ICT Policy Amended January 2019

NDEGE CHAI

SAVINGS AND CREDIT COOPERATIVE SOCIETY LIMITED

ICT Policy

Reference No: NCS/ICT/P/09/14
Revision: Revised August 2018
Approved by: Audit Sub Committee & BOD
Effective Date: November 2018
Issued to: Policy File

Amended November 2018 1


Policy: ICT Policy

Applicable Laws/regulations: Co-operative Societies Act


Co-operative Societies Rules
By Laws of NDEGE CHAI SACCO

Review History: September 2014 Adopted


November 2018 Current Review



ICT POLICY

Introduction

IT's intention in publishing an Acceptable Use Policy is not to impose restrictions that are
contrary to Ndege Chai Sacco Ltd's established culture of openness, trust and integrity. IT is
committed to protecting Ndege Chai Sacco Ltd's employees, partners and the SACCO itself from illegal
or damaging actions by individuals, whether committed knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment,
software, operating systems, storage media, and network accounts providing electronic mail, WWW
browsing and FTP, are the property of Ndege Chai Sacco Ltd. These systems are to be used for
business purposes in serving the interests of the society, and of our clients and members, in the
course of normal operations.
Effective security is a team effort involving the participation and support of every Ndege Chai
Sacco Ltd employee and affiliate who deals with information and/or information systems. It is
the responsibility of every computer user to know these guidelines and to conduct their activities
accordingly.

Principles
The purpose of this guideline is to outline the acceptable use of computer equipment at Ndege
Chai Sacco Ltd.
These rules are in place to protect employees and Ndege Chai Sacco Ltd. Inappropriate use
exposes the society to risks including virus and other malware infections, compromise of network
systems and services, and legal issues.

Capacities

This policy applies to employees, contractors, consultants, temporaries, and other workers in the
society, including all personnel affiliated with third parties. The policy applies to all equipment
that is owned or leased by Ndege Chai Sacco Ltd.



General Use and Ownership

a) While Ndege Chai Sacco Ltd network administration desires to provide a reasonable
level of privacy, users should be aware that the data they create on the corporate systems
remains the property of the society. Because of the need to protect the society's network,
management cannot guarantee the confidentiality of information stored on any network
device belonging to the society.

b) Employees are responsible for exercising good judgment regarding the reasonableness of
personal use. Individual departments are responsible for creating guidelines concerning
personal use of Internet/Intranet/Extranet systems. In the absence of such guidelines, and
whenever there is any uncertainty, employees should consult their supervisor or manager.

c) IT recommends that any information that users consider sensitive or vulnerable be
encrypted, to protect its confidentiality, and backed up regularly, to avoid data loss.

d) For security and network maintenance purposes, authorized individuals within the society
may monitor equipment, systems and network traffic at any time, as per the ICT Audit policy.

e) Ndege Chai Sacco Ltd reserves the right to audit networks and systems on a periodic
basis to ensure compliance with this policy.



PASSWORD POLICY
Purpose
Passwords are a critical part of information and network security. Passwords serve to protect user
accounts, but a poorly chosen password, if compromised, could put the entire network at risk. As
a result, all employees of Ndege Chai Sacco Ltd are required to take appropriate steps to ensure
that they create strong, secure passwords and keep them safeguarded at all times.
The purpose of this policy is to set a standard for creating, protecting, and changing passwords
such that they are strong, secure, and protected.

Scope
This policy applies to all employees of Ndege Chai Sacco Ltd who have or are responsible for a
computer account, or any form of access that supports or requires a password, on any system that
resides at any Ndege Chai Sacco Ltd facility, has access to the Ndege Chai Sacco Ltd network, or
stores any non-public Ndege Chai Sacco Ltd information.

Policy

General
• Passwords must be changed every 30 days.
• Old passwords cannot be re-used for a period of 12 months.
• Users will be notified one week in advance of the password expiration date. At this time,
users will be prompted to select a new password.
• All passwords must conform to the guidelines outlined below.

Password Construction Guidelines


Passwords are used to access any number of SACCO systems, including the network, e-mail, the
Web, and voicemail. Poor, weak passwords are easily cracked, and put the entire system at risk.
Therefore, strong passwords are required. Try to create a password that is also easy to remember.
1. Passwords should not be based on well-known or easily accessible personal
information.
2. Passwords must contain at least eight characters.
3. All passwords must start with a letter.
4. Passwords must contain at least two uppercase letters (e.g. N) and four lowercase
letters (e.g. t).
5. Passwords must contain at least two numerical characters (e.g. 5).
6. Passwords must contain at least two special characters (e.g. $).
7. A new password must contain at least four characters that are different than those
found in the old password which it is replacing.
8. Passwords must not be based on a user's personal information or that of his or her
friends, family members, or pets. Personal information includes logon I.D., name,
birthday, address, phone number, social security number, or any permutations
thereof.
9. Passwords must not be words that can be found in a standard dictionary (English or
foreign) or are publicly known slang or jargon.
10. Passwords must not be based on publicly known fictional characters from books,
films, and so on.
11. Passwords must not be based on the SACCO’s name or geographic location.
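The rules above are easy to state and easy to get subtly wrong in code, so the following is a worked checker for them. It is an added example, not part of the SACCO's policy or of any tool the SACCO uses. The function name `check_password`, the small word list, and the personal-information values are assumptions made for the example; rule 7 is read as "at least four characters of the new password do not occur anywhere in the old one", which is one reasonable interpretation of the wording.

```python
import re
import string

# Constructed sample word list standing in for the dictionary / slang list of
# rule 9 and the SACCO-name words of rule 11; a deployment would load a full list.
SAMPLE_DICTIONARY = {"password", "welcome", "summer", "ndege", "chai", "sacco", "nairobi"}


def personal_tokens(personal_info):
    """Lower-cased fragments of the user's personal data (rules 1 and 8):
    whole values plus their parts (name words, date fields, number groups)."""
    tokens = set()
    for value in personal_info:
        text = str(value).lower()
        tokens.add(text)
        for part in re.split(r"[\s/\-.@]+", text):
            if len(part) >= 3:          # ignore fragments too short to be meaningful
                tokens.add(part)
    return tokens


def check_password(new, old="", personal_info=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of construction rules the candidate password breaks.
    An empty list means the password is acceptable under rules 1 to 11."""
    violations = []
    if len(new) < 8:
        violations.append("rule 2: fewer than 8 characters")
    if not new or not new[0].isalpha():
        violations.append("rule 3: must start with a letter")
    upper = sum(c.isupper() for c in new)
    lower = sum(c.islower() for c in new)
    digits = sum(c.isdigit() for c in new)
    special = sum(c in string.punctuation for c in new)
    if upper < 2 or lower < 4:
        violations.append("rule 4: need at least 2 uppercase and 4 lowercase letters")
    if digits < 2:
        violations.append("rule 5: need at least 2 numerical characters")
    if special < 2:
        violations.append("rule 6: need at least 2 special characters")
    # Rule 7 (assumed reading): at least four characters of the new password do
    # not occur anywhere in the old one. This can only be checked at change
    # time, when the user supplies the old password; it cannot be derived from
    # a stored hash.
    if old and len(set(new) - set(old)) < 4:
        violations.append("rule 7: fewer than 4 characters differ from the old password")
    lowered = new.lower()
    for token in sorted(personal_tokens(personal_info)):
        if token in lowered:
            violations.append(f"rule 1/8: contains personal information '{token}'")
            break
    for word in sorted(dictionary):
        if len(word) >= 4 and word in lowered:
            violations.append(f"rule 9/11: contains dictionary or SACCO word '{word}'")
            break
    return violations


if __name__ == "__main__":
    profile = ["Jane Doe", "01/05/1990"]   # constructed personal data for the demo
    for candidate in ("Tk7$pq!9Rmwz", "ndege2019", "JaneAB12!$cd"):
        print(candidate, "->", check_password(candidate, personal_info=profile) or "OK")
```

The substring checks are deliberately case-insensitive and run against fragments of the personal data, so "JaneAB12!$cd" is rejected even though it satisfies every character-class rule; a checker that only counts character classes would accept it.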



Password Protection Guidelines
1. Passwords should be treated as confidential information. No employee is to give, tell, or hint at their
password to another person, including ICT staff, administrators, superiors, other co-workers, friends, and
family members, under any circumstances.

2. If someone demands your password, refer them to this policy or have them contact the ICT Department or
the CEO for direction.

3. Passwords are not to be transmitted electronically over the unprotected Internet, such as via e-mail.
However, passwords may be used to gain remote access to SACCO resources via the SACCO’s IPsec-
secured Virtual Private Network or SSL-protected Web site.

4. No employee is to keep an unsecured written record of his or her passwords, either on paper or in an
electronic file. If it proves necessary to keep a record of a password, then it must be kept in a controlled
access safe if in hardcopy form or in an encrypted file if in electronic form.

5. Do not use the “Remember Password” feature of applications.

6. Passwords used to gain access to SACCO systems should not be used as passwords to access non-SACCO
accounts or information.

7. If possible, don’t use the same password to access multiple SACCO systems.

8. If an employee either knows or suspects that his/her password has been compromised, it must be reported
to the ICT Department and the password changed immediately.

9. The ICT Department may attempt to crack or guess users’ passwords as part of its ongoing security
vulnerability auditing process. If a password is cracked or guessed during one of these audits, the user will
be required to change his or her password immediately.
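A worked example of the audit described in item 9, added here and not part of the SACCO's policy or tooling. It assumes password hashes are stored as PBKDF2-HMAC-SHA256 with a per-user salt (an assumption; the page does not say how passwords are stored) and tries guesses built from exactly the material rules 8 and 11 forbid: the logon ID, the user's names, the birth year and the SACCO's name, with common mangling. The account records and the function names are constructed for the example.

```python
import hashlib
import itertools
import os

ITERATIONS = 1_000   # kept low so the example runs quickly; real stores use far more


def hash_password(password, salt, iterations=ITERATIONS):
    """PBKDF2-HMAC-SHA256 with a per-user salt (assumed storage format)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def candidate_guesses(profile, org_words=("ndege", "chai", "sacco")):
    """Guesses built from what rules 8 and 11 forbid: logon ID, names and the
    SACCO's name, with the usual mangling (capitalised, birth year or digits
    appended, trailing '!')."""
    bases = set(org_words)
    for field in ("logon_id", "first_name", "last_name"):
        bases.add(profile[field].lower())
    bases.add(profile["first_name"].lower() + profile["last_name"].lower())
    suffixes = ("", profile["birth_year"], "123", "2018", "!", "1!")
    for base, suffix in itertools.product(sorted(bases), suffixes):
        yield base + suffix
        yield base.capitalize() + suffix


def audit_users(users):
    """Return {logon_id: recovered_password} for each account whose stored hash
    matches a guess. Those users must change their password immediately (item 9)."""
    cracked = {}
    for user in users:
        for guess in candidate_guesses(user):
            if hash_password(guess, user["salt"]) == user["hash"]:
                cracked[user["logon_id"]] = guess
                break
    return cracked


def make_user(logon_id, first, last, birth_year, password):
    """Constructed account record with a fresh random salt."""
    salt = os.urandom(16)
    return {"logon_id": logon_id, "first_name": first, "last_name": last,
            "birth_year": birth_year, "salt": salt,
            "hash": hash_password(password, salt)}


# Constructed sample accounts: two breach the policy (name + birth year;
# SACCO name + year), the third is compliant.
SAMPLE_USERS = [
    make_user("jdoe", "Jane", "Doe", "1988", "Jane1988"),
    make_user("mkamau", "Mary", "Kamau", "1991", "Sacco2018"),
    make_user("pokoth", "Peter", "Okoth", "1985", "Tk7$pq!9Rmwz"),
]


if __name__ == "__main__":
    for logon_id, password in audit_users(SAMPLE_USERS).items():
        print(f"{logon_id}: weak password recovered ({password}); force a change")
```

Because each user has a distinct salt, every guess must be hashed once per account; that per-user cost is the reason a salted, iterated hash is used in the first place, and it is why a real audit is run offline on a copy of the hashes rather than against the live login service.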

Enforcement
Any employee who is found to have violated this policy may be subjected to disciplinary action,
up to and including termination of employment.



E-Mail Acceptable Use Policy
E-mail is a critical mechanism for business communications at Ndege Chai Sacco Ltd. However,
use of Ndege Chai Sacco Ltd's electronic mail systems and services is a privilege, not a right,
and they must therefore be used with respect and in accordance with the goals of Ndege Chai Sacco
Ltd.
The objectives of this policy are to outline appropriate and inappropriate use of Ndege Chai
Sacco Ltd’s e-mail systems and services in order to minimize disruptions to services and
activities, as well as comply with applicable policies and laws.

Scope
This policy applies to all e-mail systems and services owned by Ndege Chai Sacco Ltd, all e-
mail account users/holders at Ndege Chai Sacco Ltd (both temporary and permanent), and all
SACCO e-mail records.

Account Activation/Termination
E-mail access at Ndege Chai Sacco Ltd is controlled through individual accounts and passwords.
Each user of Ndege Chai Sacco Ltd’s e-mail system is required to read and sign a copy of this E-
Mail Acceptable Use Policy prior to receiving an e-mail access account and password. It is the
responsibility of the employee to protect the confidentiality of their account and password
information.
All employees of Ndege Chai Sacco Ltd are entitled to an e-mail account. E-mail accounts will
be granted to third party non-employees on a case-by-case basis. Possible non-employees that
may be eligible for access include:
• Attachees
• Seasonal/temporary employees.
Applications for these temporary accounts must be submitted in writing to the CEO. All terms,
conditions, and restrictions governing e-mail use must be in a written and signed agreement.
E-mail access will be terminated when the employee or third party terminates their association
with Ndege Chai Sacco Ltd, unless other arrangements are made. Ndege Chai Sacco Ltd is under
no obligation to store or forward the contents of an individual’s e-mail inbox/outbox after the
term of their employment has ceased.

General Expectations of End Users


Important official communications are often delivered via e-mail. As a result, employees of
Ndege Chai Sacco Ltd with e-mail accounts are expected to check their e-mail in a consistent
and timely manner so that they are aware of important SACCO announcements and updates, as
well as for fulfilling business- and role-oriented tasks.
E-mail users are responsible for mailbox management, including organization and cleaning. If a
user subscribes to a mailing list, he or she must be aware of how to remove himself or herself
from the list, and is responsible for doing so in the event that their current e-mail address
changes.
E-mail users are also expected to comply with normal standards of professional and personal
courtesy and conduct.



Appropriate Use
Individuals at Ndege Chai Sacco Ltd are encouraged to use e-mail to further the goals and
objectives of Ndege Chai Sacco Ltd. The types of activities that are encouraged include:
• Communicating with fellow employees, business partners of Ndege Chai Sacco Ltd, and
clients within the context of an individual's assigned responsibilities.
• Acquiring or sharing information necessary or related to the performance of an
individual's assigned responsibilities.
• Participating in educational or professional development activities.

Inappropriate Use
Ndege Chai Sacco Ltd’s e-mail systems and services are not to be used for purposes that could
be reasonably expected to cause excessive strain on systems. Individual e-mail use will not
interfere with others’ use and enjoyment of Ndege Chai Sacco Ltd’s e-mail system and services.
E-mail use at Ndege Chai Sacco Ltd will comply with all applicable laws, all Ndege Chai Sacco
Ltd policies, and all Ndege Chai Sacco Ltd contracts.
The following activities are deemed inappropriate uses of Ndege Chai Sacco Ltd systems and
services and are prohibited:
1. Use of e-mail for illegal or unlawful purposes, including copyright infringement,
obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation,
forgery, impersonation, soliciting for illegal pyramid schemes, and computer
tampering (e.g. spreading of computer viruses).
2. Use of e-mail in any way that violates Ndege Chai Sacco Ltd’s policies, rules, or
administrative orders, including, but not limited to, any applicable code of conduct
policies, etc.
3. Viewing, copying, altering, or deletion of e-mail accounts or files belonging to Ndege
Chai Sacco Ltd or another individual without authorized permission.
4. Sending of unreasonably large e-mail attachments. The total size of an individual e-
mail message sent (including attachments) should be 10 MB or less.
5. Opening e-mail attachments from unknown or unsigned sources. Attachments are a
primary vector for viruses and other malware and should be treated with the utmost caution.
6. Sharing e-mail account passwords with another person, or attempting to obtain another
person’s e-mail account password. E-mail accounts are only to be used by the
registered user.
7. Excessive personal use of Ndege Chai Sacco Ltd e-mail resources. Ndege Chai Sacco
Ltd allows limited personal use for communication with family and friends,
independent learning, and public service so long as it does not interfere with staff
productivity, pre-empt any business activity, or consume more than a trivial amount of
resources. Ndege Chai Sacco Ltd prohibits personal use of its e-mail systems and
services for unsolicited mass mailings, non-Ndege Chai Sacco Ltd commercial
activity, political campaigning, dissemination of chain letters, and use by non-
employees.

Monitoring and Confidentiality

The e-mail systems and services used at Ndege Chai Sacco Ltd are owned by the SACCO, and
are therefore its property. This gives Ndege Chai Sacco Ltd the right to monitor any and all e-mail
traffic passing through its e-mail system. While the SACCO does not actively read end-user
e-mail, e-mail messages may be inadvertently read by IT staff during the normal course of
managing the e-mail system.
In addition, backup copies of e-mail messages may exist, despite end-user deletion, in
compliance with Ndege Chai Sacco Ltd’s records retention policy. The goals of these backup
and archiving procedures are to ensure system reliability and prevent business data loss.
If Ndege Chai Sacco Ltd discovers or has good reason to suspect activities that do not comply
with applicable laws or this policy, e-mail records may be retrieved and used to document the
activity in accordance with due process. All reasonable efforts will be made to notify an
employee if his or her e-mail records are to be reviewed. Notification may not be possible,
however, if the employee cannot be contacted, as in the case of employee absence due to
vacation.
Use extreme caution when communicating confidential or sensitive information via e-mail. Keep
in mind that all e-mail messages sent outside of Ndege Chai Sacco Ltd become the property of
the receiver. A good rule is to not communicate anything that you wouldn’t feel comfortable
being made public. Demonstrate particular care when using the “Reply” command during e-mail
correspondence.

Reporting Misuse
Any allegations of misuse should be promptly reported to the Operations Manager. If you receive
an offensive e-mail, do not forward, delete, or reply to the message. Instead, report it directly to
the individual named above.

Disclaimer
This email (including any attachments) is confidential and intended only for the use of the
addressee. It may contain information covered by legal, professional or other privilege, which
privilege is not lost or waived by reason of mistaken transmission thereof. Unless you are the
intended recipient (or authorized to receive for the intended recipient), you may not read, print,
retain, use, copy, distribute or disclose to anyone the message (including any attachments) or any
information contained in the message. Any representation or opinions expressed are those of the
individual sender and not necessarily those of Ndege Chai Sacco Ltd. Internet communications
are not secure or safe and therefore Ndege Chai Sacco Ltd does not accept legal responsibility
for the contents of this message. If you are not the addressee, please inform the sender
immediately and destroy this e-mail (including any attachments). Although Ndege Chai Sacco
Ltd operates anti-virus programmes, it does not accept responsibility for any damage whatsoever
caused by any viruses passed by e-mail.

Failure to Comply
Violations of this policy will be treated like other allegations of wrongdoing at Ndege Chai
Sacco Ltd. Allegations of misconduct will be adjudicated according to established procedures.
Sanctions for inappropriate use on Ndege Chai Sacco Ltd’s e-mail systems and services may
include, but are not limited to, one or more of the following:
1. Temporary or permanent revocation of e-mail access;
2. Disciplinary action according to applicable Ndege Chai Sacco Ltd policies;
3. Termination of employment; and/or
4. Legal action according to applicable laws and contractual agreements.



E-Mail User Agreement
I have read and understand the E-Mail Acceptable Use Policy. I understand if I violate the rules
explained herein, I may face legal or disciplinary action according to applicable laws or SACCO
policy.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………

E-MAIL COMMUNICATIONS BEST PRACTICES POLICY
The following are guidelines for drafting professional e-mail communications. These guidelines
should be followed to ensure a professional online image and to conserve network bandwidth
and server storage space.

Subject Line: A poor subject line could cause your e-mail to be dumped in the trash.

• Write "information-rich" subject lines. Say exactly what the e-mail is about.
• Avoid exclamation marks and words like "Urgent." They quickly lose their effect.

Length: The briefer the e-mail, the more likely the chance it will be read in full.

• Stick to one screen (i.e. 25 lines, or 250 words). If you need more space, then e-mail may
not be the right medium; consider phone, fax, or snail mail instead.
• If you absolutely must send a longer e-mail, add the word "Long" to the subject line so
that your reader is prepared, or include the bulk of your content in an attachment.

Content: Your ultimate goal is to ensure your content is read and understood.

• If the recipient doesn't know you, include your name, occupation, and employer.
• Focus on one subject per e-mail. Send several messages if you have multiple topics to
cover.
• Get to your point by the second sentence.
• Use absolute dates and times (e.g. "Monday, December 5 at 2:00" instead of "this
afternoon"). If communicating between time zones, set a reference.
• If you are including a URL, type it out in full (i.e. http://…). A URL is also more
valuable and bandwidth-friendly than sending a copy of the Web page.
• Sign your e-mail and include a signature file with your contact information, so the
recipient knows who sent the message and how to reach you. Note that a text signature is not
proof that a message is genuine: anyone can type one, so it offers no protection against
forged or virus-carrying mail that appears to come from you.

Attachments: Attachments, while a valuable tool, could cause problems at the recipient end due
to viruses, download time, or poor translation. Use them judiciously.

• Only send attachments when absolutely necessary and with the permission of the
recipient (especially if the attachment is over 50 KB).
• If you have multiple attachments, send each in a separate message with an appropriate
subject line to make them easier for the recipient to track and retrieve.

Format: The format or layout of your e-mail serves to maximize readability.

• Use numbers and bullets to recap or list agenda and action items.



• Write a series of brief paragraphs, and always insert a line between them.
• Avoid all-caps; it comes across as shouting. If you need emphasis, put asterisks on
either end of the word or phrase. Conversely, avoid typing in all lower-case.

Style: Style is the hardest element to master. Too rigid, and you could come off as humorless
and intimidating. Too casual and you may be dismissed as someone not to be taken seriously.

• Know your audience. This will dictate the level of formality required. A "business
casual" tone will suit most occasions. Think "khakis and a golf shirt."
• Avoid acronyms like TIA (thanks in advance) or BTW (by the way). A lot of people will
have no idea what these mean.
• Avoid making jokes; they often misfire.

Responding: E-mail communication is a two-way street. Responding to e-mail in a professional
manner is just as important as being a good e-mail writer.

• Don't reply unless it is required in some way. Don't spam the sender's inbox.
• Respond to e-mail messages promptly. If you need more time, send a brief
acknowledgement telling the sender when you'll respond in full.
• Always refer back to the content in the sender's original e-mail. Quote them.
• Consider "interweaving" your response within the sender's original text, especially if
they want feedback on multiple issues. This makes it clear what item you are addressing
in your response.



INTERNET ACCEPTABLE USE POLICY
The goals of this policy are to outline appropriate and inappropriate use of Ndege Chai Sacco
Ltd’s Internet resources, including the World Wide Web, electronic mail, the intranet, FTP (file
transfer protocol), and USENET. Your account provides you with access to networks around the
world through these services. Use of these services is subject to the following conditions.

Your Account
Internet access at Ndege Chai Sacco Ltd is controlled through individual accounts and passwords.
Department managers are responsible for defining appropriate Internet access levels for the
people in their department and conveying that information to the ICT Department.

Each user of the Ndege Chai Sacco Ltd system is required to read this Internet policy and sign an
Internet use agreement prior to receiving an Internet access account and password.

Appropriate Use
Individuals at Ndege Chai Sacco Ltd are encouraged to use the Internet to further the goals and
objectives of Ndege Chai Sacco Ltd. The types of activities that are encouraged include:

1. Communicating with fellow employees, business partners of Ndege Chai Sacco Ltd, and
clients within the context of an individual's assigned responsibilities;
2. Acquiring or sharing information necessary or related to the performance of an
individual’s assigned responsibilities;
3. Participating in educational or professional development activities.

Inappropriate Use
Individual Internet use will not interfere with others’ use and enjoyment of the Internet. Users
will not violate the network policies of any network accessed through their account. Internet use
at Ndege Chai Sacco Ltd will comply with all State laws, all Ndege Chai Sacco Ltd policy, and
all Ndege Chai Sacco Ltd contracts. This includes, but is not limited to, the following:

1. The Internet may not be used for illegal or unlawful purposes, including, but not limited
to, copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism,
harassment, intimidation, forgery, impersonation, illegal gambling, soliciting for illegal
pyramid schemes, and computer tampering (e.g. spreading computer viruses).
2. The Internet may not be used in any way that violates Ndege Chai Sacco Ltd’s policies,
rules, or administrative orders including, but not limited to, [any applicable code of
conduct policies, etc.]. Use of the Internet in a manner that is not consistent with the
mission of Ndege Chai Sacco Ltd, misrepresents Ndege Chai Sacco Ltd, or violates any
Ndege Chai Sacco Ltd policy is prohibited.
3. Individuals should limit their personal use of the Internet. Ndege Chai Sacco Ltd allows
limited personal use for communication with family and friends, independent learning,
and public service. Ndege Chai Sacco Ltd prohibits use for mass unsolicited mailings,
access for non-employees to Ndege Chai Sacco Ltd resources or network facilities,
competitive commercial activity unless pre-approved by Ndege Chai Sacco Ltd, and the
dissemination of chain letters.



4. Individuals may not view, copy, alter, or destroy data, software, documentation, or data
communications belonging to Ndege Chai Sacco Ltd or another individual without
authorized permission.
5. In the interest of maintaining network performance, users should not send unreasonably
large electronic mail attachments.

Security
For security purposes, users may not share account or password information with another person.
Internet accounts are to be used only by the assigned user of the account for authorized purposes.
Attempting to obtain another user's account password is strictly prohibited. Users are required to
change their password if they have reason to believe that any unauthorized person has learned
it. Users are required to take all necessary precautions to prevent unauthorized
access to Internet services.

Failure to Comply
Violations of this policy will be treated like other allegations of wrongdoing at Ndege Chai
Sacco Ltd. Allegations of misconduct will be adjudicated according to established procedures.
Sanctions for inappropriate use of the Internet may include, but are not limited to, one or more of
the following:

1. Temporary or permanent revocation of access to some or all computing and networking
resources and facilities;
2. Disciplinary action according to applicable Ndege Chai Sacco Ltd policies;
3. Legal action according to applicable laws and contractual agreements.

Monitoring and Filtering

Ndege Chai Sacco Ltd may monitor any Internet activity occurring on Ndege Chai Sacco Ltd
equipment or accounts. Ndege Chai Sacco Ltd employs Web Marshall filtering software to
limit access to sites on the Internet. If Ndege Chai Sacco Ltd discovers activities which do not
comply with applicable law or departmental policy, records retrieved may be used to document
the wrongful content in accordance with due process.

Disclaimer
Ndege Chai Sacco Ltd assumes no liability for any direct or indirect damages arising from the
user’s connection to the Internet. Ndege Chai Sacco Ltd is not responsible for the accuracy of
information found on the Internet and only facilitates the accessing and dissemination of
information through its systems. Users are solely responsible for any material that they access
and disseminate through the Internet.

We encourage you to use your Internet access responsibly. Should you have any questions
regarding this Internet Acceptable Use Policy, feel free to contact ICT Manager at
Helpdesk@ndegechaisacco.com



Internet Acceptable Use Policy
Internet User Agreement
I hereby acknowledge that I have read and understand the Internet Acceptable Use Policy of
Ndege Chai Sacco Ltd. I agree to abide by these policies and ensure that persons working under
my supervision abide by these policies. I understand that if I violate such rules, I may face legal
or disciplinary action according to applicable law or departmental policy.
I hereby agree to indemnify and hold Ndege Chai Sacco Ltd and its officers, trustees, employees,
and agents harmless for any loss, damage, expense or liability resulting from any claim, action or
demand arising out of or related to my use of Ndege Chai Sacco Ltd owned computer resources
and the network, including reasonable attorney fees. Such claims shall include, without
limitation, those based on trademark or service mark infringement, trade name infringement,
copyright infringement, unfair competition, defamation, unlawful discrimination or harassment,
and invasion of privacy.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………



Limited Personal Use of Network Resources
Policy
Internet access is provided to employees of Ndege Chai Sacco Ltd for the purpose of advancing
the goals of the SACCO, as well as for professional development and the education or training of
employees. This must always be the primary rationale for Internet use.
Authorized users of SACCO Internet connectivity may also use the Internet for limited personal
use. This is a privilege, not a right, and may be removed at any time by management. Ndege
Chai Sacco Ltd does not accept liability for any loss or damage suffered by an employee as a
result of that employee using the SACCO Internet connection for personal use.

Detailed Parameters
Primary Use: Your primary and overriding rationale for using your Internet connection should
be the performance of your role in advancing the business of the SACCO. This could include,
but is not limited to:
1. Communication with, and providing service to, clients and customers.
2. Conducting the business of your department or unit (such as using the tools available
on the SACCO intranet).
3. Communicating with other employees for work-related purposes.
4. Gathering information relevant to your duties or to expand your expertise.
Limited Personal Use: This is defined as any personally-initiated online activity (including e-
mail and Web usage) that is conducted for purposes other than those listed above. It is limited by
the following considerations:
1. It shall not cause any additional expense to the SACCO or department.
2. It shall be infrequent and brief.
3. It shall not have a negative impact on overall employee productivity.
4. It shall not interfere with the normal operation of your department or work unit.
5. It will not compromise your department or the SACCO in any way.
6. It will be ethical and not contravene acceptable use policies of the SACCO.
Personal Judgment: In limiting personal use, the SACCO expects employees to exercise the
same good judgment that they would use in all work situations. For example, you are expected to
know that taking five minutes to call your spouse during a coffee break is acceptable, while
taking three hours to go shopping at the mall during the workday is not. Making decisions about
your use of Internet resources is no different.
Examples of Limited Personal Use: Personal use is, by definition, up to the individual. We offer
these examples only to illustrate the kinds of situations where it is hoped employees would
exercise their good judgment.

Limited Personal Use:

• Alice keeps in touch with a circle of friends from high school via e-mail. Occasionally she
will take a few minutes to read and respond to an e-mail from one of those friends.
• Nauman is a big fan of international football. During the world championships, he takes a
few minutes every morning to check a Web site that carries the overnight scores.
• Mary reads a review of a new novel by Stephen King. While at work the next day, she logs
onto Amazon.com and purchases the book for delivery to her home address.

Access Abuse:

• Rob is the convener of a local amateur sports association. He has given his work e-mail out
as his main contact. During the sports season, he spends up to 90 minutes each morning
responding to queries and complaints, and otherwise conducting league business.
• Mike frequents Web sites that are clearly prohibited by the SACCO's acceptable use policy.
Co-workers have been offended by some of the images clearly displayed on Mike's computer.
• Todd needs a new fishing rod and spends over an hour browsing different models at a
sporting goods Web site.
Acceptable Use: While some limited personal use is allowed, all prohibitions described within
the SACCO’s acceptable use and security policies remain fully in force. For example, limited
personal use does not include (see other policies for a more extensive listing):
1. Providing internal network access to any other users.
2. Using corporate resources for personal commercial gain.
3. Propagating, transmitting, accessing, downloading, or otherwise communicating any
content that is likely to be deemed racist, sexist, harassing, abusive, obscene, or likely
to cause offence to a recipient.
4. Misrepresenting the SACCO brand for your own gain.
5. Using your account to gain unauthorized access to external networks and systems.
Sanctions for inappropriate use of the Internet may include, but are not limited to, one or more of
the following:
1. Temporary or permanent revocation of access to some or all computing and
networking resources and facilities;
2. Disciplinary action according to applicable Ndege Chai Sacco Ltd policies;
3. Legal action according to applicable laws and contractual agreements.

Network Monitoring: Ndege Chai Sacco Ltd employs monitoring software for the purpose of
enforcing acceptable use policies. This includes blocking access to certain Web sites for which
access is deemed to be a contravention of these policies.



Acknowledgement of Policy Acceptance
I hereby acknowledge that I have read and understand the Limited Personal Use of Network
Resources policy. I agree to abide by this policy and ensure that persons working under my supervision
abide by this policy. I understand that if I violate such rules, I may face legal or disciplinary
action according to applicable laws or departmental policy.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………



PRINTER POLICY
Purpose
Printers represent one of the highest equipment expenditures at Ndege Chai Sacco Ltd. The goal
of this policy is to facilitate the appropriate and responsible business use of Ndege Chai Sacco
Ltd’s printer assets, as well as control Ndege Chai Sacco Ltd’s printer cost of ownership by
preventing the waste of paper, toner, ink, and so on.

Scope
This Printer Policy applies to all employees of Ndege Chai Sacco Ltd, as well as any contract
employees in the service of Ndege Chai Sacco Ltd who may be using Ndege Chai Sacco Ltd
networks and equipment.

General Policy
1. Printers are to be used for documents that are relevant to the day-to-day conduct of business
at Ndege Chai Sacco Ltd. Ndege Chai Sacco Ltd printers should not be used to print personal
documents.
2. Installation of personal printers is generally not permitted at Ndege Chai Sacco Ltd due to
the cost of maintaining and supporting many dispersed machines. In certain circumstances,
however, where confidentiality, remote location, the need to print a large number of low
volume print jobs, or another unusual situation is at issue, personal printers may be allowed.
3. Do not print multiple copies of the same document – the printer is not a copier and typically
costs more per page to use. If you need multiple copies, print one good copy on the printer
and use the photocopier to make additional copies.
4. If you print something, please pick it up in a timely fashion. If you no longer want it, please
dispose of it appropriately (i.e. recycle).
5. If you come across an unclaimed print job, please stack it neatly and note what it appears to
be. All unclaimed output jobs will be discarded after 3 days.
6. Make efforts to limit paper usage by taking advantage of duplex printing (i.e. double-sided
printing) features offered by some printers and other optimization features (e.g. printing six
PowerPoint slides per page versus only one per page).
7. Make efforts to limit toner use by selecting light toner and lower dpi default print settings.
8. Avoid printing large files, as this puts a drain on network resources and interferes with the
ability of others to use the printer. Please report any planned print jobs in excess of 100 pages
to the ICT department so that the most appropriate printer can be selected and other users can
be notified.
9. If printing a job in excess of 25 pages, please be at the printer to collect it when it comes out
to ensure adequate paper supply for the job and that the output tray is not overfull (i.e. you
may need to remove some of the output before the print job is finished).
10. Avoid printing e-mail messages. This is wasteful. Instead, use the folders and archiving
functionality in your e-mail application to organize and view your messages.
11. Avoid printing a document just to see what it looks like. This is wasteful.
12. Avoid re-using paper in laser printers, as this can lead to paper jams and other problems with
the machine.
13. Many printers do not support certain paper types, including vellum, transparencies, adhesive
labels, tracing paper, card stock, or thicker paper. If you need to use any of these paper types,
consult with IT.



14. Color printing is typically not required by general business users. Given this selective need,
as well as the high cost per page to print color copies, the number of color-capable printers
available has been minimized. You are strongly encouraged to avoid printing in color when
monochrome (black) will do.
15. Printer paper and toner cartridges are available at HQ.
16. If you encounter a physical problem with the printer (paper jam, out of toner, etc.) and are
not “trained” in how to fix the problem, please do not try. Instead, report the problem to IT or
ask a trained co-worker for help.
17. Report any malfunction of any printing device to ICT as soon as possible.

Enforcement
Any employee who is found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.



Employee Declaration
I have read and understand the above Printer Policy, and agree to adhere to the rules outlined
therein.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………



ANTI-VIRUS POLICY
Purpose
A virus is a piece of potentially malicious programming code that will cause some unexpected or
undesirable event. Viruses can be transmitted via e-mail or instant messaging attachments,
downloadable Internet files, and removable media such as diskettes, CDs and external disks. Viruses
are usually disguised as something else, and so their presence is not always obvious to the
computer user. A virus infection can be very costly to Ndege Chai Sacco in terms of lost data,
lost staff productivity, and/or lost reputation.
As a result, one of the goals of Ndege Chai Sacco Ltd is to provide a computing network that is
virus-free. The purpose of this policy is to provide instructions on measures that must be taken
by Ndege Chai Sacco Ltd employees to help achieve effective virus detection and prevention.

Scope
This policy applies to all computers that are connected to the Ndege Chai Sacco Ltd network via
a standard network connection, wireless connection, modem connection, or virtual private
network connection. This includes both SACCO-owned computers and personally-owned
computers attached to the Ndege Chai Sacco Ltd network. The definition of computers includes
desktop workstations, laptop computers, handheld computing devices, and servers.

General Policy
1. Currently, Ndege Chai Sacco Ltd is licensed for Kaspersky Antivirus. Licensed copies of
Kaspersky can be obtained from the ICT department. The most current available version of the
anti-virus software package will be taken as the default standard.
2. All computers attached to the Ndege Chai Sacco Ltd network must have standard,
supported anti-virus software installed. This software must be active, be scheduled to
perform virus checks at regular intervals, and have its virus definition files kept up to
date.
3. Any activities with the intention to create and/or distribute malicious programs onto the
Ndege Chai Sacco Ltd network (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.)
are strictly prohibited.
4. If an employee receives what he/she believes to be a virus or suspects that a computer is
infected with a virus, it must be reported to the ICT department immediately at
helpdesk@ndegechaisacco.com. Report the following information (if known): virus
name, extent of infection, source of virus, and potential recipients of infected material.
5. No employee should attempt to destroy or remove a virus, or any evidence of that virus,
without direction from the ICT department.
6. Any virus-infected computer will be removed from the network until it is verified as
virus-free.

Rules for Virus Prevention


1. Always run the standard anti-virus software provided by Ndege Chai Sacco Ltd.
2. Never open any files or macros attached to an e-mail from an unknown,
suspicious, or untrustworthy source.
3. Never open any files or macros attached to an e-mail from a known source (even a
coworker) if you were not expecting a specific attachment from that source.



4. Be suspicious of e-mail messages containing links to unknown Web sites. The visible
link text need not match the real destination: a link may lead to a malicious
executable (.exe) file disguised as a Web page. Do not click on a link sent to you if you
were not expecting a specific link.
5. Never copy, download, or install files from unknown, suspicious, or untrustworthy
sources or removable media.
6. Avoid direct disk sharing with read/write access. Always scan external disks for
viruses before using them.
7. If instructed to delete e-mail messages believed to contain a virus, be sure to also
delete the message from your Deleted Items or Trash folder.
8. Back up critical data and systems configurations on a regular basis and store
backups in a safe place.
9. Regularly update virus protection on personally-owned home computers that are
used for business purposes. This includes installing recommended security patches
for the operating system and other applications that are in use.
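The rules above are written for people, but the same checks can be automated at the mail gateway or in a helpdesk triage script. The following is an added example, not part of the SACCO's policy or tooling: it parses an HTML message body and attachment list, flags links whose visible text names one host while the href points at another (rule 4), links that fetch executable files, and attachments with executable or macro-enabled extensions (rules 2, 3 and 5). The sample message, the 203.0.113.9 address and the extension lists are constructed for the example.

```python
"""Triage checks for a suspicious e-mail: added example, not policy tooling."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed lists for the example: file types that execute code when opened.
EXECUTABLE_EXT = {".exe", ".scr", ".bat", ".cmd", ".com", ".pif",
                  ".js", ".vbs", ".msi", ".hta"}
MACRO_EXT = {".docm", ".xlsm", ".pptm", ".dotm"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def _host_in_text(text):
    """Hostname the visible link text claims to point at, or None if it names none."""
    m = re.search(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
    return m.group(1).lower() if m else None


def _ext(name):
    """Last extension of a path or filename, lower-cased ('invoice.pdf.exe' -> '.exe')."""
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def check_message(html_body, attachments):
    """Return a list of (finding, detail) tuples; an empty list means nothing flagged."""
    findings = []
    collector = _LinkCollector()
    collector.feed(html_body)
    for href, text in collector.links:
        target = urlparse(href)
        shown = _host_in_text(text)
        # Rule 4: the text shows one host but the href goes somewhere else.
        if shown and target.hostname and shown != target.hostname.lower():
            findings.append(("link text/host mismatch",
                             f"{shown} -> {target.hostname}"))
        # Rule 4: the "link" fetches an executable rather than a page.
        if _ext(target.path) in EXECUTABLE_EXT:
            findings.append(("link to executable", href))
    for name in attachments:
        ext = _ext(name)
        # Rules 2, 3, 5: double extensions hide the real type of an attachment.
        if ext in EXECUTABLE_EXT:
            findings.append(("executable attachment", name))
        elif ext in MACRO_EXT:
            findings.append(("macro-enabled attachment", name))
    return findings


# Constructed sample message for the example; not a real e-mail.
SAMPLE_BODY = (
    '<p>Your statement is ready. Log in at '
    '<a href="http://203.0.113.9/login">www.ndegechaisacco.com</a>.</p>'
    '<p>Or run the <a href="http://203.0.113.9/update.exe">secure viewer</a>.</p>'
    '<p>Help: <a href="https://www.ndegechaisacco.com/help">'
    'www.ndegechaisacco.com/help</a></p>'
)
SAMPLE_ATTACHMENTS = ["statement.pdf", "invoice.pdf.exe", "budget.xlsm"]

if __name__ == "__main__":
    for finding, detail in check_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS):
        print(f"{finding}: {detail}")
```

The third link in the sample is left alone because its visible text and its destination agree, which is the distinction rule 4 asks users to make by eye; a gateway can make it mechanically for every message.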

ICT Department Responsibilities


The following activities are the responsibility of the Ndege Chai Sacco Ltd ICT department:

1. The ICT department is responsible for maintaining and updating this Anti-Virus Policy.
Copies of this policy will be posted at e-notice board. Check this location regularly for
updated information.
2. The ICT department will keep the anti-virus products it provides up-to-date in terms of
both virus definitions and software version in use.
3. The ICT department will apply any updates to the services it provides that are required to
defend against threats from viruses.
4. The ICT department will install anti-virus software on all Ndege Chai Sacco Ltd owned
and installed desktop workstations, laptops, and servers.
5. The ICT department will assist employees in installing anti-virus software according to
standards on personally-owned computers that will be used for business purposes. The
ICT department [may/may not] provide anti-virus software in these cases.
6. The ICT department will take appropriate action to contain, remove, and assist in
recovery from virus infections. In order to do so, the ICT department may be required to
disconnect a suspect computer from the network or disconnect an entire segment of the
network.
7. The ICT department will perform regular anti-virus sweeps of system files.
8. The ICT department will attempt to notify users of Ndege Chai Sacco Ltd systems of any
credible virus threats via e-mail or telephone messages. Virus reports will not be acted
upon until validated. Employees should not forward these or any virus warning messages
in order to keep network traffic to a minimum.

Department and Individual Responsibilities


The following activities are the responsibility of Ndege Chai Sacco departments and employees:

1. Departments must ensure that all departmentally-managed computers have virus
protection that is in keeping with the standards set out in this policy.
2. Departments that allow employees to use personally-owned computers for business
purposes must implement virus protection processes and procedures that are in keeping
with the standards set out in this policy.



3. All employees are responsible for taking reasonable measures to protect against virus
infection.
4. Employees must not attempt to either alter or disable anti-virus software installed on any
computer attached to the Ndege Chai Sacco network without the express consent of the
ICT department.

Enforcement
Any employee who is found to have violated this policy may be subject to disciplinary action, up
to and including termination of employment.



Declaration of Understanding
I have read, understand, and agree to adhere to Ndege Chai Sacco Ltd's Anti-Virus Policy.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………



SOFTWARE INSTALLATION POLICY
Introduction

The goal of the ICT Department is to provide stable technology solutions that perform well, and
appropriately address business needs. However, a lack of standard policy as regards what
software titles can be installed on SACCO personal computers has hindered provision of
excellent service to all end users and departments.

The purpose of this Software Installation Policy is to address all relevant issues pertaining to
appropriate software installation and deployment on Ndege Chai Sacco Ltd computing systems.

This policy is a living document and may be amended at any time. Any questions regarding this
policy should be directed to helpdesk@ndegechaisacco.com

Supported Software

The following is a list of fully supported, standard software installed on all SACCO-owned
personal computers:

1. Microsoft Windows XP, Windows 7, Windows 10
2. Microsoft Windows Server 2003 and Windows Server 2012
3. Microsoft Office 2007
4. Microsoft Office 2010
5. Microsoft Outlook 2010
6. Microsoft Outlook 2007
7. Microsoft Internet Explorer 7.0 and later
8. Firefox
9. Microsoft Windows Media Player 10.0
10. Kaspersky Antivirus Corporate Edition
11. Adobe Acrobat Reader 5
12. WinZip 8.1
13. Crystal Reports
14. Fine Xtreme
15. DMS Fortis
16. VMware virtual machines

Note that Microsoft ended support for Windows XP (April 2014), Windows Server 2003 (July 2015)
and Office 2007 (October 2017) before this revision, so installations of those products no
longer receive security patches.

Other supported software titles, available upon request, include:

1. Microsoft Project 2007
2. Microsoft Visio 2007
3. Linux

Restricted software titles available to individuals with a demonstrable business need include:

1. Cisco VPN Client
2. Remote Desktop
3. Team Viewer

The ICT Department does not provide support for any software titles not listed above. The ICT
Department expressly forbids installation of the following software:

1. Privately owned software.
2. Internet downloads.
3. Pirated copies of any software titles.
4. Any title not listed in this policy.
5. Any software not installed according to the procedures set out in this policy.

Software Requests

If you would like to have software installed on your system, approval must be obtained from the
ICT Manager. This includes all software titles listed above, currently unlisted titles, and privately
owned and licensed titles. The ICT Department reserves the right to reject any software
installation request for any reason.

Please fill out a copy of the Software Request Form located at the end of this policy and return it
to your Department Manager for forwarding to the ICT Department.

Software Installation

Software titles are to be installed on SACCO-owned equipment by an ICT staff member, or under
their direct supervision. However, there are a few titles that may be downloaded and installed
by end users without supervision. These are limited to:

1. Adobe Acrobat Reader 12
2. WinZip 8.1

All software installed on Ndege Chai Sacco Ltd systems (including all commercial and
shareware products) must be used in compliance with all applicable licenses, notices, contracts,
and agreements.

The ICT Department reserves the right to uninstall any unapproved software from a SACCO-
owned machine.

Periodic Audits

The ICT Department reserves the right to monitor software installation and usage on Ndege Chai
Sacco Ltd.’s computer systems. The ICT Department will conduct periodic audits to ensure
compliance with this Software Installation Policy. Unannounced, random spot audits may be
conducted as well. During such audits, scanning and elimination of computer viruses may also be
performed. Other unsanctioned software may also be uninstalled at this time.

Non-Compliance Penalties

Penalties for violation of this policy will vary depending on the nature and severity of the
violation. Penalties include:

1. Disciplinary action, including, but not limited to, reprimand, suspension and/or
termination of employment.
2. Civil or criminal prosecution under applicable law(s).



Employee Acknowledgement

I have read and understand Ndege Chai Sacco Ltd's Software Installation Policy. I agree to abide
by it as consideration for continued employment by Ndege Chai Sacco Ltd. I understand that
violation of any of the above policies may result in my termination.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………



REMOTE ACCESS POLICY AND AGREEMENT
Purpose
The purpose of this policy is to define standards, procedures, and restrictions for connecting to
Ndege Chai Sacco Ltd’s internal network(s) from external hosts via remote access technology,
and/or for utilizing the Internet for business purposes via third-party wireless Internet service
providers (a.k.a. “hotspots”). Ndege Chai Sacco Ltd’s resources (i.e. corporate data, computer
systems, networks, databases, etc.) must be protected from unauthorized use and/or malicious
attack that could result in loss of information, damage to critical applications, loss of revenue,
and damage to our public image. Therefore, all remote access and mobile privileges for Ndege
Chai Sacco Ltd employees to enterprise resources – and for wireless Internet access via hotspots
– must employ only SACCO-approved methods.

Scope
This policy applies to all Ndege Chai Sacco Ltd employees, seasonal staff, and other agents who
utilize SACCO- or personally-owned computers to remotely access the organization’s data and
networks. Employment at Ndege Chai Sacco Ltd does not automatically guarantee the granting
of remote access privileges.
Any and all work performed for Ndege Chai Sacco Ltd on said computers by any and all
employees, through a remote access connection of any kind, is covered by this policy. Work can
include (but is not limited to) e-mail correspondence, Web browsing, utilizing intranet resources,
and any other SACCO application used over the Internet. Remote access is defined as any
connection to Ndege Chai Sacco Ltd's network and/or other applications from off-site
locations, such as the employee’s home, a hotel room, airports, cafés, satellite office, wireless
devices, etc.

Supported Technology
All remote access will be centrally managed by Ndege Chai Sacco Ltd’s IT department and will
utilize encryption and strong authentication measures. Remote access connections covered by
this policy include (but are not limited to) Internet dial-up modems, frame relay, ISDN, DSL,
VPN, SSH, cable modems, proprietary remote access/control software, etc.

Eligible Users
All employees requiring the use of remote access for business purposes must go through an
application process that clearly outlines why the access is required and what level of service the
employee needs should his/her application be accepted. Application forms must be approved and
signed by the department head before submission to the ICT department.
Employees may use privately owned connections (under ‘Supported Technology’) for business
purposes. If this is the case, the ICT department must approve the connection as being secure and
protected. However, the SACCO’s ICT department cannot and will not technically support a
third-party ISP connection or hotspot wireless ISP connection. All expense forms for
reimbursement of cost (if any) incurred due to remote access for business purposes (i.e. Internet
connectivity charges) must be submitted to the appropriate unit or department head. Financial
reimbursement for remote access is not the responsibility of the ICT department.

Policy and Appropriate Use


It is the responsibility of any employee of Ndege Chai Sacco Ltd with remote access privileges
to ensure that their remote access connection remains as secure as their network access
within the office. It is imperative that any remote access connection used to conduct Ndege Chai
Sacco Ltd business be utilized appropriately, responsibly, and ethically. Therefore, the following
rules must be observed:

1. General access to the Internet by residential remote users through Ndege Chai Sacco
Ltd’s network is permitted. However, both the employee and his/her family members
using the Internet for recreational purposes through SACCO networks are not to violate
any of Ndege Chai Sacco Ltd’s Internet acceptable use policies.

2. Employees will use secure remote access procedures. This will be enforced through
encrypted connections (public/private key based) and strong passwords in accordance with
Ndege Chai Sacco Ltd's password policy. Employees agree never to disclose their passwords to
anyone, particularly to family members if business work is conducted from home.

3. All remote computer equipment and devices used for business interests, whether personal
or SACCO-owned, must display reasonable physical security measures. Computers will
have installed whatever antivirus software deemed necessary by Ndege Chai Sacco Ltd’s
ICT department.

4. Remote users using public hotspots for wireless Internet access must employ for their
devices a SACCO-approved personal firewall, VPN, and any other security measure
deemed necessary by the ICT department. VPNs supplied by the wireless service
provider should also be used, but only in conjunction with Ndege Chai Sacco Ltd’s
additional security measures.

   - Hotspot and remote users must disconnect wireless cards when not in use in order to
     mitigate attacks by hackers, wardrivers, and eavesdroppers.
   - Users must change their passwords after every business or personal trip during which
     SACCO data was used over a hotspot wireless service, and after a SACCO device has been
     used for personal Web browsing.
5. Any remote connection (i.e. hotspot, ISDN, frame relay, etc.) that is configured to access
Ndege Chai Sacco Ltd resources must adhere to the authentication requirements of Ndege
Chai Sacco Ltd’s ICT department. In addition, all hardware security configurations
(personal or SACCO-owned) must be approved by Ndege Chai Sacco Ltd’s ICT
department.

6. Employees, contractors, and temporary staff will make no modifications of any kind to
the remote access connection without the express approval of Ndege Chai Sacco Ltd’s IT
department. This includes, but is not limited to, split tunneling, dual homing, non-
standard hardware or security configurations, etc.

7. Employees, contractors, and temporary staff with remote access privileges must ensure
that their computers are not connected to any other network while connected to Ndege
Chai Sacco Ltd’s network via remote access, with the obvious exception of Internet
connectivity.

8. In order to avoid confusing official SACCO business with personal communications,
employees, contractors, and temporary staff with remote access privileges must never use
non-SACCO e-mail accounts (e.g. Hotmail, Yahoo, etc.) to conduct Ndege Chai Sacco
Ltd business.

9. No employee is to use Internet access through SACCO networks via remote connection
for the purpose of illegal transactions, harassment, competitor interests, or obscene
behavior, in accordance with other existing employee policies.

10. All remote access connections must include a “time-out” system. In accordance with
Ndege Chai Sacco Ltd’s security policies, remote access sessions will time out after 5
minutes of inactivity, and will terminate after 1 hour of continuous connection. Both
time-outs will require the user to reconnect and re-authenticate in order to re-enter
SACCO networks. Should a remote user’s account be inactive for a period of five days,
access account privileges will be suspended until the ICT department is notified.

11. If a personally- or SACCO-owned computer or related equipment used for remote access
is damaged, lost, or stolen, the authorized user will be responsible for notifying their
manager and Ndege Chai Sacco Ltd’s IT department immediately.

12. The remote access user also agrees to immediately report to their manager and Ndege
Chai Sacco Ltd’s ICT department any incident or suspected incidents of unauthorized
access and/or disclosure of SACCO resources, databases, networks, etc.

13. The remote access user also agrees to and accepts that his or her access and/or connection
to Ndege Chai Sacco Ltd’s networks may be monitored to record dates, times, duration of
access, etc., in order to identify unusual usage patterns or other suspicious activity. As
with in-house computers, this is done in order to identify accounts/computers that may
have been compromised by external parties.

14. Ndege Chai Sacco Ltd will not reimburse employees for business-related remote access
connections made on a pre-approved privately owned ISP service.

Policy Non-Compliance
Failure to comply with the Remote Access Policy and Agreement may result in the suspension of
remote access privileges, disciplinary action, and possibly termination of employment.



Employee Declaration
I have read and understand the above Remote Access Policy and Agreement, and consent to
adhere to the rules outlined therein.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………

Manager Signature ………………………….. Date …………………………..

ICT Administrator Signature …………………….. Date……………………….



FIREWALL POLICY
Purpose
Ndege Chai Sacco Ltd operates perimeter firewalls between the Internet and its private internal
network in order to create a secure operating environment for Ndege Chai Sacco Ltd’s computer
and network resources. A firewall is just one element of a layered approach to network security.
The purpose of this Firewall Policy is to describe how the Cisco Pix 515e firewall will filter Internet
traffic in order to mitigate risks and losses associated with security threats, while maintaining
appropriate levels of access for business users.
The Firewall Policy is subordinate to Ndege Chai Sacco Ltd’s general Security Policy, as well as
any governing laws or regulations.

Scope
This Firewall Policy refers specifically to the Cisco Pix 515e firewall. The firewall will (at
minimum) perform the following security services:
1. Access control between the trusted internal network and untrusted external networks.
2. Block unwanted traffic as determined by the firewall rule set.
3. Hide vulnerable internal systems from the Internet.
4. Hide information, such as system names, network topologies, and internal user IDs,
from the Internet.
5. Log traffic to and from the internal network.
6. Provide robust authentication.
7. Provide virtual private network (VPN) connectivity.



All employees of Ndege Chai Sacco Ltd are subject to this policy and required to abide by it.

Responsibilities
ICT Department is responsible for implementing and maintaining Ndege Chai Sacco Ltd
firewalls, as well as for enforcing and updating this policy. Logon access to the firewall will be
restricted to a primary firewall administrator and one designee. Password construction for the
firewall will be consistent with the strong password creation practices outlined in Ndege Chai
Sacco Ltd’s Password Policy.

Policy
The approach adopted to define firewall rule sets is that all services will be denied by the firewall
unless expressly permitted in this policy. The Cisco Pix 515e firewall permits the following
outbound and inbound Internet traffic.
1. Outbound – All Internet traffic to hosts and services outside of Ndege Chai Sacco Ltd.
2. Inbound – Only Internet traffic from outside Ndege Chai Sacco Ltd that supports the
business mission of Ndege Chai Sacco Ltd, as defined in the security policy.
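To make the rule-set approach concrete, here is an added example in Python that is not part of the policy and is not Cisco PIX configuration: a small model of a default-deny filter with the two policy rules above. The internal range 10.0.0.0/8, the public Web server 10.1.2.3 on port 443 and the test addresses are assumptions for the example. It shows the two things practitioners most often get wrong when reading "outbound all, inbound only what is permitted": replies to outbound connections are let back in by the firewall's connection state, not by an inbound permit rule, and every inbound flow that matches no rule falls through to the implicit deny at the end of the list.

```python
"""Default-deny rule-set model: added example, not a device configuration."""
from dataclasses import dataclass
from typing import Optional, Set, Tuple
import ipaddress

INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (any protocol)
    dst: str              # destination host or network, e.g. "10.1.2.3/32"
    dport: Optional[int]  # None matches any port

    def matches(self, flow: Flow) -> bool:
        if self.proto != "ip" and self.proto != flow.proto:
            return False
        if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or self.dport == flow.dport


# Inbound rule set: first match wins and the unwritten last rule is "deny".
# Only the assumed public Web server on 10.1.2.3:443 is expressly permitted.
INBOUND_RULES = [
    Rule("permit", "tcp", "10.1.2.3/32", 443),
]


def evaluate(flow: Flow, established: Set[Tuple[str, str, str, int]]):
    """Return ("permit" | "deny", reason) for one flow crossing the firewall.

    `established` stands in for the stateful connection table: outbound flows
    are recorded there, and a later inbound flow whose endpoints mirror one of
    them is treated as a reply.  Source ports are not modelled, which is enough
    to show the mechanism but not enough for a real device.
    """
    src_inside = ipaddress.ip_address(flow.src) in INSIDE_NET
    dst_inside = ipaddress.ip_address(flow.dst) in INSIDE_NET
    if src_inside and not dst_inside:
        # Policy item 1: all outbound Internet traffic is permitted.
        established.add((flow.src, flow.dst, flow.proto, flow.dport))
        return "permit", "outbound"
    if not src_inside and dst_inside:
        # Reply to a connection opened from inside: allowed by state, not rule.
        for isrc, idst, iproto, _ in established:
            if (isrc, idst, iproto) == (flow.dst, flow.src, flow.proto):
                return "permit", "established"
        # Policy item 2: inbound only if a rule expressly permits it.
        for rule in INBOUND_RULES:
            if rule.matches(flow):
                return rule.action, "rule"
        return "deny", "implicit deny"
    return "deny", "not an Internet boundary crossing"


if __name__ == "__main__":
    state = set()
    for f in (Flow("10.0.0.5", "198.51.100.7", "tcp", 443),     # staff browsing out
              Flow("198.51.100.7", "10.0.0.5", "tcp", 51000),   # the reply
              Flow("203.0.113.4", "10.1.2.3", "tcp", 443),      # public Web server
              Flow("203.0.113.4", "10.1.2.3", "tcp", 22),       # SSH to same host
              Flow("203.0.113.4", "10.0.0.5", "tcp", 51000)):   # unsolicited "reply"
        print(f, "->", evaluate(f, state))
```

The last flow in the usage block looks like the reply two lines above it but reaches a fresh address pair, so it hits the implicit deny; that is the property the "deny unless expressly permitted" sentence is meant to guarantee, and it is worth verifying on the real firewall with a scan from outside after every rule change.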

Operational Procedures
- Ndege Chai Sacco Ltd employees may request changes to the firewall's configuration in
  order to allow previously disallowed traffic. A firewall change request form, with full
  justification, must be submitted to the ICT department for approval. All requests will be
  assessed to determine if they fall within the parameters of acceptable risk. Approval is
  not guaranteed as associated risks may be deemed too high. If this is the case, an
  explanation will be provided to the original requestor and alternative solutions will be
  explored.
- Ndege Chai Sacco Ltd employees may request access from the Internet for services
  located on the internal Ndege Chai Sacco Ltd network. Typically, this remote access is
  handled via a secure, encrypted virtual private network (VPN) connection.
  In line with the Remote Access Policy, VPN sessions will have an inactivity timeout of
  5 minutes and an absolute timeout of 1 hour. At the end of either timeout period, users
  must re-authenticate to continue or re-establish their VPN connection. A VPN
  connectivity request form, with full justification, must be submitted to the ICT
  department for approval. Approval is not guaranteed.
- From time to time, outside vendors, contractors, or other entities may require secure,
  short-term, remote access to Ndege Chai Sacco Ltd's internal network. If such a need
  arises, a third-party access request form, with full justification, must be submitted to the
  ICT department for approval. Approval is not guaranteed.
- Turnaround time for the above stated firewall reconfiguration and network access
  requests is 2 days from the receipt of the request form.
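The VPN timeouts above and item 10 of the Remote Access Policy (5 minutes of inactivity, 1 hour of continuous connection, suspension of accounts unused for five days) describe one mechanism that a remote-access gateway has to apply on every request. The following is an added example, not code from the policy or from any SACCO system: it models those three checks with the policy's own figures. The session and account records, and the timestamps, are constructed for the example. It also refuses a configuration whose absolute timeout is shorter than its idle timeout, because such a setting makes the idle timeout unreachable.

```python
"""Remote-access session and account timeouts: added example, not SACCO code."""
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=5)     # re-authenticate after 5 min of inactivity
ABSOLUTE_TIMEOUT = timedelta(hours=1)   # re-authenticate after 1 h of continuous connection
DORMANT_ACCOUNT = timedelta(days=5)     # suspend remote access after 5 days unused

# An absolute timeout shorter than the idle timeout could never be preceded by
# an idle timeout, so treat that pairing as a configuration error.
assert IDLE_TIMEOUT < ABSOLUTE_TIMEOUT


def session_status(session, now):
    """Return 'active', 'idle-timeout' or 'absolute-timeout' for one session.

    The absolute check runs first: activity refreshes the idle clock but never
    the session start, so a busy session still ends after one hour.
    """
    if now - session["started"] >= ABSOLUTE_TIMEOUT:
        return "absolute-timeout"
    if now - session["last_activity"] >= IDLE_TIMEOUT:
        return "idle-timeout"
    return "active"


def account_status(account, now):
    """Return 'enabled' or 'suspended'; a suspension is only lifted by ICT."""
    if account.get("suspended"):
        return "suspended"
    if now - account["last_login"] >= DORMANT_ACCOUNT:
        account["suspended"] = True     # stays set until ICT clears it
        return "suspended"
    return "enabled"


def on_request(session, account, now):
    """Decide one request as (allowed, reason); refresh last_activity only when allowed."""
    if account_status(account, now) == "suspended":
        return False, "account suspended: contact ICT"
    status = session_status(session, now)
    if status != "active":
        return False, f"{status}: reconnect and re-authenticate"
    session["last_activity"] = now
    return True, "ok"


def sample_run():
    """Walk a constructed sequence of requests and return the decisions made."""
    t0 = datetime(2018, 11, 1, 9, 0)            # constructed timestamps
    account = {"last_login": t0}
    session = {"started": t0, "last_activity": t0}
    results = []
    for minutes in (3, 9):                      # 3 min: fine; 9 min: 6 min idle
        results.append(on_request(session, account, t0 + timedelta(minutes=minutes)))
    # A session that stayed busy still hits the absolute limit at one hour.
    busy = {"started": t0, "last_activity": t0 + timedelta(minutes=58)}
    results.append(on_request(busy, account, t0 + timedelta(minutes=60)))
    # Five days without a login suspends the account, and it stays suspended.
    results.append(on_request(busy, account, t0 + timedelta(days=5)))
    results.append(account_status(account, t0))
    return results


if __name__ == "__main__":
    for decision in sample_run():
        print(decision)
```

The order of checks in on_request is deliberate: a dormant account is refused before its session is even looked at, so a session that somehow survived the five days cannot be used to keep the account alive.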

Enforcement
Wherever possible, technological tools will be used to enforce this policy and mitigate security
risks. Any employee who is found to have violated this policy may be subjected to disciplinary
action, up to and including termination of employment.



Agreement
I have read and understand the Firewall Policy. I understand if I violate the rules explained
herein, I may face legal or disciplinary action according to applicable law or SACCO policy.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………



DOWNTIME POLICY
Purpose
Ndege Chai Sacco Ltd is committed to ensuring reliable information technology services. In
order to meet this objective, Ndege Chai Sacco Ltd systems may need to be taken offline to
maintain or improve system performance, safeguard data, or to respond to emergency situations.
The goal of this policy is to explain those circumstances during which downtime may occur,
anticipated durations of downtime events, and procedures for notifying affected users.

Planned Downtime
From time to time, it will be necessary to make systems unavailable for the purpose of
performing upgrades, maintenance, or housekeeping tasks. The goal of these tasks is to ensure
maximum system performance and prevent future system failures. The following activities fall
within the definition of Planned Downtime:
1. Application of patches to operating systems and other applications in order to fix
vulnerabilities and bugs, add functionality, or improve performance.
2. Monitoring and checking of system logs.
3. Security monitoring and auditing.
4. Disk defragmentation, disk cleanup, and other general disk maintenance operations.
5. Required upgrades to system physical memory or storage capacity.
6. Installation or upgrade of applications or services.
7. System performance tuning.
8. Regular backup of system data for the purpose of disaster recovery.
In the event that any of these activities will require downtime to perform, every effort will be
made to perform the procedure during off-hours in order to minimize the impact on those who
use the affected systems or services.

On occasion, it may be necessary to have Planned Downtime during regular business hours,
namely if outside personnel are required to perform more elaborate procedures. If this is the case,
then the Planned Downtime will be communicated to identified users of affected resources using
the Notification of Downtime mechanism described below.

Emergency Downtime
Unexpected circumstances may arise where systems or services will be interrupted without prior
notice. Every effort will be made to avoid such circumstances. However, incidents may arise
involving a compromise of system security, the potential for damage to equipment or data, or
emergency repairs. If the affected system(s) cannot be brought back online within 30 minutes,
affected users will be contacted via the Notification of Downtime mechanism described below.

Notification of Downtime

Users will be notified of downtime according to the following procedure:
1. The system administrator for the system in question is responsible for notifying all
identified users of Planned Downtime, as well as any unplanned interruptions to
system availability as they occur.
2. The system administrator will first notify all affected users via e-mail. All users are
responsible for checking email for downtime and system status notifications. In the
event that the email is unavailable due to Emergency Downtime, the system
administrator will contact department heads by telephone to inform them of the
situation.
3. If general maintenance procedures will cause Planned Downtime during regular
business hours, and the procedure will last less than 2 hours, then the system
administrator must notify system users 72 hours prior to the Planned Downtime.
4. If Planned Downtime beyond general maintenance is scheduled that will last longer
than 2 hours, then the system administrator must give 4 business days’ notice for every
day of anticipated system unavailability. This step must be taken regardless of whether
the downtime is scheduled to take place during off hours or regular business hours.
5. In the event of Emergency Downtime, the system administrator will use his/her
discretion in notifying end users of the situation. In emergency circumstances where
time is of the essence, it may not be possible for the system administrator to engage in
normal downtime notification activities. When emergency measures are completed, or
if 2 hours have elapsed with no resolution, then the system administrator will contact all
users with information on system status and/or information on additional expected
downtime.
All downtime announcements will provide the following information:
1. Systems and services that are affected, as well as suggested alternatives to them (if
any).
2. Start and end times of the Planned Downtime period, or estimated time to recovery in
the event of Emergency Downtime.
3. The reasons why the downtime is taking place.
4. Any ongoing problems that are anticipated as a result of the downtime event.
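A notice-deadline checker for the notification rules above, added here as an example rather than part of the Sacco's policy or tooling. It assumes business days are Monday to Friday and that a downtime of exactly 2 hours falls under the short-downtime rule, neither of which the policy states.

```python
"""Notice-deadline checker for the Notification of Downtime procedure.

Added example, not part of the Ndege Chai Sacco Ltd policy. Rules encoded:
  * Planned Downtime under 2 hours in business hours -> 72 hours' notice.
  * Planned Downtime over 2 hours -> 4 business days' notice for every day
    (or part of a day) of unavailability, at any time of day.
  * Emergency Downtime -> status update when the work is done or once
    2 hours have elapsed without resolution.
Assumptions (not in the policy): business days are Monday to Friday, and
exactly 2 hours is treated as short downtime.
"""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

BUSINESS_WEEKDAYS = {0, 1, 2, 3, 4}  # Monday..Friday (assumption)


@dataclass
class PlannedDowntime:
    system: str
    start: datetime             # scheduled start of the outage
    duration_hours: float       # anticipated length of the outage
    during_business_hours: bool


def subtract_business_days(moment, n):
    """Step back n business days from moment, skipping weekend days."""
    current = moment
    remaining = n
    while remaining > 0:
        current -= timedelta(days=1)
        if current.weekday() in BUSINESS_WEEKDAYS:
            remaining -= 1
    return current


def notice_deadline(event):
    """Latest time by which users must be notified of a Planned Downtime.

    Returns None when the policy sets no advance-notice period (short
    downtime outside business hours): the e-mail notification of step 2
    still applies, but no lead time is mandated.
    """
    if event.duration_hours > 2:
        # Rule 4: each day, or part of a day, of unavailability needs
        # 4 business days' notice, whenever it is scheduled.
        days_unavailable = math.ceil(event.duration_hours / 24)
        return subtract_business_days(event.start, 4 * days_unavailable)
    if event.during_business_hours:
        # Rule 3: general maintenance in business hours, under 2 hours.
        return event.start - timedelta(hours=72)
    return None


def notice_is_compliant(event, notified_at):
    """True if a notification sent at notified_at meets the deadline."""
    deadline = notice_deadline(event)
    return deadline is None or notified_at <= deadline


def emergency_update_due(started_at, resolved_at=None):
    """Rule 5: all users are contacted when emergency measures are complete
    or, failing that, once 2 hours have elapsed."""
    two_hour_mark = started_at + timedelta(hours=2)
    if resolved_at is not None and resolved_at < two_hour_mark:
        return resolved_at
    return two_hour_mark


if __name__ == "__main__":
    # Constructed sample: a 30-hour upgrade starting Monday 21 January 2019
    # at 08:00 needs 8 business days' notice, i.e. by 9 January 2019 08:00.
    upgrade = PlannedDowntime("Application Server", datetime(2019, 1, 21, 8), 30, False)
    print("notify by:", notice_deadline(upgrade))
```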

Requests for Availability


If you foresee critical need of a system during a period of Planned Downtime, then contact ICT
in advance to make an appeal. The utmost effort will be made to reschedule the downtime or
make alternative arrangements for required resources.

SERVER BACKUP POLICY
Introduction
Data is one of Ndege Chai Sacco Ltd.’s most important assets. In order to protect this asset from
loss or destruction, it is imperative that it be safely and securely captured, copied, and stored.
The goal of this document is to outline a policy that governs how and when data residing on
SACCO servers will be backed up and stored for the purpose of providing restoration capability.
In addition, it will address methods for requesting that backed up data be restored to individual
systems.

What Is Backed Up
This policy refers to the backing up of data that resides on Ndege Chai Sacco Ltd’s servers.
Servers and the files and/or data types on these servers that are covered by this policy include:
1. Fine Xtreme Application Server
2. Microsoft Exchange Server
3. Domain Controller Server
4. DMS server
This policy does not refer to backing up of data that resides on individual PC or notebook hard
drives. Responsibility for backing up data on local desktop systems or laptops rests solely with
the individual user. It is strongly encouraged that end users save their data to the appropriate
server listed above in order that their data is backed up regularly in accordance with this policy.
In addition, files that are left open at the time the backup procedure is initiated may not be
backed up. End users are reminded to save and close all files, as well as all related applications,
prior to the backup procedure window.
It is the responsibility of server administrators to ensure that all new servers be added to this
policy, and that this policy be applied to each new server’s maintenance routine. Prior to
deploying a new server, a full backup must be performed and the ability to perform a full
restoration from that backup confirmed. Prior to retiring a server, a full backup must be
performed and placed in permanent storage.

Backup Schedule
Backups are conducted automatically. The backup is written to a shared folder and later
transferred to a USB external disk for storage.
The servers listed above must be backed up according to the following procedure. This method
ensures that no more than one day’s working data will be missing in the event of a data loss
incident.
All backup media are to be labeled using the following labeling convention:

• Labeling convention is MMDDYYYY

All backup media stored on site are to be stored in the data safe in FOSA.
All backup media stored off site are to be stored in the location chosen by the society.
The Operations Manager will provide the necessary transport for moving backup media to the
offsite location.

All backups will take place between the hours of 4.00 a.m. and 5.00 a.m. This timeframe has been
selected to minimize the impact of server downtime on end users that may be caused by the need
to take servers offline in order to perform the backup itself. If this backup schedule in some way
interferes with a critical work process, then the affected user(s) is to notify the ICT Department
so that exceptions or alternative arrangements can be made.

Incremental backups (only files changed since the last backup) will be performed daily, Monday
through Saturday. These External USB Hard Disks will be stored onsite during the following
backup cycle.

A full backup will be performed each Friday. This External USB Hard Disk will be stored on site
during the following backup cycle. At the end of the latter cycle, the weekly External USB Hard
Disk will be removed to a predetermined offsite location for storage.

All server backups performed must be noted in the server backup log immediately upon
completion. All server backup log sheets must be kept in an appropriately labeled three-ring
binder in an agreed-upon, centralized location. The log must include:

1. Server name,
2. Date and time of backup,
3. Name of administrator performing the backup,
4. Files backed up and/or skipped,
5. Software used to perform the backup,
6. Backup medium used and its label/name, and
7. Whether the backup was successful or not.
If, for some reason, the backup cannot be completed, is missed, or crashes, then it must be
completed by 7:00 a.m. the following morning. The reason for non-completion of the originally
scheduled backup must be noted in the server backup log. In addition, if a backup fails more than
one day in a row, end users in the organization must be notified.

If an External USB Hard Disk is discovered to be damaged or corrupt, then the External USB
Hard Disk must be destroyed to prevent further use and replaced with a new one.
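A schedule, media-label and backup-log helper that encodes the rules in this section, added here as an example and not the Sacco's own tooling. It assumes the Friday full backup replaces that day's incremental run and that the MMDDYYYY label carries the backup date; the policy states neither.

```python
"""Schedule, media-label and log helper for the Server Backup Policy.

Added example, not the Sacco's own tooling. Rules encoded: incremental backups
Monday to Saturday with a full backup on Friday (assumed to replace Friday's
incremental run), MMDDYYYY media labels, the seven fields each log entry must
carry, the 7:00 a.m. next-day make-up deadline, and notifying users when a
backup fails more than one day in a row. The log is in memory here; the policy
keeps it on paper in a binder.
"""
from dataclasses import dataclass, field
from datetime import date, datetime, time, timedelta

COVERED_SERVERS = ("Fine Xtreme Application Server", "Microsoft Exchange Server",
                   "Domain Controller Server", "DMS server")
FRIDAY, SUNDAY = 4, 6


def backup_type_for(day):
    """'full' on Friday, 'incremental' Monday-Thursday and Saturday, None on Sunday."""
    if day.weekday() == SUNDAY:
        return None
    return "full" if day.weekday() == FRIDAY else "incremental"


def media_label(day):
    """Labeling convention MMDDYYYY, e.g. 01042019 for 4 January 2019."""
    return day.strftime("%m%d%Y")


def label_is_valid(label):
    """True if the label parses as MMDDYYYY (a real month and day)."""
    try:
        datetime.strptime(label, "%m%d%Y")
        return len(label) == 8
    except ValueError:
        return False


def makeup_deadline(scheduled_day):
    """A missed or failed backup must be completed by 7:00 a.m. the next morning."""
    return datetime.combine(scheduled_day + timedelta(days=1), time(7, 0))


@dataclass
class BackupLogEntry:
    server: str                 # 1. server name
    started: datetime           # 2. date and time of backup
    administrator: str          # 3. administrator performing the backup
    files_backed_up: int        # 4. files backed up ...
    files_skipped: int          #    ... and/or skipped
    software: str               # 5. software used
    medium_label: str           # 6. backup medium label/name
    successful: bool            # 7. whether the backup was successful
    note: str = ""              # reason for non-completion, if any


@dataclass
class BackupLog:
    entries: list = field(default_factory=list)

    def record(self, entry):
        """Add an entry, refusing ones that would not satisfy the policy."""
        if entry.server not in COVERED_SERVERS:
            raise ValueError(f"{entry.server} is not covered by the backup policy")
        if not label_is_valid(entry.medium_label):
            raise ValueError("medium label must follow the MMDDYYYY convention")
        if not entry.successful and not entry.note:
            raise ValueError("a failed backup must record the reason in the log")
        self.entries.append(entry)

    def consecutive_failed_days(self, server):
        """Distinct calendar days, counting back from the latest entry, on
        which this server's backup has not (yet) succeeded."""
        days = []
        latest_first = sorted((e for e in self.entries if e.server == server),
                              key=lambda e: e.started, reverse=True)
        for e in latest_first:
            if e.successful:
                break
            if e.started.date() not in days:
                days.append(e.started.date())
        return len(days)

    def users_must_be_notified(self, server):
        """Policy: notify end users if a backup fails more than one day in a row."""
        return self.consecutive_failed_days(server) > 1
```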

Managing Restores
The ultimate goal of any backup process is to ensure that a restorable copy of data exists. If the
data cannot be restored, then the process is useless. As a result, it’s essential to regularly test
one’s ability to restore data from its storage media.
 All daily External USB Hard Disks must be tested at least once every 2nd week of the
month to ensure that the data they contain can be completely restored.

Data will be restored from a backup if:


1. There is an intrusion or attack.
2. Files have been corrupted, deleted, or modified.
3. Information must be accessed that is located on an archived backup.

4. Hardware Failure.
In the event a data restore is desired or required, the following policy will be adhered to:
1. The individuals responsible for overseeing backup and restore procedures are the
Systems Administrator and the Operations Manager. If a user has a restore request, they
shall give a written request to the Systems Administrator and Operations Manager detailing
the reason for the restore.

2. In the event of unplanned downtime, attack, or disaster, the Systems Administrator
shall be contacted, who will then contact Lanstar Technologies Ltd for full
restoration procedures.

3. In the event of a local data loss due to human error, the end user affected must
contact the IT Department and request a data restore. The end user must provide the
following information:

• Name.
• Contact information.
• Name of file(s) and/or folder(s) affected.
• Last known location of file(s) and/or folder(s) affected.
• Extent and nature of data loss.
• Events leading to data loss, including last modified date and time (if
known).
• Urgency of restore.
4. Depending on the extent of data loss, a daily External USB Hard Disk, weekly
External USB Hard Disk, or combination of both will need to be used. The timing in
the cycle will dictate whether or not these External USB Hard Disks are onsite or
offsite. External USB Hard Disks must be retrieved by the server administrator or
pre-determined replacement. If External USB Hard Disks are offsite and the restore
is not urgent, then the end user affected may be required to wait until 5.00 p.m. for
the External USB Hard Disk(s) to be retrieved.

5. If the data loss was due to user error or a lack of adherence to procedure, then the
end user responsible may be required to participate in a tutorial on effective data
backup practices.

Declaration of Understanding
I have read, understand, and agree to adhere to Ndege Chai Sacco Ltd’s Server Backup Policy.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………

ICT ASSET DISPOSAL POLICY
Purpose
The purpose of this policy is to establish and define standards, procedures, and restrictions for
the disposal of non-leased ICT equipment in a legal, cost-effective manner. Ndege Chai’s
surplus or obsolete ICT assets and resources (e.g. desktop computers, servers, databases, etc.)
must be discarded according to legal requirements and environmental regulations through the
appropriate external agents. Therefore, all disposal procedures for retired ICT assets must adhere
to SACCO-approved methods.

Scope
This policy applies to the proper disposal of all non-leased Ndege Chai ICT hardware, including
PCs, printers, handheld devices, servers, databases, hubs, switches, bridges, routers, and so on.
SACCO-owned surplus hardware, obsolete machines, and any equipment beyond reasonable
repair or reuse are covered by this policy. Where applicable, it is desirable to achieve some
residual value of the ICT asset in question through reselling, auctioning, donation, or
reassignment to a less-critical function.

Definitions
“Non-leased” refers to any and all ICT assets that are the sole property of Ndege Chai
Sacco Ltd; that is, equipment that is not rented, leased, or borrowed from a third-party
supplier or partner SACCO.

“Disposal” refers to the reselling, reassignment, recycling, donating, or throwing out of
ICT equipment through responsible, ethical, and environmentally sound means.

“Obsolete” refers to any and all equipment over 7 years old and/or that which no longer
meets requisite functionality.

“Surplus” refers to hardware that has been replaced by upgraded equipment or is
superfluous to existing requirements.

“Beyond reasonable repair” refers to any and all equipment whose condition requires
fixing or refurbishing that is likely to cost as much as or more than total replacement.

Guidelines
Disposal and disposal procedures of all ICT assets and equipment will be centrally managed and
coordinated by Ndege Chai’s ICT department. Ndege Chai’s ICT department is also responsible
for backing up and then wiping SACCO data from all ICT assets slated for disposal, as well as
for the removal of SACCO tags and/or identifying labels. The ICT department is in charge of
selecting and approving external agents for recycling hardware and/or sanitizing hardware of
harmful toxins before shipment to landfills.

Practices
Acceptable methods for the disposal of ICT assets are as follows:
a) Sold to existing staff.
b) Sold as scrap to a licensed dealer.
c) Used as a trade-in against cost of replacement item.
d) Reassigned to a less-critical business operation function.
e) Donated to schools, charities, and other non-profit organizations.

f) Recycled and/or refurbished to leverage further use (within limits of reasonable repair).
g) Discarded as rubbish in a landfill after being sanitized of toxic materials by an approved
service provider.

Policy
It is the responsibility of any employee of Ndege Chai Sacco Ltd’s ICT department with the
appropriate authority to ensure that ICT assets, equipment, and hardware are disposed of
according to one or more of the methods prescribed above. It is imperative that any disposals
performed by Ndege Chai Sacco Ltd. are done appropriately, responsibly, and ethically, as well
as with SACCO resource planning in mind. The following rules must therefore be observed:

Obsolete IT Assets: As prescribed above, “obsolete” refers to any and all computer or
computer-related equipment over 7 years old and/or equipment that no longer meets requisite
functionality. Identifying and classifying ICT assets as obsolete is the sole province of Ndege
Chai Sacco Ltd’s ICT department. Decisions on this matter will be made according to Ndege
Chai Sacco Ltd’s purchasing/procurement strategies. Equipment lifecycles are to be determined
by ICT asset management best practices (e.g. total cost of ownership, required upgrades, etc.).

Reassignment of Retired Assets: Reassignment of computer hardware to a less-critical role is
made at the sole discretion of Ndege Chai Sacco Ltd’s ICT department. It is, however, the goal
of Ndege Chai Sacco Ltd. to – whenever possible – reassign ICT assets in order to achieve full
return on investment (ROI) from the equipment and to minimize hardware expenditures when
feasible reassignment to another business function will do instead.

Trade-Ins: Where applicable, in cases in which a piece of equipment is due for replacement by a
newer model, reasonable actions must be taken to ensure that a fair, market-rate trade-in value is
obtained.

Income Derived from Disposal: Whenever possible, it is desirable to achieve some residual
value from retired or surplus ICT assets. Any and all receipts from the sale of ICT assets must be
kept and submitted to the appropriate department. Income derived from sales to staff or the public
must be fully receipted and the monies sent to Ndege Chai Sacco Ltd’s finance department. Sales to
staff should be advertised through the SACCO intranet or via e-mail. Auctioning methods will be
chosen as a joint decision between Ndege Chai Sacco Ltd.’s ICT manager and the Board of
Directors.

Cannibalization and Assets Beyond Reasonable Repair: The ICT manager is responsible for
verifying and classifying any ICT assets beyond reasonable repair. Equipment identified as such
should be cannibalized for any spare and/or working parts that can still be put to sufficient use
within the organization. The ICT department will inventory and stockpile these parts. Remaining
parts and/or whole machines unfit for use or any other disposal means will be sold to an
approved scrap dealer or salvage company.

Decommissioning of Assets: All hardware slated for disposal by any means must be fully wiped
clean of all SACCO data. Ndege Chai Sacco Ltd’s ICT department will assume responsibility for
decommissioning this equipment by deleting all files, SACCO-licensed programs, and
applications using a pre-approved disk-sanitizer. This sanitizer must completely overwrite each
and every disk sector of the machine with zero-filled blocks. In addition, any property tags or
identifying labels must also be removed from the retired equipment.
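A zero-fill sanitizer with sector-by-sector verification of the kind the Decommissioning of Assets rule calls for, added here as an example; it is not the Sacco's pre-approved sanitizer. It assumes a 512-byte sector and, in the demo, runs against a constructed disk image rather than a real device.

```python
"""Zero-fill sanitization with verification, per the Decommissioning rule:
every sector of the machine overwritten with zero-filled blocks.

Added example, not the Sacco's pre-approved disk sanitizer. It opens any
path that is writable as a flat byte range: a raw block device (needs
administrator rights and is irreversible) or, as in the demo, a constructed
disk image file. The 512-byte sector size is an assumption. Verification
re-reads the whole device and reports the first sector that is not entirely
zero, so a write that silently failed cannot pass as sanitized.
"""
import os
import tempfile

SECTOR = 512                 # assumed sector size
CHUNK = SECTOR * 2048        # 1 MiB written or read per call


def zero_fill(path):
    """Overwrite every byte of path with zeros and flush to stable storage.
    Returns the number of bytes written."""
    zeros = bytes(CHUNK)
    fd = os.open(path, os.O_WRONLY)
    try:
        total = os.lseek(fd, 0, os.SEEK_END)   # size of the file or device
        os.lseek(fd, 0, os.SEEK_SET)
        written = 0
        while written < total:
            want = min(CHUNK, total - written)
            # os.write may write fewer bytes than asked; loop until done
            written += os.write(fd, zeros[:want])
        os.fsync(fd)
        return written
    finally:
        os.close(fd)


def verify_zeroed(path):
    """Read the whole device back. Returns (True, None) if every byte is
    zero, otherwise (False, index_of_first_nonzero_sector)."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, None
            if any(chunk):                      # at least one nonzero byte
                first = next(i for i, b in enumerate(chunk) if b)
                return False, (offset + first) // SECTOR
            offset += len(chunk)


def sanitize(path):
    """Zero-fill, then verify; returns a record for the disposal paperwork."""
    written = zero_fill(path)
    ok, bad_sector = verify_zeroed(path)
    return {"bytes_written": written, "verified": ok, "first_bad_sector": bad_sector}


def make_sample_image(size):
    """Constructed stand-in for a retired disk: a temp file of random bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(size))
    return path


if __name__ == "__main__":
    image = make_sample_image(3 * SECTOR + 100)   # deliberately not sector-aligned
    print("before:", verify_zeroed(image))        # (False, 0)
    print("after: ", sanitize(image))             # verified True
    os.remove(image)
```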

Harmful Substances: Hazardous materials such as lead, mercury, bromine, cadmium, etc. must
be thoroughly removed from computer hardware before shipment to a landfill as rubbish. The
ICT department may perform this action itself using government-approved disposal methods, or
hire an accredited disposal company specializing in this service. Whichever route is taken,
the removal and discarding of toxins from Ndege Chai Sacco Ltd.’s equipment must be in full
compliance with local law and NEMA regulations.

Donations: ICT assets with a net residual value of less than Ksh 10,000 that are not assigned for
reuse, discarding, or sale to employees or external buyers may be donated to a SACCO-
approved school, charity, or other non-profit organization (e.g. a distributor of free machines to
schools and children’s homes). All donations must be authorized by Ndege Chai Sacco Ltd. All
donation receipts must be submitted to the Finance department for taxation purposes.

CHANGE MANAGEMENT POLICY
Introduction
Information technology infrastructure is critical to the effective operation of Ndege Chai Sacco
Ltd. The Information Technology Department strives to continually maintain and
improve this vital resource. However, as our infrastructure (and our SACCO) has grown, it has
become more complex. As our interdependencies – between systems, between people, and
between people and systems – continue to grow, it is essential that we carefully manage changes
to the infrastructure. Even the most well-intentioned change can cause unexpected hardship to
technology users if the implications of the change are not mapped out in advance.

Purpose
The purpose of the Change Management Policy is to manage changes in a rational and
predictable manner so that staff can plan accordingly. Changes require serious forethought,
careful monitoring, and follow-up evaluation to reduce negative impact to the user community
and to increase the value of our vital Information Technology infrastructure. The purpose of this
policy is not to frustrate change or to question the rationale of changes. Rather, it is to make sure
that changes have their intended impact while avoiding unintended consequences.

Scope
This policy covers all changes to hardware, software, or applications in the shared ICT
infrastructure of Ndege Chai Sacco Ltd. This includes modification, changes, or additions to our
network services (LAN/WAN), server hardware and software, and support facilities (such as
electricity) for our ICT infrastructure. Any change that might affect the ICT infrastructure upon
which Ndege Chai Sacco Ltd personnel rely to conduct normal business operations is within the
scope of this policy.
Changes to the ICT Infrastructure can be necessary for many reasons, ranging from the need to
fix a hardware problem to the need to update software. Here is a non-exhaustive list of change
sources:
• Periodic maintenance.
• User requests.
• Hardware and/or software upgrades.
• Acquisition of new hardware and/or software.
• Other changes or modifications to the infrastructure.
• Environmental changes (such as changes to the electrical system).
• Operations schedule changes.

Change Management Group
The Change Management Group (CMG) will receive all requests for change. Requests for
changes must be made through the change request form. The Change Management Group will
have the following terms of reference.
1. They will be responsible for mapping out the potential impact of the change on
various stakeholders.
2. They will be responsible for communicating with all stakeholders critical
information about how a given change will impact their work.

3. They will establish the urgency and potential impact of a proposed change.
High impact changes, for example, might require downtime outside of regular
maintenance cycles.
4. For changes to critical hardware and software systems, the group will establish
testing and approval criteria in advance of making the change to the IT
infrastructure.
5. The group will be responsible for properly documenting all changes and will be
accountable for all changes. The group will maintain a change log that
documents all requests for change, plans and scheduling for the change, and
outcomes.
6. The group will maintain regular contact with stakeholders through Ndege Chai
Sacco ltd’s Information Technology governance committee, as well as directly
with heads and/or user committees of business units impacted by technology
changes.

Change Management Process


The change management process will include the following steps. Each of these steps must be
completed for every change.

1. Requestor fills out change management form.

The form includes space for a detailed description of the proposed change, the
systems involved, the business units impacted, and the location impacted. The
requestor also makes an initial estimation of the urgency and potential risk of the
change, how much implementing the change will cost, and how much downtime the
change may require.

2. The change management group reviews and approves the change.

At its meeting the change management group will review the Request for Change.
The group will evaluate the requestor’s proposal in light of their knowledge of Ndege
Chai Sacco Ltd technologies, business processes, and interdependencies. They may
adjust some of the estimates.

3. The change management committee can send the request back to the requestor
for further detail and study, if needed. Reasons for sending a request back can include
the following:

• Inadequate planning.
• Inadequate fall-back plans (in case the change fails).
• The timing of the change will negatively impact a key business process, such as year-end
accounting.
• Adequate resources are not readily available for the project.
• Staff are not available to make the change in the time specified.
4. The change management group assigns responsibility for making the change. If
the request is approved, the change management group will assign responsibility for

making the change to qualified personnel. They will establish specifications and
testing requirements depending on the nature of the change.

5. The change management group will communicate with stakeholders. The change
management group will make sure that all stakeholders are aware of the nature and
potential impact of the proposed change. For changes requiring downtime outside of
regular maintenance cycles the group will also get feedback from stakeholders on
appropriate scheduling of downtime.

6. The change management group will track progress on the proposed changes and
have final approval. Personnel tasked with working on the change will report back
to the group regarding progress on planning and testing. When the proposed change
has been tested, and appropriate fallback has been planned in case of a problem, the
group will approve the change. They will schedule the change – if it requires time
outside of regular maintenance cycles – and will communicate with stakeholders.

7. The change management group will perform a follow-up on all changes. The
change management group will perform post-mortems on all changes. Successful
changes, as well as reasons why a change did not go through as planned, and lessons
learned from the experience will be included in the change log.

Change Control – Freezes & Risk Evaluation Policy


Purpose
The purpose of this policy is to ensure that ICT staff recognize that changes to computer
systems tend to destabilize those systems. It is Ndege Chai Sacco Ltd’s experience that there will
be at least some system errors attributable to Systems Requests that were not captured and
resolved during the Acceptance Testing phase. There may also be critical last-minute changes
associated with a Systems Request for various reasons.
Therefore, it is the purpose of this policy to place restrictions on the number and complexity of
system changes for periods of time around key scheduled system activities (e.g. month-ends,
year-ends). Such restrictions are a prudent way to contain errors.

Changes
A “change” is defined as anything that impacts the total base processing solution (both business
and technology), including:
• Enterprise applications.
• Transactional software.
• System software.
• Data center hardware.
• Middle-tier hardware.
• Infrastructure and architecture components.

• Bottom-level hardware (printers, desktop PCs, etc.).
• Outsourced services or components critical to operations.

Freeze Types
There are two types of freezes: “soft” and “hard.” Change control procedures at Ndege Chai
Sacco Ltd apply the Soft Freeze during periods associated with month-ends, while the Hard
Freeze is applicable for periods of time surrounding year-end activities. Freeze characteristics are
as follows:

Soft Freeze
During a Soft Freeze period, the following rules will apply:
• The “Risk Evaluation Matrix” must be completed for all proposed changes and submitted
to ICT.
• Non-essential functionality included with any changes must be easily removed should
any problems arise.
• Approval to implement changes (other than emergency fixes) must be obtained from the
project manager or sponsor responsible for submitting the original Systems Request.
Hard Freeze
During a Hard Freeze period, the following rules will apply:
• Non-essential changes will not be applied unless under extraordinary circumstances.
• The “Risk Evaluation Matrix” below must be completed for all proposed changes with
ICT.
• Approval to implement changes (other than emergency fixes) must be obtained from the
project manager or sponsor responsible for submitting the original Systems Request and
the Board.

Timing of Freezes
Type of Freeze              Starts                       Ends
Soft Freeze at month-end    Friday before a month-end    Friday following a month-end
Soft Freeze at year-end     1 November                   30 November
Hard Freeze at year-end     1 December                   31 December

Risk Evaluation Matrix


The goals of the Risk Evaluation Matrix are to:
Identify: Search for, identify, and locate risks before they become problems.

Analyze: Transform risk data into decision-making information and analysis (e.g. by evaluating
impacts, probabilities, timeframes, etc.).

Plan: Transform risk information into decision and mitigation actions (both present and future),
and to implement those actions.

Track: Monitor the risk indicators and mitigation actions.

Control: Correct for deviations from the risk mitigation plans.

Communicate: Provide information and feedback (both internal and external) to the Systems
Request owner on the risk activities, current risks, and emerging risks.

The Risk Evaluation Matrix process can be either simple or complex. Ndege Chai Sacco Ltd’s
Risk Evaluation Matrix is focused on high-level assessment of risk. Depending on the results –
or level of comfort – gained from this high-level exercise, a more complex evaluation process
may be required before an informed decision can be made by the appropriate individual(s).
The Risk Evaluation Matrix involves breaking down the Systems Request into small, clearly-
defined pieces (by functionality, layer, or other combination). The matrix creator will also:
• Assign a risk ID (simply a consecutive numbering identifier).
• Create a risk statement (e.g. “External data sources may not be available on time”).
• Assign an impact code:
  5 Very Severe – business continuity is threatened
  4 Severe – non-achievement or significant degradation of technical performance
  3 Moderate – some reduction in technical performance, and a workaround may exist
  2 Low – minimal to small reduction in technical performance
  1 Very Low – an awkward workaround exists to support the process for a short duration

• Assign a probability code:
  5 Very High
  4 High Probability
  3 Moderate
  2 Unlikely
  1 Very Unlikely

With the information gained through the risk evaluation process, the ICT department, its leader,
and the Systems Request owner can together create a plan for mitigating the risks associated with

the proposed change. Both the risk evaluation and the change plan should be presented to the
appropriate individual for approval.

Conclusion
Ndege Chai Sacco Ltd firmly believes that the combination of Freezes and the Risk Evaluation
Matrix represents a prudent response to concerns regarding system changes. Additionally, Ndege
Chai Sacco Ltd feels that the risk evaluation process does not handcuff the business and further
allows a mitigated risk acceptance of certain changes by the business.

Computer equipment/systems Use:

• No drinks are to be taken near the keyboard and mouse.
• After use, the computer and the power supply must be shut down.
• Every user is responsible for his/her own machine, and any malfunction must be
reported immediately to the head of the IT Department.
• No diskettes/flash disks/CDs/DVDs are to be used in the organization’s computers at any
time except those provided/permitted by the IT department.
• No writing or marking of any kind is to be made on a computer or its peripherals.
• All computer equipment leaving the office premises for any reason (e.g. for repairs, or a
laptop for use outside the office premises) must be recorded with the systems
administrator or operations manager. The same must be recorded when it is returned.
• An up-to-date inventory of all society computer equipment shall be maintained by the
systems administrator, showing the location and functional state/condition of each item
of equipment.

Health & Safety Policy


Employer regulations
The law states that an employer must provide or ensure:
• Tiltable screens
• Anti-glare screen filters
• Adjustable chairs
• Foot supports
• Lighting must be suitable with no glare or reflections
• Workstations are not cramped
• When working on a computer there are frequent breaks
• Appropriate eye and eyesight tests by an optician
• There should be no trailing wires
• Electrical sockets must not be overloaded
• There must be adequate space around the machine
• Heating and ventilation must be suitable
• Workstations must be strong enough to support the computers

Employee regulations
• Food and drink should not be placed near a machine
• Switch off the PC, including the monitor, when done with the day’s work

Possible dangers and solutions

Within Information and Communication Technology it is important that people are aware of the
various health and safety issues. Steps should also be taken to prevent common problems rather
than trying to cure them at a later date.

Back problems
Many computer users suffer serious back problems. This is usually due to poor posture or an
awkward position while sitting at a computer.

Solutions
 A fully adjustable chair helps avoid poor posture
 Footrests can reduce these problems
 Screens should tilt and turn to a position that avoids awkward movements

Repetitive Strain Injury (RSI)

Repetitive Strain Injury (RSI) is damage to the fingers, wrists and other parts of the body caused by
repeated movements over a long period of time.
Solution
 To prevent RSI, make sure your posture is correct, use wrist rests and take a five-minute
break from typing every hour.

Eyestrain
Eyes can become strained after staring at a computer screen for a long time, particularly when
working in bad light, in glare or with a flickering screen.
Solutions
 Anti-glare screen filters reduce the glare and reflections from a computer screen
 Use screens that do not flicker
 Take regular breaks - do not work for more than one hour without a break
 Lighting must be suitable, and blinds should be fitted to windows to reduce glare

Ozone irritation
Health experts have suggested that ozone emitted from laser printers can lead to breathing
problems.
Solution
 It is recommended that laser printers should be situated at least one metre away from
where people are sitting and there should be good ventilation in the area

Employee Acknowledgement

I have read and understood Ndege Chai Sacco ICT Policies as follows:
Ndege Chai Sacco End User ICT Policies and Procedures

1. Password Policy
2. E-mail communication and Internet usage policy
3. Personal Network usage and Printer Policy
4. Anti-virus policy
5. Software install policy
6. Remote Access and Firewall Policy
7. Downtime and Back up policy
8. Asset Disposal and Change Management policy
9. Health and Safety policy.

I agree to abide by them as a condition of continued employment by Ndege Chai Sacco. I
understand that violation of any of the above policies may result in disciplinary action,
including my termination.

Name: ………………………………………… Designation………………………………..

Signature: …………………… Date: ……………………
