January 2013

Information and Communications Technology User Policy Manual

VRA ICT User Policy Manual Page 1

Table of Contents

FOREWORD

POLICY OBJECTIVES

SCOPE OF POLICY

1. ACCESS CONTROL
   1.1 Authorisation
   1.2 Monitoring
   1.3 Reporting Security Issues
   1.4 Telecommunication
   1.5 User Registration
   1.6 User De-registration
   1.7 Password
   1.8 General Password Construction Guidelines
   1.9 Password Protection Standards
   1.10 Use of Passwords and Passphrases for Remote Access Users
   1.11 Passphrases
   1.12 Lost Passwords
   1.13 Remote Access
   1.14 Virtual Private Network (VPN)
   1.15 Acceptable Use Policy
   1.16 Unacceptable Use Policy
   1.17 Third Party Connections

2. HARDWARE AND SOFTWARE
   2.1 ICT Equipment
   2.2 Lost or Stolen ICT Equipment
   2.3 Maintenance of ICT Equipment (s)
   2.4 Procurement of ICT equipment
   2.5 Removal of Equipment (Internally/Externally)
   2.6 Handling of Equipment
   2.7 Portable Devices
   2.8 Assignment/Distribution of ICT Facilities
   2.9 Disposal/Replacement of ICT Systems
   2.10 Software Compliance
   2.11 Software Licensing and Intellectual Property
   2.12 Use of Shareware and Freeware
   2.13 Data Protection Legislation
   2.14 Ownership and Responsibilities

3. ELECTRONIC MESSAGING AND COLLABORATION
   3.1 Electronic Messaging
   3.2 Unacceptable Use
   3.3 E-Mail Disclaimer
   3.4 Supported E-Mail Client
   3.5 E-mail Addressing
   3.6 Expiration and Deletion of Account
   3.7 Reactivation of Designation Account
   3.8 Attachments to E-Mail Messages
   3.9 Default E-Mail Message Set-Up
   3.10 Carbon Copying / Blind Carbon Copying / Forwarding
   3.11 Size of User Mailbox
   3.12 Privacy
   3.13 Data Retention
   3.14 Message Monitoring
   3.15 Incidental Disclosure

4. DOCUMENT MANAGEMENT
   4.1 Document Workflow
   4.2 Electronic Document Creation/Authoring/Collection
   4.3 Document Review and Approval
   4.4 Document Release
   4.5 Document Storage/Protection/Organization/Use Policy
   4.6 Principles of Data Protection
   4.7 Document Expiration/Disposal/Archival
   4.8 Cataloguing Policy

5. SECURITY
   5.1 Acceptable Use
   5.2 Internet Security
   5.3 Virtual Private Network (VPN)
   5.4 Anti-Virus and Firewall
   5.5 Information Sensitivity
   5.6 System Backup and Recovery
   5.7 Business Continuity and Disaster Recovery

6. SERVICE DESK
   6.1 Service Desk

7. TRAINING
   7.1 Training Plans

8. POLICY GOVERNANCE
   8.1 Policy Implementation
   8.2 Non-Compliance
   8.3 Enforcement
   8.4 Policy Review
   8.5 Policy Update

9. ADDITIONAL RESOURCES

ACRONYMS

GLOSSARY

FOREWORD

The rapid advancements in Information Communication Technology (ICT) have radically changed the world’s economic landscape, resulting in a new society based on information and knowledge. This has further yielded new avenues of development, employment, productivity, efficiency and enhanced economic growth.

Globally, ICT has become a major tool for job creation, raising productivity, increasing incomes and opening opportunities for human development. Extensive application of ICT now provides opportunities for new ways of better and effective governance to create wealth, thus contributing significantly to poverty alleviation and sustenance of macroeconomic stability.

The Volta River Authority (VRA) is employing ICT to achieve the following key objectives of the Authority and VRA recognizes information as a resource which must be generated, collected, organized, leveraged, secured and preserved for economic prosperity. VRA ICT User Policy therefore exists to maintain, secure, and ensure legal and appropriate use of the Authority’s Information and Communications Technology infrastructure.

MIS Director shall be responsible for the coordination and implementation of all policies stated in this document unless otherwise expressly stated.

The MIS Director, in consultation with the MIS Management, shall advise the Authority on ICT issues. The MIS Directorate shall also maintain links with the National Information Technology Agency (NITA), which has the legal mandate to set ICT standards in the country.

POLICY OBJECTIVES

The Authority's ICT facilities provide tools for the effective and efficient execution of work. Users of VRA's ICT facilities are required to comply with the tenets of the policy to protect the integrity and use of the infrastructure.

Users agree to comply with applicable laws of Ghana and refrain from engaging in any activity that would subject the Authority to legal liability.

To protect the integrity of VRA's ICT facilities and its Users against unauthorised or improper use:

a. VRA has the right to investigate use of the facilities in violation of the Authority’s rules and policy;

b. VRA reserves the right, without notice, to limit or restrict any individual's use, and to inspect, copy, remove, or otherwise alter any data, file, or system resource which may undermine authorised use, or which is in violation of the Authority’s rules or policy.

c. The MIS Director also reserves the right to periodically authorise, without notice, the examination of any system and usage as well as authorisation history as a necessary step to protect the infrastructure.

VRA reserves the right to amend this policy to bring it into compliance with the applicable laws of Ghana.

SCOPE OF POLICY AND DOCUMENT INFORMATION

Scope of Policy

This policy applies to all employees, contractors, consultants, temporaries/casuals, and other workers at VRA, including all personnel affiliated with third parties. This policy applies to all ICT facilities that are owned or leased by VRA.

Copyright

This document is the property of Volta River Authority (VRA). All rights reserved. No part of the document may be reproduced, stored, transmitted, in any form or by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of VRA.

Document Owner

The VRA Management Information Systems (MIS) Director owns this document and is solely responsible for its content.

Version Control

The following table refers to Version, Date and Revisions.

Version    Date        Revisions
0.1        12/12/12    eSolutions Consulting
0.2        14/12/12    Ag. Director, MIS

Approval

The table below shows the approval and authorisation.

Approved By        Effective Date
Chief Executive    27/02/2013

1. ACCESS CONTROL

1.1 Authorisation

1.1.1 VRA shall have a comprehensive control system for granting Network, Internet, Systems, Data and Application access to both staff and authorised non-staff. Access for the use of ICT facilities may be granted by the MIS Director or his/her authorised representative.

Procedures and Guidelines

i. The Head of Department or authorized representative shall be responsible for requesting access from the MIS Director or authorised representative for new Users.

ii. The Head of Department requesting for new User access shall duly fill a User Request Form available online and submit to MIS Director.

iii. The MIS Director shall ensure that appropriate access is granted and the Head of the requesting officer’s Department/Unit notified.

iv. The end-User is furnished with the ICT Policy and signs onto it.

1.2 Monitoring

To ensure that ICT facilities are secure and efficient:

1.2.1 MIS Director shall ensure the monitoring of facilities and User rights.

1.2.2 MIS Director shall take emergency action to safeguard the integrity and security of the facilities, including termination of a programme, job, or on-line session, or temporary alteration of User account names and passwords.

1.2.3 All security-related events on critical or sensitive systems shall be logged and audit trails saved.

1.2.4 The MIS Director may suspend any person from using the facilities if found to be:

i. responsible for wilful or grossly negligent damage to any ICT facilities;

ii. in possession of confidential information obtained improperly through ICT usage;

iii. responsible for wilful destruction of information through ICT usage;

iv. responsible for deliberate interruption of normal services provided by the ICT Directorate;

v. responsible for the infringement of any Intellectual Property rights;

vi. gaining or attempting to gain unauthorised access to accounts and passwords;

vii. gaining or attempting to gain access to restricted areas (guidelines) without the permission of the Director;

viii. responsible for inappropriate use of the facilities (provide guidelines for inappropriate use).

Note: All the above offences under this section are considered as major offences, for which major penalties shall apply as defined in VRA’s staff Code of Conduct.

1.2.5 Restoration of a suspended person to further use of ICT facilities will be dependent on approval by the Deputy Chief Executive Finance in consultation with MIS Director and Head of the respective department.

1.3 Reporting Security Issues

1.3.1 Anyone who identifies security issues shall immediately notify the ICT Service Desk where:

i. Sensitive information is in danger of being lost or disclosed to unauthorised persons, is lost, disclosed to unauthorised persons, or suspected of being lost or disclosed to unauthorised persons.

ii. Unauthorised use of information systems has taken place, or is suspected of having taken place.

iii. Passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed or in danger of being lost or disclosed.

iv. There is any unusual systems behaviour, such as missing files, frequent system crashes, misrouted messages.

v. Anyone with knowledge of a security issue shall only discuss the issue with the MIS Director or persons identified by the MIS Director.

vi. Users shall not attempt to probe computer security mechanisms. Any person in possession of files containing hacking tools or other suspicious material without the prior written authority of the MIS Director may be subject to disciplinary procedures. The possession of the files shall be taken as prima facie evidence of unauthorised hacking activity.

1.3.2 The MIS Director or persons identified by the MIS Director shall ensure that all security issues are kept confidential.

1.4 Telecommunication

1.4.1 All VRA-provided smartphones shall be used for official business. Usage shall be restricted to VRA's approved quota and any excess usage shall be paid for by the User.

Procedures and Guidelines

i. Heads of Departments/Units should apply to the Deputy Chief Executive (Finance) on behalf of the officer.

ii. The MIS Director then applies for the phones from the vendor.

iii. The MIS Director or authorized representative registers the phones and delivers to the officer.

iv. Faults on all official smartphones shall be reported to the MIS Service Desk and the malfunctioning device shall be submitted for necessary attention.

Lync Service

1.4.2 The use of the Lync service shall be guided by the same rules as the electronic messaging policy (Section 3.0 of this document).

Fixed Line Telephone

1.4.3 All internal calls shall be done through the fixed line intercom.

1.4.4 The destination of all calls going outside the Authority (made from the Authority’s fixed line) shall be restricted based on rank and/or schedule, to be determined by the MIS Director or his designated representative.

1.4.5 Excessive phone bills as defined in Administrative instructions shall be investigated and appropriate sanctions applied.

1.5 User Registration

1.5.1 Only authorised persons will be registered on VRA ICT facilities.

Procedures and Guidelines

i. New Users shall register to access VRA ICT basic facilities through the Human Resources Department.

ii. All Heads of Departments shall complete the User Registration Form online through the VRA Portal on behalf of their subordinates, stating the User's needs, and submit it to the MIS Director.

iii. The MIS Director shall ensure that the request for providing a service to the User is worked on and communicated to the User within 24 hours.

1.5.2 All Users shall be assigned Basic Access rights.

1.5.3 Any additional rights other than the Basic Access rights may be requested by a VRA User through their Head of Department/Unit. Approval may be granted by the MIS Director subject to the procedures and guidelines referred to in (i) and (ii) of clause 1.5.1.

1.6 User De-registration

1.6.1 Users shall be de-registered when found to be Ineligible.

1.6.2 Ineligible Users are those who have completed their contracts, been interdicted, dismissed, vacated their posts, are indisposed for at least four (4) months, on leave of absence, retired or dead.

Procedures and Guidelines

i. The Director of Human Resource (HR) shall immediately inform the MIS Director to de-register the said User by filling the de-registration Form.

ii. The MIS Director shall accordingly de-register the person/s involved and inform the Director of HR.

1.7 Password

1.7.1 All ICT systems will be protected by passwords.

1.7.2 Decryption of passwords is not permitted, except by an authorised officer performing security reviews or investigations.

1.7.3 Accounts of ineligible Users shall be immediately disabled.

Procedures and Guidelines

Passwords must be a minimum of 8 characters in length.

i. Passwords shall contain a minimum of three of the following combinations: uppercase alphabetic, lowercase alphabetic, numeric and special characters.

ii. All passwords shall contain a minimum of both alpha and numeric characters and must be enforced at both application and operating system levels.

iii. All User passwords (e.g., e-mail, web, desktop computer, etc.) shall be changed every two (2) months.

iv. Passwords shall not be inserted into e-mail messages or other forms of electronic communication.

v. Temporary passwords shall be required to be changed at 1st logon.

vi. Passwords shall be kept highly confidential.

a) change passwords whenever there is any indication of possible system or password compromise;

b) do not include passwords in any automated log-on process, e.g. stored in a macro or function key;

c) do not share individual User passwords;

d) do not use the same password for business and non-business purposes.

1.8 General Password Construction Guidelines

Passwords are used for various purposes at VRA. Some of the more common uses include: User level accounts, web accounts, e-mail accounts, screen saver protection, voicemail password, etc. Everyone should be aware of how to select strong passwords.

1.8.1 Poor, weak passwords have the following characteristics:

i. The password contains fewer than eight (8) characters.

ii. The password is a word found in a dictionary (English or foreign).

iii. The password is a common usage word such as:

a. Names of family, pets, friends, co-workers, fantasy characters, etc.

b. Computer terms and names, commands, sites, companies, hardware, software.

c. The words "VRA", "accra", "ghana" or any derivation.

d. Birthdays and other personal information such as addresses and phone numbers.

e. Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.

f. Any of the above spelled backwards.

g. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).

1.8.2 Strong passwords have the following characteristics:

a. Contain both upper and lower case characters (e.g., a-z, A-Z).

b. Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./).

c. Are at least fifteen (15) alphanumeric characters long and are a passphrase (Ohmy1stubbedmyt0e).

d. Are not a word in any language, slang, dialect, jargon, etc.

e. Are not based on personal information, names of family, etc.

f. Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Do not use either of these examples as passwords!

1.9 Password Protection Standards

1.9.1 The same password shall not be used for VRA accounts as for other non-VRA access (e.g., personal ISP account, option trading, benefits, etc.). Where possible, don't use the same password for various VRA access needs. For example, select one password for the Social/Private systems and a separate password for IT Official systems.

1.9.2 The VRA passwords shall not be shared with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential VRA information.

1.9.3 Here is a list of "don’ts":

i. Don't reveal a password over the phone to ANYONE

ii. Don't reveal a password in an e-mail message

iii. Don't reveal a password to the boss

iv. Don't talk about a password in front of others

v. Don't hint at the format of a password (e.g., "my family name")

vi. Don't reveal a password on questionnaires or security forms

vii. Don't share a password with family members

viii. Don't reveal a password to co-workers while on vacation

1.9.4 If someone demands a password, they should be referred to the MIS Service Desk in the first instance.

1.9.5 The "Remember Password" feature of applications (e.g., Eudora, Outlook, Netscape Messenger) shall not be used.

1.9.6 Passwords shall not be written down and stored anywhere in your office. Passwords shall not be stored in a file on ANY computer system (including Smart Phones / Tablets) without encryption.

1.9.7 If an account or password is suspected to have been compromised, report immediately to ICT Service Desk and change all passwords as soon as possible.

1.9.8 Password cracking or guessing may be performed on a periodic or random basis by Information Security or its delegates. If a password is guessed or cracked during one of these scans, the User will be required to change it.

1.10 Use of Passwords and Passphrases for Remote Access Users

Access to the VRA Networks via remote access shall be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.

1.11 Passphrases

a. An alternative to using a “password” is to use a “passphrase”. A passphrase is a sequence of words strung together to create a "password".

b. Passphrases are generally used for public/private key authentication. A public/private key system defines a mathematical relationship between the public key that is known by all, and the private key, that is known only to the User. Without the passphrase to "unlock" the private key, the User cannot gain access.

c. Passphrases are not the same as passwords. A passphrase is a longer version of a password and is, therefore, more secure. A passphrase is typically composed of multiple words. Because of this, a passphrase is more secure against "dictionary attacks."

d. A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. Examples of a good passphrase:

1. “Ilove2goFastInMyCar!”

2. "The*?#>*@TrafficOnThe101Was*&#!#ThisMorning"

e. All of the rules above that apply to passwords apply to passphrases.

1.12 Lost Passwords

1.12.1 Employees shall report to the ICT Service Desk whenever they:

i. forget their password or

ii. identify that their password has been tampered with.

1.13 Remote Access

1.13.1 All remote access/third party connections need authorisation, after risk analysis by VRA’s MIS Director. Third Party Connections to VRA’s network shall not be allowed unless authorised by the MIS Director. Authorisation shall be documented by the MIS Director.

Procedures and Guidelines

i. Requesters shall fill authorization Forms which shall be certified by the MIS Director before accessing VRA’s network.

1.13.2 All third party connections are owned by VRA and shall be reviewed and approved in advance as part of the authorisation process.

1.13.3 It is the responsibility of Users (including but not limited to contractors, suppliers, vendors, agents) with remote access privileges to VRA’s network to ensure that their remote access connection is in line with the provisions in this document.

1.13.4 The following policies under Password and Internet/Virtual Private Network Security Policy provide further details on protecting information when accessing the VRA network via remote access methods, and on acceptable use of VRA's network.

1.14 Virtual Private Network (VPN)

VPN is considered a de facto extension of the VRA network. Any machine, personal or otherwise externally owned or operated, that connects to the VRA network through the VPN is subject to the same standards and rules that govern the Authority-owned equipment.

1.15 Acceptable Use Policy

1.15.1 Users shall use only the computers, computer accounts, and computer files for which they have been authorised.

1.15.2 Users shall be individually responsible for appropriate use of all resources assigned to each User, including the computer, the network address or port, software and hardware. Therefore, User(s) shall be accountable to the Authority for all use of such resources.

1.15.3 VRA shall be bound by its contractual and license agreements respecting certain third party resources; User(s) are expected to comply with all such agreements when using such resources.

1.15.4 Users shall not attempt to access restricted portions of the network, an operating system, security software or other administrative applications without appropriate authorization by the MIS Director.

1.15.5 Users shall comply with the policies and guidelines for any specific set of resources to which User(s) have been granted access. When other national ICT policies are more restrictive than this policy, the more restrictive policy takes precedence.

1.15.6 Users shall not use tools that are normally used to assess security or to attack computer systems or networks (e.g., password 'crackers', vulnerability scanners, network sniffers, etc.) on network and/or computing systems, unless they have been specifically authorized to do so by the MIS Director.

1.16 Unacceptable Use Policy

The following shall constitute unacceptable use:

1.16.1 Posting, transmission, re-transmission, or storing material on or through any of VRA's systems or services that is:

a. in violation of any Public Service Code, National Laws and Regulations (including rights protected by copyright or other intellectual property or similar laws or regulations);

b. threatening or abusive;

c. obscene;

d. indecent; or

e. defamatory.

1.16.2 Release of corporate information without the express prior written consent of the Chief Executive or his representative.

1.16.3 Actions that restrict or inhibit others from accessing VRA’s network.

1.16.4 Introduction of malicious programs into the VRA network (e.g., viruses, trojan horses, worms).

1.16.5 Causing or attempting to cause security breaches or disruptions of Internet communications. Examples of security breaches include but are not limited to accessing data of which the User is not an intended recipient, or logging into a server or account that he/she is not expressly authorized to access. Examples of disruptions include but are not limited to port scans, flood pings, packet spoofing and forged routing information.

1.16.6 Accessing file sharing sites or software (e.g. torrents) to download films, music, and videos through the VRA Internet service.

1.16.7 Accessing personal social media sites such as Facebook and Twitter through the VRA Internet service.

1.16.8 Executing any form of network monitoring that will intercept data not intended for the User.

1.16.9 Circumventing User authentication or security of any host, network or account.

1.16.10 Interfering with or denying service to any authorized User (e.g., denial of service attack).

1.16.11 Using any program/script/command, or sending messages of any kind, designed to interfere with, or to disable a User's terminal session.

1.16.12 Sending unsolicited mail messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material.

1.17 Third Party Connections

1.17.1 The MIS Director shall have control over all third party connections as part of the authorization process.

Procedures and Guidelines

i. All third parties intending to connect to VRA ICT infrastructure shall apply to the MIS Director for authorisation.

2. HARDWARE AND SOFTWARE

2.1 ICT Equipment

2.1.1 Only authorised persons shall be allowed to use ICT equipment, both on and off VRA premises.

2.1.2 All Users of ICT equipment shall ensure the protection of equipment in their possession or under their control against accidental, negligent or deliberate damage or theft.

2.1.3 Removal of all ICT equipment (with the exception of laptops) from its original location to another location shall require prior authorisation.

Procedures and Guidelines

i. Users shall inform the MIS Service Desk on the relocation of equipment.

ii. The Service Desk Analyst or the end User fills a Service Request form through the Self Service system for the equipment to be moved.

iii. The completed and approved Relocation Form is submitted to the ICT Technician to carry out the relocation.

iv. The security officer does the necessary checks in consonance with the relocation form requirements and in collaboration with the ICT Technician and logs the serial number of the equipment.

v. The receiving officer signs the relocation form upon receipt of the equipment and returns it to the MIS Service Desk.

vi. The MIS Director shall develop and disseminate standard procedures on usage of ICT equipment to all Users.

2.1.4 The MIS Director shall regularly maintain an updated inventory of all ICT equipment detailing among others their location, allocation, and re-allocation.

2.2 Lost or Stolen ICT Equipment

2.2.1 Users shall report the details of all lost or stolen ICT equipment through the MIS Service Desk, which will then be escalated to the MIS Director.

2.2.2 In addition, users shall also report all lost or stolen ICT equipment to their Head of Department/Unit.

2.3 Maintenance of ICT Equipment (s)

2.3.1 The CS&T Section of the MIS Department shall be responsible for the maintenance of all ICT equipment.

2.3.2 Users shall not place ICT equipment in areas susceptible to water seepage, dust, sunlight, high humidity and temperature, and salinity.

2.3.3 Users shall not take ICT equipment to a third party for repairs or maintenance.

Procedures and Guidelines

i. User shall report faulty equipment to the MIS Service Desk.

ii. Client Service & Training (CST) support staff completes a works order form in triplicate.

iii. CST support staff arranges for the equipment to be delivered to vendor for repairs or maintenance.

iv. The User takes delivery of equipment from ICT/CST support staff after repairs.

2.4 Procurement of ICT equipment

2.4.1 The MIS Director in collaboration with the Head of Procurement shall be responsible for the procurement of all ICT equipment.

Procedures and Guidelines

i. All procurement of ICT equipment shall go through MIS Directorate for recommended specifications.

ii. Equipment procured/acquired without consultation with MIS Directorate shall not be supported on VRA ICT infrastructure.

iii. No procured ICT equipment shall be admitted to the Authority without validation of technical specification by the MIS Directorate.

2.5 Removal of Equipment (Internally/Externally)

2.5.1 Removal of any ICT equipment (other than portable devices assigned to individuals) from its normal place of use must be authorised by the MIS Director and logged in the Equipment Movement Log book by MIS Directorate and by the Service Desk prior to its removal. Details should include equipment specifications, name of User or where the equipment is being moved from and to, why it is being moved and the date of removal and replacement.

2.5.2 Users shall always exercise good judgment to safeguard the equipment. Equipment must never be left unattended in public places.

2.6 Handling of Equipment

2.6.1 Damage to ICT equipment as a result of negligence on the part of Users, as determined by the MIS Director, shall attract appropriate sanctions. These shall include, but not be limited to, refund of cost/charges and other administrative disciplinary actions.

2.7 Portable Devices

2.7.1 The MIS Director shall regulate the use of Portable Digital Devices within VRA network.

Procedures and Guidelines

i. External partners, consultants, etc. shall seek approval from MIS Director before connecting non-VRA portable devices onto the ICT infrastructure.

2.8 Assignment/Distribution of ICT Facilities

2.8.1 The MIS Director or authorized representative shall be solely responsible for the assignment/distribution of ICT facilities.

2.9 Disposal/Replacement of ICT Systems

2.9.1 MIS Director will renew/replace ICT facilities (subject to funding) on at least a three to four year rolling timetable from the time of use/purchase.

2.9.2 MIS Director shall ensure the security processing of equipment prior to their being sent to the Stores for disposal.

Procedures and Guidelines

i. Storage devices are retrieved and back up data taken.

ii. Storage devices shall be wiped or formatted to leave no traces of official documents on system.

2.9.3 The MIS Director shall ensure that data files are deleted prior to redistribution.

2.10 Software Compliance

2.10.1 Users shall not load any unlicensed and unauthorised software onto any ICT equipment.

2.10.2 Users shall seek prior approval from MIS Director to place essential software on the approved list.

Procedures and Guidelines

i. Users shall complete a software request form and submit it to the MIS Director through their Head of Department/Unit for prior approval.

2.10.3 MIS Director shall ensure that access to software download is restricted.

2.10.4 Users shall not allow or encourage the copying of VRA licensed software and/or associated documentation.

2.10.5 Users are prohibited from downloading or accessing offensive and inappropriate materials.

2.10.6 All hardware and software supplied to Users by VRA is the property of VRA and as such may at any time, without prior notice, be subject to audit review.

2.11 Software Licensing and Intellectual Property

2.11.1 Users shall strictly abide by Intellectual Property laws and restrictions detailed by software manufacturer.

2.12 Use of Shareware and Freeware

4.2.1 MIS Director shall approve all shareware and freeware for use on ICT facilities.

Procedures and Guidelines

i. This approval shall be done by updating the approved software list.

2.13 Data Protection Legislation

2.13.1 Users must not disclose or use computerized personal data for any purpose which contravenes national or international legislation. All Users who have the responsibility for managing this data must be aware of their responsibilities under such legislation.

Refer to Data Protection Act 2012, (Act 843)

2.14 Ownership and Responsibilities

2.14.1 MIS Director shall be responsible for all internal servers deployed at VRA and shall ensure that VRA ICT establishes and maintains approved server configuration guides.

3. ELECTRONIC MESSAGING AND COLLABORATION

3.1 Electronic Messaging

3.1.1 All Users shall be given VRA e-mail addresses, which shall be used for all official communications.

Procedures and Guidelines

i. Users shall be provided with e-mail address based on the naming convention [email protected], e.g. Kofi Mensah’s email address will be [email protected]

3.1.2 The e-mail system is VRA's property, and all copies of messages created, sent, received or stored on the system are and remain the property of VRA.

VRA maintains its e-mail system solely for official purposes.

3.2 Unacceptable Use

3.2.1 Sharing of password is strictly prohibited.

3.2.2 The following actions and uses of the e-mail system are explicitly forbidden:

i. Personal use that creates a direct cost for the Authority.

ii. Usage of the system for personal monetary gain or for commercial purposes that are not related to work.

iii. Sending of unsolicited bulk mail messages of a personal nature.

iv. Propagation of chain letters.

v. Advertising of personal items.

vi. Use of private e-mail accounts for official e-mails.

vii. Capturing and "opening" of electronic mail, except by authorised Users to diagnose and correct delivery problems.

viii. Use of electronic mail to harass or intimidate others.

ix. Sending copies of documents in violation of Intellectual Property laws and regulations.

x. Inclusion of the work of others into electronic mail communications in violation of Intellectual Property laws and regulations.

xi. Interfering with others' ability to conduct the Authority’s business.

xii. Use of electronic messaging systems for any purpose restricted or prohibited by Intellectual Property laws or regulations.

xiii. "Spoofing" i.e., constructing an electronic mail communication so it appears to be from someone else.

xiv. "Snooping" i.e., obtaining access to the files or electronic mail of others for the purpose of satisfying idle curiosity, with no substantial business purpose.

xv. Subscribing to mailing lists, discussion groups, a list-server, or other such bulk mailing services, for private purposes.

xvi. Attempting unauthorised access to electronic mail or attempting to breach any security measures on any electronic mail system, or attempting to intercept any electronic mail transmissions without proper authorisation.

xvii. Using a password or code to access a file, or retrieve stored information, unless authorised to do so.

xviii. Frivolous usage of the e-mail system, i.e. to introduce, distribute, propagate or create viruses.

xix. Subscribing to third party mail systems and use of such mail systems from the premises of the VRA, unless directly related to an official need or objective.

xx. Retrieving and reading of any e-mail messages that are not addressed to the User, except where authorised.

3.3 E-Mail Disclaimer

3.3.1 Users may not transmit personal opinions as those of VRA, nor make any statement that may be construed to be a statement from VRA.

3.4 Supported E-Mail Client

3.4.1 The Authority shall only support approved e-mail clients as specified in the approved software list.

3.5 E-mail Addressing

3.5.1 MIS Director shall provide the format for e-mail addresses.

Refer to e-mail addressing convention (3.1).

3.6 Expiration and Deletion of Account

3.6.1 An account shall be considered expired and deactivated immediately under the following conditions:

i. The officer resigns from the service;

ii. The officer retires from the service;

iii. The officer is no longer in a position to perform his/her duties (missing, death, etc.).

3.6.2 An account that does not fall under clause 3.7.1 shall be deemed to have expired if inactive for a period of one (1) year if no intimation otherwise is given to the MIS Director. To reactivate the said User account, approval shall be sought from MIS Director.

3.6.3 Data and information under clause 3.7.1 shall be retained and/or archived based on Data Protection Laws. Subsequently, all formalities will need to be completed all over again for the recreation of the said account with the same ID, subject to availability.

3.6.4 The Director, HR shall inform the MIS Director when either of the above conditions is triggered.

3.6.5 In case information is not sent on time MIS Director shall not be held responsible if the account is misused.

3.7 Reactivation of Designation Account

3.7.1 The user’s department shall inform the MIS Director of the successor to a deactivated account to allow for activation for the new designated officer.

3.8 Attachments to E-Mail Messages

3.8.1 Size of attachments to electronic messaging shall be controlled to avoid clogging the system. The maximum size of an email attachment shall be 10MB.

3.9 Default E-Mail Message Set-Up

3.9.1 An e-mail account shall be created by the MIS Directorate upon request by the Director, Human Resources, as stipulated under clause 6.

3.10 Carbon Copying / Blind Carbon Copying / Forwarding

3.10.1 Carbon Copying (CC) should only be done for individuals who need to have access or knowledge of the content of the message being sent, but are not required to respond or act on the message.

3.10.2 Blind Carbon Copying (BCC) shall be deactivated for e-mails, but in exceptional cases Users would be permitted to use the facility after justification to the MIS Director.

3.10.3 Forwarded messages shall only be sent to authorised persons and shall copy the originator of such messages.

3.11 Size of User Mailbox

3.11.1 Each User e-mail box size shall be restricted to 2 GB.

3.12 Privacy

3.12.1 Users shall not intercept or disclose, or take part in intercepting or disclosing electronic messages. VRA reserves the right to authorize the interception or disclosure of electronic messages.

Procedures and Guidelines

i. Prior authorization shall be sought from the Deputy Chief Executive Finance.

3.13 Data Retention

3.13.1 E-mail messages shall be retained for at least six (6) years as specified by the Electronic Transactions Act, 2008, Act 772 section 8.

3.14 Message Monitoring

3.14.1 The use of the e-mail system shall be subject to monitoring for security and/or network management reasons to support operational, maintenance, auditing, security and investigative activities. Users may also be subject to limitations on their use of such resources.

3.14.2 Users shall structure their communications in recognition of the fact that the content of electronic communications may from time to time be examined.

Procedures and Guidelines

i. The Deputy Chief Executive Finance shall authorize the examination of e-mail messages after being notified by the MIS Director of an exigency.

3.15 Incidental Disclosure

3.15.1 The content of a User’s communication may be reviewed during the course of problem resolution.

4. DOCUMENT MANAGEMENT

4.1 Document Workflow

4.1.1 Director, Projects & System Monitoring shall register all documents and electronically capture them.

Procedures and Guidelines

i. All official documents coming to the Authority shall be received at the registry.

ii. The documents shall be registered and scanned and sent to the Director, Projects & System Monitoring.

iii. Director, Projects & System Monitoring shall ensure the re-distribution of the document to the appropriate Department/Unit.

iv. The Head of Department/Unit shall ensure final delivery of document.

Confidential Documents

i. All Confidential documents shall be registered, scanned and delivered at the addressee’s secretariat.

4.1.2 All personal letters shall be registered and delivered directly to addressee without scanning.

4.2 Electronic Document Creation/Authoring /Collection

4.2.1 VRA shall establish policies to authenticate Users and determine the integrity of each type of electronic record.

4.2.2 All official documents/records shall be created, copied, scanned or generated using the approved standards by NITA in the Inter-operability Framework.

4.3 Document Review and Approval

4.3.1 All official documents/records shall be reviewed and approved in accordance with VRA’s current approval hierarchy.

4.4 Document Release

4.4.1 VRA shall restrict distribution of documents, records, data and resources generated on or reposed on ICT facilities where national security or VRA resources may be placed at risk or where there are issues of sedition, Intellectual Property rights infringements or libel.

Procedures and Guidelines

i. Refer to Information Sensitivity Policy document (Section 8) on how to handle such documents.

ii. Only Users with signed confidentiality agreement who have a business need to know shall receive or distribute these types of documents.

iii. If mobile devices or e-mails must be used for high/medium risk data or business information, then secure encryption software should be used.

iv. Hardcopy or any mode of transmission of “sensitive data or information” shall be labeled as such.

v. Non-email electronic transmission to and from VRA shall be secured.

vi. All confidential information shall be stored on approved storage devices. Sensitive data that are stored on local hard drives, removable media and/or mobile computing devices must be secured.

vii. Only individuals designated with approved access and signed confidentiality agreements, who have a business need to know, shall receive, distribute or have in their possession this type of data, which can be accessed only from a controlled access area.

4.5 Document Storage/Protection/Organization/Use Policy

4.5.1 Users shall preserve the integrity of electronic information at all times.

Procedures and Guidelines

i. All computers and the information they contain shall be effectively protected against unauthorised access.

ii. Portable or laptop computers shall not be left unattended in public places.

iii. When travelling, portable computers shall be carried as hand luggage for security and protection against unnecessary violent handling.

iv. Portable or laptop computers for loan will be kept in the MIS Directorate office when not in use.

v. Hard copy or soft copy information shall not be left unattended in an open office environment as this is vulnerable to unauthorised access, malicious and accidental damage and natural disasters.

vi. Mobile drives, tape cartridges and other magnetic media shall be stored in locked filing cabinets when not in use and after working hours.

vii. Users shall not take computer and network hardware or software home without written authorisation by the MIS Director.

viii. ICT Equipment (i.e. Laptop, PC viewer, PowerPoint Projector) and software will be on loan for work related activities only and will be on booking schedule.

4.6 Principles of Data Protection

4.6.1 Users processing personal data shall abide by the following principles of good data protection practice. The data must be:

i. Fairly and lawfully processed;

ii. Processed for limited purposes;

iii. Adequate, relevant and not excessive;

a. Accurate;

b. Kept according to law but not kept longer than necessary.

iv. Processed in accordance with the data subject's rights;

v. Secure.

4.6.2 The data shall not be transferred without adequate protection as provided in the laws of Ghana;

Refer to Data Protection Act 2012, Act 843.

4.7 Document Expiration/Disposal/Archival

4.7.1 Documents created or reproduced in any manner shall be categorized to conform to the classifications of the Public Records Administration and Archives Department (PRAAD).

Refer to the Electronic Transactions Act 2008, Act 772.

4.8 Cataloguing Policy

4.8.1 For the purposes of proper cataloguing, all information shall be hosted in hard copy formats to ensure quick retrieval to supplement the electronic version of the information when required.

Procedures and Guidelines

i. VRA shall ensure the establishment of a Library for such (hardcopy) documents.

ii. All documents shall be labeled with unique catalogue IDs.

5. SECURITY

5.1 Acceptable Use

5.1.1 All Users who are granted access to VRA ICT facilities or services shall use these facilities and services in an appropriate and responsible manner.

5.1.2 VRA reserves the right to record and monitor activities and limit, restrict, cease, or extend access to ICT facilities.

5.1.3 Dos & Don’ts (Refer to acceptable use under REMOTE ACCESS)

Privileged Usage Access

5.1.4 Privileged access shall be given to selected authorized persons.

5.1.5 Privileged usage access shall be used prudently and appropriately at all times.

5.1.6 Prohibited actions include, but are not limited to:

1. Casual browsing of other Users’ e-mail, directories and the contents of these directories;

2. Performing activities that would lead to an unauthorized level of access.

5.2 Internet Security

5.2.1 All connections to the Internet shall go through a secured connection point to ensure that the network is protected.

Procedures and Guidelines

3. The use of a DMZ, Firewalls and Proxy Servers shall be maintained and upgraded periodically.

5.3 Virtual Private Network (VPN)

5.3.1 VPN shall be controlled among other things to prevent multiple unauthorized connections from one point.

5.3.2 Users shall not be allowed to connect to ICT network through VPN without first ensuring that all the technology is protected by up to date anti-virus software.

5.3.3 All internet sites that may interfere with the smooth flow of internet traffic shall be blocked.

5.4 Anti-Virus and Firewall

5.4.1 Only up-to-date approved Anti-virus software shall be installed on ICT Systems at all times.

Procedures and Guidelines

i. All machines and existing workstations shall have the current antivirus installed.

ii. System Administrator shall ensure that all machines are connected to the domain.

5.4.2 Immediately a virus incident is detected, the User shall alert the MIS Service Desk for resolution.

5.5 Information Sensitivity

5.5.1 MIS Directorate shall implement mechanisms for protecting information at varying sensitivity levels:

a. Low Sensitivity

b. Medium Sensitivity

c. High Sensitivity

5.5.2 Users shall protect the storage of official information on ICT Systems from unauthorized persons.

Procedures and Guidelines

i. Passwords shall be used to sync removable storage devices to only approved official machines.

ii. Highly sensitive data should be stored on encrypted storage devices.

iii. Official information should not be stored on private storage devices.

iv. MIS Directorate shall embark on a data security sensitization for end-Users.

5.6 System Backup and Recovery

5.6.1 Backup of all systems shall be taken on daily, weekly and monthly basis and stored in a safe place.

5.6.2 The copies of the backup shall be stored at a secure location or premises in a different facility, away from the system or the Data Centre.

Procedures and Guidelines

v. MIS Director shall be responsible for the scheduling of daily, weekly and monthly backups.

vi. The System Administrator shall back up all relevant data, and the backup shall be tested periodically as part of document process.

vii. In order to back up database applications, these applications may be shut down before the backup operation.

viii. All backup tapes shall be kept in a fireproof safe at a location away from the Data Centre.

ix. Backup may be handled with the same security precaution as the data itself.

5.7 Business Continuity and Disaster Recovery

5.7.1 The MIS Directorate shall have a Business Continuity and Disaster Recovery Plan to ensure the ability to continue business-critical activities in the event of any disaster.

6. SERVICE DESK

6.1 Service Desk

6.1.1 There shall be an established Service Desk to provide Users with a single point of contact to receive help on various ICT issues. The ICT issues comprise incidents, problems, requests, and change management.

6.1.2 Users must route all calls through the Service Desk. Any call for help outside the Service Desk will not be addressed.

Procedures and Guidelines

i. User calls Service Desk.

ii. Service Desk Officer receives and logs calls to a System Centre application.

iii. Service Desk Officer assigns call to support staff.

iv. Support staff resolves the incident and logs the solution to the System Centre application.

v. Service Desk Officer reports back to User.

vi. If support staff is unable to resolve the incident, it is escalated to the System Administrator.

vii. The System Administrator shall escalate the incident to the appropriate vendor if the incident cannot be resolved in house.

7. TRAINING

7.1 Training Plans

7.1.1 The MIS Director in collaboration with the Director, HR shall develop a Training Plan that will meet the training needs of VRA Users.

7.1.2 The Training Plan shall focus on the following:

i. Provide all Users with on-going technical and User training for the supported applications either locally or overseas.

ii. Provide the opportunity for all employees to improve their job performance and raise productivity in pursuit of continuous success and efficiency.

iii. Develop and maintain specialised refresher e-learning programmes.

7.1.3 All Users shall be ensured equality of access to training and development.

Procedures and Guidelines

i. Appropriate training programmes shall be identified through a thorough needs assessment and communicated to the HR Department of VRA.

ii. Relevant Users, both technical and functional shall be trained whenever a new product is deployed.

iii. Identify specialised e-learning programme tools for Users.

iv. Develop e-manuals to assist Users with the training.

8. POLICY GOVERNANCE

8.1 Policy Implementation

8.1.1 The Deputy Chief Executive Finance shall delegate the MIS Director to be responsible for distributing (communicating) and creating the awareness of the new VRA ICT User Policy to all employees.

8.2 Non-Compliance

8.2.1 MIS with the support of Audit Department shall audit compliance with this Policy periodically and take necessary action to protect the integrity of the system. A User’s access may be suspended or permanently removed based on the results of a compliance audit.

8.3 Enforcement

8.3.1 Users who violate this policy may be subject to disciplinary action, including termination of appointment.

8.4 Policy Review

8.4.1 At established checkpoints (at least once every year, or if deemed necessary), the MIS Director shall meet with members of the ICT User Policy Committee to measure the ICT User Policy performance against expectations.

ICT User Policy Committee

The committee shall comprise the following:

i. MIS Director

ii. Director, Audit

iii. Director, Legal

iv. Director, Human Resources

v. Head of Corporate Communications Unit

vi. Heads of MIS Sections

8.4.2 This review shall include assessing opportunities for improvement and the need for changes to the ICT User Policy.

Procedure and Guidelines

MIS Director is responsible for ensuring minutes of the meeting are taken. The meeting agenda will include the following reports from MIS Director and appropriate IT staff:

i. Results of audits;

ii. User feedback;

iii. Process performance and results of checkpoint reviews;

iv. Status of preventive and corrective actions;

v. Follow-up actions from previous management reviews;

vi. Changes that could affect the ICT User Policy; and

vii. Recommendations for improvement.

8.5 Policy Update

8.5.1 After review of the ICT User Policy, MIS Director shall be responsible for implementing required updates.

9. ADDITIONAL RESOURCES

ACRONYMS

VRA - Volta River Authority
ICT - Information Communication Technology
PSTN - Public Switched Telephone Network
ISDN - Integrated Services Digital Network
VPN - Virtual Private Network
RA - Risk Assessment
eGIF - Electronic Government Interoperability Framework
RTF - Rich Text Format
HTTP - Hyper Text Transmission Protocol
IMAP - Internet Message Access Protocol
HTML - Hyper Text Markup Language
POP3 - Post Office Protocol Version 3
Bcc - Blind Carbon Copy
Cc - Carbon Copy

GLOSSARY

Access control: A system which enables an authority to control access to areas and resources in a given physical facility or computer-based information system. An access control system, within the field of physical security, is generally seen as the second layer in the security of a physical structure.

Antivirus or anti-virus software: An application used to prevent, detect, and remove malware, including but not limited to computer viruses, computer worms, Trojan horses, spyware and adware.

Authorized Persons: Any staff or non-staff members approved by Deputy Chief Executive Finance or his designated representative.

Authentication: see Access Control.

Backup: The process of making copies of data so that these additional copies may be used to restore the original after a data loss event.

Basic access: Refers to either an e-mail service, unified communication service, internet access, or basic productivity applications such as Microsoft Office and Adobe Reader.

Calendaring: Using an application to capture, plan and organize events, which provides the User with an electronic version of the normal or usual hard copy calendar.

Carbon copying: Abbreviated cc or c.c., is the technique of using carbon paper to produce one or more copies simultaneously during the creation of paper documents. With the advent of e-mail, the term has also come to refer to simultaneously sending copies of an electronic message to secondary recipients.

Computer network: A collection of computers and devices interconnected by communications channels that facilitate communications and allow sharing of resources and information among interconnected devices.

Concurrent Versions System (CVS): Concurrent Versions System is a process of sharing, saving and recovering version information for people using code.

Contact Lists: A list of all staff with corresponding E-mail Addresses and Details (Dept., Rank, Room No., Postal Address, Phone/Fax No. etc.)

Contact Sharing: Refers to e-mail Addresses availed for official use.

Database: An organized collection of data for one or more purposes, usually in digital form. The data are typically organized to model relevant aspects of reality (for example, the availability of rooms in hotels), in a way that supports processes requiring this information (for example, finding a hotel with vacancies).

Digital Asset Management: This consists of management tasks and decisions surrounding the ingestion, annotation, cataloguing, storage, retrieval and distribution of digital assets. Digital photographs, animations, videos and music are samples of media asset management

Document: A broadly used term that refers to word-processing files, e-mail messages, spread sheets, database tables, faxes, business forms, images, or any other collection of organized data. Documents are also referred to as 'records.'

Document Imaging: A system for converting paper documents into an electronic or digital format. Techniques such as scanning and Optical Character Recognition etc. are some of the methods that are typically used.

Document Lifecycle: The period of time between when a document is created and when it is destroyed or archived.

Document Management: The process of managing documents and other means of information such as images from creation, review, storage to its dissemination. It also involves the indexing, storage and retrieval of documents in an organized method.

Document Management Systems: A system that enables you to store documents electronically. This facilitates the process of retrieving, sharing, tracking, revising, and distributing documents and the information they contain. A complete Electronic Document Management System (EDMS) provides you with all the software and hardware required to ensure that you maintain control over all your documents, both scanned images and files that were created on a computer, such as spread sheets, word processing documents and graphics. A complete EDMS includes document imaging, OCR, text retrieval, workflow, and Computer Output to Laser Disk capabilities.

Document Retrieval: The process by which you can search and 'retrieve' an archived document from a database. This is done by entering information in a database query screen to locate the file you are after. The Document Management System will then retrieve the document and let you work on it, whilst preventing other people from making changes.

Electronic Mail: A method of exchanging digital messages by telecommunication.

Electronic Messaging: The process of communicating on a computer network.

Equipment: Any device or instrument used to perform an IT service.

Forwarding: Resending of an E-mail message to another E-mail Address.

Service Desk: This is an information and assistance resource that troubleshoots problems with computers or similar products. Corporations often provide Service Desk support to their customers via a toll-free number, website and/or e-mail. There are also in-house Service Desks geared toward providing the same kind of help for employees only. Some schools offer classes in which they perform similar tasks as a Service Desk. In the Information Technology Infrastructure Library, within companies adhering to ISO/IEC 20000 or seeking to implement IT Service Management best practice, a Service Desk may offer a wider range of User-centric services and be part of a larger Service Desk.

Intellectual Property (IP): Any form of original creation that can be bought or sold, from music to machinery. The four main types of IP rights are patents, trademarks, designs and copyright.

Mailbox: A repository in computer memory where e-mails are stored for a single User.

Meeting Scheduling: The process of finding a suitable time for an event such as a meeting, conference, or trip electronically.

Metadata: This is data about data, or information known about the image in order to provide access to the image. Usually includes information about the intellectual content of the image, digital representation data, and security or rights management information.

User: Anyone who is authorised to access VRA ICT facilities.

National Laws and Regulations: Laws and regulations of the Republic of Ghana.

New User: Anybody who has not been defined on or given access to VRA ICT facilities but after following the procedures and guidelines in clause 1.5.1 is granted access.

Paperless Office: A workplace with almost all communication and processes computerised.

Protocol (communications): A formal description of digital message formats and the rules for exchanging those messages in or between computing systems and in telecommunications.

Recordkeeping: A systematic compilation of similar information in an office setting, stored in files/folders for the purpose of office administration.

Scanning: This is a process of using a scanner or other device to create a digital representation or electronic photograph of an image.

Snooping: To have unauthorized access to another person’s computer or data.

Software license (or software licence in commonwealth usage): A legal instrument (usually by way of contract law) governing the usage or redistribution of software. All software is copyright protected, except material in the public domain.

Spoofing: An E-mail message whose sender address appears as though it is coming from a different person or source.

User(s): Anyone who has been given authorized access to VRA ICT facilities.

Willful or gross negligent damage shall include but not be limited to:

• using your access to perform unacceptable actions;


• using other officers' access to access the systems;

• blatant violation of a legal duty with respect to the legal use of the systems;

• failure to exercise reasonable care in accessing the ICT facilities.

Workflow: Refers to the flow of work between people or individuals in an organisation, allowing it to be defined and monitored. In document management terms, workflow is usually used in the context of monitoring the creation, distribution and retrieval of documents.

Workflow Software: Allows institutions to move electronic documents along a User-defined 'routing' path, from one workstation to the next, around a local or wide-area network. Once the document arrives at any given workstation, the receiver can add notations to, or modify, the document as they see fit.

XML (extensible mark-up language): A key digital technology which focuses on data formatting and document processing, enabling active content delivery.