CHAPTER 1. ICT ACCEPTABLE USE POLICY
• 1.1 INTRODUCTION
FCT-IRS provides computer devices, networks, and other electronic information systems to meet its missions, goals, and initiatives, and must manage them responsibly to maintain the confidentiality, integrity, and availability of its information assets. This policy requires the users of information assets to comply with the Organization’s policies and objectives and to protect the Organization against damaging legal issues.
• 1.2 OBJECTIVE
The objective of this policy is to establish guidelines on the acceptable and unacceptable use of electronic devices and network resources belonging to FCT-IRS.
• 1.3 SCOPE
This policy applies to employees, contractors, consultants, temporary staff and other workers at FCT-IRS, including all personnel affiliated with third parties. This policy applies to information assets owned or leased by FCT-IRS, and to devices that connect to the FCT-IRS network or reside at any FCT-IRS site.
• 1.4 POLICY STATEMENT: GENERAL REQUIREMENTS
A user is responsible for exercising good judgment regarding appropriate use of FCT-IRS resources in accordance with FCT-IRS policies, standards, and guidelines. FCT-IRS resources may not be used for any unlawful or prohibited purpose.
For security, compliance, and maintenance purposes, authorized personnel may monitor systems and carry out information security audits. Actively blocking authorized audit scans is prohibited; firewalls and other blocking technologies must permit access from the scan sources.
All FCT-IRS information, both in hard copy and electronic form, shall be classified in accordance with the FCT-IRS information classification scheme and shall be protected by employees and third parties as determined by the assigned classification. Refer to FCT-IRS’s Information Sensitivity Policy.
• 1.4.1 SYSTEM ACCOUNTS
You are responsible for the security of data, accounts, and systems under your control. Keep passwords secure and do not share account or password information with anyone, including other personnel, family, or friends. Providing access to another individual, either deliberately or through failure to secure your access, is a violation of this policy.
You must maintain system-level and user-level passwords in accordance with the Password Policy. All activity performed under a user ID is the responsibility of that user; hence performing activities using another user’s account or a generic account (such as guest or test) is prohibited. User access rights shall be reviewed at least every 90 days to ensure effective access control. Users with privileged access rights must use a separate user ID and password for normal (non-privileged) business use, distinct from those used for privileged access.
You must ensure through legal or technical means that proprietary information remains within the control of FCT-IRS at all times. Conducting FCT-IRS business that results in the storage of proprietary information in personal or non-FCT-IRS-controlled environments, including devices maintained by a third party with whom FCT-IRS does not have a contractual agreement, is prohibited. This specifically prohibits the use of an e-mail account that is not provided by FCT-IRS, or by its customers and partners, for company business.
• 1.4.2 COMPUTING ASSETS
You are responsible for ensuring the protection of assigned FCT-IRS assets, which includes the use of computer cable locks and other security devices. Laptops left at FCT-IRS overnight must be properly secured or placed in a locked drawer or cabinet. Promptly report any theft of FCT-IRS assets to the ICT Section. FCT-IRS information shall not be stored on personally owned systems, nor shall such systems be connected to FCT-IRS’s network. Any third party must sign the FCT-IRS Extranet Policy/Third Party Agreement prior to accessing any system (refer to section 3.1.2 of FCT-IRS’s Extranet Policy). Privileged users shall be authenticated prior to establishing direct remote connectivity to the FCT-IRS internal network.
All PCs, laptops, and workstations must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.
If a virus is suspected on a system, that system should be immediately disconnected from the network and reported to the ICT Department. Users are responsible for ensuring that such systems have been disinfected before they are reconnected to the network. All files downloaded from the internet or received by e-mail should be scanned using the approved antivirus. E-mail attachments from unknown sources should not be opened. A complete system scan shall be run every Friday.
External storage media (flash drives, external hard drives, etc.) that have been outside the control of FCT-IRS shall be scanned before use.
Do not interfere with corporate device management or security system software, including, but not limited to antivirus.
• 1.4.3 NETWORK USE
You are responsible for the security and appropriate use of FCT-IRS network resources under your control. Using FCT-IRS resources for the following is strictly prohibited:
• Causing a security breach to either FCT-IRS or other network resources, including, but not limited to, accessing data, servers, or accounts to which you are not authorized; circumventing user authentication on any device; or sniffing network traffic.
• Causing a disruption of service to either FCT-IRS or other network resources, including, but not limited to, Internet Control Message Protocol floods, packet spoofing, denial of service, heap or buffer overflows, and forged routing information for malicious purposes.
• Introducing honeypots, honeynets, or similar technology on the FCT-IRS network.
• Violating copyright law, including, but not limited to, illegally duplicating or transmitting copyrighted pictures, music, video, and software. See the Copyright Laws of the Federation of Nigeria for additional information on copyright restrictions.
• Use of the Internet or the FCT-IRS network that violates cyber security requirements, FCT-IRS policies, or local laws.
• Intentionally introducing malicious code, including, but not limited to, viruses, worms, Trojan horses, e-mail bombs, spyware, adware, and keyloggers.
• Port scanning or security scanning on a production network unless authorized in advance by Information Security or ICT Department.
• Any suspected system vulnerability shall be reported only to the ICT Department. Users shall not publicize network or system vulnerabilities.
• 1.4.4 ELECTRONIC COMMUNICATIONS
The following are strictly prohibited:
• Inappropriate use of communication vehicles and equipment, including, but not limited to, supporting illegal activities, and procuring or transmitting material that leads to harassment or that violates confidential or proprietary information.
• Sending spam via e-mail, text messages, pages, instant messages, voice mail, or other forms of electronic communication. Caution should be used when opening e-mails and attachments from unknown sources, as these may contain malicious code.
• Forging, misrepresenting, obscuring, suppressing, or replacing a user identity on any electronic communication to mislead the recipient about the sender.
• Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam). The Legal Department should be contacted on receipt of any illegal information for proper guidance on how to handle it.
• Use of an FCT-IRS e-mail or IP address to engage in conduct that violates FCT-IRS policies or guidelines. Posting to a public newsgroup, bulletin board, or listserv from an FCT-IRS e-mail or IP address exposes FCT-IRS to the public; therefore, you must exercise good judgment to avoid misrepresenting or exceeding your authority in representing the opinion of the Service.
• 1.4.5 ORAL COMMUNICATIONS
FCT-IRS staff should be aware of their surroundings when discussing Taxpayer Information and Confidential Information. This includes the use of mobile phones in public areas. FCT-IRS staff should not discuss Taxpayer Information or Confidential Information in public areas where the information can be overheard. Caution should be used when conducting conversations in semi-private rooms, waiting rooms, corridors, elevators, staircases, cafeterias, restaurants, or on public transportation.
• 1.4.6 PASSWORD MANAGEMENT
Passwords must never be shared with another person, unless the person is a designated security manager.
• Every password must, where possible, be changed regularly (between 45 and 90 days, depending on the sensitivity of the information being accessed).
• Passwords must, where possible, have a minimum length of eight characters.
• Passwords must never be saved when prompted by any application, with the exception of central single sign-on (SSO) systems approved by the ISO. This feature should be disabled in all applicable systems.
• Passwords must not be programmed into a PC or recorded anywhere that someone may find and use them.
• When creating a password, do not use words that can be found in dictionaries or words that are easily guessed due to their association with the user (e.g. children’s names, pets’ names, birthdays). A combination of alphanumeric characters is more difficult to guess.
• Passwords shouldn’t be revealed in e-mail messages, and the same password shouldn’t be used for other accounts.
• “Remember password” features in applications shouldn’t be used.
• Passwords, whether in written or electronic form, shouldn’t be stored on any device or anywhere else.
• Any FCT-IRS account or password suspected to be compromised should be reported to the ICT Department.
• 1.4.7 SECURITY EQUIPMENT OFF PREMISE
ICT policies and procedures apply to all systems and information regardless of location. Authorized systems, classified information and media taken outside FCT-IRS premises shall be controlled, secured and protected against theft, destruction or unauthorized disclosure and use, in accordance with the Information Sensitivity Policy.
• 1.5 ENFORCEMENT
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with FCT-IRS.
• 1.6 EXCEPTION
Exceptions from this policy must be approved in advance by the Director of ICT, FCT-IRS.
• 1.7 DEFINITION OF ACRONYMS
• FCT-IRS – Federal Capital Territory Internal Revenue Service
• ICT – Information Communication Technology
• ID- User Identification
• IP- Internet Protocol
• E-mail- Electronic Mail
• ICMP- Internet Control Message Protocol
CHAPTER 2: BUSINESS CONTINUITY POLICY
• 2.1 INTRODUCTION
For FCT-IRS to continue operations when an emergency or disaster occurs, and to restore damaged information assets or business systems and processes after such incidents, a business continuity plan needs to be in place. Such an emergency or disaster can take the form of damage to, interruption of, or failure of FCT-IRS’s business processes, procedures or systems.
• 2.2 OBJECTIVE
The objective of this policy is to define the requirements for ensuring continuity of business operations after a disaster. A business continuity plan is a plan to help ensure that business processes continue after an emergency or disaster. This policy provides the requirements for business continuity.
• 2.3 SCOPE
This policy applies to all FCT-IRS’s Employees and Third Parties with access to FCT-IRS’s information.
• 2.4 RESPONSIBILITY OF BUSINESS CONTINUITY MANAGEMENT
Responsibility for Business Continuity management in FCT-IRS rests mainly with Management. Management shall be responsible for:
• Creating a standard framework for all business continuity plans, which will be communicated to employees
• Overseeing the development of the business continuity plan
• Monitoring regular testing, review and update procedures relating to the business continuity plan
• Analyzing and assessing the business impact and likelihood of threats to business functions and information systems
• Evaluating and recommending strategies for the reduction or transfer of risk
Responsibility for business continuity implementation lies with the Directors of departments. These Directors may delegate the undertaking and implementation of business continuity measures in their areas to an appropriate member of their staff. As a minimum, FCT-IRS expects each unit/area of significant size to have its own fit-for-purpose business continuity plan, and for that plan to be reviewed and updated on a regular basis.
• 2.5 WRITING AND IMPLEMENTING CONTINUITY PLANS
Business Continuity Plans and Disaster Recovery Plans shall restore or maintain business operations in the required time following any interruption of service or disaster. The following should therefore be included in the plan:
• Documentation of all roles, responsibilities and agreements regarding actions during execution of the plans
• Documentation of procedures for restoration of resources including training and education schedule for all affected or involved personnel
• Testing and updating schedule for the plans
• Recovery and after-action reporting process
2.5.1 DISASTER RECOVERY CLASSIFICATION DEFINITION
All systems shall be classified into one of the 3 groups below:
Group 1: critical applications whose operations have a serious financial impact on FCT-IRS. The target for restoring services for this group of applications is 1 hour. Applications in this group must also achieve one successful disaster recovery test every six months.
Group 2: applications which impact the overall operations of FCT-IRS. Applications in this group should be recovered within 1 hour and must achieve one disaster recovery test every year.
Group 3: other applications. Applications in this group can be recovered within 3 weeks.
• 2.6 INCIDENT RESPONSE PROCEDURE OBJECTIVE
Since incident response is a branch of business continuity, it is important to have a detailed incident response procedure.
The objective of this procedure is to define how to deal with security incidents in order to minimize the damage and to restore affected business operations in the shortest possible time. The concerned/assigned staff will deal with security incidents by following this procedure.
• 2.7 INCIDENT RESPONSE PROCEDURE
Typical responder activities in the case of a security incident are explained here:
Inform the person in charge in each department
Whenever there is a security incident, the employee and/or external contractor should immediately inform the responsible person in his or her section/department.
• The responsible person should immediately unplug the network cable and report in writing to the Computer Security Incident Response Team exactly what happened, how it happened, and the time it happened.
Verify the status
• FCT-IRS Computer Security Incident Response Team should critically verify the status of the incident.
Prevent extension of damage
Depending on the incident that occurred:
• if the incident is related to a server or other components, the Incident Response Team should inform the external contractor to solve the problem.
Inform relevant departments
• Computer Security Incident Response Team: should inform all relevant departments, including the system administrator and any third party, if necessary.
• ICT Team: should review and compile all reports from the Computer Security Incident Response Team to help them take further action (e.g. amendment of FCT-IRS’s security-related policies), and report the incidents to management.
Investigate the cause
• Only the Computer Security Incident Response Team should investigate the cause of incidents.
• The Computer Security Incident Response Team should carry out one or more of the following activities:
• On-site inspection
• Isolating the infected devices from the network
• Back-up data and log information
• Collecting the evidence information
• Analyzing the collected information
• Any other activity found necessary to be done
Restore the normal status
• All incidents should be handled with the goal to restore the previous normal status.
Perform required documentation
• All related personnel should document all incidents.
• The Computer Security Incident Response Team/ICT Team should always document the steps followed to solve security incidents.
Draw up and implement preventive plan
• The Computer Security Incident Response Team should draw up and implement a preventive plan.
• The Computer Security Incident Response Team should create the necessary countermeasures to the incident.
Report and maintain a record of incident
• All related Computer Security Incident Response Team personnel should make documented reports of all incidents, solutions, preventive plans and countermeasures.
• 2.8 DEFINITION OF ACRONYMS
• CSIRT – Computer Security Incident Response Team
• FCT-IRS – Federal Capital Territory Internal Revenue Service
CHAPTER 3: VULNERABILITY SCAN POLICY
• 3.1 INTRODUCTION
This policy gives the ICT Department of the FCT-IRS or external Information Security Auditors consent to access FCT-IRS’s network to the extent necessary to perform vulnerability scans. The scans will be used to inspect potential points of exploitation in order to identify security weaknesses (security holes) in FCT-IRS’s computers, network, and communication equipment.
• 3.2 OBJECTIVE
The purpose of this policy is to allow either FCT-IRS’s ICT Department or external Information Security Auditors to scan devices attached to FCT-IRS’s network for vulnerabilities. This is to enable FCT-IRS to make informed decisions on the countermeasures to put in place in order to ensure the CIA of FCT-IRS’s information.
• 3.3 POLICY STATEMENT
The ICT Department of the FCT-IRS shall provide protocols, addressing information, necessary documents/documentation and network connections sufficient for the external Information Security Auditors to carry out the necessary vulnerability scan. Access may include, but is not limited to:
• User level or system level access to any computing or communications device
• Access to documents/documentation, either electronic or hard copy, of the measures put in place to secure FCT-IRS’s information which is stored in or transmitted through FCT-IRS’s equipment, either in or outside FCT-IRS’s premises.
• Access to work areas within the building
• Access to monitor and log traffic on FCT-IRS network.
• 3.3.1 NETWORK CONTROL
Since FCT-IRS will be connected to other organizations’ networks, those organizations are required to approve vulnerability scanning in writing if scanning is to occur outside FCT-IRS’s LAN. By signing this agreement, all parties acknowledge that they authorize the FCT-IRS ICT Department or FCT-IRS’s External Information Security Auditors to carry out the scan using the access privileges given to them, or to request any other privilege necessary to carry out the scan, on the dates and times specified.
• 3.3.2 SERVICE DEGRADATION OR INTERRUPTION
Network performance or availability may be affected by the vulnerability scan. FCT-IRS releases its ICT Department and External Information Security Auditors from all liability for damages that may arise from network availability restrictions caused by the network vulnerability scan, unless such damages result from the ICT Department’s or External Information Security Auditor’s negligence or intentional misconduct.
• 3.4 DEFINITION OF ACRONYMS
• FCT-IRS – Federal Capital Territory Internal Revenue Service
• ICT – Information Communication Technology
• CIA- Confidentiality Integrity and Availability
• LAN- Local Area Network
CHAPTER 4: ANTIVIRUS GUIDELINES
• 4.1 INTRODUCTION
FCT-IRS’s information assets aid staff in running FCT-IRS’s business effectively. Computer viruses pose considerable risks to computers. They can cause affected computers to run ineffectively, cause loss of information and cause information to become corrupted, which in turn adversely affects the productivity of the Service. Hence the need for a policy to minimize the risk of virus infection.
• 4.2 OBJECTIVE
The objective of this Policy is to give the users of FCT-IRS computers guidance on the use of anti-virus software to ensure that all computers are virus-free, and on what to do in the case of a virus infection.
• 4.3 ANTI-VIRUS POLICY STATEMENT
It is the policy of FCT-IRS to ensure that:
• All staff are aware of their responsibilities in relation to safeguarding the confidentiality, integrity, and availability of information and software within the organization.
• Instructions are provided on the prevention of virus infection and steps to be taken when a virus is found.
• Breaches of this policy shall be regarded as serious misconduct which could lead to disciplinary action in accordance with FCT-IRS’s Disciplinary Policy.
• Every individual defined within the scope of this document is responsible for the implementation of this policy whilst operating any personal computer resources to access any of the organization’s systems.
• 4.4 SCOPE
This policy applies to:
• All employees whilst using FCT-IRS’s equipment and accessing FCT-IRS’ Network at any location, on any computer or Internet connection.
• Other persons working for FCT-IRS, persons engaged on FCT-IRS business, or persons using the equipment and networks of FCT-IRS.
• Anyone granted access to the network.
• 4.4.1 DEFINITIONS
• For the scope of this policy, a virus is defined as self-replicating software which may cause damage to the operating system of the computer, the storage devices, and any data and/or software stored on them.
• For the scope of this policy, software is defined as a computer program that is designed to carry out specific functions.
• For the scope of this policy, a personal computer is defined as any of the following: desktop computers, laptop computers, hand-held computers, phones and tablets.
• 4.5 USE OF E-MAIL AND THE INTERNET
E-mail is one of the main ways in which computer viruses are spread. This is due to the ease with which information can be distributed globally. Viruses can be hidden in e-mail attachments or in material downloaded from the internet. To help protect against viruses being spread over the network, the following should be applied:
• NEVER open files or attachments to an e-mail from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then permanently delete them by emptying your Trash.
• If you know the sender but you are suspicious in any way then contact the sender by phone, to confirm if he/she sent the e-mail.
• If you believe you have received an e-mail virus or have received an alert from your PC to this effect, then please contact the ICT Department.
• Do not download non-business software, screen savers, or any games from any source other than software supplied by the ICT Department.
• Do not act on any e-mails that claim to have been sent to fix a problem with your machine (e.g. e-mails purporting to be from Microsoft). Reputable vendors do not distribute software patches in this way.
• If you have any suspicion regarding a received e-mail, do not open it, but contact the ICT Department immediately.
• Delete spam, chain, and other junk email without forwarding, in accordance with the FCT- IRS’s Acceptable Use Policy.
• Always scan a flash drive from an unknown source for viruses before using it.
• 4.6 ANTI-VIRUS CONTROLS
• 4.6.1 REQUIREMENTS
• Anti-Virus software must only be installed and configured by FCT-IRS ICT Department. Users must not disable or interfere with anti-virus software installed on any computer.
• No computer may be connected to the network without adequate protection, i.e. up-to-date anti-virus software installed and active.
• Users must not change or delete any anti-virus software that is installed on the FCT-IRS Computer.
4.6.2 SOFTWARE CONTROLS
• No software programs or executable files should be downloaded from the Internet and installed onto an FCT-IRS computer without the consent of FCT-IRS’s ICT Department. Unauthorized downloading of software may breach copyright licences and could introduce a computer virus to the system.
• The unauthorized copying of software is a criminal offence under the Copyright Laws of the Federation of Nigeria.
• 4.7 AVOIDING VIRUS INFECTION
To avoid being infected by a virus:
• Avoid transferring information between computers via unscanned USB memory sticks, and do not introduce such media from home onto FCT-IRS’s computers without scanning them.
• Do not start up an FCT-IRS computer with a CD in the disk drive unless instructed to by FCT-IRS’s ICT Department.
• Regular backups should be made and stored on external hard drives provided by FCT-IRS, to ensure easy recovery of data in case of any incident.
• All email attachments are checked for viruses as part of the automated process.
• 4.8 WHAT TO DO IF A VIRUS IS FOUND OR SUSPECTED
• 4.8.1 RESPONSIBILITY OF THE USER:
• Contact the FCT-IRS’s ICT Department immediately.
• Do not use the Computer until re-use has been approved by the ICT Department.
• 4.8.2 THE RESPONSIBILITY OF THE ICT DEPARTMENT IS TO:
• Check the infected Computer
• Check any media that have been used with the infected Computer
• Check any other Computer that the media has been used with
• Delete or clean any infected files
• Inform the Information Security Officer of any viruses detected
• 4.9 DEFINITION OF ACRONYMS
• FCT-IRS – Federal Capital Territory Internal Revenue Service
• ICT – Information Communication Technology
• The Service – Federal Capital Territory Internal Revenue Service
CHAPTER 5: EMAIL USE POLICY
• 5.1 INTRODUCTION
Electronic mail is a primary tool for communication and information dissemination both within and outside an organization. Misuse of e-mail can pose many legal, privacy and security risks, so it is important for users to understand the appropriate use of electronic mail communications.
• 5.2 OBJECTIVE
The objective of this email policy is to guide users on how to ensure the proper use of FCT-IRS email system and make users aware of what FCT-IRS deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within FCT-IRS Network.
• 5.3 SCOPE
This policy covers the appropriate use of any e-mail sent from or to an FCT-IRS e-mail address and applies to all employees, vendors, and agents operating on behalf of FCT-IRS.
• 5.4 POLICY
• All use of email must be consistent with FCT-IRS policies.
• FCT-IRS email account should be used primarily for FCT-IRS business-related purposes; personal communication is permitted on a limited basis, but non FCT-IRS related commercial uses are prohibited.
• All FCT-IRS data contained within an e-mail message or an attachment must be secured according to the Data Protection Standard (see the Encryption Policy).
• E-mail should be retained only if it qualifies as an FCT-IRS business record. An e-mail is an FCT-IRS business record if there exists a legitimate and ongoing business reason to preserve the information contained in it.
• Mail that is identified as an FCT-IRS business record shall be retained according to FCT-IRS email Retention policy.
• The FCT-IRS e-mail system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any e-mails with this content from any FCT-IRS employee should report the matter to their supervisor immediately.
• Users are prohibited from automatically forwarding FCT-IRS email to a third-party email system (noted in the next bullet below). Individual messages which are forwarded by the user must not contain FCT-IRS confidential or above information.
• Users are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct FCT-IRS business, to create or memorialize any binding transactions, or to store or retain email on behalf of FCT-IRS. Such communications and transactions should be conducted through proper channels using FCT-IRS approved documentation.
• Using a reasonable amount of FCT-IRS resources for personal emails is acceptable, but non-work-related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from FCT-IRS email account is prohibited.
• Users shall have no expectation of privacy in anything they store, send or receive on FCT-IRS’s e-mail system.
• FCT-IRS may monitor messages without prior notice. FCT-IRS is not obliged to monitor e-mail messages.
• 5.5 POLICY COMPLIANCE
5.5.1 COMPLIANCE MEASUREMENT
The Information Security team will verify compliance to this policy through various methods, including but not limited to business tool reports, internal and external audits, and feedback to the policy owner.
5.5.2 EXCEPTIONS
Any exception to the policy must be approved by the Director ICT in advance.
5.5.3 NON-COMPLIANCE
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
CHAPTER 6: EXTRANET POLICY
• 6.1 INTRODUCTION
This policy covers connectivity, access to information, and data exchange between FCT-IRS and third parties.
• 6.2 OBJECTIVE
The objective of this policy is to lay down guidelines under which third-party organizations connect to FCT-IRS networks for the purpose of exchanging data/information and transacting business related to FCT-IRS.
• 6.3 POLICY
6.3.1 PRE-REQUISITES
A committee comprising the user departments, ICT, Legal, Account and Finance, Tax and a representative of the Executive Chairman should be set up to develop the business case and justification for the connectivity. Areas such as risk assessment, cost-benefit analysis, agreement and termination will be evaluated and a recommendation made for final approval by the Executive Chairman.
6.3.2 RISK ASSESSMENT
FCT-IRS’s data exposure to risk must be evaluated and countermeasures recommended by the ICT department. The confidentiality, integrity and availability of FCT-IRS’s information must be ensured, hence the need to protect information from leakage.
The vulnerability of FCT-IRS’s network arising from its connection to third parties must be reviewed in order to protect the network from intrusion and other attacks.
6.3.3 THIRD PARTY CONNECTION AGREEMENT
All new connection requests between FCT-IRS and third parties require that the third party and FCT-IRS representatives agree and sign the Third-Party Agreement, detailing the business case and justification for the connectivity, the risks, the process for connectivity termination and change requests on connectivity and data exchange, a network topology diagram, and binding penalty and enforcement provisions. This agreement must be signed by the Executive Chairman of FCT-IRS as well as the Executive Chairman or Head of the third-party organization, as the case may be.
6.3.4 BUSINESS CASE
All extranet connections must be accompanied by an approved, written business justification. Typically, this is handled as part of the Third-Party Agreement or Service Level Agreement (SLA).
6.3.5 POINT OF CONTACT (POC)
The sponsoring section of FCT-IRS must designate a person to be the Point of Contact (POC) for the Extranet connection. The POC acts on behalf of the sponsoring section of FCT-IRS and is responsible for those portions of this policy and the Third-Party Agreement that pertain to it. In the event that the POC changes, the relevant section must be informed promptly.
6.3.6 ESTABLISHING CONNECTIVITY
A sponsoring department within FCT-IRS that wishes to establish connectivity to a third party is to file a new site request with the extranet group. The extranet group will engage the Information Security group to address the security issues inherent in the project. The sponsoring department must provide full and complete information as to the nature of the proposed access to the extranet group and the Information Security group, as requested.
All connectivity established must be based on the least-access principle, in accordance with the approved business requirements and the security review. In no case will FCT-IRS rely upon the third party to protect FCT-IRS’s network or resources, except where those services are hosted in the cloud (not on premises).
6.3.7 MODIFYING OR CHANGING CONNECTIVITY AND ACCESS
All changes in access must be accompanied by a valid business justification and are subject to security review. Changes are to be implemented via corporate change management process. The Sponsoring department is responsible for notifying the extranet management group and/or Information Security group when there is a material change in their originally provided information so that security and connectivity evolve accordingly.
6.3.8 TERMINATING ACCESS
When access is no longer required, the sponsoring department within FCT-IRS must notify the extranet team responsible for that connectivity, which will then terminate the access. This may mean anything from a modification of existing permissions up to terminating the circuit, as appropriate. The extranet and security teams must audit their respective connections annually to ensure that all existing connections are still needed and that the access provided meets the needs of the connection. Connections that are no longer being used to conduct FCT-IRS business will be terminated immediately. Should a security incident, or a finding that a circuit is no longer being used to conduct FCT-IRS business, necessitate a modification of existing permissions or termination of connectivity, the Information Security group and/or the extranet team will notify the POC or the sponsoring department of the change.
CHAPTER 7: SECURE DISPOSAL POLICY
• 7.1 INTRODUCTION
This policy spells out how both FCT-IRS electronic media and paper documents should be disposed of to avoid information leakage.
• 7.2 OBJECTIVE
The objective of this policy is to ensure that all FCT-IRS information is securely disposed of, to prevent it from being accessed by unauthorized parties and to reduce environmental pollution.
• 7.3 POLICY STATEMENT
Electronic media that have exceeded their useful life must be approved for destruction via a signed memo. Media devices approved for physical destruction should be hammered with a mallet, ensuring significant damage to the enclosed disc.
7.3.1 PAPER MATERIALS
• All printed media are to be shredded using the shredders provided by FCT-IRS.
• This includes all paper and notebooks as well as written notes containing sensitive information. See FCT-IRS’s Information Sensitivity Policy.
7.3.2 HARDWARE
• When equipment or an ICT accessory is being donated, recycled or disposed of, the ICT Department or any other custodian of the equipment or accessory is to ensure that all data is securely wiped (several times) and, in the case of a system, that it is restored to factory default before the hardware is removed.
• Empty printer toner and ink cartridges should be hammered and destroyed by a designated storekeeper on retrieval, before disposal, to prevent them from being reused to produce counterfeit toners and inks; alternatively they should be returned to HP for proper recycling.
• Hardware that is obsolete or damaged, such as computers and damaged batteries, should be returned to the manufacturer (for example HP or Intel) for proper disposal, to protect the environment from pollution.
• The item of hardware should be removed from the asset register where appropriate or marked as decommissioned within the asset register.
• The following table acts as a guideline for the disposal of certain devices. The disposal methods are defined as:
• Software wipe: secure wipe program in accordance with industry-accepted standards
• Degaussed: process of decreasing or eliminating a remnant magnetic field
• Physically destroyed: device physically crushed
Classification | Device | Disposal Method
Hardware | Computers; Printers; Servers; Toner and ink cartridges; Batteries; Flash, disc and hard drives | Software wiped; Degaussed; Physically destroyed or returned to the manufacturer
Software | Software, programs and data on computers and other electronic media | Software wiped; Degaussed
Paper | Documents | Shred
CHAPTER 8: CLEAN DESK CLEAR SCREEN POLICY
• 8.1 INTRODUCTION
To improve the security and confidentiality of information, all staff should adopt a clear desk policy for papers and removable storage media and a clear screen policy for all computers. This is to reduce the risk of unauthorized access, loss, and modification to information and information systems during and outside normal working hours or when work areas are unattended.
• 8.2 OBJECTIVE
The objective of this policy is to set rules on how to ensure the security and confidentiality of all information belonging to FCT-IRS.
• 8.3 CLEAR DESK GUIDELINES
This policy applies to printed documents and all removable storage media. All permanent, temporary, contracted staff or National Youth Service Corps (NYSC) employed by FCT-IRS are required to adhere to the following rules:
8.3.1 WORK ENVIRONMENT
• Maintain a neat work environment during and after business hours. Ensure unnecessary materials are removed from the desk.
• Take time to clear accumulated paperwork at regular intervals e.g. once a week.
• Avoid cluttering the work area with handwritten notes and post-it notes displaying sensitive information.
• Do not write down confidential information such as passwords, user IDs or account information.
• Before leaving a meeting room, all evidence of meetings should be removed from view (computer screens, meeting notes etc.).
• Although in-trays are allowed on desks, ensure that no confidential information is left in in-trays outside office hours.
• The reception desk can be particularly vulnerable to visitors. This area should always be kept as clear as possible; customer, supplier or project details should not be kept on the desk within reach or sight of visitors.
• Information left on desks is also more likely to be damaged or destroyed in a disaster such as fire, flood or explosion, so ensure that all printed information is always stored in secure cabinets or drawers.
8.3.2 HANDLING AND PRINTING
• All documents obtained from other departments should be promptly returned when no longer needed.
• Print on both sides of the paper to reduce waste, where possible.
• Confidential, Restricted or Internal information, when printed, should be cleared from printers immediately.
• All photocopiers and printers should be cleared of papers as soon as they are copied or printed; this ensures that sensitive documents are not left in the device trays for the wrong person to pick up.
• Outside working hours, photocopiers should be switched off and locked (where possible). This makes it difficult for unauthorized copying of sensitive information to occur.
8.3.3 STORAGE
• All FCT-IRS branded papers, including letterheads, and computer media should be stored in suitable locked safes, cabinets or other forms of security furniture when not in use, especially outside working hours (where practicable).
• Where safes, lockable filing cabinets/drawers/cupboards are not available, office / room doors must be locked if left unattended.
• At the close of each day, or when away from work area for an extended period, all sensitive information and objects should be removed from the desk area and locked up.
• All FCT-IRS information and tax-payer information printed or in portable storage media should be secured in a fire-resistant cabinet. Papers may be scanned and filed in electronic format with adequate backup available.
• Lock away portable computing devices such as laptops.
• 8.4 CLEAR SCREEN GUIDELINES
The following rules are to be followed for clear screens:
• Computers and computer terminals should be password protected and should be locked or switched off when unattended.
• Computer screens should be angled away from the view of unauthorized persons.
• The screen is set to automatically lock when there is no activity for a period of five (5) minutes.
• Following a screen lock, login credentials of the user will be required to unlock the system.
• Users should log off their machines when they leave the room or the office particularly at the close of business every day.
• Personal Computers should be switched off at the end of the day.
CHAPTER 9: EXCHANGE OF INFORMATION POLICY
• 9.1 INTRODUCTION
This policy sets out the process to be followed in all the FCT-IRS communications both within the country and outside. These include electronic media handling, post, telephone, fax communications, electronic communications and hand delivery. FCT-IRS needs to maintain an efficient communications policy so that relevant information is processed and stored. This policy must be followed by all staff.
• 9.2 OBJECTIVE
The objective of this policy is to set rules on how information (e.g. post, telephone calls, etc.) should be exchanged to ensure the confidentiality, integrity and availability of FCT-IRS information.
• 9.3 DETAIL
9.3.1 INCOMING POST
All incoming post addressed to FCT-IRS should be received at the front desk of the FCT-IRS Admin Unit at each FCT-IRS office location. Mail is sorted and dispatched to the appropriate FCT-IRS location or department. Mail should be acknowledged, date stamped and passed unopened to the relevant departmental member of staff or unit. Officers responsible for receiving mail should not open it. Post marked for the attention of an individual should be passed directly to the relevant member of staff unopened. This also applies to any post marked as ‘Private’ and/or ‘Confidential’.
• In the absence of the Receptionist, a designated member of staff should be delegated to deal with incoming post.
• Particular attention should be paid to urgent and important communications.
9.3.2 OUTGOING POST
All outgoing official correspondence should be written in correct English, free from errors and neatly typed on FCT-IRS letterhead paper.
• Any Private and/or Confidential correspondence should be clearly marked as such.
• Important letters should be copied to relevant staff members for their information.
• Large mail-outs (e.g. taxpayer letter dispatches) requiring mail sacks must be kept in the collation area until they are to be moved to the post area for collection.
9.3.3 TELEPHONE MESSAGES
• In all cases, take down the name of the caller, his/her telephone number, company name (if relevant) and a clear and understandable message. Telephone numbers should be repeated to the caller for confirmation of correctness. The message should then be passed on to the relevant person via email immediately.
• Any important messages should be immediately communicated to the relevant member of staff via phone or in person.
• All messages should be dealt with and responded to on the same day.
9.3.4 FILES
Files should be kept neat and in date order. Duplicate copies of letters or documents should not be placed in files as these will make the file unnecessarily bulky.
• Filing must not be delayed (accumulated) and all items must be filed in the correct file at the end of the day.
• From time to time files need to be “pruned”. Older materials which are no longer necessary should be moved to the Archives every 6/12 months.
9.3.5 ELECTRONIC MEDIA
• When electronic media is to be sent via the postal service all confidential documents contained on the media (be it CD/DVD or a Pen Drive) must be password protected.
• When sent via the postal service, the above “Postal Service” process is followed.
• Public electronic media is sent through normal postal channels.
• All electronic media should be adequately protected to ensure that it is not damaged during transportation.
9.3.6 HAND DELIVERY
• When media is in electronic format all documents shall be checked for virus/malware prior to delivery.
• All media will be securely handled as per the Mobile Equipment Policy. This includes hard copy media.
Media will only be exchanged in a secure manner. This means in the client’s premises / office, a signature should be required for the receipt of any information delivered in this manner.
CHAPTER 10: PHYSICAL SECURITY POLICY
• 10.1 INTRODUCTION
This policy sets out the rules for ensuring the security of the FCT-IRS office buildings. It sets rules on how employees, corps members, casual staff, cleaners and visitors should access the office and the measures put in place to control access to the physical building.
• 10.2 OBJECTIVE
The objective of this policy is to set rules on how to ensure the physical security of the FCT-IRS office buildings.
• 10.3 DETAIL
10.3.1 PHYSICAL ACCESS
• Security Personnel are onsite 24/7
• Security Personnel are located at the gate and on reception desks and roam the premises;
• ID badges are plastic and are worn in a visible manner. The ID card has the staff passport-sized picture, first and last name, HR-assigned unique staff number, and the FCT-IRS name and logo on the front; on the back are the office address and an authorized FCT-IRS signature;
• All employees must wear their ID badge at all times
• CCTV is located externally and internally in general office areas
• The retention time for CCTV is a minimum of 3 months
• The retention time for visitor’s log is a minimum of 3 months
• All Facilities are kept secure at all times in order to prevent unauthorized access
10.3.2 SECURE AREAS
Secure areas have been identified as the Server Room, all staff working areas and the offices of all Directors and the Chairman. The following applies to these areas:
• Only designated staff have access to these areas
• All other staff and visitors/contractors must always be accompanied into the secured areas (server room) if they are granted access to the secure areas
• All persons entering secure areas must sign the book at reception upon entry and exit and clearly state the office they will visit
10.3.3 VISITOR ACCESS
Visitor access is managed by Security;
• All visitors must sign in before gaining entrance into the building
Further detail on how visitors are managed is detailed within the Visitor Policy.
10.3.4 COMPUTER EQUIPMENT
Adequate Physical security measures are taken to protect computer systems and information from theft, damage and misuse;
• Avoid eating or drinking near equipment
• Lock equipment away when not in use
• Make sure all mobile PCs, mobile phones and other movable equipment are protected from loss or theft
• Never leave equipment in public places, hotel rooms, in cars, or on luggage racks
• Where possible use blinds or screens to stop outsiders from seeing in
10.3.5 FILING CABINETS
All confidential information is stored in the appropriate storage cabinet;
• Storage cabinets are kept locked;
• The keys to filing cabinets and desks are stored securely.
10.3.6 OFFICE KEYS
Office keys are not loaned to external parties;
• If an FCT-IRS key is issued to an employee, it must be signed for and returned when the employee ceases to be employed by the Service. Employees are not permitted to have a copy of the key cut. Employees may not loan the key to anyone who is not a fellow employee and may only loan the key to a fellow employee on the authority of the Director Human Resource;
• Keys are properly labelled and do not have the office address attached to them;
• The fire escape door is always kept clear
• The fire-escape door can only be opened internally, external access is not possible.
CHAPTER 11: ACCESS CONTROL POLICY
• 11.1 INTRODUCTION
To ensure accountability, each user will be assigned a unique user identity (ID). This ID will be used by the user at logon, and all actions carried out by the user will be recorded against this ID.
The account will be revoked by the ICT Department when it is no longer required.
• 11.2 OBJECTIVE
The objective of this policy is to put in place guidelines on how to control access to FCT-IRS information assets to prevent unauthorized access, compromise or theft of information or information processing facilities.
• 11.3 DETAIL OF THE POLICY
Access to system software shall be controlled and monitored. These technical security measures will be supplemented with procedural measures and all users are required to comply.
It is necessary to ensure that all staff understand the seriousness of accessing parts of any system to which they have not been given access rights. Notice is hereby given that FCT-IRS shall prosecute those who set out deliberately to try to extend their legitimate scope of access for unauthorized purposes.
11.3.1 ACCESS CONTROL RULES
Access to FCT-IRS (Taxpayer) data by default is denied. The one exception to this is access to the FCT-IRS public/shared data which was referred to in the FCT-IRS Information Sensitivity Policy. Permissions for everyone are restricted to read or write access based on the role assigned. Access will be given to users according to their job description.
11.3.2 SEGREGATION OF DUTIES
This ensures that an individual does not have control over all phases of a transaction. The rights and authorizations given to each member of staff should align with their approved job role.
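As an added illustration, not text or code from the FCT-IRS policy, the default-deny rule of 11.3.1 and the segregation-of-duties rule of 11.3.2 can be expressed as a small authorization service: every (role, classification) pair absent from the grant table is denied, public/shared data is the one exception, each decision is logged against the user's unique ID as 11.1 requires, and a user who has completed one phase of a transaction is refused the next phase even when the role would otherwise permit it. Role names, classification labels, user IDs, transaction IDs and phase names are constructed for the example.

```python
"""Default-deny authorization with an audit trail and segregation of duties.

Added example, not part of the FCT-IRS policy document or any FCT-IRS system.
It models section 11.3.1 (access to taxpayer data is denied unless the role
holds an explicit read or write grant; public/shared data is the only
exception), records every decision against the user's unique ID as section
11.1 requires, and applies section 11.3.2 by refusing to let one user carry
out more than one phase of a single transaction. Role names, classification
labels, user IDs, transaction IDs and phase names are all constructed.
"""
from collections import defaultdict

PUBLIC = "public"  # assumed label for the public/shared classification

# Explicit grants: (role, classification) -> permitted actions.
# Every combination that is not listed is denied (constructed values).
GRANTS = {
    ("tax_officer", "internal"): frozenset({"read", "write"}),
    ("tax_officer", "confidential"): frozenset({"read"}),
    ("auditor", "internal"): frozenset({"read"}),
    ("auditor", "confidential"): frozenset({"read"}),
}


def is_allowed(role, classification, action, grants=GRANTS):
    """Default deny: True only for public reads or an explicit grant."""
    if classification == PUBLIC and action == "read":
        return True
    return action in grants.get((role, classification), frozenset())


class AuthorizationService:
    def __init__(self, grants=GRANTS):
        self.grants = grants
        self.audit = []                    # one entry per decision, keyed to user ID
        self._phases = defaultdict(dict)   # transaction ID -> {phase: user ID}

    def _record(self, user_id, role, target, action, allowed, reason):
        self.audit.append({"user": user_id, "role": role, "target": target,
                           "action": action, "allowed": allowed, "reason": reason})

    def authorize(self, user_id, role, classification, action):
        """Check the grant table and log the outcome against the user ID."""
        allowed = is_allowed(role, classification, action, self.grants)
        self._record(user_id, role, classification, action, allowed, "grant table")
        return allowed

    def perform_phase(self, txn_id, phase, user_id, role, classification="internal"):
        """Segregation of duties: a user who already completed one phase of a
        transaction may not perform another, even with write access."""
        done = self._phases[txn_id]
        if user_id in done.values():
            self._record(user_id, role, f"{txn_id}/{phase}", "write", False,
                         "segregation of duties")
            return False
        if not self.authorize(user_id, role, classification, "write"):
            return False
        done[phase] = user_id
        return True


if __name__ == "__main__":
    svc = AuthorizationService()
    print(svc.perform_phase("ASSESS-001", "raise", "u100", "tax_officer"))    # True
    print(svc.perform_phase("ASSESS-001", "approve", "u100", "tax_officer"))  # False
    print(svc.perform_phase("ASSESS-001", "approve", "u200", "tax_officer"))  # True
    for entry in svc.audit:
        print(entry)
```

The grant table is the only place where access is opened up; an unknown role, an unknown classification or a misspelled action all fall through to a denial rather than to an accidental allow, and the audit list gives the per-user record that 11.1 calls for.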
11.3.3 PHYSICAL ACCESS CONTROL
Servers are secured within the server room. The server room is secured with access restricted to relevant personnel only. All personnel or third parties needing access to the server room are required to sign the register upon entry to and exit from the server room under the supervision of the custodian.
11.3.4 USER ACCESS MANAGEMENT
Access control to information systems and services covers all stages in the lifecycle of user access: from registration of new users to de-registration of users who no longer need access. Where possible, user policies are enforced by the operating system and group policy.
11.3.5 USER AUTHENTICATION
When users log on to the FCT-IRS web portal, they are authenticated by means of the username and password supplied to them by the Administrator.
11.3.6 USER REGISTRATION- ACCOUNT AND ACCESS MANAGEMENT
Users are assigned only the access privileges required for their job function.
System administration accounts are only to be used as needed. As much as possible, all Technology staff are to use their own unique logon credentials when carrying out their normal responsibilities.
If additional administration accounts are required, approval must first be sought.
The creation of user accounts is authorized and approved through Director ICT.
Likewise, when a user leaves, the user’s access to all applications is removed. The instruction to revoke the user’s access rights is approved by the Director Human Resource and the Director ICT. The user is checked against the list of applications so that access rights to each individual system are removed. The user account will be disabled or deleted when the user leaves FCT-IRS or when the rights are no longer required.
11.3.7 VENDOR AND THIRD-PARTY ACCESS TO FCT-IRS SYSTEMS
a) Vendor access to FCT-IRS Information Resources is granted solely for the work contracted and for no other purposes.
b) Vendors must comply with all applicable FCT-IRS policies, practice standards and agreements.
c) Each vendor granted access to any Information System must sign the FCT-IRS Service Level Agreement Form which stipulates that each individual:
• Has read and understands the security policies
• Understands the responsibility to comply
• Understands the consequences of an infraction.
d) Vendor access must be uniquely identifiable and must comply with the FCT-IRS Password Policy, Access Control Policy, Remote Access Policy, Acceptable Use Policy and other applicable policies.
e) Upon termination of contract, or at the request of FCT-IRS, the vendor must surrender all access cards, badges, and equipment immediately. Equipment and/or supplies to be retained by the vendor must be documented by authorized FCT-IRS management.
11.3.8 INACTIVITY TIME OUT AND RESTRICTED CONNECTION TIMES
After 5 minutes of inactivity, password-protected screen savers shall come into force. Only the logged-on user or an Administrator will be able to unlock this. Although this is in place, all users MUST press Windows + L before leaving their device unattended.
• 11.4 LAPTOP SECURITY
Laptops are increasingly being targeted by thieves; users must therefore be made aware that anyone in possession of an FCT-IRS laptop must accept responsibility for observing precautions to avoid loss, damage or theft.
Guidelines for Laptop security:
• Laptops must not be left unsecured when not in use in public places (including Tax offices) or vehicles.
• Theft from vehicles is one of the most common forms of laptop theft, so here are tips to avoid it:
• Do not leave laptops unattended in vehicles for any period, even for short periods.
• Cars parked in the middle of car parks are more likely to be targeted, as thieves can drive up, smash windows and drive away very quickly. Cars reversed up to walls etc. are less likely to be targeted.
• Watch out for broken glass in car parks; this may indicate previous attacks have taken place.
• 11.5 DATA SECURITY
Security solutions to facilitate secure access control and hard-disk encryption are recommended for laptops that contain classified information.
• 11.6 SERVER ROOM ACCESS
The “server room” is a restricted area that requires greater level of control than normal non-public spaces. Only those individuals who are expressly authorized to do so may enter this area. Access privileges will be granted to individuals who have legitimate business need to be in the server room. This area may only be entered to conduct authorized FCT-IRS business.
The only exception to the server room rules is a temporary suspension of these rules if it becomes necessary to provide emergency access to medical, fire or other emergency personnel.
All infractions of the server room rules shall be reported to ICT Department. This includes equipment installation/removal, construction or any activity that adds/removes assets to/from the Server Room.
All individuals that have access to the Server Room must conduct their work in a safe manner.
The Server Room will be kept as clean as possible. All individuals in the Server Room are expected to clean up after work activity. Boxes and trash need to be disposed of properly. Tools must be replaced to their rightful place. Food and drink are not allowed in the Server Room.
The access logs (register) must be maintained at all times by the support staff. All escorted individuals entering the Server Room must sign the log (register) as they enter and exit, for audit purposes.
11.6.1 LEVELS OF ACCESS TO SERVER ROOM
Two (2) “Levels of Access” to the Server Room will be implemented: General Access and Escorted Access.
General Access is granted to FCT-IRS ICT staff whose job responsibilities require that they have access to the area. Individuals with General access to the area may allow properly authorized individuals escorted access to the Server Room.
If a person with General Access allows escorted access to an individual, the person granting access is responsible for escorting that individual and ensuring compliance with this policy.
Escorted Access is closely monitored access given to people who have a legitimate business need for infrequent access to the Server Room. “Infrequent access” is generally defined as access required for less than 15 days per year.
A person given Escorted Access to the area must sign in and out under the direct supervision of a person with General Access, must provide identification upon demand, and must leave the area when requested to do so.
11.6.2 SERVER ROOM DOOR
All doors to the Server Room must remain locked at all times and may only be temporarily opened for periods not to exceed that minimally necessary in order to:
• Allow officially approved entrance and exit of authorized individuals
• Permit the transfer of supplies/equipment as directly supervised by a person with General Access to the area
• Prop open the door to the Server Room ONLY if it is necessary to increase airflow into the Server Room in the case of an air conditioning failure. In this case, staff with General Access must be present to limit access to the Server Room.
CHAPTER 12: VISITOR POLICY
• 12.1 INTRODUCTION
This policy sets rules on what is expected of visitors to FCT-IRS and on how visitors to FCT-IRS are to conduct themselves.
• 12.2 OBJECTIVE
The objective of this policy is to ensure that the confidentiality, integrity and availability of information is not exposed or tampered with by visitors, including delivery personnel, cleaners and contractors on-site.
• 12.3 POLICY
Visitors will be classified as non-employees who are given access to working places within the FCT-IRS offices.
Generally, the following rules are in place regarding visitors:
• Visitors should sign the book at main reception and clearly state the office to be visited
• The security personnel should ensure that they verify the name, company and who visitors are visiting
• The security personnel should ensure that visitors sign the visitor’s book on entering and leaving the premises
• Security personnel should receive visitors and direct them to the meeting room/office
• If it is necessary to leave a visitor unattended (e.g. to make a phone call), ensure that all sensitive information is removed from view and that any accessible computers are “locked”
• With ‘long term’ visitors (e.g. contractors) do not forget they are still visitors and the rules still apply. Do not be tempted to relax the rules
• If you see an unescorted person around the office, do not hesitate to direct the visitor to the right office
• Visitors are not allowed to connect their own computer equipment to FCT-IRS network.
• Should it be necessary to copy data from a visitor’s computer into the FCT-IRS network, this should be done via email request to the ICT Department
• Any information supplied by a visitor that is required to be copied to a computer on the FCT-IRS network should first be scanned for viruses
• Ensure visitors (contractors, vendors, consultants and business partners) are made aware of the security requirements of FCT-IRS as documented in the Information Security Requirements for vendors, consultants and business partners.
• 12.4 SPECIFIC PROCESSES
When visiting the offices within FCT-IRS buildings, the processes to be followed in the management of visitors/contractor visits are:
• Visitors/Contractors should sign the visitor’s register at the security desk in the entrance
• Visitors/Contractors should fill out a form which will be submitted to who they want to visit
• Access should be approved by the staff receiving the Visitor/contractor
• All visitors are escorted at all times within the premises
• 12.5 DELIVERY PERSONNEL
Delivery personnel are also classified under visitors and may require access to FCT-IRS facilities whilst delivering goods throughout FCT-IRS locations. These visitors will be required to complete the visitor’s book and follow the contractor’s processes.
In any case most deliveries will be managed and distributed by Security.
• 12.6 CLEANERS
The office cleaners are an exception to the visitor rules set out above. They have been specifically vetted and as a result are the only visitors who are permitted unescorted access to the office during working hours. Outside working hours the cleaners shall be escorted by security personnel.
Any incidents that arise relating to this policy are recorded at the Security Desk and reported to Human Resources.
CHAPTER 13: TRANSPORTATION OF MEDIA POLICY
• 13.1 INTRODUCTION
This policy sets out the process to be followed for transportation of media containing data relevant to FCT-IRS.
• 13.2 OBJECTIVE
The objective of this policy is to set up a guideline to be followed when transporting media containing data relevant to FCT-IRS or any other sensitive/confidential FCT-IRS Information in order to preserve the confidentiality of such data/information.
• 13.3 POLICY DETAIL
Sensitive data located on information system resources or electronic media must be protected against theft and unauthorized access. Sensitive data must be consistently protected and managed through its life cycle, from origination to destruction. Information system resources and electronic media for which this policy applies include, but are not limited to, computers (servers, desktops and portable computing devices), backup tapes, portable hard drives and USB storage devices with stored sensitive data.
Sensitive data in transport should be encrypted where feasible.
An exact copy of sensitive data should be maintained in case of loss or damage.
An Excel document that records the following information should be maintained:
• What was transported
• When it was transported and where was its final destination
• Why it was transported
• Who handled it during transport
• When it arrived at its final destination
• Condition upon arrival
CHAPTER 14: DATABASE PASSWORD POLICY
• 14.1 INTRODUCTION
Database authentication credentials, such as usernames and passwords, are a critical part of authorizing access to databases. All computer programs that access a database must be authenticated by providing acceptable username and password combinations. Incorrect use, storage, and transmission of such credentials can lead to the compromise of very sensitive assets that are meant to be restricted by the credentials. This could also lead to a wider compromise within the organization.
• 14.2 OBJECTIVE
This policy defines the requirements for securely storing and retrieving database usernames and passwords (i.e. database credentials) for use by a program that will access a database running on one of FCT-IRS’ networks.
Computer programs running on FCT-IRS’ networks often require the use of one of the many internal database servers. In order to access one of these databases, a program must authenticate to the database by presenting acceptable credentials. The database privileges that the credentials are meant to restrict can be compromised when the credentials are improperly stored.
• 14.3 SCOPE
This policy is directed at all system implementers and/or software engineers who may be coding applications that will access a production database server on the network. This policy also applies to all software (programs, modules, libraries or APIs) that will access any FCT-IRS production database.
• 14.4 POLICY
14.4.1 GENERAL
In order to maintain the security of FCT-IRS’ internal databases, access by software programs must be granted only after authentication with credentials. The credentials used for this authentication must not reside in the main, executing body of the program’s source code in clear text. Database credentials must not be stored in a location that can be accessed through a web server.
14.4.2 SPECIFIC REQUIREMENTS
Requirements for the storage of database usernames and passwords are:
• Database usernames and passwords may be stored in a file separate from the executing body of the program’s code. This file must not be world readable or writeable.
• Database credentials may reside on the database server. In this case, a hash value identifying the credentials may be stored in the executing body of the program’s code.
• Database credentials may be stored as part of an authentication server (i.e. an entitlement directory), such as an LDAP server used for user authentication. Database authentication may occur on behalf of a program as part of the user authentication process at the authentication server. In this case, there is no need for programmatic use of database credentials.
• Database credentials may not reside in the documents tree of a web server.
• Passwords or pass phrases used to access a database must adhere to the Password Policy.
14.4.3 RETRIEVAL OF DATABASE USERNAMES AND PASSWORDS
• If stored in a file that is not source code, then database usernames and passwords must be read from the file immediately prior to use. Immediately following database authentication, the memory containing the username and password must be released or cleared.
• The scope in which database credentials are stored must be physically separated from the rest of the code, e.g. the credentials must be in a separate source file. That file must contain nothing but the credentials (i.e. the username and password) and the functions, routines, or methods used to access them.
• For languages that execute from source code, the credentials’ source file must not reside in the same browsable or executable file directory tree in which the executing body of code resides.
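The storage rules in 14.4.2 and the retrieval rules in 14.4.3 are mechanical enough to enforce in code before a single byte of a credential file is read. The following is an added example, not code from FCT-IRS or from any of its applications: a small credential loader that refuses files inside an assumed web document tree (the path /var/www/html is an assumption), refuses files with any group or other permission bits set, reads the username and password only when the program is about to connect, and overwrites the password buffer once the driver has been handed it. The file format (username= and password= lines), the function names and the demo() routine that builds a constructed sample file under a temporary directory are all hypothetical.

```python
"""Credential-file loader enforcing 14.4.2 / 14.4.3 (added example, not FCT-IRS code)."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Callable, Tuple

# Assumed location of the web server's document tree; credentials must never live under it.
DEFAULT_DOCUMENT_ROOT = Path("/var/www/html")


class CredentialPolicyError(Exception):
    """Raised when a credential file does not meet the storage requirements."""


def check_credential_file(path: Path, document_root: Path = DEFAULT_DOCUMENT_ROOT) -> Path:
    """Validate location and permissions before reading. Returns the resolved path."""
    resolved = path.resolve()          # follow symlinks so a link into the doc tree is caught
    doc_root = document_root.resolve()
    if resolved == doc_root or doc_root in resolved.parents:
        raise CredentialPolicyError(f"{resolved} lies inside the web document tree {doc_root}")
    st = resolved.stat()
    if not stat.S_ISREG(st.st_mode):
        raise CredentialPolicyError(f"{resolved} is not a regular file")
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):   # any group/other bit means world/group access
        raise CredentialPolicyError(
            f"{resolved} has mode {stat.S_IMODE(st.st_mode):04o}; group and other bits must be 0")
    return resolved


def load_credentials(path: Path, document_root: Path = DEFAULT_DOCUMENT_ROOT) -> Tuple[str, bytearray]:
    """Read 'username=...' and 'password=...' lines. The password comes back as a mutable bytearray
    so the caller can wipe it; a Python str could not be cleared from memory."""
    resolved = check_credential_file(path, document_root)
    username, password = None, None
    with open(resolved, "rb") as fh:
        for raw in fh:
            line = raw.strip()
            if not line or line.startswith(b"#"):
                continue
            key, _, value = line.partition(b"=")
            if key == b"username":
                username = value.decode("utf-8")
            elif key == b"password":
                password = bytearray(value)
    if username is None or password is None:
        raise CredentialPolicyError("credential file must contain username= and password= lines")
    return username, password


def wipe(buf: bytearray) -> None:
    """Overwrite a secret buffer in place (14.4.3: clear memory immediately after authentication)."""
    for i in range(len(buf)):
        buf[i] = 0


def connect_with_credentials(path: Path, connect: Callable[[str, bytearray], object],
                             document_root: Path = DEFAULT_DOCUMENT_ROOT) -> object:
    """Read the credentials immediately before use, hand them to the driver callback, then wipe."""
    username, password = load_credentials(path, document_root)
    try:
        return connect(username, password)
    finally:
        wipe(password)


def demo() -> dict:
    """Build a constructed credential file in a temp directory and exercise every check."""
    results = {}
    tmp = Path(tempfile.mkdtemp())
    fake_doc_root = tmp / "htdocs"            # stands in for /var/www/html in this demo
    fake_doc_root.mkdir()
    good = tmp / "etc" / "app-db.cred"
    good.parent.mkdir()
    fd = os.open(good, os.O_WRONLY | os.O_CREAT, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"# constructed sample\nusername=app_ledger\npassword=S3cret-example\n")
    os.chmod(good, 0o600)

    seen = {}
    def fake_connect(user: str, pw: bytearray) -> str:
        seen["user"], seen["buf"], seen["len"] = user, pw, len(pw)   # a real driver would decode pw here
        return "connection-handle"

    results["handle"] = connect_with_credentials(good, fake_connect, fake_doc_root)
    results["username"] = seen["user"]
    results["password_len"] = seen["len"]
    results["wiped"] = all(b == 0 for b in seen["buf"])   # buffer zeroed after the connect call

    os.chmod(good, 0o644)                                  # world-readable: must be rejected
    try:
        load_credentials(good, fake_doc_root)
        results["world_readable_rejected"] = False
    except CredentialPolicyError:
        results["world_readable_rejected"] = True
    os.chmod(good, 0o600)

    bad = fake_doc_root / "db.cred"                        # correct mode but inside the doc tree
    bad.write_bytes(good.read_bytes())
    os.chmod(bad, 0o600)
    try:
        load_credentials(bad, fake_doc_root)
        results["doc_tree_rejected"] = False
    except CredentialPolicyError:
        results["doc_tree_rejected"] = True
    return results
```

Two caveats a practitioner should keep in mind: the permission check is a policy gate, not an access-control mechanism (a process that can read the file can read it whether or not the mode check passes), and wiping is best-effort in a managed language, since the driver will usually copy the password into an immutable string before it reaches the wire. The check still catches the common failure the policy is aimed at, a credential file that was deployed with the wrong mode or into a browsable directory.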
14.4.4 ACCESS TO DATABASE USERNAMES AND PASSWORDS
• Every program or every collection of programs implementing a single business function must have unique database credentials. Sharing of credentials between programs is not allowed.
• Database passwords used by programs are system-level passwords as defined by the Password Policy.
• Developer groups must have a process in place to ensure that database passwords are controlled and changed in accordance with the Password Policy. This process must include a method for restricting knowledge of database passwords to a need-to-know basis.
• 14.5 COMPLIANCE
14.5.1 COMPLIANCE MEASUREMENT
The Information Security team or any team assigned this responsibility by the Director ICT will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
• 14.5.2 NON-COMPLIANCE
• An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
• A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with FCT-IRS.
• Any program code or application that is found to violate this policy must be remediated within a 30-day period.
14.6 EXCEPTIONS
Any exception to the policy must be approved by the Director ICT in advance.
• 14.7 TERMS AND DEFINITIONS
Web Server: A program that uses HTTP (Hypertext Transfer Protocol) to serve the files that form web pages to users, in response to requests forwarded by their browsers.
LDAP: Lightweight Directory Access Protocol, an application protocol for accessing and maintaining distributed directory information services over an IP network.
CHAPTER 15: INFORMATION SENSITIVITY POLICY
• 15.1 INTRODUCTION
Information owned by FCT-IRS needs to be classified and protected based on its sensitivity.
• 15.2 OBJECTIVE
This policy document is designed to help FCT-IRS staff determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of FCT-IRS without proper authorization.
The information covered in this policy document include information that is either stored or shared via any means, such as electronic information, information on paper, and information shared orally.
• 15.3 SCOPE
All FCT-IRS information is categorized into two main classifications:
• FCT-IRS Public
• FCT-IRS Confidential
FCT-IRS Public information is information that has been declared public by someone with the authority to do so and can freely be given to anyone without any possible damages to FCT-IRS.
FCT-IRS Confidential contains all other information, with some information more sensitive than other information. FCT-IRS Confidential information should be protected in a secure manner, and includes information such as taxpayer information, assessment information, and other information integral to the success of FCT-IRS. Also included is information such as general corporate information and personnel information.
A subset of FCT-IRS Confidential information is “FCT-IRS Third Party Confidential” information. This is confidential information belonging or pertaining to another organization which has been entrusted to FCT-IRS by that organization under non-disclosure agreements and other contracts. Such information covers contractor/vendor information and partnerships.
FCT-IRS staff are encouraged to use common-sense judgement in securing FCT-IRS Confidential information. Any employee who is uncertain of the sensitivity of a particular piece of information should contact his/her manager.
• 15.4 SENSITIVITY GUIDELINES
The sensitivity guidelines below provide details on how to protect information at varying sensitivity levels.
15.4.1 MINIMAL SENSITIVITY
This includes general corporate information, some personnel information, and technical information.
• Marking: Marking information of minimal sensitivity with the words “FCT-IRS Confidential” is at the discretion of the owner or custodian of the specific information. Markings should be written on a conspicuous place on/in the information in question. Even if no marking is present, FCT-IRS information is presumed to be FCT-IRS Confidential unless expressly determined to be FCT-IRS Public information by an FCT-IRS employee with authority to do so.
• Access: FCT-IRS employees, contractors, and people with a business need to know.
• Distribution within FCT-IRS: Standard interoffice mail, approved electronic mail and other electronic file transmission methods.
• Distribution outside of FCT-IRS internal mail: Approved public or private couriers such as NIPOST, DHL, or FedEx, approved electronic mail and electronic file transmission methods.
• Electronic distribution: No restrictions, except that it is sent only to approved recipients.
• Storage: Keep from view of unauthorized people, erase whiteboards, and do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss and assign individual access controls to electronic information wherever possible and appropriate.
• Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on FCT-IRS premises; electronic data should be expunged/cleared.
15.4.2 MORE SENSITIVE
This entails business, financial, technical, and most personnel information.
• Marking: “FCT-IRS Confidential: Internal Use Only”. Marking is at the discretion of the owner or custodian of the specific information.
• Access: FCT-IRS employees and non-employees with signed non-disclosure agreements who have a business need to know.
• Distribution within FCT-IRS: Standard interoffice mail, approved electronic mail and electronic file transmission methods.
• Distribution outside of FCT-IRS internal mail: Approved public or private couriers such as NIPOST, DHL, or FedEx, approved electronic mail and electronic file transmission methods.
• Electronic distribution: No restrictions to approved recipients within FCT-IRS but should be encrypted or sent via a private link to approved recipients outside of FCT-IRS premises.
• Storage: Individual access controls are highly recommended for electronic information.
• Disposal/Destruction: Deposit outdated paper information in specially marked disposal bins on FCT-IRS premises; electronic data should be expunged/cleared.
15.4.3 HIGHLY SENSITIVE
This is the most sensitive category of FCT-IRS Confidential information and includes taxpayer financial and assessment information, operational, personnel and technical information integral to the success of FCT-IRS.
• Marking: “FCT-IRS Confidential: Restricted”. Marking is at the discretion of the owner or custodian of the specific information.
• Access: Only those individuals (FCT-IRS employees and non-employees) designated with approved access and signed non-disclosure agreements.
• Distribution within FCT-IRS: Delivered direct – signature required, envelopes stamped confidential, or approved electronic file transmission methods.
• Distribution outside of FCT-IRS internal mail: Delivered direct; signature required; approved private carriers.
• Electronic distribution: No restrictions to approved recipients within FCT-IRS, but it is highly recommended that all information be strongly encrypted.
• Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used.
• Disposal/Destruction: Paper documents should be shredded; electronic data should be expunged/cleared.
• 15.5 COMPLIANCE
All departmental, divisional, and unit heads MUST ensure compliance with this policy document within their respective jurisdictions.
• 15.6 NON-COMPLIANCE
• An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment, possible civil and/or criminal prosecution to the full extent of the law.
• A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with FCT-IRS and possible civil and/or criminal prosecution to the full extent of the law.
CHAPTER 16: BACKUP AND RECOVERY POLICY
• 16.1 INTRODUCTION
Data that is owned and/or used by FCT-IRS in the course of carrying out its functions needs to be retained and stored as backups. These backups must be taken in accordance with this policy and stored at an off-site location. They will be used for recovery in the event of failures in the Service’s IT systems which result in data loss.
• 16.2 OBJECTIVE
This document defines the policy and procedures that govern the backup of critical information systems at FCT-IRS, which will safeguard the information assets of the Service.
• 16.3 SCOPE
This policy applies to all critical and non-critical information systems that are owned, operated, maintained, and/or controlled by FCT-IRS.
• 16.4 POLICY
16.4.1 GENERAL
The backup and maintenance of data are critical to the viability and operations of FCT-IRS. It is essential that certain basic standard practices be followed to ensure that data files are backed up on a regular basis.
For the purpose of backups, FCT-IRS information systems will be classified as follows:
• Critical Systems: These include the Tax Management and Administration Systems, Enterprise Resource Planning, and Document Management Systems.
• Non-Critical Systems: All other applications and data such as Email, fleet management, etc.
The following backup types will be employed at FCT-IRS:
• Daily incremental backups (critical systems) and weekly incremental backups (non-critical systems).
• Weekly full backups (critical systems).
• Monthly full backups.
• Quarterly full backups.
• Annual full backups.
16.4.2 BACKUP AND RECOVERY OF CRITICAL SYSTEMS
Storage Media • FCT-IRS shall use tape as backup media.
• All backups must be labelled with the following information:
• Server name.
• Date and time of backup.
• Serial number (if applicable).
Storage Location • All full backups must be stored at a secure offsite location as approved by the Director ICT.
• All incremental backups may be stored on-site.
Frequency • Weekly full backups must be taken every Saturday.
• Incremental backups must be taken at off-peak hours every weekday.
• Full monthly backups must be taken on the last Saturday of every month.
• Full quarterly backups must be taken on the last Saturday of every business quarter.
• Full annual backups must be taken on the 31st of every December.
Retention • Weekly Full backups must be retained for a minimum of one month or until after the next full monthly backup has been taken.
• Daily Incremental backups must be retained for a minimum of 7 days or until the next Weekly Full backup has been taken.
• Monthly Full backups must be retained for at least 3 months or until after the next Quarterly Full backup has been taken.
• Quarterly Full backups must be retained for a minimum of 12 months or until after the next Annual Full backup has been taken.
• Annual Full backups must be retained for a minimum of 2 years.
Encryption All backups must be encrypted in accordance with the FCT-IRS Acceptable Encryption Policy.
Testing • Every backup should be tested for consistency and ensure that it can be used for recovery.
• Random test restores should be carried out every week to ensure the viability of backups.
Media Disposal • Prior to disposal, ICT must ensure the following:
• The media no longer contains active backup images.
• The media’s current and/or former contents cannot be read or recovered by an unauthorized party.
• ICT must ensure the physical destruction of the backup media before disposal.
Data Recovery • In the event of a catastrophic system failure that results in data loss, backups should be made available and restored within 72 hours of the incident if the affected hardware has been replaced by that time.
• In the event of non-catastrophic system failure or user error that results in data loss, backups should be made available and restored within 24 hours of the incident.
• In the event of accidental deletion or corruption of information, restoration requests should be made to the ICT department.
16.4.3 BACKUP AND RECOVERY OF NON-CRITICAL SYSTEMS
Storage Media • FCT-IRS shall use tape as backup media.
• All backups must be labelled with the following information:
• Server name.
• Date and time of backup.
• Serial number (if applicable).
Storage Location • All full backups must be stored at a secure offsite location as approved by the Director ICT.
• All incremental backups may be stored on-site.
Frequency • Monthly Full backups must be taken on the last Saturday of every month.
• Weekly Incremental backups must be taken every Sunday.
• Quarterly Full backups must be taken on the last Saturday of every business quarter.
• Annual Full backups must be taken on the 31st of every December.
Retention • Weekly Incremental backups must be retained for a minimum of one month or until after the next Monthly Full backup has been taken.
• Monthly Full backups must be retained for at least 3 months or until after the next Quarterly Full backup has been taken.
• Quarterly Full backups must be retained for a minimum of 12 months or until after the next Annual Full backup has been taken.
• Annual Full backups must be retained for a minimum of 2 years.
Encryption All backups must be encrypted in accordance with the FCT-IRS Acceptable Encryption Policy.
Testing • Every backup should be tested for consistency and ensure that it can be used for recovery.
• Random test restores should be carried out every week to ensure the viability of backups.
Media Disposal • Prior to disposal, ICT must ensure the following:
• The media no longer contains active backup images.
• The media’s current and/or former contents cannot be read or recovered by an unauthorised party.
• ICT must ensure the physical destruction of the backup media before disposal.
Data Recovery • In the event of a catastrophic system failure that results in data loss, backups should be made available and restored within 7 days of the incident if the affected hardware has been replaced by that time.
• In the event of non-catastrophic system failure or user error that results in data loss, backups should be made available and restored within 72 hours of the incident.
• In the event of accidental deletion or corruption of information, restoration requests should be made to the ICT department.
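The schedules in 16.4.2 and 16.4.3 are the kind of rule that gets encoded in a job scheduler and then drifts from the written policy (the last Saturday of a quarter is also the last Saturday of a month, 31 December may fall on a weekend, and so on). The following is an added example, not a tool used by FCT-IRS: given a calendar date it returns which job the policy requires for a critical and for a non-critical system, and for a completed backup it returns the earliest date the media may be overwritten under the minimum-retention periods. Two assumptions are made and marked in the code: business quarters end in March, June, September and December, and where several full backups fall on the same day a single full image satisfies every tier due that day.

```python
"""Backup schedule and minimum-retention helpers for the 16.4.2 / 16.4.3 rules (added example)."""
import calendar
from datetime import date, timedelta
from typing import Optional

SATURDAY, SUNDAY = 5, 6                 # date.weekday() numbering, Monday == 0
QUARTER_END_MONTHS = (3, 6, 9, 12)      # assumption: business quarters follow calendar quarters


def last_saturday(year: int, month: int) -> date:
    """Date of the last Saturday of the given month."""
    last_day = date(year, month, calendar.monthrange(year, month)[1])
    return last_day - timedelta(days=(last_day.weekday() - SATURDAY) % 7)


def critical_backup_due(day: date) -> Optional[str]:
    """Job due on `day` for a critical system (16.4.2).
    Assumption: when fulls coincide the highest tier is returned, because one full image
    taken that day satisfies the lower tiers as well."""
    if day.month == 12 and day.day == 31:
        return "annual-full"
    if day.weekday() == SATURDAY:
        if day == last_saturday(day.year, day.month):
            return "quarterly-full" if day.month in QUARTER_END_MONTHS else "monthly-full"
        return "weekly-full"
    if day.weekday() == SUNDAY:
        return None                      # nothing scheduled on Sundays for critical systems
    return "daily-incremental"           # every weekday, at off-peak hours


def non_critical_backup_due(day: date) -> Optional[str]:
    """Job due on `day` for a non-critical system (16.4.3)."""
    if day.month == 12 and day.day == 31:
        return "annual-full"
    if day.weekday() == SATURDAY and day == last_saturday(day.year, day.month):
        return "quarterly-full" if day.month in QUARTER_END_MONTHS else "monthly-full"
    if day.weekday() == SUNDAY:
        return "weekly-incremental"
    return None


# Minimum retention from the policy, expressed in months (daily incrementals are handled in days).
MIN_RETENTION_MONTHS = {
    "weekly-full": 1,
    "weekly-incremental": 1,
    "monthly-full": 3,
    "quarterly-full": 12,
    "annual-full": 24,
}


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    years, month_index = divmod(d.month - 1 + n, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def earliest_disposal(job: str, taken_on: date) -> date:
    """Earliest date on which media holding `job`, taken on `taken_on`, may be reused.
    The 'or until after the next ... backup' clauses are a floor on top of this, not a shortcut."""
    if job == "daily-incremental":
        return taken_on + timedelta(days=7)
    return add_months(taken_on, MIN_RETENTION_MONTHS[job])


if __name__ == "__main__":
    for d in (date(2024, 3, 30), date(2024, 4, 20), date(2024, 4, 22), date(2024, 12, 31)):
        print(d, d.strftime("%a"), critical_backup_due(d), non_critical_backup_due(d))
```

Running the block for a sample week shows the edge cases directly: 30 March 2024 is both the last Saturday of the month and of the quarter and yields a quarterly full, while 31 December always yields the annual full regardless of weekday.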
• 16.5 COMPLIANCE
16.5.1 COMPLIANCE MEASUREMENT
The Database, Applications, and Server administrators or any team assigned this responsibility by the Director ICT will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
16.5.2 NON-COMPLIANCE
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
16.6 EXCEPTIONS
Any exception to the policy must be approved by the Director ICT in advance.
CHAPTER 17: PASSWORD POLICY
• 17.1 INTRODUCTION
Passwords are critical components of information security. Passwords protect user accounts, and poorly chosen passwords may result in the compromise of individual systems, data, and/or the network. All persons who have access to FCT-IRS ICT systems and networks, including staff, contractors, and vendors, are responsible for taking appropriate steps to create and protect their secure passwords.
• 17.2 OBJECTIVE
The objective of this policy document is to establish a standard for the creation of strong and secure passwords, as well as establish secure ways of protecting passwords.
• 17.3 SCOPE
This policy document is applicable to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that is owned by FCT-IRS, has access to FCT-IRS network, or stores any non-public FCT-IRS information. Such personnel include employees, contractors, consultants, temporary and other workers, and all personnel affiliated with third parties.
• 17.4 POLICY
17.4.1 PASSWORD CONSTRUCTION
All persons that have access to FCT-IRS systems and network are required to create strong passwords with the following characteristics:
• All passwords must contain at least eight characters.
• All passwords must contain both uppercase and lowercase letters (A…Z, a…z).
• All passwords must contain at least one special character (e.g. !$<{}]).
• All passwords must contain at least one digit (0…9).
• Passwords must not contain your personal information, such as your real name, username, or the name of your spouse.
• Each new password must differ from your last three (3) previously used passwords.
• A password should not consist of a single word spelled completely; passphrases made up of several words (see below) are acceptable.
• Every work account should have a different, unique password. To help users maintain multiple passwords, use of the ‘Password Manager’ software authorised and provided by FCT-IRS is highly encouraged. Multi-factor authentication should be used wherever possible.
• Passphrases, which are generally longer passwords made up of multiple words, are highly recommended.
17.4.2 CHANGING PASSWORDS
• Passwords should be changed immediately when there is reason to believe that a password has been compromised.
• Passwords should be changed at least every six (6) months.
17.4.3 PASSWORD PROTECTION
• Passwords must not be shared with anyone, including supervisors and colleagues. All passwords are to be treated as sensitive, confidential FCT-IRS information.
• Passwords must not be revealed in email, SMS, or chat messages, post-it notes, or written on other documents.
• Passwords may only be stored in “Password Managers” authorized by FCT-IRS.
• Do not use the “Remember Password” feature of applications such as web browsers.
• Any person that suspects his/her password may have been compromised must immediately report the incident to ICT and change all passwords.
• 17.5 APPLICATION DEVELOPMENT
Application developers must ensure that their programs contain the following security precautions:
• Applications must support authentication of individual users, not groups.
• Applications should support the use of TACACS+, RADIUS, and/or X.509 with LDAP for authentication.
• Applications must not store passwords in cleartext or in any easily reversible form.
• Applications must not transmit passwords in cleartext over the network.
• Applications must provide role management functionality, such that one user can take over functions of another user without having to know the other user’s password.
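The construction rules in 17.4.1 and the storage rules in 17.5 meet in one place: an application cannot enforce "must differ from the last three passwords" unless it keeps a history, and 17.5 forbids keeping that history in cleartext or any reversible form. The following is an added example, not code from FCT-IRS or any of its applications: passwords are stored as a random salt plus a scrypt digest and compared in constant time, and the same verify routine is reused to test a candidate against the hashed history. The scrypt cost parameters, the small constructed word list standing in for a dictionary, and the reading of "no word spelled completely" as "not a single dictionary word" (so that the passphrases 17.4.1 recommends still pass) are all assumptions; the demo() values are constructed sample data.

```python
"""Password construction checks and non-reversible storage for 17.4.1 / 17.5 (added example)."""
import hashlib
import hmac
import os
import re
from typing import List, Sequence

SALT_LEN = 16
# scrypt cost: assumption, a reasonable interactive-login setting (N=2^14, r=8, p=1, 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32
MIN_LENGTH = 8
HISTORY_DEPTH = 3
# Constructed stand-in for a real word list; a deployment would load a full dictionary.
DICTIONARY = frozenset({"password", "welcome", "revenue", "abuja", "summer", "letmein", "taxpayer"})


def hash_password(password: str, salt: bytes = b"") -> bytes:
    """Salted scrypt hash stored as salt || digest; nothing reversible is kept (17.5)."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(candidate, digest)


def check_password_policy(candidate: str, username: str, real_name: str,
                          previous_hashes: Sequence[bytes]) -> List[str]:
    """Return the 17.4.1 rules the candidate breaks; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in candidate) or not any(c.islower() for c in candidate):
        problems.append("needs both uppercase and lowercase letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("needs at least one digit")
    if not any(not c.isalnum() and not c.isspace() for c in candidate):
        problems.append("needs at least one special character")
    lowered = candidate.lower()
    for token in [username] + real_name.split():          # personal information check
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal information ({token})")
    # Assumed reading of 'no word spelled completely': reject when the letters alone form one
    # dictionary word, which still admits multi-word passphrases.
    if re.sub(r"[^a-z]", "", lowered) in DICTIONARY:
        problems.append("is a single dictionary word")
    for stored in previous_hashes[-HISTORY_DEPTH:]:        # history is hashed, never cleartext
        if verify_password(candidate, stored):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


def demo() -> dict:
    """Exercise the checks with constructed sample accounts and passwords."""
    history = [hash_password(p) for p in ("Winter!2021a", "Winter!2022b", "Winter!2023c")]
    user, name = "jdoe", "Jane Doe"
    return {
        "good": check_password_policy("Tr0ub4dor&3-gourd", user, name, history),
        "weak": check_password_policy("password", user, name, history),
        "personal": check_password_policy("JaneDoe#2024", user, name, history),
        "reused": check_password_policy("Winter!2023c", user, name, history),
        "verify_ok": verify_password("Winter!2023c", history[-1]),
        "verify_bad": verify_password("Winter!2023x", history[-1]),
    }
```

Note that the history check costs one scrypt computation per stored hash, which is the price of keeping the history non-reversible; an application that finds this too slow should lower the history depth rather than weaken the hash. Transport protection (17.5, no cleartext on the network) is outside this block and belongs to TLS on the connection.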
• 17.6 MULTIFACTOR AUTHENTICATION
Multi-factor authentication, which requires more than one method of authentication using independent categories of credentials, is highly recommended. Users may be required to access FCT-IRS systems using a secondary authentication mechanism, such as a token, in addition to their username and password.
• 17.7 COMPLIANCE
17.7.1 COMPLIANCE MEASUREMENT
The Information Security team or any team assigned this responsibility by the Director ICT will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner.
17.7.2 NON-COMPLIANCE
• An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
• A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with FCT-IRS.
• 17.8 EXCEPTIONS
Any exception to the policy must be approved by the Director ICT in advance.
• 17.9 TERMS AND DEFINITIONS
Password Manager: Software that generates passwords and stores them for each application in an encrypted format.
TACACS+: Terminal Access Controller Access-Control System Plus, a protocol that handles authentication, authorisation and accounting services.
RADIUS: Remote Authentication Dial-In User Service, a protocol that provides centralised authentication, authorisation and accounting management for users.
X.509: A standard that defines the format of public key certificates used in network protocols such as TLS/SSL and HTTPS.
LDAP: Lightweight Directory Access Protocol, an application protocol for accessing and maintaining distributed directory information services over an IP network.