IT Security and Acceptable Use Policy

Policy Statement

American Albanian Development Fund (“AADF”) IT Security and Acceptable Use Policy covers the communication systems, software, and hardware (“Systems”) used by the Company.

This policy defines a framework for protecting AADF’s systems from threats whether internal, external, deliberate, or accidental. All staff are required to familiarise themselves with this policy and comply with its requirements.

Key Principles

  • This policy applies to the use of AADF’s systems, software, hardware devices, and the information contained within them that are owned and maintained by AADF.
  • AADF’s systems and equipment are operated to enable AADF staff to conduct daily AADF business.
  • All information held on AADF systems is subject to review and oversight by appropriate AADF staff for the purposes of ensuring the integrity of all systems.
  • Access to the systems is to be used to benefit the business activities of AADF. No User may install unauthorised software or change any set-up that could be a detriment to AADF – if users are unsure about whether particular software is authorised, they should first confirm with the <Operations Manager>.
  • Excessive personal use of the telephone, e-mail and internet systems that has an adverse effect on AADF Systems is not acceptable.
  • Any User who uses the Internet or e-mail facilities to use, store or distribute material of an offensive, sexual or racist nature, or any other inappropriate use as deemed by AADF, will be subject to disciplinary action.
  • All staff members need to play a role in ensuring AADF’s information security, supported by the Business Operations Team and outsourced IT support.

Policy Implementation Framework

  1. Governance accountability

The Board of Governors of AADF is ultimately accountable for overseeing the enforcement of this Policy and ensuring the proper management of AADF’s arrangements to manage IT security risks.

The Board may delegate this accountability to the Audit & Risk Committee from time to time.

  2. Management responsibility

The Director of Operations holds overall responsibility for overseeing and enforcing this policy, assisted by the Head of Operations.

Heads of Department and line managers have responsibility for ensuring the implementation of and adherence to this policy in their areas of responsibility.

  3. Scope and application

This policy applies directly to all AADF internal stakeholders, including but not limited to Governors, employees, agency workers, self-employed contractors engaged by AADF and external stakeholders who access or use AADF’s systems, both in the UK and overseas, in respect of the work they undertake for AADF (“Users”).

  4. Stakeholder roles and responsibilities

    a) General guidelines

  • Passwords should not be divulged or shared with anyone, internally or externally, including with the Business Operations Team or outsourced IT support. Users are responsible for the security of their own passwords, which protect against unauthorised access to their computer, the network, the e-mail system and any other confidential and/or critical business systems. You should not use accounts other than those that are assigned to you. In the case of a user accessing and/or using an account other than their own, both the user gaining access as well as the owner of the account that has been accessed, will be held responsible and could be subject to investigation, which could lead to disciplinary proceedings. It is important therefore to keep all individual users’ log-in details and passwords confidential.

When creating a password staff must:

  • Not choose obvious passwords (such as those based on easily discoverable information like the name of a favourite pet)
  • Not choose common passwords (e.g. Password1, Qwerty123!)
  • Not use the same password anywhere else, at work or at home
  • Not write passwords down.

It is advisable that:

  • Users should not knowingly burden the network or consume excessive amounts of bandwidth. Users should check their inboxes and delete messages on a regular basis. Users should not regularly send large e-mail messages or attachments over 10MB in size.
  • It is important to remember that there is no guarantee that e-mails are private or that they will arrive at their destination at a particular time or at all. Users should not, therefore, transmit confidential, personal, or other sensitive information by e-mail or on the Internet unless appropriate encryption is applied to protect it. Users should seek further advice on password protecting documents and encryption of e-mails from the Head of Operations if needed.
  • You must use e-mail with as much consideration and attention as with any other form of communication on AADF’s headed notepaper. Every word written on the e-mail system or downloaded from the Internet is saved, and may be subject to legal discovery, and may form the basis for defamation claims (even if not transmitted outside AADF).
  • Often e-mail and Internet files are embedded on the hard drive of individual computers. Files can often be restored even after being erased or overwritten. Therefore, care should be taken when downloading anything from Internet sites. E-mail messages should not contain anything that you would not otherwise put in print.
  • Users should ensure that information is stored on the relevant system.
  • Care should be taken to ensure the security of AADF assets:
    • Laptops should not be transported for longer than necessary, whenever possible.
    • Laptop bags or a designated pouch in rucksacks should be used to transport laptops.
    • Ensure laptops and devices are locked when away from them.
    • Do not leave devices unattended in public spaces.
    • If leaving laptops and devices in the office or home, store them out of sight, and preferably lock them away.
    • Enable password protection on your wireless networks, including those at home.
    • Restart laptops and devices regularly and ensure the latest security updates are installed.

    b) Identification and Authentication

In order to limit the risk of unauthorised use of AADF’s controlled resources, people and/or IT systems must first identify themselves unambiguously, and then be authenticated to confirm their claimed identities using mechanisms whose assurance reflects the risk of unauthorised access.

  • Every authorised IT user (internal or contracted) must be issued a unique identifier (user ID or username) for their personal use in order to be able to limit and relate activities on the IT systems to the corresponding individual person.
  • Every single user ID (especially privileged) must have a corresponding single owner i.e. an individual person who accepts full personal accountability for all activities that take place through that user ID.
  • Generic built-in administrative account credentials on systems and network devices should be stored in a safe and updated regularly (at least yearly).
  • If it is not possible to create a personal ID (i.e. only the generic built-in account exists), that account must be declared as shared. Network access to those devices should be restricted to specific management hosts.
  • People (IT and non IT) must be authenticated using mechanisms that are strong enough to satisfy the specific security requirements of the systems and situations concerned:
    • Single-factor user authentication (typically using user IDs and passwords) is normally only sufficient for basic security requirements, such as users logging on to ordinary non-privileged user IDs on office systems while they are in the office.
    • IT Admins should use two-factor authentication (2FA) for managing IT systems. If a system does not support 2FA, access to it should be restricted to specific dedicated workstations.
    • On VPN connections all AADF users without exception will authenticate by 2FA, regardless of the device they are using to connect (mobile, tablet or laptop).
  • Interconnections between AADF and third-party networks must be explicitly authorised by the <Operations/CISO>.
  • Failed identification/authentication security events should be routinely recorded in security logs of systems/devices and trigger silent or audible security alarms where appropriate.
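The bullet above asks for failed identification/authentication events to be logged and to raise an alarm where appropriate. The following is an added example, not part of the AADF policy or of any AADF system: it shows the detection side of that requirement in Python, over a few constructed log lines whose format (`AUTH_FAIL`/`AUTH_OK user=… src=…`) is an assumption. It counts failures per (user, source) inside a sliding window, raises one alert when a threshold is reached, and resets the count on a successful login so that a user who simply mistyped a password a couple of times is not alerted on.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (not taken from any real AADF system); the line
# format is an assumption made for this example.
SAMPLE_LOG = """\
2024-05-01T09:00:01Z AUTH_FAIL user=jdoe src=10.0.0.5 reason=bad_password
2024-05-01T09:00:07Z AUTH_FAIL user=jdoe src=10.0.0.5 reason=bad_password
2024-05-01T09:00:12Z AUTH_FAIL user=jdoe src=10.0.0.5 reason=bad_password
2024-05-01T09:00:20Z AUTH_OK user=jdoe src=10.0.0.5
2024-05-01T09:05:00Z AUTH_FAIL user=asmith src=10.0.0.9 reason=bad_password
2024-05-01T09:12:00Z AUTH_FAIL user=asmith src=10.0.0.9 reason=bad_password
2024-05-01T09:30:00Z AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password
2024-05-01T09:30:02Z AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password
2024-05-01T09:30:04Z AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password
2024-05-01T09:30:06Z AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password
2024-05-01T09:30:08Z AUTH_FAIL user=admin src=203.0.113.7 reason=bad_password
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>AUTH_FAIL|AUTH_OK) user=(?P<user>\S+) src=(?P<src>\S+)"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "src": m["src"]}


def detect_auth_failures(log_text, threshold=3, window=timedelta(minutes=1)):
    """Return one alert per (user, src) whose failure count reaches `threshold`
    inside a sliding `window`. A successful login clears that key's counter, and
    a key is alerted on only once until it next succeeds (no alert flood)."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerted = set()
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        key = (ev["user"], ev["src"])
        if ev["event"] == "AUTH_OK":
            recent.pop(key, None)
            alerted.discard(key)
            continue
        q = recent[key]
        q.append(ev["ts"])
        # Drop failures that fell out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": ev["user"],
                "src": ev["src"],
                "failures": len(q),
                "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_auth_failures(SAMPLE_LOG):
        print(f"ALERT {alert['user']} from {alert['src']}: "
              f"{alert['failures']} failures, last at {alert['last_seen']}")
```

On the constructed input this yields two alerts: `jdoe` (three failures in eleven seconds, which would then be cleared by the following successful login) and `admin` (five rapid failures against a privileged ID). `asmith` is not alerted on because the two failures are seven minutes apart, outside the one-minute window. Threshold and window are parameters because the right values depend on the system; the policy leaves that judgement to "where appropriate".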

    c) Personal use

AADF does permit reasonable personal use of the telephone system, Internet, and personal e-mail accounts subject to the following limitations:

Personal Voice Calls:

  • Users should choose the most cost-effective method for making a personal telephone call
  • Whilst in the office users should default to personal Skype/Teams accounts to make calls to international or premium numbers
  • Some staff members may be allocated a company mobile phone. Personal use of AADF mobiles is permitted in the following circumstances:
    • In an emergency
    • If you are required to work late or extended hours and need to contact someone regarding this
    • To stay connected with family if you are staying away from home at the request of AADF
    • If you are otherwise delayed due to a work situation
    • Other reasonable use – if unsure Users should first check with their Line Manager

E-mail:

  • AADF e-mail accounts are not to be used to send or receive personal e-mails at any time. AADF e-mail accounts should only be used for sending and receiving correspondence in a professional capacity and/or related to their AADF duties
  • Users are permitted to send and receive non-business e-mails using their personal e-mail account during business hours provided that:
    • It is not detrimental to their duties and responsibilities
    • It is not excessive
    • The account is from a reputable provider, e.g., Outlook.com, Gmail, Yahoo.
    • Attachments received with personal e-mail accounts are never opened on any AADF equipment
    • The e-mail system is not used for prohibited activities (see section 4c)

Internet:

  • Personal use of the Internet should be done in a user’s own time (such as lunch time or during breaks) and may not be used for prohibited activities (see below). In all cases, access to the Internet and e-mail using AADF equipment or facilities will be subject to the terms of this policy.

    d) Prohibited activities

  • At all times, prohibited uses of AADF’s Internet and e-mail include viewing, storing, distributing, or otherwise using the facilities for the following:
    • Illegal activities (including any violation of copyright laws or GDPR)
    • Threatening, abusive, harassing, or discriminatory behaviour
    • Slanderous or defamatory purposes
    • Obscene, suggestive, or intimate messages or offensive graphical images or pornographic materials
    • Internet proxies
    • Personal, political, or religious views or beliefs
    • Activities that will incur a cost to AADF without prior proper authorisation
    • Chain letters through e-mail
    • Private commercial activities, whether or not for profit making purposes
    • Use of AADF e-mail account for anything other than for professional reasons and business relating to AADF
  • Users are forbidden to download and/or distribute from the Internet any software including programmes, games, screensavers, etc. without prior approval of the <Operations/CISO>.
  • Unauthorised software is forbidden due to potential security risks and the possibility of it interfering with organisation software. If you are in any doubt even in the event of accidental occurrence, please contact the <Operations/CISO>.
  • The user logged in at a computer will be considered to be the author of any messages sent from that computer. Users must log off or lock their computers when away from their desks.
  • Users must only use their own user account to access AADF systems. The only exception to this will be IT Administrators for the purpose of troubleshooting errors.
  • Under no circumstances may e-mails be sent from an account that the user does not have authority to send from; doing so will be considered an offence. It is forbidden to access other Users’ AADF e-mail accounts without prior written permission from the individual as well as the <Operations/CISO>. A User can choose to extend access to their e-mail and calendar to other Users if business reasons make this appropriate. If the User has left AADF or is unavailable (e.g. on annual leave) and a need arises to access their e-mail without prior permission having been given, the <Operations/CISO> must first notify the Head of HR (an e-mail is sufficient but must specify who is being granted access), and the e-mail must be acknowledged. In this situation, the authorisation will be time-specific and must be given every time that access is needed.
  • Personal conduct – AADF respects all Users’ right to privacy however AADF must also ensure that confidentiality and its reputation are protected. Users on social networking websites must ensure their conduct does not bring AADF into disrepute or disclose any confidential business information.

    e) Monitoring and inspection

  • AADF may inspect Internet use, e-mails and files at any time to ensure that Users do not abuse the system. Reasons for review include, but are not limited to: system, hardware, or software problems; general system failure; a suspected violation of this policy; a need to perform work or provide a service when the user is not available; or any other reason as determined by the Head of HR (position to be declared). They will be inspected in accordance with:
    • This policy and related guidelines
  • AADF maintains security and logging software that monitors and records the details of any network activity in which users transmit or receive any kind of file. In addition, random checks may be conducted on these records from time to time to ensure compliance with this policy. This monitoring capability will be used in cases of suspected misuse of any part of the AADF data and network system, not only e-mail and internet browsing.

    f) Business equipment

  • AADF will normally issue a PC/workstation/laptop to each employee and make available suitable peripheral equipment for their office workstations, i.e., an external monitor, keyboard, and mouse. The Admin Team maintains a current list of available devices, including those in the server room.
  • All items issued to the User by AADF remain the property of AADF. On termination, or when requested by AADF, all property must be accounted for and returned in good order. Failure to do so may result in deductions from any monies owed by AADF, and disciplinary and/or civil action to recover the cost of replacement. For more information, please refer to section.

    g) Replacement IT equipment (current equipment at end of its life)

  • Upon receipt of the new equipment (e.g., Laptop), the user must ensure any old equipment is securely wiped. Specifically for laptops, if the old laptop is at end of its life this must be surrendered to the IT Operations team.
  • For all other devices, care should be taken to ensure that all data is deleted, and it is securely destroyed – please consult the Business Operations Team before disposal.

    h) Lost or mislaid equipment

  • Utmost care should be taken of all AADF equipment to prevent theft, loss, damage, or misuse. Users must contact the Head of Operations as soon as possible following the loss of or damage to any equipment, and following any actual or potential breach of password, network, telephone, Internet, or e-mail security. This also applies to any unauthorised access or suspected virus infection. An Incident Report Form should also be completed as soon as possible.[4]
  • Further advice will be issued at the time, including on access rights – this may also involve disclosure to various bodies such as the Police, AADF’s insurers or regulators. It is particularly important that lost or stolen equipment is reported as soon as possible.
  • For suspected password breaches, a ticket must be raised by contacting helpdesk@aadf.org as soon as possible.
  • If loss or damage of AADF’s equipment is caused or contributed to by the User’s conduct, they may be required to reimburse AADF for the cost of the equipment (or the cost of repairs to it).

    i) User access procedures and third-party access

  • HR are responsible for requesting new user accounts for employees. These requests are received via the Start and Leave Planner. The plan membership includes team members from other AADF teams that require access to this information in order to configure the user setup on different systems. The planner entry states the following details for the new starter:
    • New starter’s name
    • Job Title and Department
    • Line Manager
    • Start Date
    • Personal Email
    • Preferred name (this is used to create the AADF e-mail address)
  • New user profiles and access to AADF systems will only be granted when a valid employment contract is in place. Exceptions to this will be third-party support providers or contractors working on AADF Systems – in this instance an AADF-issued contract must be in place and signed by both parties. An additional exception would be SharePoint sites that are available for external sharing – however, user logins would not be created for this purpose. Please refer to section k) External sharing. Any exceptions to this must be authorised by the Head of Operations.
  • The Business Operations Team will make best efforts to ensure that the new user will be issued their login details the morning of their scheduled start date, providing at least three working days’ notice has been given.
  • If the role is new (additional), a workstation/laptop request form must be submitted to the <Operations Manager> by the line manager of the post, at least 28 days before the anticipated start date. Note that it is not the responsibility of the HR department to submit this request.

    j) Access Levels

Google Workspaces (email), Fileserver, Active Directory:

  • Most users will be granted standard ‘user’ access for Google Workspaces and Active Directory, and will have sufficient security permissions to edit documents in their department’s section. Please consult the <Operations Manager/IT Outsource> if you have specific queries in relation to permissions on SharePoint.
  • There are a small number of users that have elevated permissions, including the Business Operations Team and third-party IT managed service provider. For any other admin accounts, these must be authorised, in writing, by the Head of Operations or Director of Operations.
  • Administrator accounts must not be used for day-to-day general account access or web browsing. These accounts must only be used to perform administrative functions.

Finance Software:

  • Logins for AADF’s finance system, SAP (exact name to be confirmed), will be created by the Business Operations Team, with a standard level of access according to role and department (as deemed necessary by the Finance Department). The Finance team will configure the user access within SAP. Queries on SAP should be directed to the Finance team.

    k) External sharing

  • AADF uses Microsoft FileShare to store files and collaborate on documents with others. Certain areas of FileShare are designated to allow external sharing with users without an AADF account. This may include, for example, partners, auditors, and consultants.

    l) Leavers

  • The AADF Operations Team will be notified by the HR Team of any leavers in order to schedule the removal of access to AADF systems. Note that this should be before the user has left the company to ensure that access to e-mails and/or systems is not allowed beyond the finish date.
  • Any AADF-issued equipment must be surrendered on the final day of employment, including but not limited to all storage media, mobile phones, and laptops – it is the responsibility of the immediate line manager to ensure that this happens on the day.
  • The Operations Team will ensure that the user’s ‘out of office’ is activated and their password reset on the leaver’s last day, or no later than the day after.
  • Two weeks after the employee has left, the Operations Team will archive their emails, a copy of which will be retained on the server. The line manager will have access to the employee’s files for up to 90 Days. Any exceptions to this must be authorised by the Head of Operations.

    m) Extended periods of leave – including parental leave

  • If a member of staff is on a period of extended leave (including secondments, maternity/shared parental leave, cases of long-term absence, etc.) AADF may request that all IT equipment is returned on their final day before their leave commences or at the earliest opportunity. Any exceptions must be agreed in advance by the Operations Director.
  • All accounts must be disabled on all systems for extended periods of leave.

    n) Mobile/smart phones, tablets, and other devices

  • AADF may provide a User with a mobile device(s) for the proper performance of their duties or for safety reasons. Utmost care should be taken of mobile devices to prevent theft or misuse of AADF property. The mobile device is provided for business use and should only be used for personal use in compliance with this policy.
  • Users accessing the internet and/or email on a mobile device are expected to comply with the procedures set out in this policy.
  • If AADF’s mobile device is lost or stolen the <Operations Team> must be contacted immediately so a bar can be placed on all outgoing calls. If the Business Operations Team are unavailable or it is out of office hours, the User must contact the network provider’s (One/Vodafone etc.) appropriate Customer Services number, who will arrange for a bar to be placed on the lost or stolen phone. If the network provider is contacted the theft/loss must be reported to the Business Operations Team (or Line Manager) not later than the next working day.
  • If AADF considers the theft, loss or damage was caused or contributed to by the User’s conduct, they may be required to reimburse AADF for the cost of the mobile device (or the cost of repairs to it).
  • For devices provided by AADF, the mobile device connection charge, monthly rental and call charges relating to AADF business will be paid. However, if it is deemed by AADF that the number or type of calls made from a mobile device exceeds what has been specified as reasonable by AADF or could have been made more cost effectively (e.g., using a landline or Skype), the User must recompense AADF for the cost of these calls within a reasonable period of notification. AADF will deduct from the User’s salary or other payment any outstanding amount if the User has not paid for these calls within the agreed period of notification. On termination of employment or other contract AADF reserves the right to deduct any outstanding amount from any monies owed.
  • Where AADF considers that the proper performance of a user’s duties no longer requires the provision of a mobile device they will be notified and it must be returned, together with all accessories, to AADF.
  • It is an offence in Albania to use a hand-held mobile communication device while in control of a vehicle. The offence may be punishable by a fine and a penalty point endorsement. AADF confirms that this is unacceptable conduct anywhere in the world under this policy, and under no circumstances will AADF condone a mobile device being used to make telephone calls, or to check or send e-mails or other messages, while the User is in control of a vehicle.

    o) Bring your own device

  • AADF allows the use of phones and tablets owned by employees to access e-mails. These devices must be password protected, and if lost or stolen this should be reported to the Business Operations Team immediately. Using these devices can increase the risks of AADF information, including personal data, being lost, or accidentally released.[1] Given the constantly changing nature of the threats to the security of information on a personal device, the employee must consult the Business Operations Team before using any personal device to access AADF systems.
  • AADF uses software that allows remote wiping of AADF information on devices (both personal devices and company devices) and may use the software to enforce extra security measures to protect company data on these devices (e.g., passcode protection, requirement of face ID or fingerprint). Note that AADF does not control nor can wipe non-company data from personal devices.
  • Employees, contractors, and authorised users requiring VPN or additional trusted root certificate access on their personal mobile devices which they use to access AADF resources (Office 365 / e-mails etc.), must submit a request to the Business Operations Team, outlining the reason for VPN access, preferred VPN provider, and mobile device details. The Business Operations Team will review the requests based on the user’s role, business justification, and adherence to other applicable policies.

Users that install VPNs on their personal mobile devices which they use to access AADF resources must comply with applicable laws and policies, and respect third-party rights.

  • For more information please refer to the mobile phone and tablet guidance, which also includes details on configuration.
  • Any iOS or Android device connecting to AADF data should be updated to the latest version of the operating system within 2 weeks of its release.


    p) Data security

  • AADF’s business depends on maintaining the security of its data. We do not hold information that is classified as “Secret” or “Top Secret” under the Government’s security framework. We do however hold information that may be classified as “Official” or “Official Sensitive” and “Confidential”. The latter may be sensitive to our stakeholders and, if released in an inappropriate way could embarrass them and would damage AADF’s reputation. There are also legal requirements to maintain the security of personal data. All staff members therefore need to ensure they always consider data security.[2]
  • Personal data is defined in the Albanian legislation as information related to a living individual and that allows you to identify that individual. Some types of personal data are sensitive, including opinions about an individual. Annual appraisals are an example of sensitive personal data. AADF is required to protect personal data in a way that is appropriate to the nature of the information and the harm that might result from its improper release.
  • Copyright, database rights, registered and unregistered design rights and any other intellectual property rights for all work performed by Users for and/or on behalf of AADF are the property of AADF. Users do not acquire any licence or ownership of any materials, in any medium whatsoever, whether written, electronic, audio-visual, or photographic, produced by the User in the course of their employment with AADF, for which AADF has copyright or other property rights. Users may not keep, publish, or otherwise distribute any such materials without the express permission of AADF. Users will be liable to FD for any breach of this condition both during their employment with AADF and after termination of their employment; any breach of these provisions may result in disciplinary action and in certain circumstances criminal or civil proceedings.

Considering these factors:

  • All AADF data should only be stored on laptops that are password and anti-virus protected, that should be joined to the AADF domain and provided by the company. Use of devices not procured by AADF must be authorised by either the Head of Operations or the Director of Operations. AADF laptop hard drives will be encrypted using BitLocker.
  • Documents that contain sensitive information should be password-protected and/or be stored within a restricted area on Shared Folders.
  • For Exchange, Windows and applications that use single sign-on, an AAD password policy enforces a minimum 10-character length, at least one upper case letter, one lower case letter and one number, and the password must not have been used in the previous 24 months. Users are also prompted to change their password every 90 days. In addition to this, all users will be enrolled in multi-factor authentication – requiring a second device (usually a mobile phone) in order to access e-mails and other company resources.
  • For other applications, a minimum password length of at least 8 characters must be used, or 12 if multi-factor authentication cannot be used.
  • AADF information should normally be stored only on central AADF systems and not kept on other devices. Should a User propose to work on AADF data or other material using third party equipment prior approval of the Director of Operations/ Head of HR/Head of Operations is required and AADF reserves the right to make whatever investigations it deems necessary in order to check the equipment and its location are safe to use and the user agrees to give full access to the equipment for this purpose. There are very limited circumstances where reasonable exceptions can be made – for further guidance please read the Removable Device Guidance.
  • Sensitive personal data should only be held by those authorised to store such data, notably the Head of HR. Other staff that generate sensitive information, e.g., about an employee’s health, should consider whether they should delete that information from their computer storage once it has been passed to the Head of HR.
  • AADF staff are responsible for considering whether sending AADF data to others (e.g., by e-mail) would be damaging to AADF or its stakeholders. In the event of breaches of confidentiality, the AADF Business Operations Team and managers will have the right to review the devices of staff in order to determine responsibility.
  • AADF systems provide regular backups. When AADF staff generate information that is not being held on AADF central systems it is their responsibility to protect against accidental loss of data, e.g., by using cloud storage or a backup memory stick, until the information is transferred to central AADF systems.
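The password rules in the two bullets on single sign-on and other applications above, together with the "when creating a password" guidance in section 4a (no obvious or common passwords, no reuse), are concrete enough to be checked mechanically. The following is an added Python example, not AADF's own tooling or the AAD policy engine, showing how such a checker would apply those rules to a candidate password. The common-password denylist and the per-user history are constructed for the example; a real system would compare against a far larger list and store password hashes rather than plaintext history, and 24 months is approximated as 730 days.

```python
from datetime import date, timedelta

# Constructed denylist of common passwords (assumption: a real deployment would
# use a much larger published list). Compared case-insensitively.
COMMON_PASSWORDS = {"password1", "qwerty123!", "welcome1", "letmein", "aadf2024"}


def check_password(candidate, history=(), *, sso=True, mfa=True, today=None):
    """Return the list of policy violations for `candidate`; an empty list means
    the password is acceptable.

    history : iterable of (old_password, date_set) for this user (constructed;
              a real system would keep hashes, not plaintext).
    sso     : True  -> single sign-on rule: 10+ chars, upper, lower, digit,
                       not reused within the previous 24 months.
              False -> other applications: 8+ chars with MFA, 12+ without.
    """
    today = today or date.today()
    problems = []

    if sso:
        min_len = 10
    else:
        min_len = 8 if mfa else 12
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")

    if sso:
        if not any(c.isupper() for c in candidate):
            problems.append("no upper case letter")
        if not any(c.islower() for c in candidate):
            problems.append("no lower case letter")
        if not any(c.isdigit() for c in candidate):
            problems.append("no digit")
        # 24 months approximated as 730 days (assumption).
        cutoff = today - timedelta(days=730)
        for old, set_on in history:
            if old == candidate and set_on >= cutoff:
                problems.append("used within the previous 24 months")
                break

    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")

    return problems


def password_expired(date_set, today=None, max_age_days=90):
    """True when the 90-day rotation prompt is due for a password set on `date_set`."""
    today = today or date.today()
    return (today - date_set).days >= max_age_days


if __name__ == "__main__":
    # Constructed user history: the same password was set in January 2023.
    history = [("Correct-Horse-42", date(2023, 1, 1))]
    print(check_password("Password1", today=date(2024, 6, 1)))
    print(check_password("Correct-Horse-42", history, today=date(2024, 6, 1)))
    print(password_expired(date(2024, 1, 1), today=date(2024, 6, 1)))
```

Note that the SSO and "other applications" branches differ deliberately: the policy's complexity and reuse requirements are stated only for the single sign-on password, while the other-application rule is purely a length floor that rises when MFA is unavailable. The denylist check applies in both cases because the section 4a guidance is written for all passwords.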

Protection against viruses and hacking

  • AADF provides a centralised system for installing and updating software and anti-virus protection. Staff should report any problems with the anti-virus applications to the Business Operations Team.

Data Protection Act

  • Data should be processed in accordance with AADF’s privacy policy.[3]

    q) Physical security

  • Most AADF staff are issued with an individual laptop. Within the AADF office (in Tirana or in a field office) the Head of Operations or Head of a field office is responsible for providing a secure office environment to minimise risk of theft. They should provide any relevant guidance to staff about security of laptops when being used in the office.
  • When carrying or using the laptop outside of the AADF office, the staff member is responsible for taking precautions to protect the laptop from theft, damage, or unauthorised access, e.g., not leaving it unattended in public places or in a vehicle.
  • AADF reserves the right, at its absolute discretion to withdraw, update or amend in anyway any parts of this policy.
  • All central devices, including servers, network and filtering devices, should be kept in a separate and protected space with smoke and water detectors. The room should have air conditioning capable of maintaining a temperature of 21 degrees Celsius. Only staff of the outsourced IT company and the <Operations Team> may enter the room. A proper access control system should be installed and the room should have 24×7 monitoring through CCTV. The access control system should retain access logs for at least 1 month.

  5. Reporting

  • Any breach of this policy should be reported to the Head of Operations or Director of Operations. An incident report form should also be completed as soon as possible.[4]
  • This could include (but is not limited to) any event that has resulted or could result in:
    • The disclosure of confidential information to any unauthorised person.
    • The integrity of the system or data being put at risk.
    • The availability of the system or information being put at risk
    • The improper use or abuse of the telephone system, Internet, e-mail facilities, IT equipment and mobile devices
    • The deliberate failure or otherwise to keep to Company rules and procedures designed to ensure the security of personal data held
    • Manipulation of AADF’s systems that could have a negative impact on our reputation, threaten personal safety or privacy, lead to a legal obligation, penalty or financial loss, or disruption of activities
  • In the case of a serious breach, the Head of Operations will investigate the incident and decide whether it needs to be reported to any regulatory bodies or other third parties. The Head of Operations will retain a central register of all such incidents occurring within AADF.[4]

AADF’s privacy policy can be found at https://www.aadf.org/privacy-policy