  • STAFF INFORMATION TECHNOLOGY DATA USE POLICY

  • In line with the Federal Government's drive for a Digital Economy and with the Agency's Core Values, Mission and Vision, all staff are required to read the IT policies for awareness and consent in preparation for the deployment of the Electronic Document Management System (EDMS).

    At the end of the page, staff are required to fill in and print the Consent Form. The Form must be signed and submitted to your Director/Zonal Head for filing.

    Note: The deadline for submission has been extended to 30th December, 2023. Be advised that the Form will automatically be deactivated at the stipulated deadline.

    Non-compliance within the stated deadline will result in disciplinary action.

     

  • Management Review of Data and Information Security Management System (DISMS) Policy  

     PURPOSE

    The purpose of this policy is to establish directives, which will forestall uncontrolled or unauthorized access, misuse of user privileges, or unauthorized disclosure to third parties, that may result in security breaches, malicious damage, misuse, or theft of NOSDRA’s data and related data resources.

    SCOPE

    All Data and Information Security Management System (DISMS) documents are within the scope and are subject to review and evaluation by top management.

    AUDIENCE

     This policy applies to ALL individuals who are responsible for, or have a role to play in, the DISMS scope.
     

    POLICY STATEMENT

    The following must be presented to the management review meeting, as input for the review: -

    • Any formal feedback on the ISMS from interested parties including, but not limited to, the certification body, external parties such as outsourcing suppliers and customers, and special interest groups.

    • Results and analysis of internal and external DISMS audits and independent reviews.

    • Any documentation relating to corrective actions carried out (or underway), or vulnerabilities or threats not adequately addressed in previous risk assessments, including the status of those actions.

    • Results from effectiveness measurements.

    • The minutes of previous management reviews, together with information about the implementation of decisions and actions.

    • Identified weaknesses or inadequacies in process performance and information about compliance with the Data and Information Security Policy.

    • Information about changes in NOSDRA’s context and environment, requirements of interested parties, the business circumstances, resource availability, contractual, regulatory and legal circumstances, or in the technical environment, that might create new risks, or a change in already assessed risks, and have an impact on NOSDRA’s information security management.

    • The management review should focus on: -

    ➢ Improving NOSDRA’s assessment of the risks to information security and its continual improvement approach, including updating the risk assessment and risk treatment plan.

    ➢ Modifying or improving the policies and procedures for managing information security, including improvements to how effectiveness is measured.

    ➢ Modifying or improving its control objectives and controls to ensure that they are adequately focused on the identified risks, and respond to internal and external risks that may impact the ISMS, including changes to contractual obligations. 

    RESPONSIBILITIES

    It is the responsibility of all NOSDRA staff to ensure that top management is appropriately informed of any event that may negatively or positively impact the effectiveness of the DISMS. Furthermore, top management should provide clear leadership and support.


    DISCIPLINARY ACTIONS

     Violation of this policy may result in disciplinary action, which may include:

    ▪ Suspension or termination of employees;

    ▪ Termination of employment relations in the case of contractors or consultants;

    ▪ Dismissal of interns and volunteers.

    Additionally, individuals are subject to denial of access privileges to NOSDRA’s data systems, and to civil and criminal prosecution as may be deemed necessary.

  • Regulatory Compliance Policy

     INTRODUCTION

    In line with ISO/IEC 27001:2013, this document sets out the regulatory compliance requirements applicable to the ISMS scope. It is provided by NOSDRA to guide its staff on the requirements of regulatory compliance, and is adopted to ensure the overall effectiveness of the Data and Information Security Management System.

    SCOPE

    Regulatory compliance requirements that are applicable to the ISMS scope.

    AUDIENCE

    This policy applies to ALL individuals who are responsible for, or have a role to play in, the ISMS scope process. It is applicable to all permanent employees, contract workers, temporary employees and third parties contracted to provide services for NOSDRA and permitted to access NOSDRA’s corporate network and network resources.

     RESPONSIBILITIES

    The Director ICT/GIS is responsible for adherence to this documentation and is supported by the entire NOSDRA staff and applicable external parties.

    REQUIREMENTS: This document is based on the ISO/IEC 27001:2013 standard and has been adapted accordingly to ensure regulatory compliance with its requirements.

    DISCIPLINARY ACTIONS: Violation of this policy may result in disciplinary action, which may include:

    ▪ Suspension or termination of employees;

    ▪ Termination of employment relations in the case of contractors or consultants;

    ▪ Dismissal of interns and volunteers.

    Additionally, individuals are subject to denial of access privileges to NOSDRA’s data systems, and to civil and criminal prosecution as may be deemed necessary.

  • Access Control Policy

    INTRODUCTION

    Data is an asset that, like other important business assets, is essential to an organization’s business and consequently needs to be suitably protected. This is especially important in the increasingly interconnected business environment. As a result of this increasing interconnectivity, data is now exposed to a growing number and a wider variety of threats and vulnerabilities. Data and information in the hands of unauthorized users can present serious risks to the organisation that has custody of such data. Some of those risks have legal implications (violation of privacy laws), some have financial implications (fraud), and all have a negative impact on the organisation's reputation. It is therefore essential that access to the data, and to the applications and infrastructure that process it, is controlled and available only to authorized personnel, in a manner that guarantees the preservation of the security (Confidentiality, Integrity and Availability) of such data.

     

    PURPOSE

    The purpose of this policy is to establish directives, which will forestall uncontrolled or unauthorized access, misuse of user privileges, or unauthorized disclosure to third parties, that may result in security breaches, malicious damage, misuse, or theft of NOSDRA’s data and related data resources.


    SCOPE

    The scope of this policy covers the control of access to NOSDRA’s data assets and their applicable Data systems and processing environments.

    AUDIENCE

    This policy is applicable to all permanent employees, contract workers, temporary employees and third parties contracted to provide services for NOSDRA and permitted to access NOSDRA’s corporate network and network resources.

    DEFINITIONS

    Data: Data can exist in many forms. It can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, or spoken in conversation. Whatever form the data takes, or whatever means by which it is shared or stored, it should always be appropriately protected.

    Media: Storage and transmission channels or tools used to store and deliver data or information.

    Access: Permission to use a data/information resource.

  •  Access Control Policy Cont'd

    ACCESS CONTROL POLICY STATEMENTS

    ➢ Access to data and information, especially confidential or sensitive data, via computer systems and databases must be granted to staff on a need-to-know basis, in line with the principle of least privilege.

    ➢ Every staff of NOSDRA must be assigned a unique ID for computer access.

    ➢ Staff must not have access to data that they do not require to do their job.

    ➢ Access to data must be restricted to only those who need to have access to it.

    ➢ Access controls shall be implemented using an automated access control system.

    ➢ Routing controls must be implemented on appropriate network devices.

    ➢ There must be a defined process for granting access rights to new employees, staff whose roles have changed and for removing access rights from employees leaving NOSDRA.

    ➢ Access rights given to new employees or those who have changed roles by their line managers must be checked or audited by an independent person/party (IS Audit) to ensure that staff do not have inappropriate access to the organisation’s data.

    ➢ There must be detailed role profiles including the description of access rights required to carry out the role for each type of user role within NOSDRA.

    ➢ Access rights should only be given to NOSDRA’s staff based on the defined role profiles.

    ➢ Access rights must be reviewed quarterly and/or when an individual changes role or is given new responsibilities. This must be done to ensure that staff do not build up inappropriate access to a large number of systems over time.

    ➢ When a member of staff leaves the organisation, his/her access rights must be permanently disabled. Failure to do this can allow such access to be used by persons with malicious intent for criminal purposes, including theft of NOSDRA’s data.

    ➢ A procedure to notify the data systems security department of forthcoming staff departures must be in place so that system access can be permanently disabled or deleted in a timely and proactive manner.

    ➢ NOSDRA’s staff access rights must be reviewed on a quarterly basis to ensure there are no anomalies.

    ➢ There must be risk-based, proactive monitoring of staff access to NOSDRA’s data to ensure it is being accessed and updated for a genuine business reason.

    ➢ Audit and accounting must be implemented to ensure appropriate monitoring and logging of access to NOSDRA’s data.

    ➢ All access to the Cardholder Data Environment (CDE) must be logged, and each log entry must include the user ID, the resource accessed, the event, and a timestamp.

    ➢ Physical access to the CDE must be controlled and monitored via CCTV, and the CCTV recordings should be reviewed periodically.

    ➢ Remote access to NOSDRA’s CDE via the internet must require two-factor authentication (2FA).


    DISCIPLINARY ACTIONS

    Violation of this policy may result in disciplinary action, which may include:

    ▪ Suspension or termination of employees;

    ▪ Termination of employment relations in the case of contractors or consultants;

    ▪ Dismissal of interns and volunteers.

    Additionally, individuals are subject to denial of access privileges to NOSDRA’s data systems, and to civil and criminal prosecution as may be deemed necessary.

  • Data and Information Security Policy

    INTRODUCTION
    Data and information, in whatever form, are a valuable resource which NOSDRA takes careful measures to protect from loss, corruption, unauthorized access and modification. In addition, such information and the way it may be processed are subject to the relevant laws and regulations of the Federal Republic of Nigeria. This Data and Information Security (DIS) Policy document follows the broad outline of the ISO/IEC 27002 guidelines.


    PURPOSE
    This document sets the direction for data and information Security at NOSDRA. The data and information security objectives are stated in the data and information security objectives document.


    AUDIENCE
    The DIS policy is applicable to ALL stakeholders of NOSDRA’s data and information systems (employees, contractors, business processes, partners, vendors etc.)


    DEFINITIONS
    Data and Information: Data and Information take many forms and include data stored on computers, transmitted across networks, printed out or written on paper, sent by fax, stored on tapes and diskettes, or spoken in conversation and over the telephone.

    Confidentiality: The protection of valuable or sensitive information from unauthorized disclosure.

    Integrity: Protecting the accuracy and completeness of information by protecting against unauthorized modification.

    Availability: Ensuring that information is accessible to authorized persons or business processes when and where needed and in the right format required.

    Asset: Any information resource (hardware, software, people, data and information etc.) that has value.

    Disruption: Any event or activity that causes an interruption in the normal operation of a business process.

  • Data and Information Security Policy Cont'd

    SECURITY ORGANIZATION – ROLES & RESPONSIBILITIES

    ➢ Responsibility for approving this policy and authorizing consequent action lies with NOSDRA Management.

    ➢ Responsibility for the annual review of this policy lies with the Director, ICT/GIS Unit, who is to review this policy annually and submit revisions to NOSDRA Management for approval.

    ➢ The members of the DIS team must maintain and monitor, at monthly intervals, records of electronic security incidents and report them to the Director of the ICT/GIS Unit, who must decide whether further action or investigation is required.

    ➢ The IT access control matrix, listing members of staff with access to key systems and services, must be maintained by the ICT/GIS Unit.

    ➢ All NOSDRA Staff and vendors have a right, subject to regulations, to use relevant NOSDRA’s IT systems and a duty to use IT resources responsibly.

    ➢ External users do not normally have automatic rights to use NOSDRA’s IT resources. Authorization for external users must be subject to a written agreement with the user to consent to NOSDRA policies and must be subject to regulations and approval by the Director of the ICT/GIS Unit.

    ➢ Guest users must NOT be permitted to use NOSDRA’s IT resources at any time.

    ➢ NOSDRA is committed to continuous improvement of all staff, processes and operations towards the effectiveness of DISMS Scope.

    ➢ All staff are required to read and understand the data and information security policy annually.


    ASSET CLASSIFICATION
    The ICT/GIS Unit must maintain an information asset register, subject to audit, of assets using COBIT Asset classification guidelines: -

    ➢ Application

    ➢ Infrastructure

    ➢ Information

    ➢ People


    An inventory of learning resources for relevant assets (manuals, procedure documents, etc.) must be maintained by each department in the ICT/GIS Unit. For each asset, the inventory must state which unit, business process or service is responsible for the asset under this Data and Information Security Policy.

    This register is in addition to the fixed asset register maintenance plan if any. Any system and the data it contains that is not part of the above register is the responsibility of the creator of that system but is subject to this Data and Information Security Policy.

    The Director ICT/GIS Unit must maintain a directory of people authorized to use NOSDRA’s Information Assets. Staff, vendors, external users and guest users are subject to NOSDRA’s Acceptable Use Policy but have different rights and responsibilities.


    For the purposes of this policy,

    ➢ Staff are those people registered in NOSDRA’s Active Directory and currently on the Agency's payroll.

    ➢ Agency vendors are those people registered temporarily on a project basis.

    ➢ Guest users are people permitted temporary access to public IT facilities offered by NOSDRA if any.

    ➢ External users are all other people/organizations permitted access to NOSDRA Data and Information systems.

     

    DISCIPLINARY ACTIONS

    Violation of this policy may result in disciplinary action, which may include:

    ▪ Suspension or termination of employees;

    ▪ Termination of employment relations in the case of contractors or consultants;

    ▪ Dismissal of interns and volunteers.

    Additionally, individuals are subject to denial of access privileges to NOSDRA’s data systems, and to civil and criminal prosecution as may be deemed necessary.

  • Electronic Document Policy

    PURPOSE
    The Electronic Document (e-document) policy is intended to give legal standing to the transmission and acceptance of official documents in the day-to-day activities of NOSDRA. It is meant to encourage staff members to accept documents sent through selected productivity tools and software applications acquired by NOSDRA, and to maintain the security of information transferred within the organization and with external parties. Its use is expected to deliver a return on investment and to reduce the cost and time involved in photocopying and circulating hard-copy documents.

    SCOPE

    The information covered in this policy includes, but is not limited to, information that is either transmitted, stored or shared via Oracle Enterprise Resource Planning (ERP), electronic mailing system or instant messaging, Document Management System (DMS) and other software applications that may be acquired or implemented by NOSDRA.


    Some of the electronic documents involved (not an exhaustive list) are captured below:

    A. NOSDRA Oracle ERP

    S/N  Module Name              Window                                Attachment File
    1    Management               Upload                                Any file
    2    Agency Equipment         Upload                                Any file
    3    Account Documents        Journal, Requisition, Purchase Order  Any file
         (i. General Ledger, ii. Purchasing, iii. Payables, iv. Receivables, v. Cash)
    4    Human Resource           Upload                                Any file
    5    Establishment Act        Upload                                Any file
    6    Operational Regulations  Upload                                Any file
    7    Condition of Service     Upload                                Any file
    8    Operational Guidelines   Upload                                Any file

     

    B. Other Document Types

    1) Internal Memos

    2) External Memos

    3) Procurement Template

    4) Procurement/Requisition Analysis

    5) Scanned Memos

    6) Quotations, Proposals, Invoices, Delivery Notes, etc


    Electronic documents could include, but are not limited to, the following file types: text file, PDF, Excel, Word and image file.

     

  • Electronic Document Policy Cont'd.

    POLICY
    3.1 Acceptance of Software System to Drive Electronic Document
    i. Relevant software application(s) acquired by NOSDRA shall be used as the means to drive and facilitate electronic document processing.

    ii. Electronic documents transferred through different software applications (e.g. email, Lync, ERP, DMS, etc) shall be legally and operationally acceptable in NOSDRA.

    iii. The use of electronic documents shall be accepted as a substitute in communicating vital and other documents within NOSDRA.

    iv. Reports showing pending approvals in respect of electronic transactions (from ERP) forwarded to the Director General (DG/CEO) and Directors (Ds) shall be made available to their supporting staff to facilitate approvals and for the purpose of tracking the instructions to Departmental heads on ERP.

    v. Original (hard) copy of documents relating to the procurement of assets shall be kept by the Administration, Finance and Procurement Departments.

    vi. When operational, use of the ERP Solution shall be compulsory for all staff of NOSDRA, to encourage a paperless environment and discourage the continued use of hard copies.

    vii. Regular user training shall be provided to facilitate efficient usage of relevant software systems.

    3.2 Custodian of Electronic Document
    i. The existing policy of the Internal Control Division keeping payment vouchers and associated receipts/invoices still subsists. However, soft copies of documents, or of warehouse payment vouchers and associated receipts/invoices, will be stored on NOSDRA ICT/GIS infrastructure.

    ii. Approval authorities may request to sight the physical versions of electronic documents as the need arises.

    3.3 Data/Document Integrity
    i. Electronic documents shall be stored properly and kept in accordance with the retention policy of NOSDRA.

    ii. Data and information in transit shall be encrypted where applicable.

    iii. Adequate data repository shall be made readily available for archiving the data component of the electronic documents.

    3.4 Acceptance as Evidence in Law
    i. Electronic documents which are attached and sent via notification with the ERP or I note are accepted to be equivalent to presenting an original copy of the said attached document.

    ii. Communication via electronically secured applications (e.g. ERP, I note and other document management systems) is held to originate from the sender as defined in the application.

    iii. A printout of the electronic document system shall be used as evidence in litigation processes as the case may be.

    3.5 Access Control
    i. Access to the software applications shall be restricted to authorized users

    ii. Access shall be granted in line with the existing policy and verifiable as the need arises.

    iii. All staff of NOSDRA shall be fully responsible for any communication originating with their access rights and identity.

    iv. Appropriate archival systems shall be made available for efficient storage of electronic documents.

    v. A proper audit trail shall be kept and protected against tampering.

    vi. Word/Excel documents shall be converted to PDFs before transmitting them, to prevent alteration where applicable.

    3.6 Document Security
    i. Data security controls have been implemented across the enterprise by NOSDRA's data security team to prevent unauthorized transfer or copying of information.

    ii. Service Level Agreements are executed between NOSDRA and external parties before the exchange of information takes place.

    iii. Confidentiality / Non-Disclosure Agreements are also in place to ensure that the information being transferred or shared is protected.

    ENFORCEMENT

    Any employee found to have violated this Policy may be subject to disciplinary action, in accordance with the provision of the Collective Agreement/Employee Handbook/Public Service Rule.


    DISCIPLINARY ACTIONS

    Violation of this policy may result in disciplinary action, which may include:

    ▪ Suspension or termination of employees;

    ▪ Termination of employment relations in the case of contractors or consultants;

    ▪ Dismissal of interns and volunteers.

    Additionally, individuals are subject to denial of access privileges to NOSDRA’s information systems, and to civil and criminal prosecution as may be deemed necessary.

  • Password Policy

    INTRODUCTION
    Passwords are a common means of authenticating a user’s identity before access is given to a data/information system or service according to the user’s authorization. This policy defines the Password Policy for NOSDRA’s data/information systems. The Password Policy applies to all users and systems on the NOSDRA network. This policy sets out the Agency's intent for the protection of the confidentiality, integrity and availability of the data/information system resources and provides a reference to documentation relevant to this policy.


    PURPOSE
    The purpose of this Password Policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change of those passwords in NOSDRA. This will reduce the risk of compromise of the Agency’s data/information processing systems.


    AUDIENCE
    This policy applies to all employees of NOSDRA, Third-party contractors and everyone accessing the Agency’s data/information infrastructure; network devices, networks, services, and technologies used to access store, process or transmit the Agency’s data/information or connect to the Agency’s network.

     

    DEFINITIONS

    User Passwords: These are the passwords issued to each individual user, allowing access to NOSDRA’s systems to perform everyday activities.

    System-Level Passwords: These are special passwords that allow a user access to the configuration settings of NOSDRA’s systems and devices. These passwords provide a higher level of access than the user passwords.

     

    POLICY STATEMENT
    Access to Information, networks and systems shall be controlled, managed, documented, audited and reviewed based on business and security requirements for access.

     

    PASSWORD POLICY USER PASSWORDS

    The allocation of passwords must be controlled through a formal management process; which must contain the following requirements:

    ➢ All staff with computer access must have a unique ID which must be combined with a password to log on.

    ➢ Users must be required to sign a statement to keep personal passwords confidential and to keep group passwords solely within the members of the group; this signed statement could be included in the terms and conditions of employment.

    ➢ The use of generic passwords is not allowed.

    ➢ The user’s password must have a minimum length of eight (8) characters, which should be a combination of alphanumeric and special characters.

    ➢ When users are required to maintain their own passwords they must be provided initially with a secure temporary password, which they are forced to change immediately.

    ➢ Establish procedures to verify the identity of a user prior to providing a new, replacement or temporary password.

    ➢ Temporary passwords must be given to users in a secure manner; the use of unprotected (clear text) electronic mail messages must be avoided.

    ➢ Temporary passwords must be unique to an individual and must not be guessable.

    ➢ Passwords must never be stored on computer systems in an unprotected form.

    ➢ Default vendor passwords must be altered following the installation of systems or software.

    ➢ All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least once in thirty days.

  • Password Policy Cont'd.

    Accounts must be locked out after three (3) consecutive unsuccessful log-on attempts. Other technologies for user identification and authentication, such as biometrics (e.g. fingerprint verification, signature verification) and hardware tokens (e.g. smart cards), shall be made available and will be considered by NOSDRA where appropriate.


    System-Level Passwords

    ➢ All system-level passwords (e.g., root, enable, operating system admin, application administration accounts, etc.) must be changed on at least a quarterly basis.

    ➢ User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a password that is unique from all other accounts held by that user.

    ➢ All production system-level passwords must be held in the global password management database administered by Data/Information Security.

    Use of Passwords

    All users shall:

    ➢ Keep passwords confidential; this is the responsibility of the user;

    ➢ Avoid keeping a record (e.g. paper, software file or hand-held device) of passwords, unless this can be stored securely and the method of storing has been approved;

    ➢ Change passwords whenever there is any indication of possible system or password compromise; select quality passwords with sufficient minimum length which are:

    o Easy to remember;

    o Not based on anything somebody else could easily guess or obtain using person-related data/information, e.g. names, telephone numbers, dates of birth etc.;

    o Not vulnerable to dictionary attacks (i.e. do not consist of words included in dictionaries);

    o Free of consecutive identical, all-numeric or all-alphabetic characters;

     

  • Password Policy Cont'd.

    ➢ Change passwords at regular intervals or based on the number of accesses (passwords for privileged accounts must be changed more frequently than normal passwords), and avoid reusing or cycling old passwords;

    ➢ Change temporary passwords at the first log-on;

    ➢ Not include passwords in any automated log-on process, e.g. stored in a macro or function key;

    ➢ Not share individual user passwords;

    ➢ Not use the same password for business and non-business purposes;

    ➢ Render all passwords unreadable during transmission and storage on all system components;

    ➢ Not reuse any of their last four passwords as a new password.
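
    The user-password rules above (minimum length and character mix, no consecutive identical characters, nothing guessable from person-related data, no dictionary words, no reuse of the last four passwords, lock-out after three failed attempts, thirty-day rotation) are concrete enough to be enforced in code. What follows is an added example written for this page, not NOSDRA's own code or that of any product, showing a checker for those rules. It goes a little beyond the text in one respect: the dictionary check also strips digits and symbols before the lookup, so "Password1!" is still caught as the word it really is. The hashing scheme used to keep the stored password history unreadable (PBKDF2-HMAC-SHA256 with a random per-password salt), the work factor, the word list and the sample user data are all assumptions for illustration.

```python
"""Password-policy checks for the user-password rules stated on this page.

Added example for this page, not NOSDRA's code. Assumptions: the hashing
scheme (PBKDF2-HMAC-SHA256, random 16-byte salt), the work factor, the
sample word list and the sample user data used in the demo at the bottom.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

MIN_LENGTH = 8            # policy: minimum length of eight characters
HISTORY_DEPTH = 4         # policy: not the same as any of the last four passwords
MAX_FAILED_ATTEMPTS = 3   # policy: lock after three consecutive failed attempts
USER_ROTATION_DAYS = 30   # policy: user passwords changed at least every thirty days
PBKDF2_ROUNDS = 100_000   # assumed work factor; raise it in production

# Constructed stand-in for a real dictionary / breached-password list (assumption).
DICTIONARY = {"password", "welcome", "nosdra", "abuja", "summer", "letmein"}


def hash_password(password: str, salt: bytes | None = None) -> tuple[bytes, bytes]:
    """Return (salt, digest). Only this pair is ever stored, never the password
    itself, which is what "never stored in an unprotected form" requires."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def policy_violations(password: str, personal_data: list[str],
                      history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every rule the candidate breaks; an empty list means it is acceptable.

    personal_data: strings an attacker could guess from (user ID, name, phone, DOB).
    history: (salt, digest) pairs of the user's earlier passwords, most recent first.
    """
    problems: list[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # Requiring letters, digits and symbols also rules out all-numeric / all-alphabetic.
    if not any(c.isalpha() for c in password):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in password):
        problems.append("contains no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("contains no special characters")
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("contains consecutive identical characters")
    lowered = password.lower()
    for item in personal_data:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains person-related data ({item!r})")
    # Dictionary check on the whole string and on its letters alone, so that
    # "Password1!" is still recognised as the word "password".
    letters_only = "".join(c for c in lowered if c.isalpha())
    if lowered in DICTIONARY or letters_only in DICTIONARY:
        problems.append("is a dictionary word, possibly padded with digits or symbols")
    for salt, digest in history[:HISTORY_DEPTH]:
        if verify_password(password, salt, digest):
            problems.append(f"matches one of the last {HISTORY_DEPTH} passwords")
            break
    return problems


class LoginGuard:
    """Counts consecutive failed log-ons per user ID and locks the account at the limit."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def attempt(self, user_id: str, password: str, salt: bytes, digest: bytes) -> str:
        """Return "ok", "denied" or "locked". A locked account refuses even the right password."""
        if user_id in self.locked:
            return "locked"
        if verify_password(password, salt, digest):
            self.failures[user_id] = 0        # a success resets the consecutive count
            return "ok"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        if self.failures[user_id] >= MAX_FAILED_ATTEMPTS:
            self.locked.add(user_id)
            return "locked"
        return "denied"


def rotation_due(last_changed_iso: str, now_iso: str, days: int = USER_ROTATION_DAYS) -> bool:
    """True when a password (dates as ISO-8601 strings) is older than the rotation period."""
    age = datetime.fromisoformat(now_iso) - datetime.fromisoformat(last_changed_iso)
    return age >= timedelta(days=days)


if __name__ == "__main__":
    # Constructed sample user and password history (assumption).
    personal = ["tade.musa", "Tade", "08012345678"]
    history = [hash_password("Prev!ous12"), hash_password("Former@34")]
    for candidate in ("Str0ng&Re1d", "Password1!", "Tade#2023x", "Former@34", "12345678"):
        print(f"{candidate:14} -> {policy_violations(candidate, personal, history) or 'accepted'}")
```

    Keeping only salted hashes of the previous four passwords lets the reuse check run without any old password being held in clear, and the same verify routine serves both the history check and the log-on path. Two caveats for a deployment: a permanent lock after three failures lets anyone who knows a user ID lock that user out, so pair it with a time-limited lock or an administrator unlock procedure; and the thirty-day rotation and composition rules should be reviewed against current guidance, since NIST SP 800-63B no longer recommends forced periodic changes or composition rules where screening against breached-password lists is in place.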

    DISCIPLINARY ACTIONS

    Violation of this policy may result in disciplinary action, which may include:

    ▪ Suspension or termination of employees;

    ▪ Termination of employment relations in the case of contractors or consultants;

    ▪ Dismissal of interns and volunteers.

    Additionally, individuals are subject to denial of access privileges to NOSDRA’s data/information systems, and to civil and criminal prosecution as may be deemed necessary.

     

     

     

     

     

  • SITPC FORM

    Staff Information Tech. Policy Consent Form