Frequently Asked Question
NRF ICT POLICY DISCLAIMER
The National Research Foundation (NRF) provides its employees with the necessary Information and Communication Technology (ICT) infrastructure to successfully conduct business. As an organisation, it acknowledges the occasional private use of such resources; however, the NRF owns the product of all activities conducted on ICT infrastructure and reserves the right to monitor all activities that occur on NRF ICT infrastructure.
Any suspected abuse of NRF ICT infrastructure may lead to the restriction and/or withdrawal of any or all privileges. Abuse or misuse may also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406). Users should be aware that a significant breach of this policy may represent gross misconduct under the NRF’s disciplinary procedures and could lead to dismissal. Violations could also amount to criminal offences and lead to prosecution.
GENERAL OVERVIEW
Overview
The NRF views information as a strategic asset, and as such it must be managed in accordance with legislation, best practice, and the policies of the organisation. The following policies have been developed in order to protect users, ICT infrastructure, and the information assets of the organisation by clearly communicating a set of rules and/or minimum standards. The aim of the consolidated suite of ICT policies is to provide NRF ICT professionals and users with a holistic view of the policy choices and requirements of the organisation.
The Role of the ICT Departments in the NRF
The Corporate ICT & KR Directorate has an organisation-wide oversight and co-ordination role. Charged with establishing the overarching ICT governance and cyber security framework for the organisation, the Corporate ICT Department is responsible for the development of policies, guidelines, and standard operating procedures (SOPs) as a prescribed minimum standard that all business units must adhere to. All policies and frameworks are developed in line with the applicable legislation and the King IV Report on Corporate Governance. The Corporate ICT & KR Directorate provides assurance to the NRF Board on all ICT-related matters.
The National Research Facilities and SAASTA are operational business units of the NRF that execute specific mandates related to their areas of expertise. The ICT Departments of the National Research Facilities and SAASTA form part of the operational structure of their respective business units. All ICT departments of the NRF are represented in the NRF Information Technology and Cybersecurity Committee, with the Corporate ICT & KR Directorate chairing and providing the secretariat function. The Information Technology and Cybersecurity Committee is responsible for reviewing and making input into policies and SOPs, developing standards for the monitoring of ICT assets and infrastructure, and collectively responding to cyber threats that impact the NRF.
All ICT departments are fully responsible for the unique ICT requirements arising from their individual business units' mandates and operating conditions. The Corporate ICT & KR Directorate aims to support such activities as far as is practical and ultimately ensures compliance with the suite of ICT policies as a minimum standard. Where operational and scientific requirements require a deviation from policy, such concessions can be considered based on engagement with the relevant Business Unit and, where necessary, the relevant Division Head.
ICT Compliance
As per the King IV Report on Corporate Governance for South Africa, Principle 12 deals with technology and information governance and states that the governing body should govern technology and information in a way that supports the organisation in setting and achieving its strategic objectives. The governing body is encouraged to assume responsibility for how information and technology are approached in the organisation and to maintain oversight of the management of technology and information.
The consolidated suite of ICT Policies aims to provide an enabling governance framework and management structure in order to:
Provide assurance to the governing body that the ICT infrastructure, systems, and services are efficiently utilised in achieving the mandate of the organisation;
Ensure that information is protected in line with legislation, including but not limited to, POPIA, NARSSA, etc. Refer to the Information Management Compliance Universe.
Ensure that all users (defined as NRF staff members, consultants, fixed term contractors, service providers, and other stakeholders, including visitors interacting with the NRF and utilising NRF ICT infrastructure) understand their roles and responsibilities and, as such, utilise ICT resources responsibly and in accordance with the policies.
Scope
The consolidated suite of ICT Policies applies to all ICT professionals and where applicable, NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF and utilising NRF ICT resources in some form.
ACCEPTABLE USE OF COMPUTER EQUIPMENT: ICT-ACU101
Purpose
The NRF recognises information as a strategic asset and as such is committed to protecting its employees, stakeholders, and the organisation from illegal or damaging actions by individuals, whether knowingly or unknowingly. The purpose of this policy is to outline the acceptable use of computer equipment, systems, and infrastructure at the NRF.
Policy Statement
The organisation aims to ensure that all NRF ICT infrastructure including software, hardware, networks, and systems are utilised efficiently in support of achieving the goals and objectives and ultimately the mandate of the NRF. Users of ICT infrastructure include all NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF platforms and databases.
Policy
This policy applies wholly to RISA and Corporate and aims to set a minimum standard for all other business units who may customise this policy in line with their specific operating circumstances and requirements.
Responsible Use
The NRF views information as a strategic asset, and as such all information generated by or for the NRF, together with all information shared with the NRF in the course of executing its mandate, must be protected. In this regard all users of NRF computer equipment must:
Ensure that passwords meet the requirements of the password policy and are not shared;
Ensure that computers including laptops and workstations are secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Windows users) when unattended;
Ensure that information remains secure, and the devices remain protected. If there are any notifications relating to security updates, contact your local ICT Support Team immediately;
Adhere to the Vulnerability Management policy;
Take note of all directives issued by Corporate and/or your local ICT department pertaining to potential e-mail and other threats that may lead to various phishing attacks.
Prohibited Activities
The following activities are strictly prohibited:
Any action that may be deemed illegal and/or harmful to another person or party;
Violations of the rights of people or parties through copyright, trade secret, patent, photograph or other intellectual property right infringements, including but not limited to the unauthorised distribution of information;
The unauthorised copying, printing and/or distribution of personal information;
Installation and/or distribution of "pirated" or other software products that are not appropriately licensed for use by the NRF;
Exporting of software, encryption software, technical information and/or technology in violation of international or regional export control laws;
Introduction of malicious programs onto NRF networks or servers (e.g. viruses, worms, Trojan horses, e-mail bombs, etc.);
Using NRF computing assets to actively engage in viewing, procuring, or transmitting material of a sexual, inflammatory, discriminatory and/or harmful nature;
Making fraudulent offers of products, items, or services originating from any NRF account;
Making statements about warranties, express or implied;
Effecting any security breaches or disruptions of network communication at the NRF or at any other organisation. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorised to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes;
Introduction of personal devices onto the closed network;
Port scanning or security scanning is expressly prohibited;
Executing any form of network monitoring and/or scanning which will intercept data not intended for the user without the necessary authorisation;
Circumventing user authentication or security of any host, network, or account;
Interfering with or denying service to any user (for example, a denial of service attack);
Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet;
Providing lists to parties outside the NRF without the express permission of management.
Note: An employee may, from time to time, receive a specific exemption from one or more of the restrictions during the course of their legitimate job responsibilities. Only an Executive or Managing Director or a Division Head may provide such exemption.
Social Networking
The NRF has taken the decision to allow the accessing of social networks on NRF infrastructure; however:
Users are required to maintain reasonable limits as defined by the business unit;
Since all NRF networks are monitored, any activities that may be deemed harmful and/or abusive may result in a suspension of privileges and/or disciplinary action.
Consequence Management
The suspected abuse or misuse of computer equipment may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and/or statements of best practice:
Table 2: Applicable Policies and Statements of Best Practice
| NRF Policies | Best Practice |
|---|---|
| 1. POPIA Policy | 1. POPIA Compliance Framework |
| 2. Records Management Policy | |
| 3. Consolidated Human Resources Policies | |
| 4. Email Policy: ICT-EM101 | |
Definitions
| Terms | Definition |
|---|---|
| ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems, including software, hardware, networks, and websites, that are used to execute the mandate of the organisation. |
| Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
| Social Networks | Online platforms which people use to build social networks or social relationships with other people who share similar personal or career content, interests, activities, backgrounds, or real-life connections. |
| Spam | Digital junk mail in the form of unsolicited communications sent in bulk over the internet or through any electronic messaging system. |
| Monitoring | The process of reviewing, analysing, and managing network traffic for any abnormality or process that can affect network performance, availability and/or security. |
| Chain email or letter | Email sent to successive people. Typically the body of the note directs the recipient to send out multiple copies of the note and promises good luck or money if the direction is followed. |
| Malware | A type of malicious code or program written to cause disruption to a computer, server, client or computer network, leak private information, gain unauthorised access to information or systems, deprive users of access to information, or which unknowingly interferes with the user’s computer security and privacy. |
| Virus warning | Email containing warnings about viruses or malware. |
| Unauthorised Disclosure | The intentional or unintentional sharing of protected information with any party who does not have a need to know or who is not contractually authorised to access the information. |
| Users | NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF platforms and databases. |
EMAIL POLICY: ICT-EM101
Purpose
The Email Policy of the National Research Foundation (NRF) aims to ensure that the email infrastructure of the organisation is recognised as a business communication tool and thus used in a responsible, effective, and lawful manner. As with all ICT infrastructure, email infrastructure must be used to achieve the objectives and goals of the National Research Foundation (NRF) and in alignment with the NRF Values.
Policy Statement
All NRF email users, including staff members, consultants, fixed term contractors, and other stakeholders, including visitors interacting with the NRF, have a responsibility to adhere to the NRF Code of Ethics, Values and Business Conduct, and to ensure that the electronic resources, and specifically the email infrastructure, are used in a responsible and productive manner.
Policy
This policy applies to RISA and Corporate and aims to set a minimum standard for all other business units who may customise this policy in line with their specific operating circumstances and requirements.
Responsible Use of Email Infrastructure
All emails distributed on the NRF email infrastructure including personal emails are the property of the NRF;
Email users should have no expectation of privacy in anything created, stored, sent, or received on the organisation's email infrastructure;
Emails sent or received on NRF infrastructure may be subject to the Promotion of Access to Information Act (Act 2 of 2000 as amended) and as such may be shared with third parties if necessary;
Emails may be monitored without prior notification if the NRF deems such necessary.
Prohibited Activities
The following activities are prohibited:
Sending any messages which may be deemed unlawful pursuant to the applicable laws of any governing jurisdiction;
Signing up for illegal, unreliable, disreputable, or suspicious websites and services;
Sending unauthorised marketing content or solicitation emails;
Sharing of material that is protected through copyright, trade secret, patent, or other forms of intellectual property protections also known as unauthorised disclosure;
The unauthorised copying, printing and/or distribution of personal information;
Sharing insulting, racist, discriminatory, or offensive messages and content;
Intentionally spamming other people’s emails, including coworkers;
Sharing content protected by copyright without permission;
Sharing links to inappropriate content, including but not limited to content of a sexual, inflammatory, discriminatory and/or harmful nature.
Users are cautioned to be vigilant and not to open emails and/or attachments from unknown senders, as these may contain viruses or other forms of cyber threat.
The sending of any personal information in the body of an email and/or in attachments must be subject to the Protection of Personal Information Act (Act 4 of 2013 as amended) and the organisation's policies and frameworks.
Consequence Management
The suspected abuse or misuse of email infrastructure may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and/or statements of best practice:
Table 3: Applicable Policies and Statements of Best Practice
| NRF Policies | Best Practice |
|---|---|
| 1. POPIA Policy | 1. POPIA Compliance Framework |
| 2. Records Management Policy | |
| 3. Consolidated Human Resources Policies | |
| 4. ICT Acceptable Use of Computer Equipment Policy: ICT-ACU101 | |
| 5. Password Policy: ICT-PAS101 | |
Definitions
| Terms | Definition |
|---|---|
| ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems, including software, hardware, networks, and websites, that are used to execute the mandate of the organisation. |
| Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
| Email | Messages distributed by electronic means from one computer user to one or more recipients via a network. |
| Personal Information | Any information relating to an identifiable, living, natural person or, where applicable, an identifiable existing juristic person. |
| Special Personal Information | Relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information. |
| Spam | Digital junk mail in the form of unsolicited communications sent in bulk over the internet or through any electronic messaging system. |
| Monitoring | The process of reviewing, analysing, and managing network traffic for any abnormality or process that can affect network performance, availability and/or security. |
| Chain email or letter | Email sent to successive people. Typically the body of the note directs the recipient to send out multiple copies of the note and promises good luck or money if the direction is followed. |
| Malware | A type of malicious code or program written to cause disruption to a computer, server, client or computer network, leak private information, gain unauthorised access to information or systems, deprive users of access to information, or which unknowingly interferes with the user’s computer security and privacy. |
| Virus warning | Email containing warnings about viruses or malware. |
| Unauthorised Disclosure | The intentional or unintentional sharing of protected information with any party who does not have a need to know or who is not contractually authorised to access the information. |
| Users | NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF platforms and databases. |
PASSWORD POLICY: ICT-PAS101
Purpose
The purpose of this policy is to establish a standard for the creation and maintenance of strong passwords, the security of those passwords, and the frequency with which passwords are changed. In this regard, the NRF has adopted the relevant aspects of National Institute of Standards and Technology (NIST) Special Publication 800-63B where applicable.
Policy Statement
The aim of this policy is to set out rules to improve cyber security by ensuring that all users create dependable and secure passwords that are then appropriately stored, utilised, and managed to maintain security and integrity. Users include all NRF staff members, consultants, fixed term contractors, and other stakeholders, including visitors interacting with the NRF who have access to NRF ICT infrastructure.
Policy
This policy applies to RISA and Corporate and aims to set a minimum standard for all other business units who may customise this policy in line with their specific operating circumstances and requirements.
Password Management
All system-level passwords (e.g. root, enable, NT admin, application administration accounts, key rotation, etc.) must be changed on a yearly basis;
All user-level passwords related to business systems (including the ERP system, EDRMS, email, intranet, etc.) will not expire, contingent on the NIST Digital Identity Guidelines being fully implemented on the back end;
User accounts that have system-level privileges through group memberships or programs such as "sudo" must have a unique password, i.e. different from all other accounts held by that user;
Passwords that are shared electronically should not be shared with the username in the same communication;
System level passwords should only be shared over end-to-end encrypted platforms e.g. GNU Privacy Guard (GPG) encryption standard;
Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv3); and
All user-level and system-level passwords must conform to the guidelines described below.
GENERAL PASSWORD CONSTRUCTION
Passwords are used for various purposes at the NRF including business systems such as the ERP system, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. All NRF passwords will have the following characteristics:
Contain both upper- and lower-case characters (e.g. a-z, A-Z);
All ASCII/Unicode characters should be allowed, including spaces (e.g. ! @ # $);
Must be at least 8 (eight) alphanumeric characters;
Are not based on personal information, e.g. names of family members, pets, etc.
PASSWORD MANAGEMENT
User-level passwords should never be written down;
Passwords that are stored electronically should be stored on encrypted platforms;
Create passwords that you can remember easily. One way to do this is to base the password on a song title, affirmation, or other phrase. For example, the phrase might be "This May Be One Way To Remember" and the password could be "TmB1w2R!" or "Tmb1W>r~" or some other variation. Do not use either of these examples as passwords!
Do not use the same password for NRF accounts as for other non-NRF access;
Do not use the remember password feature on your browser; and
Do not share your password with anyone else.
Application Development Standards (Code Developers)
Application developers must ensure their programs contain the following security precautions. Applications:
Should support authentication of individual users, not groups
Should store passwords in encrypted form
Should provide for some sort of role management
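As an added example, not the NRF's own code, the following Python enforces the rules of the General Password Construction section above (minimum length, mixed case, any ASCII/Unicode character including spaces, no personal-information tokens) and stores the result as a salted scrypt hash, the one-way form that NIST SP 800-63B requires of verifiers in place of reversible encryption. The personal-information token list, the scrypt work factors and the function names are assumptions, not values taken from the policy.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Iterable, List, Optional, Tuple

MIN_LENGTH = 8  # policy: "at least 8 (eight) ... characters"


def normalise(password: str) -> str:
    """NFKC-normalise so the same visible password always hashes the same way,
    while still accepting spaces and any ASCII/Unicode character."""
    return unicodedata.normalize("NFKC", password)


def check_password(password: str, personal_tokens: Iterable[str] = ()) -> List[str]:
    """Return the list of policy rules the password violates (empty = compliant).

    personal_tokens is assumed to be supplied by the caller (e.g. names from
    the HR record used to create the AD credential); the policy does not say
    where such data comes from.
    """
    pw = normalise(password)
    problems: List[str] = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case character")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case character")
    folded = pw.casefold()
    for token in personal_tokens:
        token = normalise(token).casefold()
        # one- or two-character tokens would match almost any password
        if len(token) >= 3 and token in folded:
            problems.append(f"contains personal information ({token!r})")
    return problems


# scrypt work factors are an assumption for illustration; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, one-way scrypt hash; returns (salt, digest) for storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(
        normalise(password).encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def enrol(password: str, personal_tokens: Iterable[str] = ()) -> Tuple[bytes, bytes]:
    """Reject a non-compliant password, otherwise return (salt, digest) to store."""
    problems = check_password(password, personal_tokens)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    return hash_password(password)


if __name__ == "__main__":
    # The policy's own illustration string, used here only as sample input.
    salt, digest = enrol("TmB1w2R!")
    print(verify_password("TmB1w2R!", salt, digest))  # True
    print(check_password("Fluffy the cat", personal_tokens=["Fluffy"]))
```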
Consequence
The suspected abuse or misuse of password management protocols may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and/or statements of best practice:
Table 4: Applicable Policies and Statements of Best Practice
| NRF Policies | Best Practice |
|---|---|
| 1. Consolidated Human Resources Policies | 1. National Institute of Standards and Technology (NIST) Special Publication 800-63B |
| 2. ICT Acceptable Use of Computer Equipment Policy: ICT-ACU101 | |
| 3. Email Policy: ICT-EM101 | |
Definitions
| Terms | Definition |
|---|---|
| ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems, including software, hardware, networks, and websites, that are used to execute the mandate of the organisation. |
| Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
| Email | Messages distributed by electronic means from one computer user to one or more recipients via a network. |
| Monitoring | The process of reviewing, analysing, and managing network traffic for any abnormality or process that can affect network performance, availability and/or security. |
| Personal Information | Any information relating to an identifiable, living, natural person or, where applicable, an identifiable existing juristic person. |
| Special Personal Information | Relates to religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life, or biometric information. |
| Users | NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF platforms and databases. |
LOGICAL ACCESS POLICY: ICT-LOG101
Overview
The National Research Foundation (NRF) provides various levels of access to ICT infrastructure for authorised users in order to facilitate the day-to-day activities of the organisation.
Logical access control measures are put in place in order to prevent the possible compromise of information, ICT assets and facilities under the control of the NRF, as a means to protect NRF information and its communications infrastructure in general.
Policy Statement
The NRF views information as a strategic asset. This policy aims to protect information in electronic form by means of a logical access policy that governs the security roles and privileges awarded to users based on their user requirements and levels of authority. This policy applies to all NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF and utilising NRF ICT resources in some form.
Policy
This policy applies to RISA and Corporate and aims to set a minimum standard for all other business units who may customise this policy in line with their specific operating circumstances and requirements.
User Accounts
All users will receive one NRF Account which will:
Provide access to the user’s assigned computer equipment;
Allow the user to log into the email infrastructures; and
Allow the user to access various business and ICT systems and platforms with the same or different login credentials, depending on the specific security requirements.
Requesting Access
User accounts for new employees are requested by the relevant managers as part of the onboarding process, at least two weeks prior to the date of initiation;
Accounts must be formally requested via the helpdesk by the line manager using the approved templates;
Security roles and privileges will be determined by the line manager in consultation with the relevant system or process owners, based on the user's job function requirements and level of authority;
The relevant Human Resources function must provide the relevant staff information in order to create an Active Directory (AD) credential;
All access will be governed by the AD credentials;
Access to the Enterprise Resource Planning (ERP) system must be requested through the ERP Management Office (EMO), which resides within the Corporate ICT & Knowledge Resources Directorate;
The onus remains with the user and the relevant line management to report any changes or required terminations of access to the relevant ICT Department and the EMO.
Process to Terminate an Account
On termination of employment for whatever reason, the ICT Department must be notified by the line manager;
Accounts will be disabled, and users will be removed from all access to groups on the day after the date of termination;
If an ICT Department staff member terminates employment:
All shared system accounts must be changed on all systems on the day of termination;
All accounts should be audited by the supervisor/team leader or ICT Manager to ensure that the process of handover and termination was executed in line with the relevant Standard Operating Procedures (SOPs);
All ICT Departments must have an SOP dealing with the handover and termination of ICT staff.
Consequence
The suspected abuse or misuse of logical access protocols may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and/or statements of best practice:
Table 5: Applicable Policies and Statements of Best Practice
| NRF Policies | Best Practice |
|---|---|
| 1. Consolidated Human Resources Policies | |
| 2. ICT Acceptable Use of Computer Equipment Policy: ICT-ACU101 | |
Definitions
| Terms | Definition |
|---|---|
| ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems, including software, hardware, networks, and websites, that are used to execute the mandate of the organisation. |
| Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
| Active Directory | Uses a structured data store as the basis for a logical, hierarchical organisation of directory information. |
| Users | NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF platforms and databases. |
ICT DATA CENTRE POLICY: ICT-DEC101
Overview
The National Research Foundation (NRF) provides ICT infrastructure to authorised users in order to facilitate the effective operation of all business units. The local data centres at the various business units form the heart of the ICT infrastructure and as such must remain secure and controlled environments.
Policy Statement
The purpose of this policy is to set out the level of security, access and conduct that applies when dealing with NRF ICT Data Centres, and it applies to all NRF staff, consultants, contractors, and service providers.
Policy
Roles and Responsibilities
It is the responsibility of the local ICT Manager to ensure that:
The policy is enforced and complied with;
Data Centres have the necessary physical access control infrastructure to enforce the execution of this policy;
Access logs and a record of activities performed in the Data Centre are maintained; and
An audit trail of access provided to relevant users is maintained, including quarterly reviews of access lists and terminations as necessary.
Access Control
Access credentials to NRF ICT Data Centres will be provided to ICT staff responsible for infrastructure or as needed;
Consultants and or Service providers will be provided access on a temporary basis for specific interventions and or projects;
Any visitors who require once-off access for whatever reason must be accompanied by an authorised staff member at all times;
All requests for access to NRF ICT Data Centers, must be approved by the relevant delegated authority and filed as a record;
Access credentials and logs to NRF ICT Data Centers must be monitored and reviewed by the responsible ICT Manager on a quarterly basis;
In the event of unauthorised access, the incident must be reported to the relevant ICT Manager immediately. The ICT Manager will:
Fully investigate the incident;
Prepare an incident report for Executive Management, to be submitted within 48 hours of the breach; and
Support Executive Management in the implementation of any actions or consequences resulting from the breach.
Safety and Hygiene
All business units must have an approved suite of Standard Operating Procedures (SOP) that detail the following:
Maintenance activities, including a preventative maintenance schedule for the year that is kept updated and rules for new installations of equipment;
Management and maintenance of the fire retarding systems by a licensed professional;
Management and maintenance of the uninterruptible power supply (UPS) systems by a licensed professional;
Power supply in the NRF ICT Data Centre: running lead cords etc. is strictly prohibited, and only a licensed and certified electrical contractor may make changes to the electrical wiring;
A housekeeping schedule that includes signage where necessary to reinforce that there will be:
No eating or drinking in the NRF ICT Data Centre;
No use of electrical equipment other than what is authorised for use in the Data Centre.
All visitors, contractors, service providers and new staff must be inducted on the rules of the Data Centre, including the safety, hygiene, and housekeeping protocols.
Consequence
The suspected abuse or misuse of any ICT infrastructure may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and or statements of best practice as follows:
Table 6: Applicable Policies and Statements of Best Practice
NRF Policies | Best Practice |
|---|---|
1. Consolidated Human Resources Policies | 1. |
Definitions
Terms | Definition |
|---|---|
ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems including software, hardware, networks, and websites that are used to execute the mandate of the organisation. |
Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
Users | NRF staff, consultants, fixed term contractors, service providers and other stakeholders, including visitors interacting with the NRF platforms and databases. |
VULNERABILITY MANAGEMENT POLICY: ICT-VUM101
Overview
The National Research Foundation (NRF) provides ICT infrastructure to authorised users in order to facilitate the effective operation of all business units. All ICT infrastructure must be monitored and protected against vulnerabilities to ensure integrity, information security and high availability.
Vulnerability management is a security practice designed to discover and mitigate information technology vulnerabilities by proactively managing them, thus reducing the likelihood of exploitation.
Policy Statement
This policy enforces the requirement to continuously monitor all ICT infrastructure information systems for vulnerabilities in order to make the necessary changes to reduce the potential for exploitation.
Policy
The monitoring strategy must be based on the up-to-date infrastructure or systems inventory and contextualised by best practices.
MONITORING FOR VULNERABILITIES AND THREATS
NRF ICT Departments must continuously monitor sources of threats and vulnerabilities from internal and external security sources;
A timely review of the vulnerability data must be conducted;
A vulnerability analysis must be performed against the latest infrastructure inventory requirements.
Applicable vulnerabilities must be categorised according to a vulnerability classification consisting of the classes urgent, routine or not applicable.
REMEDIATION AND MITIGATION OF VULNERABILITIES
A process has been introduced to remediate vulnerabilities based on significance;
Automated patch management tools should be used, where applicable, to expedite the distribution of patches to systems; and
Action plans to remediate all verified vulnerabilities should be developed and maintained on a continuous basis.
VULNERABILITY PROCESS MANAGEMENT
All ICT Departments in the various business units must have a documented vulnerability management process that must be maintained on an ongoing basis; and
Vulnerability remediation must be verified through network and host vulnerability scanning.
Consequence
The suspected abuse or misuse of any ICT infrastructure may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and or statements of best practice as follows:
Table 7: Applicable Policies and Statements of Best Practice
NRF Policies | Best Practice |
|---|---|
1. Consolidated Human Resources Policies | 1. Cyber Security Framework |
2. ICT Disaster Recovery Policy: IT-IDR101 | |
Definitions
Terms | Definition |
|---|---|
ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems including software, hardware, networks, and websites that are used to execute the mandate of the organisation. |
Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
Monitoring | The process of reviewing, analysing, and managing network traffic for any abnormality or process that can affect network performance, availability and/or security. |
Vulnerability | Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. |
Threat / Cyber Threat | Any circumstance or event with the potential to adversely impact organisational operations, assets, information assets or individuals through an information system via unauthorised access, destruction, disclosure, modification of information, and/or denial of service. |
Malware | A type of malicious code or program written to cause disruption to a computer, server, client or computer network, leak private information, gain unauthorised access to information or systems, deprive users access to information or which unknowingly interferes with the user’s computer security and privacy. |
Virus warning | Email containing warnings about a virus or malware. |
Unauthorised Disclosure | The intentional or unintentional sharing of information that is protected with any party who does not have a need to know or who is not contractually authorised to access the information. |
ICT DISASTER RECOVERY POLICY: ICT-IDR101
Overview
The National Research Foundation (NRF) views information as a strategic asset, and as such any loss of information as a result of damage or a threat to NRF ICT infrastructure is unacceptable. For this reason, the NRF Business Continuity Management (BCM) plan includes an ICT Service Continuity Management (ITSCM) plan. Its goal is to set out the agreed disaster recovery actions and methods that enable the organisation to regain use of ICT infrastructure, and specifically of identified critical systems, as soon as possible after a disaster occurs so that business can continue.
Policy Statement
This policy sets out the necessary set up and processes required to ensure that the NRF can effectively respond to and recover from an event that negatively affects business operations.
Policy
This policy applies to ICT infrastructure at RISA and Corporate and aims to set a minimum standard for all other business units who may customise this policy in line with their specific operating circumstances and requirements.
Disaster Recovery Plans
ICT Managers at all NRF business units must ensure that a risk-based IT Service Continuity Management plan is prepared, approved by Executive management, and implemented to form part of the Business Continuity Management (BCM) plan of the business unit;
The ICT Manager must ensure that:
All systems and databases including applications and servers are backed up based on a documented and approved backup strategy and related schedule;
Backup media must be stored in a location other than the NRF ICT Data Centre;
A list of support contracts for all systems and applications must be accessible;
All Data Centre design solutions include Uninterruptible Power Supply (UPS) units within the NRF ICT Data Centre as well as a continuous auxiliary power supply as far as possible;
All critical networks are designed with remote/offsite access in mind;
The IT Service Continuity Management plan includes provision for a temporary computer room at an offsite location, should the local NRF ICT Data Centre and or site become unusable as a result of a disaster;
All documented Standard Operating Procedures (SOP) must be available to ensure ease of access and continuity in the event of a disaster.
Support
All ICT Managers must provide input to the consolidated NRF BCM strategy and plan;
All ICT Managers will have a list of emergency contacts that will provide access to ICT personnel in the event of a disaster.
Consequence
The suspected abuse or misuse of any ICT infrastructure may result in the immediate suspension of some or all privileges and can also result in disciplinary action in terms of the Disciplinary Code and Procedure (HR-WRM406).
Links to Other Policies
This policy is part of the NRF policy framework and must be read with the following supporting policies and or statements of best practice as follows:
Table 8: Applicable Policies and Statements of Best Practice
NRF Policies | Best Practice |
|---|---|
1. Consolidated Human Resources Policies | 1. Cyber Security Framework |
2. Vulnerability Management Policy: ICT-VUM101 | |
3. Data Redundancy Policy: IT-DRE101 | |
Definitions
Terms | Definition |
|---|---|
ICT Infrastructure | NRF ICT Infrastructure refers to information and communications technology infrastructure and systems including software, hardware, networks, and websites that are used to execute the mandate of the organisation. |
Information | Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audio-visual. |
Disaster Recovery | An organisation's ability to respond to and recover from an event that negatively affects business operations. |