IPsec Concentrator: A device in which VPN connections are terminated.
REVISION HISTORY
Date
Revisions
Date of Adoption
………………………………………………
……………………………………………
Municipal Manager