BLGF Information & Communications Technology (ICT) Policies & Standards
Copyright © Bureau of Local Government Finance, 2010
8F, EDPC Bldg., BSP Complex, Roxas Blvd., 1004 Metro Manila, Philippines
Telefax: +632 524-6324
Web: www.blgf.gov.ph
E-mail: blgf@blgf.gov.ph
First Printing, 2010. Printed in the Philippines.
All rights reserved. No part of this book may be reproduced in any form or by any means without express permission of the copyright owners and the publisher.
ISBN 978-971-94098-4-7
Design and Layout by Hanzel F. Gapayao. Cover graphics from www.gettyimages.com.
BLGF Information and Communications Technology (ICT) Policies and Standards
JULY 2010
FOREWORD

This manual is the first volume of a series on Information and Communication Technology (ICT) Policies and Standards formulated under the LAMP2 Valuation and Taxation Component. The Project is implemented by the Department of Finance through the Bureau of Local Government Finance (BLGF) and the National Tax Research Center (NTRC) and funded by the World Bank and the Australian Agency for International Development (AusAID).

This manual discusses the most important ICT policies and standards, specifically on e-mail and Internet use, the local network, and the proper utilization of ICT facilities and resources. It also includes internationally recognized standards for hardware, software, data communication protocols and equipment which can readily be adopted or modified. The goal is to achieve a secure working environment for employees and other persons working at or visiting the Bureau's ICT facilities and, more importantly, to establish processes that ensure the protection and proper management of vital information and resources.

The manual also discusses users' responsibilities and approaches to mitigating the security threats prevalent in ICT systems. These threats not only incur financial losses for the Bureau but also compromise the confidentiality and integrity of information. The ICT Policies and Standards described in the manual are based on concrete ICT principles, best practices and responsibilities toward securing information, addressing threats, and managing ICT resources and assets.

Seen as a very useful guide to the proper management of ICT systems and facilities, the manual is one we wish to propagate for adoption and use by other agencies of the government. Achieving this will be a milestone.
BLGF INFORMATION AND COMMUNICATIONS TECHNOLOGY POLICIES AND STANDARDS
ACKNOWLEDGMENT

The Bureau of Local Government Finance wishes to acknowledge the following:

The Government of Australia, through the Australian Agency for International Development (AusAID), for the funding support and technical assistance to the 2nd Land Administration and Management Project (LAMP2) Valuation and Taxation Component. Through this Project, a valuable output in the form of this Manual has been realized.

The Technical Working Group, for their support and valuable inputs in making this manual a useful guide to the proper management of Information and Communication Technology (ICT) facilities and resources and the security of vital information.

The IT Systems Development and Deployment Team of the LAMP2 Valuation and Taxation Component, for facilitating the discussions and for their valuable inputs.

The Management Information and Data Systems Division (MIS), for their technical inputs and for reviewing and editing the manual. The MIS will be responsible for maintaining the implementation of the policies and standards.

The Human Resource Management Team of the BLGF, for their active participation during the small group discussions.

These Policies and Standards were formulated and drafted by Mr. Rommel M. Cunanan, National Technical Adviser (NTA) for the Valuation Information System of the Australian Agency for International Development (AusAID), represented by the Australian Managing Contractor, Land Equity International (LEI). The TA was funded by AusAID and the views expressed in this work do not necessarily represent the views of the Commonwealth of Australia. The draft document was subsequently reviewed and approved by the Technical Working Group.
TABLE OF CONTENTS

I. Policy Overview
II. Purpose
III. ICT Facility General Directive
IV. Part I. Use of Equipment, Internet, E-mail and Other ICT Resources
    Sec. 1. E-Mail Use
    Sec. 2. Internet Use
    Sec. 3. Network Use
    Sec. 4. Hardware Use
    Sec. 5. Security Settings
    Sec. 6. Miscellaneous Provisions for Use of Internet, E-mail and Other ICT Resources
    Sec. 7. Data / Electronic Information Back Up
    Sec. 8. Anti-Virus Protection
    Sec. 9. Computer Users
    Sec. 10. Contravention of the related National and Local Policy
    Sec. 11. Disciplinary Actions
V. Part II. Software License Policy
    Sec. 12. Software License Policy
VI. Annexes
    Annex A. ICT Policy Easy Reference for Employees
    Annex B. Procurement and Configuration Guide for ICT Equipment and Network
        Purpose
        Part I. IEEE 802 LAN/WAN/WLAN Minimum Standards
            Section 1. Network Devices
            Section 2. Wireless Configurations
        Part II. Enterprise Server & Client Computer Hardware Standards
            Section 1. Minimum Specifications for Enterprise Servers
            Section 2. Minimum Specification for Storage Systems
            Section 3. Minimum Specification for Desktop Systems
            Section 4. Minimum Specification for Portable Personal Computer
            Section 5. Mandatory Security Feature
            Section 6. Environmental Compliance
I. Policy Overview

The Information and Communications Technology (ICT) policies, standards, and guidelines provided herein apply to every organized body, unit, division, or office in the Bureau of Local Government Finance (BLGF) in the exercise of its mandate and operational duties and responsibilities. The scope of these policies, standards and guidelines covers the BLGF's ICT facility in general, including equipment and telecommunication systems derived from special projects and donors, and the employees, contractual staff, and other personnel of the BLGF who use and/or administer any of the BLGF's IT systems.

The BLGF shall formulate and implement procedural policies and guidelines in compliance with these policies and standards to ensure adherence by all concerned personnel. It shall be a general operating rule that users consult and seek technical assistance from the Management Information and Data Systems Division (MIS) of the BLGF in operating or accessing any BLGF ICT facility, component, system or equipment.
II. Purpose of this Document

The purpose of this document is to provide the BLGF with comprehensive Information and Communications Technology (ICT) guidelines and standards to ensure the effective and efficient management of its various ICT assets and resources in a secure environment. Listed below are common IT-related problems which the BLGF may encounter, and hence the need for this document:
1. Loss or corruption of important data due to poor data management and security procedures;
2. Downtime of computing services in mission-critical offices;
3. Loss or damage of various IT equipment;
4. Perennial computer virus infection resulting in data loss and downtime;
5. Reduced productivity due to misuse of IT resources;
6. Minimal and limited use of the IT facility; and
7. Limited support service resulting in reduced efficiency of public service delivery.

The benefits the BLGF will derive from these policies will support the Bureau's operations, as follows:
1. Reliable and secure data access and retrieval;
2. Optimum protection of confidential and sensitive government and taxpayer information;
3. Consistent and responsive computing service for mission-critical offices;
4. Prolonged equipment life and service, saving the Bureau from unnecessary investments;
5. Effective security from computer virus infection;
6. Improved employee productivity; and
7. Efficient and effective public service delivery through reliable ICT support services.
III. ICT Facility General Directive

Function vs. Equipment Assessment
As a matter of policy, a functional assessment of each employee position against its designated equipment shall be conducted at least once a year or as necessary (especially during the implementation of special projects). The assessment shall describe the functions of each employee position and the ICT requirements needed to support those functions. Depending on the degree of work, ICT equipment such as personal computer systems and laptops may be designated to a specific employee position or for the common use of a specific function. The Senior Management/EXECOM of the BLGF shall ensure that employees adhere to these policies, including through the implementation of appropriate education and awareness programs to disseminate related information.
General Directives

a) BLGF information resources, including all application software, hardware, network facilities and similar devices, must be used appropriately, responsibly and with accountability. Any damage to ICT property or corruption of software and data resulting from a user's negligence shall be dealt with accordingly upon validation of fault.
b) All concerned shall take appropriate action, with due diligence, to comply with hardware warranties or conditions of use and software license agreements, and to respect the rights of other authorized users of the facility. Ignorance of these agreements will not be an excuse, and users shall be held liable for any violation thereof.
c) Users shall be accountable for their personal access accounts to the ICT facility and for the personal access accounts of others. They shall be equally liable for all unauthorized access or transactions under their accounts, even those made without their knowledge or permission. Each user is obliged to report unauthorized access or transactions by another user.
d) Each user is accountable for his/her own work or data and, all the more, for the work or data of other users of the ICT facility. Accountability includes compliance with the system use policy and the practice of periodic back-up of work or data. Each user shall be held responsible for loss of their own work or data, and all the more for causing the loss of another user's data.
e) Users shall use only the machines or component ICT facilities for which they are authorized. It is likewise their responsibility to ensure that other users of the same machine or component ICT facility are authorized.
f) Access accounts must be used for their intended purpose only. Any machine or component ICT facility shall be used for BLGF-related work only.
g) All users shall cooperate with the systems administrator. The systems administrator is authorized to access users' work or data if deemed necessary to maintain a secure environment and to ensure the effective and efficient use of the ICT facility.
h) It is the responsibility of all Directors, Division Chiefs, Project Managers, Team Leaders and the like to ensure that staff and team members are informed of the standing and latest ICT policies, the enforcement of ICT policies, ethical computing, good computing practice and data management.
i) BLGF is committed to advancing the development and implementation of measures to safeguard official data stored in its data systems. All executives, officers, permanent, non-permanent and contractual employees of this Bureau shall ensure that the procedures relating hereto are followed, that access permissions are respected, and that information is used for legitimate and official purposes only. This shall not, however, restrict public access to information as allowed by Bureau regulations.
j) Adequate power supply to support ICT facility operations shall be a major consideration of the BLGF. An inspection of power supplies and electrical outlets shall be undertaken annually.
k) All users are directed to report any illegal activity or wrongdoing related to ICT activities. In the event of an official investigation, all users are mandated to cooperate to the full extent of their capacity and authorization.
l) The Management Information and Data Systems Division (MIS) shall ensure proper communication and documentation of Bureau expectations for handling sensitive data.
IV. Part I. Use of Equipment, the Internet, E-mail and Other ICT Resources

This policy defines the control and protective measures for the use of ICT equipment, the Internet, e-mail, and other ICT resources, to ensure that they are used appropriately for the purposes for which they were acquired.
Section 1.0 E-Mail Use (Bureau e-mail systems, public or private e-mail systems, etc.)

1.1 Purpose of Use. Electronic mail or "e-mail" systems are an important alternative means of communication. For specific business functions, e-mail is preferred over other conventional methods of communication.

1.2 Examination of e-mail use. All employees, whether regular, contractual, or circumstantial, are required to give consent to the examination of the use and content of their e-mail accounts, with due approval of the Executive Director and in strict observance of personal privacy.

1.3 Bureau provided e-mail system. The Bureau retains the right to access and view all e-mails sent and received through the Bureau e-mail system. This right is exercised solely through the MIS upon official written instruction of a member of Senior Management/EXECOM. [1]
a) Minimize Messages. For Bureau provided e-mail accounts, employees should minimize the number of messages in their e-mail in-box to ensure efficient functioning of the e-mail system.
b) Maintenance of Messages. Garbage messages should be deleted regularly. Folders should be set up and messages filed accordingly.
c) Archiving and storing. Employees should use the archiving facility within the e-mail system in accordance with the allowed storage capacity and guidelines.
d) Accounts and passwords. A register of e-mail accounts and passwords, updated regularly, shall be maintained by the MIS. Any such record of passwords must be kept in a protected form (not plain text) and handled as confidential material under 1.6.

[1] Excerpt from the OSS e-mail use policy.
e) Password and account expiration. It is mandatory to change the e-mail password every 30 days or as necessary. The e-mail accounts of employees separated from the Bureau shall be processed and deleted upon approval of Senior Management/EXECOM.

1.4 Limitation of personal use. Limited use of the Bureau provided e-mail system for personal purposes is permitted; however, Bureau Officials/Division Chiefs shall ensure that there is no abuse of this privilege. Personal use of e-mail is subject to the following conditions:
a) Use and access only during work breaks or after office hours.
b) Personal use of e-mail shall not interfere with work. [1]
c) Personal e-mails must adhere to the guidelines in this policy. [2]
d) Personal e-mails must be kept in a separate folder named "Private". The e-mails in this folder must be deleted weekly so as not to clog up the system. [2]
e) Forwarding chain letters, junk mail, jokes and executable files is strictly prohibited. [2]
f) Users are not allowed to send more than 2 personal e-mails a day using Bureau-owned ICT resources. [2]
g) Mass mailing is strictly prohibited. [2]
h) All messages distributed via the Bureau e-mail system, even personal e-mails, are Bureau property. [2]

1.5 Group sending of e-mail. Group/list sending of e-mails shall be used appropriately. Spamming is prohibited. E-mail to all staff (broadcast) concerning official business functions shall be used only when appropriate.

1.6 Confidential Materials. Official and confidential materials sent through e-mail shall be marked and sent only with caution, in compliance with the "Information Security Framework" and "Data Privacy Policy".

1.7 Non-Bureau e-mail systems. For public/commercial e-mail systems, employees shall seek approval from Senior Management/EXECOM through the MIS before accessing or using any such account on Bureau provided ICT resources. At a minimum, approval shall be based on the following conditions:
a) The public/commercial account will be used for official business functions only.
b) The employee seeking approval shall, as a condition, permit the Bureau to access and review the account as required.
1.8 E-mail access using Bureau ICT resources. Bureau IT resources used to operate the Bureau provided e-mail service or public/commercial e-mail services shall not be used for the following:
a) Political, commercial and personal purposes not related to the Bureau.
b) Illegal or pornographic material, material intended to harm or that causes harm to any entity, or any other inappropriate material.
c) Sending or forwarding e-mails containing libellous, defamatory, offensive, racist or obscene remarks, or remarks of a similar nature.
d) Forwarding messages without acquiring permission from the sender. [1]
e) Sending or forwarding unsolicited e-mail messages. [1]
f) Forging or attempting to forge e-mail messages. [1]
g) Sending e-mail messages using another person's e-mail account. [1]
h) Copying messages or attachments belonging to another user without permission from the originator. [1]
i) Disguising or attempting to disguise one's identity when sending mail.

Note: If you receive an e-mail of this nature, you must promptly notify the MIS. [1]

1.9 Signature and Disclaimer. [3] Signatures must include your name, job title and organization name. A disclaimer will be added underneath your signature (see Disclaimer below).

Name
Position
Address
Tel     : +xxxxxxxxxxxxxx
Fax     : +xxxxxxxxxxxxxx
Mobile  : +xxxxxxxxxxxxxx
E-mail  : xxx@xxx.com
Website :

The following disclaimer will be added to each outgoing e-mail:

"This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to which they are addressed. If you have received this e-mail in error please notify the system manager. Please note that views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the Bureau. Finally, the recipient should check this e-mail and any attachments for the presence of viruses. The Bureau accepts no liability for any damage caused by any virus transmitted by this e-mail."

[2], [3] Excerpt from the OSS e-mail use policy.
Section 2.0 Internet Use (Bureau Access, Public or Private Access)

2.1 Purpose of Use. Access to the Internet is provided for official purposes; therefore any use of Bureau provided Internet access shall be for official purposes only.

2.2 Examination of internet use. All employees, whether regular, contractual, or circumstantial, shall give consent to the examination of the use and content of their Internet activity/history as required, with due approval of the Executive Director and in strict observance of personal privacy.

2.3 Limitation of Personal Use. Limited personal use of Bureau provided Internet access is permitted. Managers shall ensure there is no abuse of this privilege. Personal use is subject to the following conditions:
a) Personal use not related to any Bureau function is allowed only during work breaks or after office hours.
b) Personal use shall not diminish the equal use of the Internet by other users in the Bureau.

2.4 Limitation on browsing other websites. Accessing, viewing or any similar act involving pornographic, obscene, violent, gambling, illegal or similar web sites using the Bureau provided Internet facility is prohibited. Bureau employees are duty-bound to report such abuse by co-employees. This policy also applies to access using non-Bureau provided Internet connections within the premises of the Bureau, whether or not Bureau provided ICT resources are used.

2.5 Online Communities, Subscriptions and the like. Operating, participating in or contributing to online communities, or subscribing to similar on-line groups over the Internet, is prohibited unless permission is officially granted by Senior Management/EXECOM. Permission is granted on the following conditions:
a) The online community/subscription supports or improves a work-related task.
b) The online community/subscription site operates in a secure environment, as verified by the MIS.
c) The online community/subscription entails no cost to the Bureau.
d) Participation in the online community/subscription does not violate Bureau ICT policy, rules and regulations, or any local or national law.

2.6 Programs and Executable Files. Programs or executable files, including screensavers or any similar format, are not to be downloaded to Bureau provided machines through Bureau provided Internet access. Any program or application required in the performance of an official function shall be coursed through the MIS. This is to prevent the indiscriminate downloading and installation of programs or applications that may slow down ICT resources and, worse, threaten the security of the facility.

2.7 Monitoring of internet usage. The Bureau retains the right to monitor the Internet usage of employees. This right is exercised solely through the MIS and, where it relates to a specific staff member, only on written instruction from an authorized official and in relation to a legitimate government function.

2.8 File Download. Downloading movies, video, music, images and similar files not related to any official or legitimate government function is strictly prohibited. Scanning for viruses is a mandatory prerequisite before opening any file or program downloaded through the Internet.

2.9 Secure internet access. All employees who have access to the Internet shall ensure that their use of the facility does not compromise the stability and security of the ICT facility environment. Should anyone accidentally or mistakenly allow this to happen, the systems administrator must be notified immediately.

Note: Abuse of Internet access will be dealt with severely, relative to the seriousness of the act. Minor abuse will lead to removal of the privilege of access from the individual's workstation.
Section 3.0 Network Use (LAN, WAN, VPN, WLAN, etc.)

3.1 General Network Access. Network facilities and bandwidth are limited; therefore access to and use of the facility is managed according to priority and importance. The following limitations apply:
a) Access will be available only during pre-defined times set by the MIS. Notice will be issued accordingly.
b) Access shall be on a first come, first served basis.
c) The MIS does not guarantee connection reliability and consistency.

3.2 Network Management. Network installation, administration and maintenance within the Bureau are the responsibility of qualified and authorized MIS staff only. Access to, and management of, the network servers are restricted to authorized staff.

3.3 Network Access information. Disclosing any assigned IP address, systems administration password or any similar key that may compromise access to, or the security of, the network and data is prohibited. Any knowledge of such disclosure shall be reported to the MIS.

3.4 Tampering and unauthorized access. Unauthorized connection, physical or virtual, to any framework or device, or tampering with network cables or any similar device within the Bureau, is prohibited and constitutes a grave offense. Any knowledge of such activity shall be reported to the MIS.

3.5 Jeopardizing Network Integrity. Any action that may damage, destroy or negatively affect the performance of, or otherwise intentionally or unintentionally jeopardize, any network device or facility is prohibited. Any cost arising from such recklessness or negligence shall be charged to the person liable.
Section 4.0 Hardware Use (Servers, PCs, Laptops, Notebooks, Printers, Modems, etc.)

4.1 Hardware Management. The installation or deployment, configuration and maintenance of computer equipment are the responsibility of the MIS. Maintenance actions or procedures shall comply with the applicable warranty or related maintenance agreements.

4.2 Hardware Documentation. The MIS shall maintain a register (inventory) of the Bureau's ICT equipment. This includes the custodian list, Local and Wide Area Network setup/diagram, system specifications, and configurations. A periodic inspection and update of the register shall be conducted by the MIS. The inventory shall include IT special projects and any other IT-related undertaking of the Bureau.

4.3 Hardware Protection and Insurance. The MIS Chief will liaise with the concerned office to ensure adequate insurance coverage for ICT equipment/facilities. Likewise, the MIS shall ensure that facilities critical to the physical protection of the device or its environment are installed to prevent or minimize the effects of fire, flooding, and similar physical threats. The MIS will ensure that staff are aware of restrictions and limitations.

4.4 Procurement. Procurement of ICT equipment is subject to the approved annual plan. Any procurement outside of the annual plan, approved by Senior Management/EXECOM, shall require review by the MIS. Requirements for new hardware should be discussed in advance with management or with the MIS to assess the detailed specification of the equipment.

4.5 Procurement representation. For purposes of ICT procurement, a qualified representative from the MIS shall be an ex-officio member of the TWG or BAC to provide technical assistance in the procurement process.

4.6 Movement of ICT equipment. Any movement of ICT equipment or transfer of custody shall be duly coordinated with the MIS for necessary processing (update of the register and insurance policy). Movement or transfer shall comply with the related policy on "disposal, servicing, transfer of ICT equipment". Equipment shall not be moved or transferred to any private person.

4.7 Use of Portable Equipment. Laptops, multimedia displays, portable media, or other ICT equipment used outside Bureau premises for official business shall be logged in/out for proper tracking of equipment movement. The security and safekeeping of portable and other equipment used outside Bureau premises is the responsibility of the staff using it.

4.8 Designation or sharing of portable equipment. Distribution or assignment of laptops, notebook PCs or any similar portable computing device shall follow the result of the "Function vs. Equipment Assessment". A portable computing device designated to a specific employee position shall be handled according to the general rule on care and the manufacturer's instructions. Portable computing devices designated for common use shall be managed solely by the MIS.

Portable Device Request Procedure:
a) Fill out the request form (Forms: Details, Approval Section, Gate Pass).
b) Submit to the MIS for immediate processing (sanitizing, etc.).
c) The MIS makes the unit available upon approval.
d) The MIS releases the unit to the requesting party.

Note: The requesting party shall not obtain the device directly from the previous user.

4.9 Equipment on-board software. As stated in the "Software License Policy", the MIS is responsible for all software installation, deployment and configuration on all Bureau-owned ICT equipment. This includes Bureau Special Project ICT equipment, operating systems, network operating systems, application software, etc. Unauthorized software will be deleted without need to notify the user.

4.10 Loss or Damage to ICT Equipment. In the event of loss or damage to any ICT equipment, the following rules apply:
a) If caused by force majeure, the lost or damaged ICT equipment shall be reported to the MIS for reporting and processing of insurance claims.
b) If caused by misuse or negligence, the employee responsible for the loss or damage shall replace the damaged equipment or be fined accordingly.
c) If caused by accident or theft, a report on the incident, duly attested by the Division Chief, shall be accomplished and forwarded to the MIS for processing of insurance claims.
d) If caused by natural wear and tear, this shall be reported to the MIS immediately for processing of replacement or repair.
e) If caused by a manufacturer defect, this shall be reported to the MIS immediately for processing of replacement by the provider.

4.11 Portable storage devices. Bureau provided portable external storage devices or similar devices shall be given appropriate care by the employee in custody, as described in the manufacturer's instructions for care.

4.12 Personal portable storage devices. Any personal portable external storage device processed by the MIS (registration, scanning, sanitizing, etc.) and approved for use within the Bureau's ICT facility shall be the responsibility of the owner of the device.

4.13 Loss or damage caused by personal portable storage devices. Loss or damage of such a device, or of data stored on it, shall be the responsibility of the owner, and any loss or damage caused by the device to Bureau or Project owned ICT equipment shall be the liability of the owner of the personal device.

4.14 Schedule of Hardware System Maintenance. It is mandatory for all employees with a designated PC system or a personal computing/storage device to scan and clean their systems for computer viruses every Friday at 3:00 P.M.

4.15 ICT Equipment Care. All employees shall be responsible for the proper usage, care and cleanliness of the ICT equipment they use. Division Chiefs shall ensure that their staff maintain the cleanliness of their machines. Only approved and authorized cleaning solutions and materials shall be used.

4.16 Printer Care. Everyone shall take extra care of the printers. The following rules on care apply:
a) Use only the consumables prescribed by the printer manufacturer.
b) Do not use scratch paper in specifically designated printers.
c) Printers are shared, except in areas with confidentiality requirements.
d) Due to the cost of printing, specific printers (plotter, color laser printer, etc.) are restricted from common use.
e) Printing of personal materials is prohibited.

4.17 Safety precaution. As a safety precaution, it is prohibited to plug multiple appliances into a single electrical power outlet or otherwise overload a power outlet.

4.18 Power conservation. Below is a guide to support the power conservation effort of the Bureau.
a) The ICT support facility shall be powered on only between 7 a.m. and 6 p.m., with the exception of approved overtime and official Bureau purposes.
b) ICT equipment shall be turned off between 12 nn and 1 p.m. unless officially in use.
c) Configure the PC power management settings in accordance with the following:
                      When computer is:
Setting               Plugged In      On Batteries
Turn off monitor      5 mins          2 mins
Turn off HDD          10 mins         5 mins
System standby        15 mins         10 mins
System hibernate      20 mins         15 mins
4.19 Hardware input/output devices. The majority of ICT equipment operates with input/output devices. Due care in use and cleanliness must be given to accessories attached to any system, such as ports, keyboard, mouse, monitor, docking stations, cables, etc. As a rule of thumb, a connector inserted into the right port fits without force.

4.20 Cables, Links, Wire, etc. Only the power cables, accessories and the like that come with ICT equipment and portable devices such as multimedia projectors should be used. Any alternate use of cables, links, wire, etc. shall require authorization from the MIS.

4.21 Non-Bureau Users. Visitors, guests or even government employees from other agencies are prohibited from using any ICT facility owned by the Bureau unless given explicit permission by the supervisor or senior officer of the unit, section or office visited. Permission is subject to the rules and regulations described in this document.

4.22 Splitting. Splitting, salvaging or cannibalizing PC systems, components or parts of a component by non-IT staff is not allowed; e.g. transferring a mouse or keyboard to another PC system is likewise prohibited without the knowledge of the MIS. The MIS shall record any such splitting of PC sets, components or parts for purposes of documentation.

4.23 Hardware Upgrading or Downgrading. Upgrading of a Bureau-owned ICT resource using personal property or devices is prohibited. Likewise, downgrading or removal of the whole or a component part of any Bureau-owned hardware device is prohibited.

4.24 Service requirement. Problems with hardware should be reported to the MIS Unit / ICT Services.

4.25 Hardware Servicing. Servicing of any ICT equipment should not contravene any related agreement, law on Intellectual Property, license agreement, etc. Outsourced servicing of ICT equipment should conform to this policy document.

4.26 Securing very ‘Expensive’ equipment. Expensive devices such as laptops, multimedia projectors or other pre-defined equipment/items must be kept in a secure location when left overnight. Beyond Bureau security, the equipment assignee must take extra caution in the safekeeping of the equipment.

4.27 Transporting ICT Equipment. Portable items must be hand-carried when travelling; if the transport/airport authority requires the equipment to be checked in, it must be ensured that the item is properly secured and has adequate crash protection. A “fragile” label is a must.

4.28 Access protection. All employees assigned to use a specific ICT equipment shall be given passkeys for access. Always protect the software or data on any device in accordance with the ‘data policy’ and ‘information security framework’ (log off when away from the desk, set a password on the screensaver, avoid obvious passwords, etc.).

4.29 Software. All employees are instructed to protect software license agreements as defined in the ‘software license policy’ in this document.

4.30 ICT Devices and Accessories. All ICT devices and accessories attached to any ICT equipment, systems or network, such as Biometric Scanners, PC Desktop Cameras, Wireless USB, Scanners, etc., shall be given appropriate care. Loss or damage due to misuse or intentional cause is considered a grave offense.
Section 5.0 Miscellaneous Provisions for Use of Internet, E-mail and Other ICT Resources

5.1 Unacceptable Personal Use. Described herein are general acts considered to be unacceptable use of ICT resources. These may be acts that interrupt official business operations, cause undue loss, damage or cost to the Bureau, or cause embarrassment, or any act of impropriety.
a) Violation of Law. Any act that violates, encourages a violation of, or is an accomplice to a violation of the Bureau’s rules and regulations or any local or national law.
b) Illegal Copying. Any act of copying, or any act of a similar nature, of copyrighted materials in any format where this is prohibited by copyright or intellectual property law.
c) Operating a Business. Directly or indirectly using the Bureau’s facility to operate any non-Bureau-related business is prohibited.
d) Gambling or Wagering. Accessing, operating or simply viewing any gambling activity over any Bureau-owned ICT facility is prohibited. This includes computer gaming and any form of entertainment not related to an official business function.
e) Solicitation. Except for Bureau-approved programs, soliciting for money or support on behalf of charities, religious entities or political causes is strictly prohibited.
f) Political or Partisan Activities. The use of any ICT facility to promote, advocate or distribute any material, or any act of a similar nature, for political or partisan politics is prohibited.
g) Integrity of the ICT facility is necessary. Any act that will reduce the reliability, compromise the fidelity, or in any similar way negatively affect the integrity of the ICT facility is prohibited.
h) Acts that waste ICT resources are prohibited. Any act that depletes, expends or otherwise wastes resources, including but not limited to excessive printing of documents, storing unnecessary files on on-board hard disk drives, storing unimportant e-mails on Bureau-provided e-mail systems, transmission/extraction of large files over the network or internet, etc., is prohibited.

5.2 List of online communities/subscriptions. Online forums, chat rooms, instant messaging, blogs, wikis, webo’s, peer-to-peer file sharing, and social networks. Any employee permitted to participate in any of the above means of communication should comply with the rules and regulations of the Bureau, the Bureau’s ICT policy and any related local and national law.

5.3 Unauthorized Installation of Wireless Hardware. Connecting or attempting to connect a wireless device to the Bureau ICT internet or LAN wireless service is prohibited unless approved by the MIS.

5.4 No Anticipation of Privacy. In general, no employee should expect or demand privacy in using Bureau-provided ICT resources. At any time, with the approval of Senior Management/EXECOM and for official purposes, the MIS may subject the ICT resource to review, inspection and investigation.

5.5 Implied User Agreement to the Terms and Conditions of this Policy. Relative to the use of the Bureau ICT Equipment, Bureau Network Facility, Bureau e-mail systems, or any of the Bureau-related ICT components and parts, the user shall be deemed to agree to the terms and conditions of this policy without need to signify formally.

5.6 Obstruction to ICT resources. Impeding, directly or indirectly causing a delay, encrypting or concealing, or any similar act that limits or prevents the Bureau from accessing, operating, monitoring and reviewing ICT resources is prohibited. Only authorized MIS staff shall be allowed to set or manipulate passwords on any Bureau-owned ICT resources, and/or limit the use of ICT resources by a specific employee, with the approval of Senior Management/EXECOM.
a) Falsification or Misrepresentation. Falsifying any electronic document or misrepresenting one’s identity or association to carry out an unauthorized, unlawful or offensive act through electronic communication, whether using Bureau-owned ICT resources or personal devices within the premises of the Bureau, is prohibited.
b) Restrictions on the Use of Bureau-provided E-mail Addresses. Bureau employees should avoid using Bureau-provided e-mail addresses such as firstname.surname@blgf.gov.ph for personal communications in public forums or sites of a similar nature unless approved by Senior Management/EXECOM for official purposes only. This is to avoid any personal opinion being taken as a Bureau opinion.
c) Violations of Public or Private Systems Security Measures. Any use of Bureau-provided ICT resources to manipulate or compromise the security or operation of any public or private computer system is prohibited.
d) Violating Data Privacy or Confidentiality Procedures. Using Bureau-provided ICT resources or a personal device inside or outside the Bureau premises to violate or attempt to circumvent data privacy or confidentiality procedures is prohibited.
e) Accessing or Disseminating Private or Confidential Information. Accessing or disseminating private or confidential information about another person, whether the person is an employee or non-employee of the Bureau, using Bureau-owned ICT resources without proper authorization is prohibited. The prohibition includes falsifying such information.
f) Accessing Systems without Authorization. Accessing the files, systems, networks, accounts and similar devices of another person within the Bureau-provided ICT resources is prohibited. Each employee is accountable for safeguarding their PIN, passwords or keys in accordance with related policies and the ICT policy for ‘Password and PIN Security’.
g) Distributing Malicious Code. Distributing malicious code or similar material such as computer viruses, spyware or malware is prohibited. The prohibition includes intentionally keeping malicious code.
Section 6.0 Data / Electronic Information

6.1 Data Management. Data administration and maintenance should be in accordance with the data management policies and procedures of the Bureau and related Government Laws. This task is the responsibility of both the MIS and the Division Chiefs/Unit Heads.

6.2 Data Quality. Division Chiefs/Unit Heads are responsible for maintaining the quality of the computer-held data processed by their staff. The MIS, on the other hand, is the ‘custodian’ of these data; hence, protection of these data is its counterpart responsibility.

6.3 Individual Users. The individual user is responsible to his/her respective Supervisor for the quality of the computer data he/she has personally processed.

6.4 Data Privacy. Data shall be private and confidential to a specific user. Users shall not allow access to or copying of the data under their responsibility, nor tolerate others with similar responsibility doing so. Division Chiefs/Unit Heads are responsible for ensuring compliance with the ‘Data Privacy Policy’ with regard to data processed within their Units.

6.5 Coordination. The MIS Chief/ICT Services Provider will keep abreast of the ‘data policy’, and ensure that all applications and databases are registered in accordance with ‘government policies’ and ‘internal organizational data management policies’.

6.6 Ownership of data. All information/data stored in the Bureau’s systems are deemed the property of the Bureau.

6.7 Examination of data use. Staff consent to the examination of the use and content of all data/information processed and/or stored by the staff in the Bureau’s systems is required.
Section 7.0 Back Up (Data, Software, etc.)

7.1 Back-up Responsibility. The MIS Division is responsible for ensuring the implementation of an effective back-up strategy for server-held software and data.

7.2 Storing Back-up Data. Users of networked desktop PCs should avoid storing back-up data on their local hard drives. Data so stored may be lost if a problem develops with the PC, and the MIS Division may not be able to assist in its recovery. Back-ups should be stored within the designated safe file directory (folder) structure used by each Division/Unit. Likewise, the MIS unit shall ensure there is physical security for back-up data. Physical security shall refer to physical restriction of access to the back-up storage facility.

7.3 Remote Users. Remote and laptop/notebook PC users must ensure they back up their data regularly. The MIS Division will provide the necessary advice and assistance accordingly.

7.4 Remote Back-up. The MIS Division, in coordination with the concerned Divisions or offices, shall maintain remote back-ups of data. These may be stored on digital or compact discs, portable large-capacity media storage devices or similar devices. The Bureau shall maintain an off-site (outside of Bureau premises) back-up storage facility for all Bureau data.

7.5 Schedule of Back-up. All designated users shall perform a back-up of their data to the designated safe file directory (folder) every Friday of the week at 3:00 PM. In case the said schedule falls on a holiday, the back-up shall be conducted on the day before the said holiday.
Section 8.0 Anti-Virus Protection

8.1 Anti-Virus Protection Implementation Strategy. The MIS shall be responsible for the implementation of an effective virus security strategy. All machines, networked and standalone, will have up-to-date anti-virus protection. The Bureau will provide adequate funding for the acquisition and renewal of anti-virus software.

8.2 Installation of Anti-Virus Software. The installation of anti-virus software on all machines is the responsibility of the MIS Division and/or ICT Service Provider.

8.3 Upgrading of Anti-Virus Software. The MIS and/or ICT Services Provider will ensure the upgrade of the anti-virus software on networked desktop PCs.

8.4 Remote Users. Remote users and users of portable machines will assist in the upgrade of anti-virus software in accordance with the specified mechanisms agreed with the MIS Division/ICT Services Provider, e.g. Internet updates.

8.5 Bureau Users. All employees/users of ICT equipment must virus-scan all media (including floppy disks, portable storage devices, zip disks, CDs and all similar devices) and ensure their devices are free of computer viruses before use. The MIS Division / ICT Services Provider will provide facilities, assistance and training when required.

8.6 Detection of Computer Virus. On detection of a virus, users/staff must notify the MIS Division / ICT Services Provider so that it can mitigate further risk, perform control measures and ensure a secure environment.

8.7 Tampering with the Anti-Virus Software. Under no circumstances should users/staff attempt to disable or interfere with the anti-virus software.

8.8 Shared Responsibility. Protection from computer viruses and ensuring that the ICT facility operates in a secure environment is a shared responsibility of all Division Chiefs/Unit Heads. Recklessness and negligence must not be tolerated under any circumstance.
Section 9.0 Computer Users Health & Safety

9.1 Health and Safety Use. Health and safety with regard to the use of computer equipment and computer workstations should be managed within the context of the general and specific Health & Safety policies and procedures of the Bureau.

9.2 Awareness Program. The Human Resource Management and MIS Division shall be responsible for disseminating information and providing an awareness/education program relative to Health and Safety in the use of ICT equipment.

9.3 Policies and Procedure Implementation. Division Chiefs/Unit Heads are responsible for ensuring that health & safety policies and procedures with regard to the use of computer equipment are implemented within their Units.

9.4 New Policies. The MIS Chief/ICT Services Provider will keep abreast of new ICT-related policies and provide advice and information accordingly.

Training

9.5 Training Requirement. It is the responsibility of the Human Resource Management Unit to ensure the following:
• Training needs assessment of IT Staff and Bureau employees.
• Training Strategy and Implementation Plan.
• Training Budget for ICT.
Note: The MIS Division / ICT Services Provider shall advise on computer-related training concerns.

9.6 User participation. It is a must for all computer operators/users/staff to attend all scheduled computer-related trainings.

User Accounts (PC, e-mail, network, etc.)

9.7 New Appointments. Division Chiefs/Unit Heads should notify the MIS Division of new appointments in advance to allow the creation of network and e-mail accounts and PC system permissions for them.

9.8 Termination. Division Chiefs/Unit Heads should notify the MIS Division of the departure of any staff to allow the deletion of the network and e-mail accounts and PC system permissions assigned to him/her.

Access Codes (Login Key and Passwords)

9.9 Implementation Responsibility. The MIS Division, Division Chiefs and Unit Heads will ensure that the implementation of access codes is part of the security strategy for the Bureau’s ICT facility.

9.10 User responsibility. Users should change their access codes when prompted by the system in the case of networked machines, or on a regular basis for standalone machines.

9.11 Passkey Confidentiality. Staff shall be responsible for the security of their access codes, which they should not divulge, even to colleagues.

9.12 Technical Support. Problems with access codes should be reported to the MIS Division for proper troubleshooting.

9.13 Accounts and password. A regularly updated register of login names and passwords shall be maintained by the MIS Division.

9.14 Password expiration. It is mandatory to change passwords every 30 days or as necessary. E-mail accounts of employees separated from the Bureau shall be processed and deleted upon approval of Senior Management/EXECOM.

Miscellaneous provisions on ‘System Usage’

9.15 Users should ensure their computers are fully shut down and turned off at the end of the day.

9.16 Computers should be locked or shut down when left unattended for any significant period of time.

9.17 With regard to file management, Division Chiefs will determine the top-level folders/directories and associated permissions for their respective Divisions and inform the MIS Division. The MIS Division will create or modify the folders accordingly.

9.18 Within their respective top-level folders, staff should create sub-folders in accordance with their own departmental guidelines, but cannot create new top-level folders.

User Responsibility

9.19 As a general rule, users are mandated to report all offenses or violations made by ‘anyone’ relative to these policies. Likewise, for purposes of care and maintenance, users shall report any repair requirement, troubleshooting or other technical assistance that may be required relative to the use of the ICT facility.

9.20 In the event of an investigation, all users are obliged to cooperate to the fullest extent, particularly but not limited to the surrender of passkeys, access to ‘systems’, disclosure of required data, etc., or as required.
Section 10 Contravention of the related National and Local Policy

Bureau Staff should be aware of their responsibilities under the e-Commerce Law, Intellectual Property Rights Law, and Philippine Copyright and Patent Law. The MIS will provide guidance when required.
Section 11 Disciplinary Action

This section provides the corresponding penalty for a specific offense or violation of this policy committed by any Bureau personnel, whether permanent, contractual or circumstantial. Penalties provided hereof are based on ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws.

11.1 Violation of the ‘e-mail use policy’ shall be classified as a ‘Less Grave Offense’ and penalties thereof shall follow the provisions of ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. The following violations will constitute a ‘Grave Offense’ if aggravating circumstances and evidence prove that the act or actions fall under specific provisions as classified in ‘Rule XIV on Discipline’, particularly, but not limited to, the following:
i. Dishonesty or attempting to commit dishonesty.
ii. Violation of Intellectual Property Rights or Copyright or Patent Law.
iii. Acts or actions that are described as criminal under the ‘penal code’.
iv. Unauthorized sending/forwarding of confidential information/materials.
v. Unauthorized disclosure or sharing of passkey(s) information.
vi. Actions that are illegal or pornographic, or that harm or cause harm to any entity.
vii. Sending or forwarding e-mails containing libelous, defamatory, offensive, racist or obscene remarks, or any of a similar nature.
viii. Forwarding messages without first acquiring permission from the sender.
ix. Forging or attempting to forge e-mail messages.
x. Sending e-mail messages using another person’s e-mail account.
xi. Copying messages or attachments belonging to another user without permission of the originator.
xii. Disguising or attempting to disguise one’s identity when sending mail.

11.2 Violation of the ‘internet use policy’ shall be classified as a ‘Light Offense’ and penalties thereof shall follow the provisions of ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. The following violations will constitute a ‘Grave Offense’ if aggravating circumstances and evidence prove that the act or actions fall under specific provisions as classified in ‘Rule XIV on Discipline’, particularly, but not limited to, the following:
i. Failure to comply with or neglect of security protocol.
ii. Dishonesty or attempting to commit dishonesty using the internet.
iii. Violation of Intellectual Property Rights or Copyright or Patent Law over the internet.
iv. Acts or actions that are described as criminal under the ‘penal code’ over the internet.
v. Unauthorized transmission/extraction of confidential information/materials over the internet.
vi. Unauthorized disclosure or sharing of passkey(s) information over the internet.
vii. Actions that are illegal, or that harm or cause harm to any entity, over the internet.
viii. Copying messages or attachments belonging to another user without permission of the originator.

11.3 Violation of the ‘network use policy’ shall be classified as a ‘Less Grave Offense’ and penalties thereof shall follow the provisions of ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. The following violations will constitute a ‘Grave Offense’ if aggravating circumstances and evidence prove that the act or action falls under specific provisions as classified in ‘Rule XIV on Discipline’, particularly, but not limited to, the following:
i. Network Access information.
ii. Tampering and unauthorized access.
iii. Jeopardizing Network Integrity.

11.4 Violation of the ‘hardware use policy’ shall be classified as a ‘Light Offense’ and penalties thereof shall follow the provisions of ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. The following violations will constitute a ‘Grave Offense’ if aggravating circumstances and evidence prove that the act or actions fall under specific provisions as classified in ‘Rule XIV on Discipline’, particularly, but not limited to, the following:
i. Recklessness resulting in significant loss of or damage to ICT Equipment.
ii. Compromising access keys (passkeys) to ICT equipment.
iii. Unacceptable personal use that will interrupt or halt official business operations, cause undue loss, damage or cost to the Bureau, embarrassment or any act of impropriety.
iv. Use of ICT equipment resulting in violation of Bureau rules and regulations or any local or national law.
v. Use of ICT equipment to commit or attempt to commit illegal copying.
vi. Use of ICT equipment for gambling and/or wagering.
vii. Use of ICT equipment for unauthorized solicitation of money and political activities.
viii. Use of ICT equipment compromising the integrity of the ICT facility.
ix. Acts of Falsification or Misrepresentation using ICT equipment.
x. Acts violating any public or private Systems Security Measures.
xi. Acts violating Data Privacy or Confidentiality Procedures.
xii. Acts of accessing or Disseminating Private or Confidential Information.
xiii. Acts of accessing Systems without Authorization.
xiv. Distributing Malicious Code.

11.5 Violation of the ‘Data / electronic’, ‘back up’ and ‘anti-virus protection’ policies shall be classified as a ‘Less Grave Offense’ and penalties thereof shall follow the provisions of ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. The following violations will constitute a ‘Grave Offense’ if aggravating circumstances and evidence prove that the act or actions fall under specific provisions as classified in ‘Rule XIV on Discipline’, particularly, but not limited to, the following:
i. Recklessness or gross negligence resulting in significant loss or corruption of data and/or operating systems.
ii. Compromising access keys (passkeys) to Confidential Data.
iii. Unacceptable Personal Use that will interrupt or halt official business operations, cause undue loss, damage or cost to the Bureau, embarrassment or any act of impropriety.
iv. Use of ICT equipment resulting in violation of Bureau rules and regulations or any local or national law.

11.6 Violation of the ‘computer usage policy’ shall be classified as a ‘Less Grave Offense’ and penalties thereof shall follow the provisions of ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. The degree of the violation may become ‘light’ or ‘grave’ depending on the circumstances and the effect of the violation on the ICT facility.

11.7 One or more violations may be cited for a particular act depending on the gravity or complication of an offense. This should be processed accordingly as prescribed in the civil service law or related law.

11.8 Non-Bureau personnel (guests or visitors) found guilty of violating any provision of these policies shall be barred from entering the Bureau premises without need for any Court or Legislative Resolution. Bureau personnel who allowed access to said guest or visitor shall be held equally liable and shall incur the penalty provided for by this section. Non-Bureau personnel shall mean non-Bureau ‘BLGF’ personnel.

11.9 Prima Facie Evidence. The presence of any of the following circumstances shall constitute prima facie evidence of violation of this ICT Policy by the person concerned, and shall be the basis for (1) immediate termination of access to any Bureau-owned ICT facility, and (2) subsequent filing of appropriate charges.
i. When someone acting on his behalf has been caught in flagrante delicto doing any of the acts of violation enumerated in these policies;
ii. When any of the less grave or light offenses enumerated has been discovered to have been committed for the second time, provided a written notice or warning has been issued upon first discovery of the act/offense committed;
iii. The presence of an unauthorized device attached to a Bureau-owned ICT facility, where the user custodian is directly liable;
iv. A tampered, broken or fake seal on the ICT equipment, where the user custodian shall be directly liable;
v. When the system log shows that an unauthorized user access code is in the act of committing, or has undoubtedly committed, the act against any system or database;
vi. When a user is in possession, control or custody of any Bureau-owned equipment or other IT resources without authorization;
vii. When a formal written complaint or report, duly signed, is submitted to Senior Management/EXECOM, attesting to a violation of ICT policy provisions.

11.10 Administrative Suspension. The MIS may suspend access to any IT equipment of any user upon order of the investigating body duly approved by Senior Management/EXECOM as part of the precautionary suspension procedure.
Part II.
Section 12 Software License Policy

This section ensures the control and protection of licensed software required to conduct official business. Be it understood that a software “license” grants permission to use the software subject to the allowed number of installations and the conditions set forth by the terms and conditions of the license. Licenses do not give ownership of the software, nor the right to transfer rights/permission to use the software. Freeware, shareware and open-source software also have terms and conditions of use. The Bureau should ensure there is a clear understanding of the degree of permission, the limitations of use and compliance with the terms and conditions expressed by the intellectual property rights holders. The Bureau shall ensure that all licenses are granted by the intellectual property rights holder and that any use or similar act is in compliance with the related license agreement. This policy requires that management controls be in place to ensure adherence to software licensing agreements.

12.1 Authorized Software: The Bureau shall maintain up-to-date documentation of the software licenses used to conduct official business. Authorized software shall refer to application software purchased/acquired by the Bureau which is duly processed and cleared for Bureau use by the MIS; this includes commercial software, Bureau-developed software and project-developed software. License Inventory: the inventory of authorized software acquired and installed by the Bureau must contain the following:
• purchase documentation;
• number of licenses;
• serial numbers, access codes, or license keys;
• location and quantity of original media;
• location of each installation of the licensed software;
• evidence of registration; and
• license agreement document.
12.2 Bureau-Licensed Software: Software acquisitions by the Bureau shall be licensed in the name of the Bureau of Local Government Finance only. This includes the registration of said license with the intellectual property rights holder.

12.3 Software Management: Installation, deployment, configuration and support of all software applications used by the Bureau are the responsibility of the MIS. Installation of unauthorized software is prohibited; this includes games, screensavers, programs downloaded from the internet and any similar applications. Any third-party software management provider should work in accordance with the relevant ICT policy, specifically the “Data Privacy Policy” and “Information Security Framework”.

12.4 Software Installations: Installation procedures shall be based upon this policy. The procedure should ensure that software has been authorized and properly installed by the MIS. Procedures should always identify the staff who will receive, inspect and accept, distribute and install the software.

12.5 Bureau-Licensed Software installed in Privately-owned Computers: By virtue of a special requirement or case in the performance of an official function, Senior Management/EXECOM may approve the installation of Bureau-licensed software on a privately-owned computer unit. An agreement stating compliance with BLGF ICT policies (Security, environment, etc.) and the related software license agreement must be executed first.

12.6 Privately Owned-Licensed Software: By virtue of a special requirement or case in the performance of an official function, where Senior Management/EXECOM approves the installation of Bureau-licensed software on a privately-owned computer unit, the Bureau should ensure that such use has authorization from the IP holder and the related licenses. There should be an agreement stating compliance with BLGF ICT policies (Security, environment, etc.) and the related software license agreement.
12.7 Software Audit: The Bureau shall establish and implement procedures to periodically inspect all software under the control of or operated by the Bureau in the performance of its functions. An MIS staff member shall periodically update the software license inventory and regularly inspect the actual number of software installations against the existing list. For any discrepancy found during the inspection, a corrective measure shall be implemented within 10 days of discovery of the fault.

12.8 Software Disposal: Procedures established for software disposal should comply with existing laws, rules, regulations and policies governing the disposal of government properties. Any ICT equipment housing a particular licensed software, or any software license media, that is loaned, serviced, recycled, salvaged, sold, traded-in or disposed of should be processed as necessary to comply with the related license agreement and to prevent any unauthorized use of the license.

BLGF INFORMATION AND COMMUNICATIONS TECHNOLOGY POLICIES AND STANDARDS
12.9 Software Requirement and Procurement: Software requirements should always be identified during annual procurement planning. A functional requirement should always support any declaration of purchase or upgrade of application software used by the Bureau. Overall, any planned procurement of software should conform with the “ICT Strategic Plan and ICT Special Plan”.

12.10 Software Media/Installer: Installation/setup disks or any media used to deploy application software are the responsibility of the MIS Division and should be kept in a secure location, including maintaining an off-site back-up as described in the “ICT Business Contingency Planning”.

12.11 Software Troubleshooting: All employees shall report any problem relative to application software. Users may troubleshoot an application only to the extent allowed by the MIS, which should be clearly described during orientation or training. Only authorized MIS staff shall troubleshoot application software.

12.12 Software Modification/Customization: For in-house or third-party maintained application software, requests for modifications, enhancements and upgrades of current software versions should be coordinated and discussed with the MIS Chief before any further activities are undertaken. This will ensure that such changes comply with the overall strategy and the functions required in general.

12.13 Software developed by Donor Bureau/Project: This shall refer to application software developed during a project life and/or software developed by a donor agency and provided to the BLGF for official functions. The Bureau shall ensure that there are terms and conditions of use for the software before accepting and deploying it for Bureau use, and that these terms and conditions are clearly understood by all employees.

12.14 Software prohibitions: Licensed software use is limited to the terms and conditions of the license agreement. The Bureau prohibits the use of licensed software for any illegal activities, personal use other than work-related use, or any act that shall harm or cause harm to any entity.
ANNEX A ICT Policy Easy Reference for Employees
ICT Policy Easy Reference for Employees

The purpose of this document is to provide an easy and quick reference guide for computer users and managers on the Bureau’s ICT Policy. Provisions of this “ICT Policy Easy Reference for Employees” will be implemented to ensure effective management and maintenance of the ICT System of the Bureau. This ICT Policy Reference defines the control and protective measures for the use of ICT equipment, Internet, e-mail and other ICT resources to ensure that they are appropriately used for the purposes for which they were acquired.

Section 1.0: E-Mail Use (Bureau e-mail systems, Public or Private E-mail systems, etc.)

1.4 Limitation of personal use. Limited personal use of the Bureau-provided e-mail system is permitted. Division Chiefs/Unit Heads should ensure there is no abuse of this privilege. At the most, the following must be observed:
a) Use and access only during work breaks or after office hours.
b) Personal use of e-mail should not interfere with work. [4]
c) Personal e-mails must also adhere to the guidelines in this policy. [2]
d) Personal e-mails must be kept in a separate folder, named ‘Private’. The e-mails in this folder must be deleted weekly so as not to clog up the system. [2]
e) The forwarding of chain letters, junk mail, jokes and executable files is strictly prohibited. [2]
f) Users are not allowed to send more than 2 personal e-mails a day when using Bureau-owned ICT resources. [2]
g) Mass mailing is prohibited. [2]
h) All messages distributed via the Bureau e-mail system, even personal e-mails, are Bureau property. [2]

1.5 Group sending of e-mail. Group/list sending of e-mails should be used appropriately. Spamming is prohibited. E-mail to all staff (broadcast) concerning official business functions should be used only when appropriate.

1.6 Confidential Materials. Official and confidential materials sent through e-mail should be so marked but sent only with caution, [4]

[4] Excerpt from the OSS e-mail use policy
1.7 Non-Bureau e-mail systems. For public/commercially provided e-mail systems, employees should seek approval from Senior Management/EXECOM through the MIS before accessing or using any such accounts on any Bureau-provided ICT resources. At a minimum, only the following conditions shall be the basis of approval:
a) If the public/commercial account will be used for official business functions only.
b) If the employee seeking approval, as a condition, shall permit the Bureau to access and review the account as required.

1.8 E-mail access using Bureau ICT resources. Bureau ICT resources used to operate a Bureau-provided or public/commercially operated e-mail service should not be used for the following:
a) Political, personal business or commercial, or personal purposes not related to the Bureau.
b) Illegal or pornographic material, material that harms or may cause harm to any entity, or any inappropriate material.
c) Sending or forwarding e-mails containing libellous, defamatory, offensive, racist or obscene remarks, or remarks of any similar nature.
d) Forwarding messages without acquiring permission from the sender. [1]
e) Sending/forwarding unsolicited e-mail messages. [1]
f) Forging or attempting to forge e-mail messages. [1]
g) Sending e-mail messages using another person’s e-mail account. [1]
h) Copying messages or attachments belonging to another user without the permission of the originator.
i) Disguising or attempting to disguise one’s identity when sending mail. [5]
Note: If you receive an e-mail of this nature, you must promptly notify the MIS. [1]

1.9 Signature and Disclaimer: [6] Signatures must include your name, job title and company name. A disclaimer will be added underneath your signature (see Disclaimer).
Name :
Position :
Address :
Tel : +xxxxxxxxxxxxxx
Fax : +xxxxxxxxxxxxxx
Mobile : +xxxxxxxxxxxxxx
E-mail : xxx@xxx.com
Website :

The following disclaimer will be added to each outgoing e-mail: ‘This e-mail and any files transmitted with it are confidential and intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the system manager. Please note that views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the Bureau. Finally, the recipient should check this e-mail and any attachments for the presence of viruses. The Bureau accepts no liability for any damage caused by any virus transmitted through this e-mail.’ [1]

[5] Excerpt from OSS e-mail use policy
[6] Excerpt from OSS e-mail use policy

Section 2.0: Internet Use (Bureau Access, Public or Private Access)

2.3 Limitation of Personal Use. Limited personal use of the Bureau-provided internet is permitted. Division Chiefs/Unit Heads should ensure there is no abuse of this privilege. At the most, the internet may be personally used for:
a) Personal use not related to Bureau functions, but only during work breaks or after office hours.
b) Personal use that does not diminish the equal use of other Bureau internet users.

2.4 Limitation on browsing other websites. Access to, or any act similar to viewing, pornographic, obscene, violent, gambling, illegal or other similar web sites using the Bureau-provided internet facility is prohibited. Bureau employees are duty-bound to report such abuse by co-employees. This policy also applies to access using non-Bureau-provided internet within the premises of the Bureau, whether or not any Bureau-provided ICT resources are used.

2.5 Online Communities, subscriptions and the like. It is prohibited to operate, participate in, or contribute to online communities, subscriptions or other similar on-line groups over the internet unless permission is officially granted by Senior Management/EXECOM. The following are the conditions for approving permission:
a) The online community/subscription is to support or improve a work-related task.
b) The online community/subscription site operates in a secure environment, and this should be verified by the MIS.
c) The online community/subscription does not entail cost to the Bureau.
d) Participation in the online community/subscription does not violate Bureau ICT policy, Bureau rules and regulations, or any local or national law.

2.6 Programs and Executable Files. Downloading of any program or executable file, including screensavers or any similar format, when using a Bureau-provided machine through Bureau-provided internet access is prohibited. Any program or application required in the performance of an official duty should be coursed through the MIS. This is to prevent indiscriminate downloading and installation of programs or applications that may slow down ICT resource performance and, worse, threaten the security of the facility.

2.8 File Download. Downloading of movies, video, music, images and similar formats not related to any official or legitimate government function is strictly prohibited. Scanning for viruses is a mandatory prerequisite before opening any file or program downloaded through the internet.

2.9 Secure internet access. All employees who have access to the internet should ensure that their use of the facility does not compromise the stability and security of the ICT facility environment. Should anyone accidentally/mistakenly allow this to happen, the systems administrator must be immediately notified.
Note: Abuse of Internet access will be dealt with severely relative to its seriousness. Minor abuse will lead to removal of the privilege of access from an individual’s workstation.
Section 3.0: Network Use (LAN, WAN, VPN, WLAN, etc.)

3.3 Network Access information. Disclosing any assigned IP address, systems administration password or any similar key that may compromise access to, or the security of, the network and data is prohibited. Any knowledge of such disclosure should be reported to the MIS.

3.4 Tampering and unauthorized access. Unauthorized connection, physical or virtual, to any framework or device, or tampering with network cables or any similar device owned by the Bureau, is prohibited and will constitute a grave offense. Any knowledge of such activity should be reported to the MIS.

3.5 Jeopardizing Network Integrity. Any action that may damage, destroy or negatively affect performance, or any similar act that may intentionally or unintentionally jeopardize any network device or facility, is prohibited. Any cost borne out of such recklessness or negligence shall be at the account of the person liable.

Section 4.0: Hardware Use (Servers, PCs, Laptops, Notebooks, Printers, Modems, etc.)

4.6 Movement of ICT equipment. Any movement of ICT equipment or transfer of custody shall be duly coordinated with the MIS for necessary processing (update of register and insurance policy). Movement or transfer shall comply with the related policy on “disposal, servicing, transfer of ICT equipment”. Movement or transfer shall not be let to any private person.

4.7 Use of Portable Equipment. Laptops, multimedia displays, any portable media, or other ICT equipment used outside of the Bureau premises for official business shall be logged in/out for proper tracking of equipment movement. The security and safekeeping of portable and other equipment used outside of Bureau premises is the responsibility of the staff using it.

4.8 Designation or sharing of portable equipment. Employees with a designated portable computing device shall follow the general rule on care and the manufacturer’s instructions. Portable computing devices designated for common use shall be managed solely by the MIS.
Portable Device Request Procedure:
a) Fill out the request form. (Forms: Details, Approval Section, Gate Pass)
b) Submit to the MIS for immediate processing (sanitizing, etc.)
c) The MIS facilitates availability of the unit upon approval
d) The MIS releases the unit to the requesting party
Note: The requesting party should not be the one to get the device from the previous user.
4.9 Equipment on-board software. The MIS is responsible for all software installation, deployment and configuration on all Bureau-owned ICT equipment. This includes Bureau Special Project ICT equipment, operating systems, network operating systems, application software, etc. Unauthorized software will be deleted without need to notify the user.

4.10 Loss or Damage to ICT Equipment. In the event of loss or damage to any ICT equipment, the following is a list of what to do:
a) If caused by force majeure, lost or damaged ICT equipment should be reported to the MIS for report purposes.
b) If caused by misuse or negligence, the employee responsible for the said loss or damage shall replace the damaged equipment or be fined accordingly.
c) If caused by accident or theft, a report on the incident duly attested by the supervising officer should be accomplished. This shall be forwarded to the MIS for report purposes.
d) If caused by natural wear and tear, this should be reported to the MIS immediately for processing of replacement or repair.
e) If caused by a manufacturer defect, this should be reported to the MIS immediately for processing of replacement by the provider.

4.11 Portable storage devices. Bureau-provided portable external storage devices or similar devices should be given appropriate care by the employee in custody, as described in the manufacturer’s instructions for care.
4.12 Personal portable storage devices. Any personal portable external storage device shall be processed (registration, scanning, sanitizing, etc.) by the MIS and approved for use within the Bureau ICT facility. The device shall be the responsibility of the owner.

4.13 Loss or damage caused by a personal portable storage device. Loss or damage of said device or the data stored therein shall be the responsibility of the owner, and any loss or damage caused by the device to any Bureau/Project-owned ICT equipment shall be the liability of the owner of the personal device.

4.14 Schedule of Hardware System Maintenance. It shall be mandatory for employees with a designated PC system or with a personal computing/storage device to scan and clean their systems of computer viruses every Friday at 3:00 P.M.

4.15 ICT Equipment Care. All employees are responsible for the proper use, care and cleanliness of the ICT equipment they use. Division Chiefs/Unit Heads should ensure that staff maintain the cleanliness of their machines. Only approved and authorized cleaning solutions and materials shall be allowed.

4.16 Printer Care. Everyone must take extra care of the printers. The following are some prescribed care measures:
a) Use only the prescribed “substance” as described by the printer manufacturer.
b) Do not use scratch paper in specifically designated printers.
c) Printers are shared, except for areas with confidentiality requirements.
d) Due to the cost of printing, specific printers will be restricted from common use (plotter, colour laser printer, etc.).
e) Printing of personal materials is prohibited.
4.17 Safety precaution. As a safety precaution, it is prohibited to plug multiple appliances into one single electrical power outlet or to perform any similar act of overloading a specific power outlet.

4.18 Power conservation. For power conservation, the following is a guide to support this effort:
a) The ICT support facility shall be officially powered on between 7am and 6pm only, with the exception of approved overtime.
b) Turn off ICT equipment between 12nn and 1pm unless officially working.
c) Configure the PC power management settings in accordance with the following:

Setting            When Computer is Plugged In   On Batteries
Turn off monitor   5 Mins                        2 Mins
Turn off HDD       10 Mins                       5 Mins
System standby     15 Mins                       10 Mins
System Hibernate   20 Mins                       15 Mins

4.19 Hardware input/output devices. The majority of ICT equipment operates with input/output devices. Due care in use and cleanliness must be given to accessories attached to any system, such as ports, keyboard, mouse, monitor, docking stations, cables, etc. As a rule of thumb, the right port always fits in when inserted.

4.20 Cables, Links, Wires, etc. Only the power cables, accessories and the like that come with ICT equipment or portable devices such as laptops or multimedia projectors should be used; any alternate use of cables, links, wires, etc. shall require authorization from the MIS.

4.21 Non-Bureau Users. Visitors, guests or even government employees from other agencies are prohibited from using any ICT facility owned by the Bureau unless given explicit permission by the supervisor or senior officer of the unit, section or office visited. Permission is subject to the rules and regulations described in this document.

4.22 Splitting. Splitting, salvaging or cannibalizing PC systems, components or parts of a component by non-MIS staff is not allowed; i.e. transfer of a mouse or keyboard to another PC system is likewise prohibited without the knowledge of the MIS. The MIS shall record such splitting of PC sets, components or parts for documentation purposes.

4.23 Hardware Upgrading or downgrading. Upgrading of Bureau-owned ICT resources using personal property or devices is prohibited. Likewise, downgrading or removal of the whole or a component part of any Bureau-owned hardware device is prohibited.

4.24 Service requirement. Problems with hardware should be reported to the MIS Division/ICT Services Provider.

4.25 Hardware Servicing. Servicing of any ICT equipment should not contravene any related agreement, laws on intellectual property, license agreement, etc. Outsourced servicing of ICT equipment should conform to this policy document.

4.26 Securing ‘Expensive’ equipment. Expensive devices such as laptops, multimedia projectors or other pre-defined equipment/items must be kept in a secure location. Aside from Bureau security, the equipment assignee must take extra caution in keeping the devices.

4.27 Transporting ICT Equipment. Portable items must be hand-carried when travelling and, if required by the transport/airport authority to check in the equipment, it must be ensured that the item is properly secured and has adequate crash protection. A “fragile” label is a must.

4.28 Access protection. All employees assigned to use specific ICT equipment shall be given passkeys for access.
Always protect the software or data on any device: log off when away from your desk, set a password on screensavers, and avoid obvious passwords.

4.29 Software. All employees are instructed to protect the software license agreement as defined in the ‘software license policy’ in this document.

4.30 ICT Devices and Accessories: All ICT devices and accessories attached to any ICT equipment, systems or network, such as biometric scanners, PC desktop cameras, wireless USBs, scanners, etc., shall be given appropriate care. Loss or damage due to misuse or intentional cause is considered a grave offense.

Section 5.0: Miscellaneous Provisions for Use of Internet, E-mail and Other ICT Resources

5.1 Unacceptable Personal Use. Described herein are general acts considered to be unacceptable personal use of ICT resources. These may be acts that interrupt official business operations, cause undue loss, damage or cost to the Bureau, cause embarrassment, or constitute any act of impropriety: Violation of Law / Illegal Copying / Operating a Business / Gambling or Wagering / Solicitation / Political or Partisan Activities / Compromising the Integrity of the ICT facility / Acts that waste ICT resources.

Section 6.0: Data/Electronic Information

6.3 Individual Users. The individual user is responsible to his/her respective Supervisor for the quality of the computer data he/she has personally processed.

6.4 Data Privacy. Data shall be private and confidential to a specific user. Users shall not allow access to or copying of the data under their responsibility, nor tolerate others with similar responsibility doing so. Division Chiefs/Unit Heads are responsible for ensuring compliance with the ‘Data Privacy Policy’ with regard to data processed within their Units.

6.6 Ownership of data. All information/data stored in the Bureau’s systems are deemed the property of the Bureau.

6.7 Examination of data use. Staff consent to the examination of the use and content of all data/information processed and/or stored by the staff in the Bureau’s systems is required.

Section 7.0: Back Up (Data, Software, etc.)

7.2 Storing Back-up Data. Users of networked desktop PCs should avoid storing back-up data on their local hard drives. Data so stored may be lost if a problem develops with the PC, and the MIS Unit may not be able to assist in its recovery. Back-ups should be stored within the designated safe file directory (folder) structure used by each Division/Unit. Likewise, the MIS Unit shall ensure the physical security of back-up data. Physical security shall refer to physical restriction of access to the back-up storage facility.
7.3 Remote Users. Remote and laptop/notebook PC users must ensure they back up their data regularly. The MIS/ICT Service Provider will provide the necessary advice and assistance accordingly.

7.4 Schedule of Back-up. All designated users shall perform a back-up of their data to the designated safe file directory (folder) every Friday of the week at 3:00PM. In case the said schedule falls on a holiday, the back-up shall be conducted on the day before the said holiday.

Section 8.0: Anti-Virus Protection

8.4 Remote Users. Remote users and users of portable machines will assist in the upgrade of anti-virus software in accordance with the specified mechanisms agreed with the MIS/ICT Services Provider, e.g. Internet updates.

8.5 Bureau Users. All employees/users of ICT equipment must virus-scan all media and ensure their devices are free of computer viruses (including floppy disks, portable storage devices, thumb drives, USB, zip disks, CDs and all similar devices) before use. The MIS Unit/ICT Services Provider will provide facilities, assistance and training where required.

8.6 Detection of Computer Virus. On detection of a virus, users/staff must notify the MIS Unit/ICT Services Provider to mitigate further risk, perform control measures and ensure a secure environment.

8.7 Tampering with the Anti-Virus Software. Under no circumstances should users/staff attempt to disable or interfere with the anti-virus software.

8.8 Shared Responsibility. Protection from computer viruses and ensuring ICT facility operation in a secure environment is a shared responsibility of all Division Chiefs/Unit Heads. Recklessness and negligence must not be tolerated under any circumstance.

Section 9.0: Computer Users Access Codes (Login Key and Passwords)

9.9 User responsibility. Users should change their access codes when prompted by the system in the case of networked machines, or on a regular basis for standalone machines.

9.10 Passkey Confidentiality. Staff are responsible for the security of their access codes, which they should not divulge, even to colleagues.

9.11 Technical Support. Problems with access codes should be reported to the MIS/ICT Services Provider for proper troubleshooting.

9.12 Password expiration. It is mandatory to change passwords every 30 days or as necessary. E-mail accounts of employees who are separated from the Bureau shall be processed and deleted upon approval of Senior Management/EXECOM.

Miscellaneous provisions on ‘System Usage’

9.15 Users should ensure their computers are fully shut down and turned off at the end of the day.

9.16 Computers should be locked or shut down when left unattended for any significant period of time.

User Responsibility in Implementing this Policy

9.19 Certain levels of responsibility are defined in each specific section. As a general rule, users are mandated to report all offenses or violations made by ‘anyone’ relative to this policy. Likewise, for purposes of care and maintenance, users shall report any repair requirement, troubleshooting or other technical assistance that may be required relative to the use of the ICT facility.

9.20 In case of an investigation, all users are obliged to cooperate to the full extent, particularly but not limited to the surrender of passkeys, access to the concerned ‘systems’, disclosure of required data, etc.

Section 10: Contravention of the related National and Local Policy

Bureau staff should be aware of their responsibilities under the e-Commerce Law, Intellectual Property Rights Law, and Philippine Copyright and Patent Law. The MIS will provide guidance when required.

Section 11: Disciplinary Action

This section provides the corresponding penalty for a specific offense or violation of this policy committed by any Bureau personnel, whether permanent, contractual or circumstantial. Penalties provided hereof are based on ‘Rule XIV on Discipline’, Omnibus Rules Implementing Book V of Executive Order No. 292 and Other Pertinent Civil Service Laws. For the complete Section 11, refer back to pages 19 to 22.
Section 12: Software License Policy

12.3 Software Management: Installation, deployment, configuration and support of all software applications used by the Bureau are the responsibility of the MIS. Installation of unauthorized software is prohibited; this includes games, screensavers, programs downloaded from the internet and similar applications. Any third-party software management provider should work in accordance with the relevant ICT policy, specifically the “Data Privacy Policy” and “Information Security Framework”.

12.11 Software Troubleshooting: All employees shall report any problem relative to application software. Users may troubleshoot an application only to the extent allowed by the MIS, which should be clearly discussed during orientation or training. Only authorized MIS staff shall troubleshoot application software.

12.14 Software prohibitions: Licensed software use is limited to the terms and conditions of the license agreement. The Bureau prohibits the use of licensed software for any illegal activities, personal use other than work-related use, and any act that shall harm or cause harm to any entity. It is likewise prohibited to install or use any illegal or pirated copy of software on any Bureau-owned ICT assets and resources.
ANNEX B Procurement and Configuration Guide for ICT Equipment and Network
Procurement and Configuration Guide
Purpose of this Document

The purpose of this document is to describe the minimum specifications when procuring servers, PC units, network devices and associated storage devices. This document includes the basic security and industry compliance features and configurations required.
Part I. IEEE 802. LAN/WAN/WLAN Minimum Standards

This LAN/WAN standard defines the minimal requirements for the specification of network devices acquired for the purpose. Defined here as well is the wireless security standard configuration for all wireless local area network implementations, to strengthen the network’s operation in a secure environment.

Revisions: The MIS Chief shall ensure the standard is regularly updated to reflect changes in market trends and Bureau requirements. The standard shall be reviewed and revised by the MIS Division with the technical assistance of an ICT expert.

Deviations: Any unit requiring deviation from the LAN/WAN/WLAN minimum standard shall submit sufficient business justification for the approval of Senior Management/EXECOM.
Section 1.0 Network Devices

1.1 Network Switch Features:
• High availability and scalability
• Power consumption monitoring
• Power redundancy and fault back-up
• Device service management software
• Multi-protocol layering system
• Bridging and routing on Fast Ethernet ports
Standards and Protocols:
• IEEE 802.1s
• IEEE 802.1w
• IEEE 802.1x
• IEEE 802.3ad
• IEEE 802.3af
• IEEE 802.3ah
• IEEE 802.1ag
• IEEE 802.3x full duplex on 10BASE-T, 100BASE-TX, and 1000BASE-T ports
• IEEE 802.1D Spanning Tree Protocol
• IEEE 802.1p CoS classification
• IEEE 802.1Q VLAN
• IEEE 802.3 10BASE-T
• IEEE 802.3u 100BASE-T
• IEEE 802.3ab 1000BASE-T
• IEEE 802.3z 1000BASE-X
• IP routing: Static, RIP versions 1 and 2, EIGRP, OSPF, BGPv4, HSRPv2, PIM-SM, and PIM-DM
• Management: SNMP versions 1, 2, and 3

Safety:
• UL 60950, Third Edition
• UL to CAN/CSA 22.2 No. 60950, Third Edition
• TUV/GS to EN 60950 with Amendment A1-A4 and A11
• CB to IEC 60950 with all country deviations
• NOM to NOM-019-SCFI
• AS/NZS 3260, TS001
• CE Marking
• CLEI Coding

Security:
• ACL-based security implementation; IEEE 802.3af
• Security standards: SSL web authentication
• MAC authentication, MAC filtering and MAC address notification
• Port-based ACLs
• Unknown unicast and multicast port blocking
• SSHv2 and SNMPv3
• Bidirectional data support on the Switched Port Analyser (SPAN) port
• TACACS+ and RADIUS authentication
• DHCP snooping
• DHCP Interface Tracker
• Port connection aging feature
• Multi-level security console access
• BPDU Guard
• Spanning-Tree Root Guard (STRG)
• IGMP filtering
• VLAN Membership Policy Server (VMPS) client function

Operating Environment:
• Temperature: 0 to +45°C; -5 to +55°C (NEBS short-term operation)
• Relative humidity: 10 to 85% non-condensing; 5 to 95% non-condensing (NEBS short-term operation)
1.2 Standard Service and Support, when required from the device provider:
• Project management
• Site survey, configuration, and deployment
• Installation, test, and cutover
• Training
• Major moves, adds, and changes
• Design review and product staging
• 24-hour access to software updates
• Web access to technical repositories
• Telephone support
• Advance replacement of hardware parts

The LAN/WAN/WLAN implementation of the IT unit, as described in the Scope section, shall conform to this standard.
Section 2.0 Wireless Configurations

2.1 Hot Spots and Wireless Access Point Configuration
Security: WPA & WPA2 (Wi-Fi Protected Access); Network Address Translation (NAT); Stateful Packet Inspection (SPI); VPN Pass-through / Multi-sessions (PPTP / L2TP / IPSec)
Service Set: Broadcast separate SSID for guest and Bureau user access

2.2 Wireless Bureau Owned Client Device (notebook, tablet PC, handheld, etc.)
Security: Infrastructure Mode Enabled; Ad Hoc Mode Disabled. Units may use Ad hoc mode for peer-to-peer wireless network connectivity as described by the Bureau’s ‘disaster recovery’ or ‘business continuity plan’.

2.3 Wireless Local Area Network
Access Method: 802.11 a/b/g
Encryption: WPA/WPA2-AES CCMP; VPN Pass-through / Multi-sessions (PPTP / L2TP / IPSec)
Authentication EAP-Type Support (Required): 802.1X EAP for Bureau user access; captive portal or 802.1X EAP for guest use; PEAPv0, also known as PEAP/MS-CHAPv2 or PEAPv0/EAP-MSCHAPv2. Optional: FAST, PEAPv1, SC, TLS, TTLS
User Access: Created using a switch-to-switch IP tunnel or VPN (SSL, IPSec)
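As an added illustration (not part of the Bureau's manual), the following hostapd configuration applies the 2.1 and 2.3 requirements on one access point: WPA2 with AES-CCMP only, 802.1X EAP relayed to a RADIUS server for the Bureau SSID, and a separate guest SSID on its own bridge with client isolation. Interface and bridge names, SSIDs, the RADIUS address and the shared secret are assumed placeholders.

```conf
# hostapd.conf (added example; not BLGF's own configuration)
# Radio parameters; wlan0 is an assumed interface name.
interface=wlan0
driver=nl80211
# 802.11g radio; 2.3 allows 802.11 a/b/g.
hw_mode=g
channel=6

# Bureau SSID (assumed name), bridged to the assumed Bureau VLAN bridge.
bridge=br-bureau
ssid=BLGF-STAFF
# wpa=2 offers RSN/WPA2 only, so legacy WPA/TKIP is never negotiated.
wpa=2
# 802.1X EAP for Bureau user access (2.3); no pre-shared key.
wpa_key_mgmt=WPA-EAP
# AES-CCMP as the only pairwise cipher (2.3).
rsn_pairwise=CCMP
ieee8021x=1
# The AP relays EAP frames; PEAPv0/EAP-MSCHAPv2 is negotiated between
# the client and the RADIUS server, so no EAP method is set here.
eap_server=0
# Assumed RADIUS server in the documentation address range.
auth_server_addr=192.0.2.10
auth_server_port=1812
# Placeholder; use a long random secret in a real deployment.
auth_server_shared_secret=CHANGE-ME-LONG-RANDOM-SECRET

# Guest SSID (2.1: separate SSID for guest access) as a second BSS,
# bridged to the assumed guest VLAN bridge so guest traffic never
# shares the Bureau segment.
bss=wlan0_1
bridge=br-guest
ssid=BLGF-GUEST
wpa=2
# 2.3 permits captive portal or 802.1X EAP for guests; 802.1X is shown.
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-LONG-RANDOM-SECRET
# Guest clients cannot reach each other through the AP.
ap_isolate=1
```

hostapd treats only whole lines beginning with # as comments, so a comment must never be placed after a value on the same line.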
Part II. Enterprise Server & Client Computer Hardware Standards

This section defines the minimum requirements for Personal Computer Systems for use by Bureau employees. Minimum requirements shall be the minimum standard specific to hardware component specifications, security features and environmental compliance, effective upon approval.

Revisions to the Specifications: The Bureau MIS Chief ensures that the enterprise server and client computing hardware specifications are regularly updated to reflect changes in market trends, technology, Bureau requirements and Bureau policies. The standard shall be reviewed and updated under the advice of the Technical Working Group.

Exceptions to the Specifications: Any organized body, Office, Division or Section under the Bureau requesting permission to procure client computers or LCD displays not in conformity with this Bureau ICT standard shall provide sufficient justification describing why the specified standard does not satisfy its requirements. A limited variance from this Bureau ICT standard is allowed for client computer configurations that conform with the prior version of the standard. As a general rule, any request for quotation or procurement plan, with its attributes, features or peripheral devices, shall not quote or submit a proposal that is below the minimum standards set forth in this policy.
Section 1.0 Minimum Specifications for Enterprise Servers

The specifications cover six server roles: File and Print, Messaging, Web, Domain Controller, Database, and Application / General. Requirements common to all six roles:
• Form Factor: Rack
• Expansion Slots: PCI-Express, PCI-X and PCI Compatible
• Disk bays: SFF and LFF: Hot plug drive to support both SAS and SATA
• System management processor: Server Recovery, Hardware Diagnostic, Remote Management
• Required Hot-swap components: Hard disk drives, power supply, fans
• Minimum Required RAID support: Integrated RAID 0/1/0+1/5/6
• Maximum Capacity per Drive is 80GB
• Minimum OS compatibilities support: Red Hat Linux, SUSE Linux, Microsoft Windows
• Warranty - year(s) (parts/labour/onsite): 3/3/3 (Must have provider service coverage nationwide)

Role-specific requirements (each processor may be substituted by an equivalent):

File and Print
• Processor Type: Intel® Xeon® Processor X5270 (3.50 GHz, 1333MHz FSB, 80W) Dual-Core type, or equivalent
• Number of Processor(s) (std/max): 1/2; up to 12MB Level 2 cache (2 x 6MB)
• Cache (std): 6MB L2
• Minimum Memory (DIMM) (DDR): 4GB
• Minimum Internal Storage: 180GB
• Network interface: 10/100/1000 Integrated dual Gigabit Ethernet

Messaging
• Processor Type: Intel® Xeon® Processor X5260 (3.33 GHz, 1333MHz FSB, 80W) Dual-Core type, or equivalent
• Number of Processor(s) (std/max): 1/2
• Cache (std): 4MB L2
• Minimum Memory (DIMM) (DDR): 4GB
• Minimum Internal Storage: 180GB
• Network interface: 10/100/1000 Integrated dual Gigabit Ethernet

Web
• Processor Type: Intel® Xeon® Processor X5470 (3.33 GHz, 1333MHz FSB, 120W) Quad-Core type, or equivalent
• Number of Processor(s) (std/max): 2/4
• Cache (std): 12MB L3
• Minimum Memory (DIMM) (DDR): 6GB
• Minimum Internal Storage: 180GB
• Network interface: 10/100/1000, Two (2) NC382i Dual-Port Multifunction Gigabit Server Adapters (four ports total)

Domain Controller
• Processor Type: Intel® Xeon® Processor X5260 (3.33 GHz, 1333MHz FSB, 80W) Dual-Core type, or equivalent
• Number of Processor(s) (std/max): 1/2
• Cache (std): 4MB L2
• Minimum Memory (DIMM) (DDR): 4GB
• Minimum Internal Storage: 180GB
• Network interface: 10/100/1000 Integrated dual Gigabit Ethernet

Database
• Processor Type: Intel® Xeon® X7460 Processor (2.67 GHz, 16MB cache, 130 Watts) 6-Core type, or equivalent
• Number of Processor(s) (std/max): 4/6
• Cache (std): 16MB L3
• Minimum Memory (DIMM) (DDR): 12GB
• Minimum Internal Storage: 450GB
• Network interface: 10/100/1000, Two (2) NC382i Dual-Port Multifunction Gigabit Server Adapters (four ports total)

Application / General
• Processor Type: Intel® Xeon® Processor X5470 (3.33 GHz, 1333MHz FSB, 120W) Quad-Core type, or equivalent
• Number of Processor(s) (std/max): 2/4
• Cache (std): 12MB L3
• Minimum Memory (DIMM) (DDR): 6GB
• Minimum Internal Storage: 320GB
• Network interface: 10/100/1000, Two (2) NC382i Dual-Port Multifunction Gigabit Server Adapters (four ports total)
Section 2.0 Minimum Specification for Storage Systems

2.1 Network-attached Storage (NAS)
Solution: Network-attached Storage (NAS). Minimum standard per description:
• RAM: 2GB
• Fibre Channel Ports Speed: 4 Gigabits per second (Gbps)
• Ethernet Ports Speed: 1 Gigabit per second (Gbps)
• Minimum Disk Bays: 34 Bays
• Minimum Storage: 1 TB
• Disk Drives Supported in Controller: SAS at 15,000 rpm; SATA at 7,200 rpm; disk expansion unit supported
• Software Requirement: Hardware and File Management; Application Management; Protection Management (Mirror, Clone, Redundancy, Restore etc.); RAID Management; Interoperability Management; Operations Management (Network, etc.)
• Warranty: 3 years (next business day, onsite) with option for years 4 and 5 (Must have provider service coverage nationwide)
2.2 Storage attached Network (SAN) Fabric Switch
Solution: Storage attached Network (SAN) (Fabric Switch). Minimum standard per description:
• Fibre Channel Interface: E_Port, F_Port
• Optical Transceivers: Short, long and extended long wave Gbps links; compatible in both FC and Ethernet ports
• Copper Transceivers: At least 100 Mbps Ethernet
• Hot Swappable Components: Fans, Power Supply, transceivers
• Server Supported: At least supports IBM, Sun, HP, and Dell servers
• Operating Systems Supported: At least supports Microsoft, Red Hat, and SUSE Linux OS
• Storage Products Supported: At least IBM and HP Storage Solutions
• Fibre Channel Switches Supported: Any-type switches and their current firmware
• Fiber Optic Cable: Required length and at least in multi-mode format
• Power Cords: Required length and in country-specific features
• Warranty: 1 year (next business day, onsite) with option for years 2 and 3; and with customer replaceable unit (Must have provider service coverage nationwide)
2.3 Storage attached Network (SAN) (Storage System)
Solution: Storage attached Network (SAN) (Storage System). Minimum standard per description:
• Storage Devices: Provisions for Tape and DVD
• Minimum Compression: 2:1 for tape drives; 3:1 for DVD optical drives
• Operating Environment: Compatible with current Bureau operating environment
• Software Requirement: AIX, Linux, IBM or any current firmware
• Drive Options (Tape | CD-RAM | CD-ROM):
  Drive Type: Tape | CD-RAM | CD-ROM
  Media: 4mm Tape | Bare Disc | Bare Disc
  Native Capacity: 36GB | 2.6GB-9.4GB | 2.6GB-9.4GB
  Compressed Capacity: 72GB | Up to 28GB | Up to 28GB
  Compatibility: Current | CD-WR/ CD-R | CD-ROM
• Power Cords: Required length and in country-specific features
• Warranty: 1 year (next business day, onsite) with option for years 2 and 3; and with customer replaceable unit (Must have provider service coverage nationwide)
Section 3.0 Minimum Specification for Desktop Systems

Basic Office Desktop
• Form Factor: Micro Tower, Small Desktop, Small Form Factor
• Processor: Intel® Core™ 2 Duo E8400 Processor (3.00GHz, 1GHz, 6MB)
• Minimum Memory (DIMM/DDR2): 2GB DDR2 SDRAM 667MHz

Managed Desktop
• Form Factor: Small Desktop, Ultra Small Desktop, Small Form Factor, Ultra Small Form Factor, Tower
• Processor: Intel® Core™ 2 Quad Q6600 Processor (2.40GHz, 1GHz, 8MB)
• Minimum Memory (DIMM/DDR2): 4GB DDR2 SDRAM 667MHz

Common to both desktop types:
• Graphic Memory: High Resolution 128MB
• PCI: 1+ internal slots (16x or 1x)
• Network Adapter Speed: 10/100 Mbps
• Hard Drive: 250GB (SATA, 7200 RPM) (2 x 80GB)
• Optical Drives: CDRW/DVD-ROM Combo, DVD+/-RW or no optical drive
• I/O Ports: USB, Audio, Video, Printer, LCD
• Warranty: 3 years (next business day, onsite) with option for years 4 and 5 (Must have provider service coverage nationwide)

Optional Features:
• Wireless: 802.11 a/b/g
• Legacy Ports: PS/2, serial, parallel
• Modem: 56K v.92
• Floppy Drive: Internal floppy drives are allowed; however, their acquisition is discouraged in favor of acquiring external USB floppy drives that are shared within user work groups on an as-needed basis.
Section 4.0 Minimum Specification for Portable Personal Computer

Basic Notebook (Business)
• Processor: Intel® Core™2 Duo Processor (2.80GHz)
• Minimum Memory (DIMM/DDR2): 2GB DDR2 SDRAM 667MHz

Managed Notebook (Specialized)
• Processor: Up to Intel® Core™2 Duo Processor (2.80GHz)
• Minimum Memory (DIMM/DDR2): 4GB DDR2 SDRAM 667MHz

Common to both notebook types:
• Graphic Memory: High Resolution 256MB
• Display Size: 14.1” to 15.4”, wide aspect ratio: WXGA (1280x800)
• Pointing Device: Touchpad
• Network Adapter Speed: Integrated 10/100/1000 NIC
• Hard Drive: 160GB (SATA, 7200 RPM)
• Optical Drives: CDRW/DVD-ROM Combo, DVD+/-RW or no optical drive
• I/O Ports: USB, Audio, Video, Printer, LCD, PC Card Slots, SD
• Warranty: 3 years (next business day, onsite) with option for years 4 and 5 (Must have provider service coverage nationwide)

Optional Features:
• Wireless: 802.11 a/b/g
• Legacy Ports: PS/2, serial, parallel
• Modem: 56K v.92
• Floppy Drive: External USB floppy drive only.
• Dock Station: Port, Extra Fan
• Battery: Lithium-Ion/6-cell or Lithium-Ion/9-cell
• Biometric Device: Fingerprint reader
Section 5.0 Mandatory Security Features
Client computers must comply with the following security requirements (no exceptions):
• TPM Chip: Version 1.2 revision 103
• BIOS Agent: Absolute Software Corp. Computrace

Section 6.0 Environmental Compliance
Environmental Compliance for LCD Displays and Client Computers:
• EPEAT Rating: Silver or Gold
• ENERGY STAR: 4.0
• TCO Label: TCO’03 (LCD displays only)
MEMBERS OF THE TECHNICAL WORKING GROUP
Atty. Flosie Fanlo-Tayag
Deputy Executive Director for Administration
Dr. Jose Arnold M. Tan, PhD
Deputy Executive Director for Operations
Ms. Armi M. Advincula
Director II, Internal Administration Office
IT SYSTEMS DEVELOPMENT AND DEPLOYMENT TEAM - LAMP2 COMPONENT 4
Ma. Pamela P. Quizon
Team Leader, Database Team - LAMP2 Component 4; Acting Chief, Local Revenue Enforcement Division (REV)
Mervin A. Martinez
Information System Management Associate
Ramilo T. Morales
Information System Management Associate
Erick N. Villapando
Information System Management Associate
Rommel M. Cunanan
National Technical Adviser, Valuation Information System
MANAGEMENT INFORMATION AND DATA SYSTEMS DIVISION (MIS)
Ma. Florizelda A. Enriquez
Team Leader, HRMD Team - LAMP2 Component 4; Acting Chief, MIS
Joel B. Capule
Data Entry Machine Operator
Gemma P. Vinluan
Data Encoder - Job Outsource
Jorge C. Sandro
IT Assistant - Job Outsource
Evelyn D.R. Facun
Information System Researcher - Job Outsource
HUMAN RESOURCE MANAGEMENT TEAM
Hazel Gampay
HRMD Officer
Rosely L. Perpetua
Local Assessment Operations Officer III