Introduction
The ICT Policy manual provides the policies and procedures for selection and use of ICT within Ampersand. It also provides guidelines Ampersand will use to administer these policies, with the correct procedures to follow.
Ampersand will keep all ICT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures.
Any suggestions, recommendations or feedback on the policies and procedures specified in this manual should be raised with the IT department.
1. General Information
This policy was created and is maintained by Ampersand’s IT department. The web version of the policy available via the company’s official website is the definitive version and shall always be the most up to date.
2. Principles
- Ampersand recognises that information is an asset and is vital to the operational and economic well-being of the company, and shall therefore create security measures and assign responsibilities to protect this asset from loss, theft, and unauthorized modification or disclosure.
- Ampersand recognises that it holds confidential personal data from its employees, applicants, customers, contractors, and other stakeholders across multiple jurisdictions.
- Ampersand recognises that it is under non-disclosure and confidentiality obligations to various third parties, including legal Non-Disclosure Agreements.
- All measures must conform to established company policies and legal requirements.
- Every cost-effective measure shall be taken to ensure the confidentiality, integrity, authenticity and availability of information.
- It is a priority for all employees at all levels of the company to protect the confidentiality, integrity, and availability of information and resources, including information they receive about present and past employees, applicants, clients, partners and the company itself.
3. Objectives
The purpose of this ICT policy is to:
- Establish direction, procedures and requirements to ensure the appropriate protection of information handled by the company's computer resources.
- Emphasize the importance of following ICT policy in the various computer environments and the roles of staff at each level.
- Assign specific responsibilities to ensure policy implementation.
4. Scope
- The ICT policy applies to all company-owned information or data in all forms, including electronic and physical.
- The ICT policy applies to all employees, both full-time and part-time, contractors, consultants and other workers at the company, including those affiliated with third parties who access the company's ICT resources.
- The ICT policy applies equally to networked servers, stand-alone computers, peripheral equipment, personal computers, laptops, workstations, mobile phones, and other electronic devices within Ampersand. It also applies to equipment outside of the company network but authorized for access to company resources. Resources include data, information, software, hardware, facilities and telecommunications.
5. Enforcement of ICT Policy
1. Enforcement
The IT Manager shall be responsible for enforcing the policy and for any appeals against IT department decisions.
This policy document shall be reviewed during the first quarter of each year by the IT department as stated in the final section of this policy, and changes shall be approved by the leadership team of Ampersand.
2. Violation of ICT Policy
Sanctions for violation of the ICT Policy may include, but are not limited to, deactivation of the user's accounts and prosecution by law enforcement agencies.
If misuse of user accounts leads to a violation of policy and compromise of confidential data, the person responsible shall be subject to disciplinary action, which may include termination of the employment contract.
ICT users who receive unsolicited offensive or inappropriate material electronically should delete such material immediately. Offensive or inappropriate material received from people inside the company and known to the receiver should be deleted immediately and the sender of the material should be reported to the IT department and asked to refrain from sending such material again. In the event that a user does not cease sending unsolicited offensive or inappropriate email, disciplinary action shall be taken and shall include de-activation of the user accounts and legal action.
Computer crimes such as unauthorized access to company and/or personal digital resources, computer fraud, hacking and damage to programs and data and introducing and spreading computer viruses shall normally result in legal action.
I. IT Procurement & Asset Management Policy
IT Equipment means computer hardware, servers and ancillary equipment, telephones, computers (laptops and desktops) and other telecommunications products, office products such as photocopiers, projectors, screens, printers and scan machines, or other hardware technology or equipment that is used in the creation, conversion, or duplication of data or information.
Purpose of the Policy
This policy provides guidelines for the purchase of IT hardware for the company to ensure that all hardware technology is appropriate, value for money and where applicable integrates with other technologies. The objective of this policy is to ensure that there is maximum control in purchase and delivery of hardware within the company.
Procedures
IT Procurement
All requests for IT equipment are raised with the IT department, which receives and reviews them and contacts the requester's line manager for initial approval when necessary. In order to ensure that IT equipment is delivered to the requester as soon as possible, an IT inventory should be maintained with items and quantities listed in the IT department forecast sheet.
If the requested item is not present in the IT inventory or available in insufficient quantity, the request is forwarded to the procurement team which takes charge of both local and international purchases. For more details, refer to section 10 of Ampersand’s local procurement manual.
IT Asset Management System (ITAMS)
The IT department is the primary owner of the IT assets, including hardware devices, software licenses, and other ICT resources, and is responsible for their acquisition, deployment, maintenance, and disposal. The IT department is responsible for managing and maintaining the IT asset management database as part of the IT asset management process.
The IT department may work closely with other departments, such as procurement and finance, to manage the IT asset register and ensure that it aligns with the organization's overall business strategy and goals.
II. Policy for Getting Software
Purpose of the Policy
This policy provides guidelines for the purchase of software for the company to ensure that all software used by the business is appropriate, value for money and where applicable integrates with other technologies. This policy applies to software obtained as part of a hardware bundle or pre-loaded software.
Procedures
Request for Software
All employees are required to obtain approval from the IT department before installing any commercial software on their corporate computers. Commercial software refers to any software that requires a license or is not freely available for public use. Software freely available for public use can be installed without approval.
Purchase of software
The purchase of all software must adhere to this policy.
All software must be purchased by the IT department. The requester sends a request to the IT department specifying clearly all the software specifications, beneficiaries and license details. In some cases, the requester's department manager may be contacted to approve the purchase.
III. Policy for Use of Software
Purpose of the Policy
This policy provides guidelines for the use of software for all employees within the business to ensure that all software use is appropriate. Under this policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.
Procedures
Software Licensing
All employees of the business must comply with all computer software copyrights and with the terms of all software licenses.
Where licensing states limited usage (i.e. number of computers or users etc.), then it is the responsibility of the IT Manager to ensure these terms are followed.
The IT department is responsible for completing an annual software audit to ensure that software copyrights and license agreements are adhered to.
Software Installation
All software must be appropriately registered with the supplier where this is a requirement.
Only software obtained in accordance with the Policy for Getting Software (Section II) is to be installed on the business's computers.
All commercial software installation is to be carried out after informing the IT department.
A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.
Software Usage
Only software purchased in accordance with the Policy for Getting Software (Section II) is to be used within the business.
Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.
All relevant employees must receive training for new software. This includes new employees to be trained to use existing software appropriately. This will be the responsibility of the employee’s department manager.
Employees are prohibited from bringing commercial software from home and loading it onto the business’s computer hardware without approval from their respective department’s manager.
Unless express approval from the IT Manager and the staff member's department manager is obtained, commercial software owned by the company cannot be taken and loaded onto an employee's personal computer.
Where an employee is required to use software on their personal computer, an evaluation of whether the employee can use a portable business computer instead should be undertaken in the first instance. Where it is found that software can be used on the employee's personal computer, authorisation from the IT Manager and the staff member's department manager is required to purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of the business and must be recorded on the software register by the IT department.
The unauthorized duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires, or uses unauthorized copies of software will normally be subject to disciplinary actions, which may include legal action. The illegal duplication of software or other copyrighted works is not condoned within Ampersand. The IT, legal and HR departments are authorized to undertake disciplinary actions where such an event occurs.
Breach of Policy
Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify the IT department immediately. In the event that the breach is not reported and it is determined that an employee failed to report the breach on time, then that employee will normally be subject to disciplinary actions, which may include legal action.
Unauthorized software
Unauthorized software is prohibited from being used in business operations. This includes the use of software fully owned by an employee and used within the company. The following list includes all software categories that are prohibited from being downloaded, installed or used across all company devices and network:
- Any torrent client software (Bittorrent, uTorrent, qTorrent, Tixati and all others)
- Any VPN client without express approval from the IT Manager and the staff member's department manager
- Any cracked, patched, modded or illegally distributed copy of commercial software without a genuine official license.
IV. IT Project Management Policy
Purpose of the Policy
This policy contains rules and guidelines which are followed during different phases of IT projects.
Procedures
All major ICT projects must follow a formal project management methodology. This methodology must, at a minimum, stipulate the following project deliverables within the respective phases of the project:
- Project Initiation – Project charter
- Project Definition – Project definition report, Project plan and Business justification
- Execution – Project status reports
- Close out – Project completion report
- Maintenance
V. Electronic and Physical Media Disposal Policy
Purpose of the Policy
This policy governs the secure disposal of corporate electronic and physical media according to the purpose, time of usage, lifespan, and retention period, ensuring compliance with applicable laws and regulations.
Procedures
Devices may be retired to mitigate the risk of important data being lost or difficult to retrieve due to hardware failure. When a device is retired, all data on the device must be securely erased as indicated in the disposal options below.
Devices that are not retired may be repaired and repurposed. This cost-effective option helps to reduce the environmental impact of ICT waste. When a device is repaired, it should be tested to ensure that it is working properly. Once the device has been repaired, it can be assigned to a new user or used for a different purpose.
Disposal Options
When electronic or physical media is no longer needed, it must be disposed of in a secure manner. The company has the following disposal options:
- Shredding: Physical media, such as paper documents, are securely disposed of through shredding. This ensures that information cannot be accessed or reconstructed.
- Data wiping: For electronic devices which need to be reused, such as laptops, special software is used to overwrite the data on the storage media so that the data cannot be recovered.
- Resale: For unused electronic devices, the company can also decide to calculate their current value and sell them to individuals after the data has been wiped, to avoid stocking unused ICT assets.
VI. Performance & Capacity Management Policy
Purpose of the Policy
This policy provides information about how the IT department ensures that devices and systems are operating smoothly according to their expectations.
Procedures
Weekly health checks must be conducted on critical ICT resources. The checks must include, amongst others, critical device functionality, storage capacity, network bandwidth, error logs, consumables (e.g. printer toner and printer paper), and WAN and LAN connectivity checks.
Performance reporting must occur on all critical IT resources on a regular basis. Capacity planning reviews must also be conducted regularly to forecast future ICT requirements.
VII. Bring Your Own Device Policy
At Ampersand we acknowledge the importance of mobile technologies in improving business communication and productivity. In addition to the increased use of mobile devices, staff members are allowed the option of connecting their own mobile devices to Ampersand's network. We encourage you to read this policy in full, to act upon its recommendations, and to re-read the policy, view an instructional video (if available) or participate in training once a year.
Purpose of the Policy
This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and other electronic devices for business purposes. All staff who use their personal technology or equipment at Ampersand’s workplaces are bound by the conditions of this policy.
Procedures
Current mobile devices approved for business use
The following personally owned mobile devices are approved to be used for business purposes:
- Personal smartphones
- Personal laptops
- Personal computer peripherals such as monitors, keyboards, mice, webcams, stands and others.
Registration of personal mobile devices for business use
Employees using their personal devices for business use, especially at the workplace, have to inform the IT department to register the device within the IT register to avoid confusion. The IT department will record the device and all applications used by the device.
Each employee who utilizes personal devices agrees:
- Not to use the registered mobile device as the sole repository for Ampersand's information. All business information stored on mobile devices should be backed up to the employee's business Google Drive storage.
- To make every reasonable effort to ensure that Ampersand's information is not compromised through the use of mobile equipment in a public place. Phones containing sensitive or critical information should not be used by unauthorized persons, and all registered devices should be password protected.
- Not to share the device with other individuals, in order to protect the business data accessible through the device.
- To abide by Ampersand's internet usage policy for appropriate use of and access to internet sites.
- To notify the IT department immediately in the event of loss or theft of the registered device.
- Not to connect USB memory sticks from untrusted or unknown sources to the device.
All employees who have a registered personal device for business use acknowledge that the company:
- Owns all company-related intellectual property created on the device.
- Will regularly back up data held on the device.
- Will delete all data held on the device in the event of loss or theft of the device.
- Has first right to buy the device where the employee wants to sell the device.
- Will delete all data held on the device upon resignation or termination of the employee's contract. The resigned / terminated employee can request that personal data be reinstated from backup data.
- Has the right to deregister the device for business use at any time.
Keeping mobile devices secure
The following must be observed when handling mobile computing devices (such as notebooks and smartphones):
- Mobile computing devices must never be left unattended in a public place, in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on the person or securely locked away.
- Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended.
- Mobile devices should be carried as hand luggage when traveling by aircraft.
Breach of this policy
Any breach of this policy will be referred to the IT department, which will, together with the HR department, review the breach and determine adequate consequences. These can include disciplinary action and/or a restriction on using personal devices for business purposes again.
VIII. Onboarding / Offboarding Policy
Purpose of the Policy
Ampersand understands that developing a consistent process to onboard new employees into the company ensures that from the very start they feel as though they are part of a cohesive team, while management can also be assured that important information is consistently shared with everyone new. The same applies to offboarding where a consistent offboarding process ensures that both the employees and the company remain in a safe and secure state.
This can be achieved by having a standardized IT onboarding / offboarding policy that is delivered in conjunction with an IT checklist for new employees.
Procedures
Onboarding
IT onboarding is the process of setting up a new employee in the company’s IT environment and then introducing them to it when they commence. This is achieved by following a new employee IT checklist.
The HR department informs the IT department with the new employee’s name, job title, workspace location, starting date and any other relevant information that is needed to set everything up.
The HR, IT, and new employee’s department have to make sure that the aforementioned IT checklist has been respected and completed within the appropriate time frame.
Offboarding
Whereas onboarding provides a smooth transition into the company, offboarding provides a smooth transition out of the company. Offboarding is a process that completes the end of a professional relationship between an employee and the company they work for. It involves all the tasks and procedures that need to be completed when an employee leaves a job, whether it is voluntary or involuntary.
This process is initiated and carried out by the HR department. In order to make sure that everything is taken care of, the IT department has to be notified with all relevant details when an employee offboarding process has started. This is to guarantee that the key tasks below are planned for and executed in time:
- Collecting company IT property from the employee.
- Disabling the employee's access to company systems and data.
Effective and consistent offboarding is important because it helps to ensure a smooth transition for the departing employee and minimize disruption to the company. It also helps to protect the company's confidential information and intellectual property, and maintain a positive relationship with the departing employee.
IX. Information Technology Security Policy
Purpose of the Policy
This policy provides guidelines for the protection and use of information technology assets and resources within the business to ensure integrity, confidentiality and availability of data and assets.
Procedures
Physical Security
Information security encompasses the protection of digital assets and the physical security of the company’s premises, equipment, and resources. The following controls are in place at the company premises:
- Access Control Systems: We utilize access control systems with keypad and biometric locks to manage and control access to our premises and specific areas within. These systems enable us to track entry and restrict it to authorized personnel only.
- Security Personnel: Trained security personnel, including security guards, are stationed at strategic points throughout our facilities. They monitor access points, conduct regular patrols, and respond promptly to security incidents or breaches.
- Closed Circuit Television (CCTV) systems: A network of CCTV cameras is in place to monitor and record activities in key areas of our premises. These cameras provide real-time surveillance and aid in investigations if any security incidents occur.
- Perimeter Security: We have implemented physical barriers, such as fences and gates, to secure the perimeter of our premises. These measures prevent unauthorized access and provide an additional layer of protection.
For all physical servers and other network assets, the area must be secured with adequate ventilation. It will be the responsibility of the IT Manager to ensure that this requirement is followed at all times. Any employee becoming aware of a breach to this security requirement is obliged to notify the IT department immediately.
The security and safety of all portable technology, such as laptops, notepads, iPads etc., will be the responsibility of the employee to whom it has been issued. Each employee is obliged to use passwords and other authentication measures and to ensure the asset is kept safely at all times, in order to protect the security of the asset issued to them.
In the event of loss or damage, the IT Manager will assess the security measures undertaken to determine if the employee will be required to reimburse the business for the loss or damage.
All electronic devices such as laptops, notepads, iPads and smartphones are to be locked immediately whenever they are left unattended at an office desk or anywhere else.
Each employee who utilizes a business phone, computer, or any other electronic device agrees:
- Not to use the registered device as the sole repository for Ampersand's information. All business information stored on mobile devices should be backed up to the employee's business Google Drive storage.
- To make every reasonable effort to ensure that Ampersand's information is not compromised through the use of that device in a public place. Portable devices containing sensitive or critical information should not be used by unauthorized persons, and they should be password protected.
- Not to share the device with other individuals, in order to protect the business data accessible through the device.
- To abide by Ampersand's internet usage policy for appropriate use of and access to internet sites.
- To notify the IT department immediately in the event of loss or theft of the device.
- Not to connect USB memory sticks from an untrusted or unknown source to Ampersand's equipment.
Each employee who utilizes a business phone, computer, or any other electronic device acknowledges that the business:
- Owns all company-related intellectual property created on the device.
- Can access all data held on the device, including personal data.
- Will regularly back up data held on the device.
- Will delete all data held on the device in the event of loss or theft of the device.
- Will delete all data held on the device upon resignation or termination of the employee's contract.
Information Security
All business data, such as sensitive, valuable, or critical employee, department, or company data, is to be backed up to secure online storage.
The company provides secure online storage facilities to enable efficient and reliable data backups. It is the responsibility of each employee to initiate regular backups of their work-related files and folders, including documents, presentations, spreadsheets, and other important data. Any unauthorized use of company online storage or failure to comply with this policy may result in disciplinary actions.
It is mandatory for all corporate computers to have antivirus software installed and running with up-to-date virus definitions. Windows Defender is the minimum accepted antivirus solution for all Windows-based workstations. Employees can also use other licensed, commercially recognized antivirus software, subject to approval from the IT department. It is the responsibility of each employee to regularly update their antivirus software and ensure that it remains active and functional. Compliance with this requirement is essential to safeguard our network, data, and systems from malware, viruses, and other security risks.
All information used within the business is to adhere to the privacy laws and the business’s confidentiality requirements. Any employee breaching this will be subject to disciplinary actions.
Two-factor authentication (2FA) and password policies
To enhance the security of our work-related applications and protect sensitive data, employees are strongly encouraged to enable and use two-factor authentication (2FA) whenever it is supported, especially on corporate Google and Microsoft accounts. Employees are advised to combine a password with one or more OTP media, such as a mobile phone number or personal email. Failure to adhere to this policy may result in restricted access to work-related applications or disciplinary action.
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may compromise the company network. As such, all company employees, including contractors, consultants, vendors and visitors with access to company systems, are responsible for taking the appropriate steps, outlined below, to select and secure their passwords.
General password policies:
- All system-level passwords shall be changed every 3 months.
- All user-level passwords shall be changed every 60 days, with password reuse disabled.
- Passwords shall not be inserted into email messages or other forms of electronic communication.
Password protection standards:
- Do not reveal a password over the phone to ANYONE.
- Do not reveal a password in an email message.
- Do not talk about your password in front of others.
- Do not hint at the format of a password (e.g. "my family name").
- Do not share a password with family members or co-workers, or reveal it at any time.
- If someone demands a password, refer them to this document or have them call someone at the IT department.
- Employees are strongly encouraged to utilize password-less sign-in options, such as two-factor authentication (2FA), whenever available. Additionally, the use of password manager applications, such as LastPass, is highly recommended to securely manage and store passwords for different systems and applications.
- Change passwords every 2 months (except system-level passwords, which must be changed at least every three months or according to the system-specific procedure).
- If you think an account or password has been compromised, report the incident to the IT department immediately and change all passwords.
The IT department has the right to perform password cracking or guessing on a periodic or random basis. If a password is guessed or cracked during one of these scans, the user shall be required to change it immediately.
File sharing and file storage
To safeguard company information, employees are responsible for storing all work files on company-approved storage mediums, such as Google Drive or Microsoft OneDrive. These storage mediums are encrypted and backed up regularly, which helps to protect the company's data from unauthorized access, loss, or damage. It is essential for employees to respect and follow the information security guidelines below when sharing files online:
- Set access expiration dates when sharing files with external parties.
- Only share files with people who need access to them.
- Use the "Share with specific people" option when sharing files with external parties.
- Set correct permissions for each person who has access to the file.
- Review file permissions and expiration dates regularly to make sure that they are still correct.
- Delete files that are no longer needed.
Technology Access
Every employee will be issued with unique identification credentials to access the business technology and will be required to change a password for access every 180 days.
System administrators are responsible for the issuing of the accounts and initial password for all employees.
Where an employee forgets the password or is ‘locked out’ after multiple attempts, then the IT department is authorized to reissue a new initial password that will be required to be changed when the employee logs in using the new initial password.
The following table provides the authorisation of access:

| Technology | Primary Administrator |
|---|---|
| AmperOps | Louange Hirwa |
| Atlassian Apps | Louange Hirwa |
| Cin7 Core | Irene Wanjiku |
| Grafana | Mick Ganza |
| Office 365 | Louange Hirwa |
| Syft | Andy Williams |
| Xero | Andy Williams |
| Google WorkSpace | Louange Hirwa |
| AutoDesk | Taiei Harimoto |
It is the responsibility of the IT Manager to keep all procedures of this policy up to date.
Data inventory and classification
The company has implemented data inventory and classification mechanisms to ensure the appropriate handling and protection of data. The following methodology is employed:
- Data Inventory: The company maintains a detailed data inventory that gives an overview of the types of data stored and processed within the company. This inventory covers data stored on various media, including cloud storage platforms such as Google Drive.
- Data Classification: Data within our organization is classified based on its sensitivity and criticality. This classification helps in identifying the appropriate security controls, access permissions, and protection measures for each category of data.
- Confidential Data Protection: Confidential data, such as HR records, financial information, trade secrets, or proprietary data, is given special consideration in terms of protection. Access to confidential data is limited to authorized personnel only, and strict access controls and permissions are implemented to prevent unauthorized disclosure or misuse.
- Cloud Storage Media: The company uses cloud storage, especially Google Drive, for storing and sharing data. Access and permissions are regularly reviewed to ensure that confidential data is adequately protected. User access is granted on a need-to-know basis, and data sharing settings are configured to align with the data classification and privacy requirements.
- Ongoing Review and Monitoring: The data inventory and classification methodology are reviewed periodically to ensure they align with changing data protection regulations and organizational requirements. This includes regular assessments of the sensitivity and criticality of data, as well as reviews of access permissions and security controls for data stored in cloud storage.
Electronic Records Retention
Ampersand recognizes the importance of properly managing and retaining electronic records, including customer and investor confidential data, in a secure and compliant manner. The Records Retention Policy below outlines guidelines and retention schedules specific to different types of records.
Retention Schedule
The following table lists the types of electronic records and the required retention periods:

Type of record                              Retention period
Customer information                        The company retains information about active customers for the duration of their engagement with our services. Information is securely stored for a period of one year after our relationship with the customer is discontinued.
Restricted data (third-party information)   Records are retained only while in active use.
Disposal of Records
At the end of the retention period, all electronic records must be destroyed in a secure manner. This may involve shredding and/or deleting the records using appropriate software as it is stated in the fifth policy of this document.
Exceptions
In some cases, it may be necessary to retain electronic records for a longer period of time than specified in the retention schedule. This may be required by law, regulation, or a court order.
Temporary suspension
In the following cases, a user account is temporarily suspended until the HR and IT departments agree to re-grant access:
- Security concerns: If there is reason to believe that a user's account has been compromised, it is suspended to prevent unauthorized access and protect the security of the system and its data.
- Policy violations: User accounts can be suspended if a user violates the organization's policies, such as sharing confidential information, accessing unauthorized resources, or engaging in inappropriate conduct.
- Inactivity: If a user account is inactive for longer than 1 month, it may be suspended to free up resources and reduce the risk of unauthorized access. This applies to employees who are on a long leave of absence for any reason, including maternity and sickness.
- Maintenance or upgrades: User accounts may be suspended temporarily during maintenance or system upgrades to ensure that the system remains stable and secure during the process.
Overall, suspending user accounts is an important tool for organizations to manage their resources and protect their systems and data. It allows them to respond quickly to security threats, enforce policies, and ensure that users are paying for the services they use.
Surveillance Systems
Ampersand recognises the value of the people, assets and other property located inside its operating areas and is aware of the incidents that may occur in those areas, including but not limited to theft, fraud, disputes, accidents and natural disasters. For these reasons the company uses surveillance systems in different areas of the head office and charging stations.
Benefits of surveillance systems include:
- Prevent and reduce the chance of theft
- Provide evidence of crimes and accidents
- Resolve internal business disputes
- Cut down security-related costs
- Monitor high-risk areas.
It is the responsibility of the IT department to ensure that surveillance systems are operational and that automatic video back-ups are recorded and remain accessible for future use. The backed-up data is kept either on the recording device's local storage or, when necessary, on company cloud storage.
The IT department is also in charge of accessing video data recorded by surveillance systems and distributing access of those video data to internal or external entities when necessary.
All information recorded by company surveillance systems is critical and non-shareable; it should only be viewed by relevant staff. Any employee breaching this policy will be subject to disciplinary action.
X. Network Policy
Purpose of the Policy
Ampersand has different network services available to a large number and variety of users, including staff, contractors and external parties. Compromised security for any networked system can have a detrimental impact on other networked systems and even bring down the entire company network. The IT department has company-wide responsibility to maintain the integrity and security of its networks and to provide the wiring and cabling infrastructures that support voice, data and video services.
This policy encompasses all systems directly connected to the Ampersand networks and systems. This includes company internet connections, ethernet connection, fiber connection and wireless networks.
Procedures
Network traffic
The IT department shall control access to all intra-company traffic, all inbound and outbound Internet traffic. The IT Manager shall determine what Internet traffic shall be permitted. The IT department shall provide oversight to ensure that the traffic limitations are consistent with the business goals of Ampersand.
Network bandwidth
Bandwidth is the amount of data that can be sent from one computer to another through a network connection in a certain amount of time. Data flow is negatively impacted by a steady increase in users on the network who transfer data above a standard level or size. This increase in users and demand causes contention, slowing down the speed of transfer for everyone.
- The amount of internet bandwidth available to the company will be increased when feasible
- The IT department may prioritize certain types of internet traffic to improve interactive performance
- The IT department will implement access control to discourage excessive use of the network so that users do not negatively impact others. This may include blocking traffic of certain applications / websites.
A Service Level Agreement (SLA) with the ISP must specifically state how much bandwidth the company receives monthly, performance measurements, agreed upon service levels and problem management.
Network management
- The IT department is the primary administrative contact for all network security related activities
- The IT department shall coordinate investigations into any alleged computer or network security compromises, incidents, and other problems. To ensure that this coordination is effective, the IT department requires security compromises to be reported by victims immediately
- The IT department shall monitor backbone network traffic in real-time to detect unauthorized activity or intrusion attempts
- If scans or network monitoring identify security vulnerabilities, the cooperation of the IT department and the appropriate departments shall be required. If the appropriate contact cannot be determined, the relevant management shall be notified. When a security problem (or potential security problem) is identified, the IT department shall take steps to disable system access for the users concerned and their devices until the problem has been rectified
- The IT department has the right to remove or disable any network segment in real-time from the company network until the problems affecting that segment are identified and solved.
Blocked websites
To prevent excessive use of the network, the IT department has the right to block certain applications and websites that are prohibited at the workplace, identified as illegal, or bandwidth-consuming from running on the internal company network. These websites include but are not limited to:
- All social media websites except WhatsApp and LinkedIn
- All movie, series, and video-sharing websites except YouTube
- All websites with adult content
- All torrent-sharing websites and P2P clients.
Any staff member who bypasses company firewalls and is found using any of the above websites without permission from the IT department will be immediately asked to terminate all processes associated with that website. If the same staff member does not respect the first warning, the HR department will be involved in taking disciplinary action, including tighter access controls.
XI. Website & Social media Policy
Purpose of the Policy
This policy provides guidelines for the maintenance of all relevant technology issues related to the business official websites and all official social media handles of the company.
Procedures
Website & Social media Register
The Website & Social media register must record the following details:
- List of domain names registered to the business
- Dates of renewal for domain names and hosting packages
- List of hosting service providers
- Expiry dates of hosting
- Hosting package details and third party providers associated with the website
- List of all official social media handles of the company
- Contributors on each social media handle
- Procedures to get content posted on the business social media pages.
Keeping the register up to date will be the responsibility of the communications officer.
The communications officer will be responsible for any renewal of items listed in the register.
Website & Social media content
All content on the business website and all social media handles is to be accurate, appropriate and current. This will be the responsibility of a communications officer.
The content of the website is to be reviewed every 3 months.
The following people are authorized to make changes to the business website and Google Maps profile:
- Mick Ganza
- Pacifique Clement
- Duly authorized and contracted web design and PR agencies / contractors.
The following people are authorized administrators of the business social media handles:
- Joyeux Didier
- Staff of Ampersand's duly authorized public relations agency(ies).
Basic branding guidelines must be followed on all website pages and social media handles to ensure a consistent and cohesive image for the business.
All data collected from the website and social media handles is to adhere to Ampersand’s privacy policy.
XII. Electronic Collaboration & Information Exchange Policy
Purpose of the Policy
Ampersand provides communication and collaboration services, including email, and video and voice conferencing to all employees of the company, enhancing efficiency and effectiveness of collaboration, communications and scheduling.
Procedures
E-mail is an official communication channel among staff and third party entities within and outside the company. Proper use of e-mail and other electronic communication mechanisms will avoid waste of resources and enable proper communication with target recipients.
The use of company official email has the following advantages:
- Sustainably keeps records and backups of work-related information
- Upholds the confidentiality and integrity of work-related information
- Reduces the bad practices associated with using personal email accounts for work communication (personal email accountability)
- Reduces unnecessary use of paper and the associated costs, since official emails are recognized as a formal company communication medium.
To maintain a secure and unified communication environment, all employees are strongly encouraged to use their corporate emails when signing up for external work-related applications, whenever it is supported. By utilizing your corporate email, you ensure consistency, security, and professionalism in your communication with external parties. It also enables the company to better manage and protect your data in accordance with our privacy and security policies.
Any information that is not legally required to be kept and presented as hard copy e.g. Invoices, Cheques, Receipts, and Delivery Notes, should be shared on official emails or using other appropriate software applications and recognized as formal communication.
The company’s Email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or origin.
The IT department will make an effort to prevent unsolicited mail or content deemed as undesirable by the company senior management. It is, however, the responsibility of each and every employee to ensure that they do not in any way forward any spam mails. Any violation of the rule shall normally result in disciplinary actions.
Google Chat
Google Chat is acknowledged as one of the recognized methods of communication within Ampersand. Google Chat offers a secure and efficient platform that enables real-time messaging and collaboration among employees. It provides a convenient way to engage in discussions, share files, and coordinate work across teams, departments, and projects, which streamlines collaboration and enhances productivity.
XIII. ICT Service Agreements Policy
Purpose of the Policy
This policy provides guidelines for all ICT service agreements entered into on behalf of the business.
Procedures
The following ICT service agreements can be entered into on behalf of the company:
- Provision of general ICT services
- Provision of network hardware and software
- Leasing, repairs and maintenance of ICT equipment
- Provision of business commercial software
- Provision of mobile phones and relevant plans
- Provision of commercial web services including hosting.
All ICT service agreements must be reviewed by respective department’s manager and company legal entities before the agreement is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by the person in charge.
All ICT service agreements, obligations and renewals must be recorded and stored in a protected cloud storage folder (Google Drive, OneDrive, Mega or others) with strict access restrictions.
Where an ICT service agreement renewal is required, in the event that the agreement is substantially unchanged from the previous agreement, then this agreement renewal can be authorized by the respective department’s manager.
Where an ICT service agreement renewal is required, in the event that the agreement has substantially changed from the previous agreement, then this agreement needs to be reviewed by respective department’s manager and company legal entities before the renewal is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by the respective department’s manager.
In the event that there is a dispute to the provision of ICT services covered by an ICT service agreement, it must be referred to the company legal entities who will be responsible for the settlement of such dispute.
XIV. Emergency Management of Information Technology
Purpose of the Policy
This policy provides guidelines for emergency management of all information technology within the company.
Procedures
ICT Hardware Failure
Where there is a failure of any of the company’s IT hardware assets, this must be referred to the IT department immediately.
It is the responsibility of the IT department to assess the damage and provide repair or replacement solutions in the event of ICT hardware failure.
It is the responsibility of the IT department to undertake tests on planned emergency procedures every 6 months to ensure that all planned emergency procedures are appropriate and minimize disruption to business operations.
Internet Service Disruptions
Where there is a significant drop in the speed of the company's wireless / wired internet, this must be referred to the IT department immediately using any of the available real-time channels (WhatsApp, chats, calls) to speed up troubleshooting and reduce possible damage.
Like the ISP, the IT department does not guarantee maximum and consistent internet speeds at every minute of the day, as there are various short-term causes of internet disruption, including internal network congestion, congestion on the ISP's link, bandwidth throttling and so on. However, the IT department will always ensure that any issue disrupting the internet connection is quickly and effectively resolved and communicated to users.
In case of a planned network upgrade which will stop the internet connection on the whole network or certain segments of the network, the IT department will normally schedule the upgrade outside company working hours and notify relevant users about the upgrade at least 3 hours prior.
Virus or other security breach
In the event that the business’s information technology is compromised by software virus, trojan, malware, spyware, or any other computer / network attack, such breaches are to be reported to the IT department immediately regardless of working hours or time of day.
The IT department is responsible for ensuring that any security breach is dealt with within a reasonable timeframe to minimize disruption to business operations.
Website / Application Disruption
In the event that business website is disrupted, the following actions must be immediately undertaken:
- The website host must be notified if it is a technical issue
- The IT department must be notified immediately.
XV. Backup, Recovery & Archiving Policy
Purpose of the Policy
This policy provides guidelines for backup, recovery and archiving.
Introduction
The purpose of this section of the policy is to:
- Safeguard the information assets of the company
- Prevent the loss of data in the case of accidental deletion or corruption, computer system failure, or disaster
- Permit timely restoration of information and business processes, should such events occur
- Manage and secure backup and restoration processes and the media employed in the process.
The retention periods of information contained within system-level backups are designed for recoverability and provide a point-in-time snapshot of information as it existed during the period defined by the system backup policies.
- Backup retention periods are distinct from the retention periods defined by legal or business requirements
- System backups are not meant for the following purposes:
  - Archiving data for future reference
  - Maintaining a versioned history of data.
Procedures
Employee data backups
Each employee with a business email account is obliged to back up all business-related data on their device to a Google Drive folder. This ensures that, in case of device failure or disaster, company data and information will still be available.
System / Configuration backups
Although commercial third party systems have their own ways of ensuring data integrity and backup, company network devices such as routers need periodic configuration backups to ensure fast service recovery in the event of device failure or disaster.
Approval, Review and Amendment
Approval
This policy is approved and has been circulated to the leadership team, department managers and all staff.
Review
In order to ensure that Ampersand ICT resources are adequately protected and that this policy remains relevant, a mandatory review of this policy will occur once in every quarter of the year.
Records of amendments
Version no Description of amendment Date
Signed by: Ampersand Management Signed by: HR Department
Emmanuel Hakizimana Valerie Okinda
Country Manager Chief People Officer
Date: Date: