Transcription
ICT POLICYDocument NoCSIR-MS-POL-ICT-001 REV02Revision Status02Arthur A. MadonselaPrepared byChief Information Officer (CIO)Last Review Date29 January 2019Effective Date09 April 2019Approved byCSIR BoardDate Approved09 April 2019File Plan Number forRelated Records1/2/1CSIR-MS-POL-ICT-001 REV02Page 1 of 15
TABLE OF CONTENTSDOCUMENT CHANGE HISTORY . 4DEFINITIONS . 5LIST OF ABBREVIATIONS . 7PURPOSE . 8SCOPE . 8OBJECTIVES. 8EFFECTIVE DATE . 8REFERENCE DOCUMENTATION. 9COMPLIANCE WITH POLICY . 9EXEMPTIONS . 10ROLES AND RESPONSIBILITIES . 1011.1.CSIR Board . 1011.2.CSIR Board’s Audit and Risk Committee (ARC) .1011.3.CSIR Executive Management (Exco) . 1111.4.CSIR Management . 1111.5.Chief Information Officer (CIO) . 1111.6.Employees . 11POLICY STATEMENTS . 1112.1.ICT Management. 1112.2.ICT Organisation . 1112.3.ICT for Business Use. 1212.4.Personally-Owned ICT Resources. 1212.5.ICT Asset Management . 1212.6.Privileged or Administrative Rights . 1212.7.Protection of Information . 1212.8.Information Systems Acquisition, Development and Maintenance . 1312.9.Systems Planning and Acceptance . 1312.10.Physical and Environmental . 1312.11.Backup and Recovery . 1312.12.Third-party Management . 1412.13.ICT Service Continuity Management . 1412.14.Change Management and Release Management. 1412.15.Availability and Capacity Management . 1412.16.Configuration Management . 1412.17.Service Management . 1412.18.Problem and Incident Management . 1512.19.Cloud Services . 15CSIR-MS-POL-ICT-001 REV02Page 2 of 15
12.20.Mobile Services . 1512.21.ICT Hosted Services. 1512.22.Knowledge Management . 15CSIR-MS-POL-ICT-001 REV02Page 3 of 15
DOCUMENT CHANGE HISTORYPUBLICATIONDATE17 February 2011AUTHORCHANGE DESCRIPTIONArthur A. MadonselaREVISIONNO0121 January 2019Arthur A. Madonsela02Revised with relevant changesas advised by PRDC (05December 2018) and OPCO(16 January 2019) and EXCO(28 January 2019)CSIR-MS-POL-ICT-001 REV02Board Approved PolicyPage 4 of 15
DEFINITIONSTermAcceptance criteriaAccess controlAvailabilityBest practiceBusiness ContinuityManagement (BCM)Business ContinuityPlan agementProcessInformation AssetDefinitionDefined and measurable terms of what must be done for aninformation system to be acceptable to affected users oremployees, especially in terms of functionalityA process or control through which access is restricted toauthorised individual users, applications, third parties orinformation systems.Ensuring timely and reliable access to and use of information.Recommendations or solutions that are considered the mostdesirable or preferred.A management process followed to identify risks, threats andvulnerabilities that can impact the CSIR’s continued operationsand provides a framework for building resilience and thecapability for an effective response and/or recovery. Matters ofICT service continuity management are considered a key aspectof this process.A plan detailing measures, procedures, controls and/orarrangements used by an organisation to respond to thedisruption of critical business processes and services. It isdependent on the disaster recovery process or plan forrestoration of critical systems.The act or process by which data and/or information isdetermined to be of a particular category or class.The principle that information is not made available or disclosedto unauthorised individuals, entities or processes.A set of values, numbers, characters, words or other elementsthat may be interpreted or processed in order to produceinformation.An unplanned event causing great damage or loss of informationresources or the capability to perform certain functions.A documented process or set of procedures to recover andprotect a business IT infrastructure in the event of a disaster.Any text, voice, sound, image, or video message sent over anelectronic network, such as e-mail, instant message (IM), SMS,WhatsApp, BBM message, unified communication and videoconferencing.For the purpose of this document only, the term employee isconsidered to include all permanent and/or temporary individualsemployed or appointed by the CSIR.An occurrence of or change in a particular set of circumstances.A person or entity associated with the Third-party.A document that provides recommended but not mandatoryadvice regarding practices in a given situation, scenario or topic.An identified occurrence of an adverse event, indicating apossible breach of policy, failure of controls, or previouslyunknown situation that may have an impact on the informationsecurity and privacy responsibilities of an organisation.A formal documented set of steps or instructions in order to beable to respond, to mitigate, or handle an incident and theconsequences thereof.An information asset is a valuable or useful object, whichincludes:CSIR-MS-POL-ICT-001 REV02Page 5 of 15
InformationProcessing FacilityInformationResourceInformation SystemInformation SystemLifecycleInformation SecurityInformation SecurityManagementSystemInformation SecurityPolicyIntegrityICT OrganisationICT ServiceTechnology assets (databases, data files, electronicdocuments, software, development tools and utilities) Physicalassets(computerequipment,communications equipment, or computer media)Any information system, service, infrastructure or the physicallocation that they are housed in.Any data/information in electronic, physical, verbal or audiovisual form or any hardware, software or information processingfacilities that makes possible the use, handling, transfer and/orstorage of data/information.An application, service, information technology asset, or anyother information handling component.A process for planning, creating, testing, implementing,maintaining and retiring an information system.All measures taken to protect the confidentiality, integrity,availability, resilience, authenticity and non-repudiation ofinformation resources. The scope of information security includescybersecurity.Part of the overall management system, based on a businessrisk approach, to establish, implement, operate, monitor, review,maintain, and improve information security.A set of statements which express management’s intent for theimplementation,maintenance,and improvementof itsinformation security.The property of information that describes its accuracy andcompleteness, especially as impacted by unauthorised modification.Formally approved ICT service entity/structure that includes, but notlimited to, management, staff, processes, etc; as it isorganised to service the CSIRA means of delivering value to the business by facilitating theachievement of the outcomes and objectives of the businessThese are typically provisioned through the user of ICTinfrastructure, business application systems etc.Least PrivilegeManagementMobile DeviceMustNeed-to-KnowPersonal DeviceGiving an employee only those privileges that are essential forthe employee’s role/function.Employees who are responsible for managing the organisation,and/or functions or people within the organisation.These individuals are often responsible for setting the strategy of theorganisation or function, and for coordinating the efforts of itsemployees to accomplish its objectives through the application ofavailable resources, such as financial, natural, technological, andhuman resources.A handheld, portable computing device which includes, but is notlimited to, cell phones, smart phones, tablets.An action/control that is mandatory.The principle that restricts access to information resources onlyto those who require access to that information in order toperform their [job] responsibilities.Refers to electronic equipment that has a processing capability andis owned by an individual/employee and is not owned by theCSIR-MS-POL-ICT-001 REV02Page 6 of 15
ntLevelStandardSupplier ssVulnerabilityCSIR. Often this refers to a desktop, laptop, tablet orsmartphone.A series of activities or tasks that contribute to the fulfilment of atask.A measure of the extent to which an entity is threatened by apotential circumstance or event.A role identified as being vital to the organisation, and thecompromise of which will endanger the effective functioning ofthe organisation.Specific responsibilities of the service provider, including thesatisfaction ofany relevantinformation privacy/securityrequirements, and sets the customer’s expectations regardingthe quality of service to be provided.A document that provides specific, low-level mandatory controls thathelp enforce and support policies.A document that is used for an appointment of a third party toprovide services to an organisation.A person or entity other than the CSIR and its EmployeesA circumstance or event that has the potential to exploitvulnerabilities and violate information security.The sending and/or sharing of information.Gaining access to an information resource without permission.A lack of or weakness in the design, implementation, operation ofa control that could expose information resource to threats orrisks.LIST OF CSIRDRPECTICTIPISISOITILMISSPOPIAPRDCRICASLAFull termFourth Industrial RevolutionAudit and Risk CommitteeBusiness Continuity ManagementBusiness Continuity PlanThe CSIR BoardChief Information OfficerControl Objectives for Information and Related TechnologiesCouncil for Scientific and Industrial ResearchDisaster Recovery Process/ PlanElectronic Communications and Transactions Act 25 of 2002Information and Communications TechnologyIntellectual PropertyInformation SecurityInternational Organization of StandardizationInformation Technology Infrastructure Library (IT Service ManagementFramework)Minimum Information Security StandardsProtection of Personal Information Act 4 of 2013Policy Review and Development CommitteeRegulation of Interception of Communications and Provision ofCommunication-related Information Act 70 of 2002Service Level AgreementCSIR-MS-POL-ICT-001 REV02Page 7 of 15
PURPOSEThe purpose of this policy is to articulate the CSIR’s position on the use of InformationCommunication and Technology (ICT) information systems, resources and services, as wellas the CSIR’s expectation for the management and operations of such during the course ofbusiness operations.Equally important, the policy is intended to align ICT investments and service activities to theenablement and support of the CSIR Business Strategy.SCOPEThis ICT policy applies to all CSIR employees including permanent, temporary, Third-partycontractors, Fourth-parties, consultants, auditors, interns, and studentship holders of theCSIR who have access to and make use of the CSIR ICT information systems, resourcesand services, and/or personal devices that contain CSIR information or are used to accessICT business services.This ICT policy is supported by and must be read in conjunction with the other CSIR policiesand standards, including but not limited to, the CSIR Information Security Policy, PrivacyPolicy, and Acceptable Use Standard.OBJECTIVESThe objectives of this policy are to ensure that ICT delivers value to the CSIR; through:i.ii.iii.iv.v.Optimal, efficient and effective usage of ICT to improve the CSIR’s performance andcompetitiveness, as well as support the business strategy, goals, objectives andrequirementsEnsuring the integrity, reliability, availability, and expected performance of the CSIRICT applications, systems and related infrastructureUnderstanding and management of the risks, benefits and constraints resulting fromthe utilisation of ICT within CSIRProvision and implementation of appropriate governance regime(s) in line withapplicable codes of governance practiceCompliance with applicable ICT-related legislation, regulations, rules, codes andstandardsEFFECTIVE DATEThis policy is valid from the “Effective Date” outlined herein and is valid until further notice.CSIR-MS-POL-ICT-001 REV02Page 8 of 15
REFERENCE DOCUMENTATIONThis document is in support of or is supported by, amongst others, the following:Number19.20.Name of the Regulation /DocumentConditions of ServiceInformation Security PolicyInformation Privacy PolicyAcceptable Use StandardCSIR Approval FrameworkProcurement PolicyIntellectual Property and Technology Transfer PolicyRecords Management PolicyScientific Research Council Act (Act No 46 of 1988)The National Key Point Act, 1980 (Act No. 102 of1980)Public Finance Management Act (Act No.1 of 1999 asamended by Act 29 of 1999)The Regulation of Interception of Communicationsand Provision of Communication-relatedInformation Act (Act No. 70 of 2002) (“RICA”)Promotion of Access to Information Act (Act No.2 of2000)Electronic Communications and Transactions Act (ActNo 25 of 2002)Disaster Management Act (Act No. 57 of 2002)The National Strategic Intelligence Act (Act No. 39 of1994)Electronic Communications and Transactions Act 25of 2002 (ECT)Protection of Personal Information Act 4 of 2013(POPIA)Minimum Information Security Standards (MISS)COBIT 5 (Control Objectives for Information and21.Related Technologies) – ISACA IT FrameworkITIL (Information Technology Infrastructure Library) IT1.2.3.4.5.6.7.8.9.10.ReferenceCSIR 5.16.17.18.Best Practice22.23.Service Management FrameworkISO 9001 – Quality management systemsRequirementsThe King IV Code on Corporate Governance–COMPLIANCE WITH POLICYAll CSIR employees must comply with this policy and supporting standards, processes,procedures and guidelines. Failure and/or refusal to abide by this policy may be deemed asmisconduct, which may result in an investigation and/or disciplinary action against anemployee, grounds for termination of a contract or refusal by the CSIR to enter into acontract. A claim of ignorance as to the existence and/or application of this policy cannot begrounds for justification of non-compliance.CSIR-MS-POL-ICT-001 REV02Page 9 of 15
If any provision of this policy is rendered invalid under law, such provision must be deemedmodified or omitted to the extent necessary, and the remainder of this policy must continueto be enforceable and in full effect.While the CSIR respects the privacy of its employees, it reserves the right to audit and/ormonitor their handling of, or activities on, its information resources. It further reserves theright to monitor and/or audit the content of any information stored, processed, transmitted orhandled by employees using the CSIR’s information resources and/or personal devices thatcontain CSIR information.Where the CSIR has reasonable grounds to suspect that its information security has been/isbeing compromised and/or the information security policy has been breached, the CSIRreserves the right to: Intercept and peruse any data sent, received, or stored by any employee (includingany attachment to it) and to monitor the use of its information resources, including,but not limited to, Internet access, email use, hard drives, network drives, and othercomputing systems; andConduct inspections of the information resources without advance notice to allemployees. EXEMPTIONSExemptions, exceptions or deviations from this policy will only be considered insofar as theyare lawful and do not compromise the CSIR’s legal obligations and duties. Approval forexemptions, exceptions or deviations from this policy, if warranted and lawful, must besubmitted in writing for approval by the Board or by delegation to EXCO.ROLES AND RESPONSIBILITIESThe roles and responsibilities associated with this policy are outlined below. These roles andfunctions shall be responsible for collaboratively giving effect to the organisational,operational processes and technology aspects required by the CSIR to drive compliancewith this ICT policy throughout the organisation. More details on the specific roles,responsibilities, activities and tasks related to ICT are defined and documented in supportingstandards and approved documents.Management must review these roles and responsibilities periodically, and whenever thereis a change in the legislative or regulatory landscape which may have an impact on ICToperations and activities, and update the policy accordingly.11.1. CSIR BoardWith respect to this policy, the CSIR Board is responsible for:i.Approval of the ICT policy.11.2. CSIR Board’s Audit and Risk Committee (ARC)With respect to this policy, the CSIR Board ARC is responsible for:i.Providing oversight for the effective implementation of the ICT policy.CSIR-MS-POL-ICT-001 REV02Page 10 of 15
11.3. CSIR Executive Management (Exco)The CSIR Exco is responsible for:i.ii.Ensuring that an effective ICT policy has been documented and implemented.Reviewing and recommending the ICT policy for CSIR Board approval.11.4. CSIR Managementi. Executives, managers, supervisors and/or any person mandated with theresponsibility to manage staff must understand the ICT policy requirements asthey apply to their areas of responsibility and must ensure that their staffdischarges their ICT responsibilities accordingly.11.5. Chief Information Officer (CIO)The CIO of the CSIR is responsible for:i.ii.The development and implementation of any ICT strategy, policies, standards,processes, procedures as may be necessary for compliance with this policy orany legal obligationsAssessment and management of ICT risks11.6. Employeesi.ii.All employees (as defined in the Definitions) must take responsibility forprotecting their own and the CSIR’s information assets.All employees must understand and comply with the provisions of this ICT policyas well as supporting ICT standards, processes and procedures. Where required,ICT responsibilities must be included and documented in job roles andresponsibility descriptions.POLICY STATEMENTSThe policy statements below describe the appropriate controls and mechanisms that mustbe put in place to adequately support the CSIR’s business operations. These policystatements are aligned with generally accepted practices for ICT.12.1. ICT ManagementIn order to ensure that there are appropriate and effective ICT controls andmechanisms across the CSIR, ICT management must ensure alignment of serviceswith business requirements and these services must support the delivery of thebusiness strategy, goals, objectives and requirements at all times.12.2. ICT OrganisationProvisions must be made to ensure that the ICT organisation, and supportingcapabilities and resources (people, process and technology), are adequatelycapacitated to support the overall delivery of the CSIR business strategy, goals,objectives and requirements.CSIR-MS-POL-ICT-001 REV02Page 11 of 15
Additionally, roles and responsibilities for various ICT functions must be clearlydefined, documented and communicated. Where certain ICT services or functions aredecentralised or shared across the CSIR, such responsibilities must be clearly definedto minimise ambiguity or unnecessary duplication of effort or resources.12.3. ICT for Business UseThe use of CSIR ICT services are primarily for business purposes. The CSIR allowslimited personal use of its information resources, however, in order to protect itsbusiness interests it may monitor, audit, examine or investigate the use and content ofits information resources. To this end, employees should be aware that anyexpectation of privacy they have while using the CSIR’s information resources islimited.12.4. Personally-Owned ICT ResourcesEmployees who choose to make use of personally-owned devices for CSIR businesspurposes connect to consume CSIR information resources or business services mustcomply with the relevant policies and standards. Bearing in mind that where apersonally-owned device is authorised for use of business services, the ICT support ofthat device will be on a “best effort” basis.12.5. ICT Asset ManagementIn order to ensure adequate and efficient control of ICT assets, the standardisation andmanagement of all ICT resources, the reduction of total cost of ownership and astreamlined ICT support service, the acquisition of all ICT assets (hardware andsoftware including licenses) must be facilitated by the ICT Services Centre in line withthe CSIR Procurement Policy. Mechanisms and structures must be put in place tomanage the standardisation of ICT and related information assets where possible.Additionally, software installed on any CSIR ICT asset must only be installed followingformal authorisation to do so, and must be done in strict compliance with the applicablelicense(s) and/or associated agreements.12.6. Privileged or Administrative RightsAll employees will be granted basic/standard user access rights to CSIR informationresources in accordance with the principal of “least privilege”. Where privileged oradministrator rights are required, a formal process for requesting these rights must befollowed. Such rights and entitlements must be reviewed on a periodic basis, andremoved when no longer required. The CSIR may remove such rights or entitlementsin the event of misuse.12.7. Protection of InformationAll devices, whether CSIR or personally-owned, which store or have access to CSIRinformation or business services must have the necessary information protectionCSIR-MS-POL-ICT-001 REV02Page 12 of 15
controls (such as encryption) required to safeguard the information. Where this is aCSIR-owned device, these safeguards must be implemented and managed by the ICTServices Centre.Specifically, employees are prohibited from making use of forensic software or anyother tools which may attempt to defeat or circumvent controls or otherwise destroyCSIR information stored on a CSIR-owned device.12.8. Information Systems Acquisition, Development and MaintenanceTo ensure that information systems are managed across their entire lifecycle a formalinformation system acquisition, development and/or maintenance process must bedocumented and implemented.12.9. Systems Planning and AcceptanceTo ensure that all business requirements are considered as an integral part of thedevelopment, procurement and maintenance of information systems used by the CSIR,Business, user and functional requirements must be defined and incorporated into thearchitecting, design and planning of an information system from its initiation.Additionally, key stakeholders must be identified at the onset of the project or initiative.Acceptance or production criteria must be defined for all new information systems,upgrades and/or new versions or releases, and must be met prior to the acceptanceand rollout of the information system. An assessment against all requirements must becompleted and accepted by stakeholders before an information system can beaccepted as production ready.12.10. Physical and EnvironmentalIn order to ensure the correct operations of the CSIR’s information resources, allinformation systems must be installed within an appropriate facility that meets therequirements of that information system; and all ICT equipment and all related physicalinfrastructure and environmental equipment must be correctly maintained andoperated.12.11. Backup and RecoveryIn order to protect the CSIR’s information resources against loss and/or damage and toensure that information resources can be recovered if they are lost and/or damaged, allinformation resources, that the CSIR requires to carry out its daily operations, must besecurely backed up at appropriate intervals. This includes, but is not limited to,applications, operating systems, databases, hardware and software configurations, logfiles, and any other relevant data.CSIR-MS-POL-ICT-001 REV02Page 13 of 15
12.12. Third-party ManagementIn order to protect the CSIR information resources accessible to or services providedby third parties, and to maintain an agreed level of control and service delivery in linewith service level agreements (SLA) and/or supplier agreements, a contract must beentered into between the CSIR and all third parties providing ICT services to or havingaccess to any of the CSIR’s information resources, to ensure that the CSIR’s interestsare protected and that all CSIR requirements have been contracted between bothparties.12.13. ICT Service Continuity ManagementIn order to ensure that the CSIR has the ability to restore the availability of informationresources in a timely manner, ICT service continuity management plans, processesand procedures must be developed and maintained in order to ensure that there areservice continuity measures and contingencies in case of an adverse event, and toensure that information resources are sufficiently resilient. ICT service continuityrequirements must be addressed within the CSIR’s overall business continuity plansand processes, and must align with the CSIR Information Security Policy and any otherrelevant Policies.12.14. Change Management and Release ManagementChange and release management controls and mechanisms must be in place togovern all changes to CSIR’s information systems, ensure that ICT changes areimplemented in a controlled manner and minimise the likelihood of undesireddisruptions of business operations as a result of information system changes.12.15. Availability and Capacity ManagementControls and mechanisms must be in place to ensure that ICT services and solutionsare optimised to meet existing and future availability, performance and capacityrequirements and demands. Processes must be defined to continuously identify andaddress ICT service availability as well as capacity requirements and concerns.12.16. Configuration ManagementControls and mechanisms must be in place to ensure that documentation related to thedesign and configuration of information systems is documented, approved andmaintained.12.17. Service ManagementControls and mechanisms must be in place to ensure that ICT services are alignedwith business requirements and expectations and that these services are rendered inalignment with agreed/defined operating and service level agreements. Theseagreements must be monitored and reviewed on a regular basis.CSIR-MS-POL-ICT-001 REV02Page 14 of 15
12.18. Problem and Incident ManagementTo ensure a consistent approach to the management of ICT problems and incidents,an ICT problem management regime (i.e. approach and relevant processes) must beimplemented and maintained in order to ensure that recurring problems and incidentsare addressed in a timely and organised manner.12.19. Cloud ServicesWhile acknowledging the po
information resources. The scope of information security includes cybersecurity. Information Security Management System Part of the overall management system, based on a business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. Information Security Policy
![Baseline IT Security Policy [S17] - GovCERT](/img/42/s17-v7-en.jpg)
