SOP Library
SOP NO: SS-MS03
Mission: Support Staff Services
Area: Support Staff Services (SS)
Title: NFA ICT Usage and Cyber Security Policy
Date Approved/Issued: 09/24/2018
Date Effective: 09/24/2018
Digest:
I. TERMS OF REFERENCE
A. Rationale
B. Objective
C. Scope
D. Basis
II. IMPLEMENTING GUIDELINES
For the information, guidance and compliance of all concerned, published hereunder is
the NFA ICT Usage and Cyber Security Policy.
II. STATEMENT OF POLICIES
A. ICT Management
1. The NFA will formulate and implement policies, plans and programs on the
management and security of ICT resources and facilities of the agency with
the concurrence and approval of the management.
2. All ICT related projects, activities and requirements of the NFA shall be
coordinated with CPMSD. CPMSD will review and evaluate the integration of
all the existing ICT systems of NFA.
3. The CPMSD will review, evaluate and standardize all ICT resources technical
specifications to ensure interoperability and compatibility with existing ICT
equipment and systems.
4. Moving any ICT equipment in Central Office, except for mobile computers,
from its original location, which is not for the purpose of repair or replacement,
shall have prior coordination with the CPMSD.
5. All ICT equipment and peripherals shall be moved and assembled by the
CPMSD, to ensure efficient network performance, troubleshooting, access
rights assignments and resolving network problems.
6. Reassigning any ICT equipment, from its original user, shall have prior
coordination with the CPMSD.
7. Only CPMSD or its authorized personnel shall install, modify or upgrade any
hardware and/or software in the Central Office. However, in the field offices,
the designated LAN administrator will perform the said activities.
8. To ensure protection and security of the NFA corporate network and
workstations from external threats as required by the Data Privacy Act of
2012, NFA will maintain security gateway devices and install endpoint
protection for the computers and servers.
9. Only CPMSD or its authorized personnel shall install the corporate anti-virus
and security software on any NFA computer.
10. Users shall not be allowed to disable, defeat, circumvent the setting and
configuration, or install any security mechanism in any of the NFA ICT
equipment, network or resources.
11. Only the CPMSD or its authorized personnel shall inspect, install, modify,
upgrade, repair or maintain any ICT equipment in the Central Office.
However, in the field offices, the designated LAN administrator will perform
the said activities.
12. All ICT resources and facilities are owned by the Government. The NFA
reserves the right to monitor and/or log all network-based activities. NFA has
the right to access, read, review, monitor, and audit the NFA computer system
and its content through CPMSD technical staff.
B. System Access Requirements
1. NFA ICT facility and resources like internet access are to be used only for
work-related activities and functions to support business activities.
2. BYOD laptops/equipment of NFA executives shall have prior approval from
CPMSD before they are connected to the NFA network. NFA will not be liable for
damage to or infection of said devices.
3. Peer network or work group connection shall be allowed provided prior
approval from CPMSD has been obtained.
4. All qualified users of the NFA ICT resources and facilities shall be issued a
unique log-in name and password to gain access to the network resources.
Username
The CPMSD shall issue the standardized naming convention and
format of username to be adopted.
Password
a. “Confidentiality”. It is the sole responsibility of the user to secure
his/her password. Should the user be required to divulge his/her
username and password for whatever legal purpose, the user is
obliged to do so in the presence of his/her direct supervisor.
b. “Standards”. It is recommended that a password should have a
minimum of seven alphanumeric characters and should consist of at
least one capital letter, one number and one special character.
c. The NFA reserves the right to hold the employee liable for damages
caused by the user’s failure to protect the confidentiality of his/her
password.
5. Internet access is formally requested from the CPMSD department manager,
with justification for the required access by the user’s department manager.
Access to the internet will be approved and provided only if reasonable
business needs are identified. Internet access will be granted based on the
employee’s current job responsibilities.
6. NFA ICT resources like user login and internet access will be discontinued
upon termination of employee, completion of contract, end of service of
employee, change of function, division/department of employee, or
disciplinary action arising from violation of this policy.
C. Prohibited Acts and Uses of the ICT Resources and Facilities
1. General Principle in Proper Use of ICT Resources.
Users shall access or use only those services and parts of the ICT facilities or
resource that are consistent with his/her duties and responsibilities. The ICT
facilities or resources shall be used in accordance with its authorized
purpose. The uses and acts discussed in the following paragraphs shall be
considered violations in the use of the NFA ICT facilities or resources.
2. Uses Contrary to Laws shall be defined as follows:
2.1 Use of NFA ICT resources for criminal and unlawful activities.
2.2 Unauthorized use of copyrighted material. Prohibited acts include, but
are not limited to:
2.2.1 Copying, reproduction, dissemination, distribution, use,
importation, removal, alteration, substitution, modification,
storage, unloading, downloading, communication, publication or
broadcasting of copyrighted material without permission from the
Copyright owner. Un-copyrighted materials copied from or
through the NFA ICT System should be properly attributed;
2.2.2 Infringement of Intellectual Property Rights through the use of
unauthorized or “pirated” software, peripherals or devices that
are used in conjunction with or attached to NFA ICT resources
and facilities; and,
2.2.3 Infringement of Intellectual Property Rights belonging to others
through the use of ICT resources.
2.3 Hacking and Profiteering Schemes. These include but are not limited to:
2.3.1 Use of NFA ICT resources and facilities for hacking other ICT
communication/computer systems; and
2.3.2 Use of NFA ICT resources and facilities in any profiteering
schemes that intend to defraud other people.
3. Uses for Personal Benefits, Business or Partisan Activities. These shall
include, but are not limited to:
3.1 Use of NFA ICT resources and facilities for commercial purposes,
advertisement, or personal profit;
3.2 Use of NFA ICT resources and facilities for any partisan political
activities. Use of NFA ICT resources and facilities for political lobbying,
disseminating information or gathering support or contributions for
social, political or cause-oriented group, which are inconsistent with the
activities of the NFA; and
3.3 Use of NFA ICT resources and facilities for
viewing/uploading/downloading of pornographic materials or any activity
unrelated or inappropriate to the duties and responsibilities of the User.
4. Acts that Damage the Integrity, Confidentiality and Efficiency of the NFA ICT
System. These shall include but are not limited to:
4.1 Interconnection of server systems, running particular service(s) such as
Active Directory, DNS and DHCP, to the NFA LAN system;
4.2 Destruction, deletion, removal, modification, or installation of NFA-owned
computer equipment, peripheral, operating system, disk
partition, software, database, or other components of the ICT System;
4.3 Acts that attempt to crash, tie up, or deny any service on the NFA ICT
system, such as, but not limited to: sending repetitive requests for the
same service (denial-of-service); sending bulk mail; sending mail with
very large attachments (e.g. 20MB or more); sending data packets that
serve to flood the network bandwidth;
4.4 Concealment, deletion, or modification of data or records pertaining to
access to the NFA ICT System at the time of access, or alteration of system
logs after such access for the purpose of concealing identity or hiding
unauthorized use;
4.5 Concealment of identity, pretending as other users when accessing,
sending, receiving, processing or storing through or on NFA ICT
system;
4.6 Attempts or actions that tend to disable, defeat or circumvent any
security mechanism installed in any of the NFA ICT system, network or
resources; and
4.7 Alternate ISP connection to the NFA’s internal network shall not be
permitted. Devices using independent dial-up, DSL or lease-line shall
not be connected to NFA’s LAN.
5. Acts that Encroach on the Rights of Other Users. These shall include but are
not limited to:
5.1 Sending unsolicited mail such as chain-letters, advertisements, jokes,
trivia, announcements to non-official group or activities, offers, inquiries,
and the like (spamming);
5.2 Accessing, downloading, uploading, producing, disseminating or
displaying material that could be considered offensive, pornographic,
racially abusive, culturally insensitive, or libelous in nature;
5.3 Sending messages which are fraudulent, maliciously harassing,
obscene, threatening, or in violation of laws, administrative rules and
regulations, or other policies of the NFA; and
5.4 Acts that interfere with or disrupt other computer users such as, but not
limited to: sending messages through pop-up screens; running
programs that simulate crashes; running spyware to monitor activities of
other users.
6. Acts which Violate Privacy shall be defined as follows:
6.1 Spying or Spoofing. These include but are not limited to:
6.1.1 Accessing or attempting to gain access to information, archives or
systems that are outside their approved areas and level of
access;
6.1.2 Decrypting, attempting to decrypt, or enabling others to decrypt
information which is intentionally encrypted, password-protected,
or secure; and
6.1.3 Re-routing or capture of data transmitted over ICT Systems.
6.2 Unauthorized Disclosure. These shall include but are not limited to:
6.2.1 Copying, modification, dissemination, or use of confidential
information such as client’s data submitted to NFA based on
policy of trust and confidentiality, proprietary data and
information, research materials and other material or information
that is not classified for public use;
6.2.2 Searching or providing copies of, or modification to, files,
programs, or passwords belonging to other users, without the
expressed permission of the owners of the said files, programs
or passwords; and,
6.2.3 Disclosure of private personal data without expressed permission
from the concerned person/s.
7. Acts that violate Section 4(b) of R.A. 6713, Code of Conduct and Ethical
Standards for Public Officials and Employees: “Professionalism – Public
officials shall perform and discharge their duties with the highest degree of
excellence, professionalism, intelligence and skill”. These shall include but
are not limited to:
7.1 Habitual non-work related use of ICT resources like use of social media
and other non-productive websites during office hours which are not in
any way related to official functions.
7.2 Playing online and off-line computer games at work.
7.3 Accessing gambling websites.
7.4 Watching movies or videos, online or off-line, during office hours which
are not related to the performance of official duties and responsibilities
of the government employee.
7.5 Acts that waste resources like printing of non-work related documents,
files, data, or programs; and sending of unsolicited files or messages.
D. Internet Use
1. Internet usage is granted for the sole purpose of supporting business
activities necessary to carry out job functions.
2. Access to the following sites is prohibited: criminal activities, extremist
sites, games and gambling, illegal software, nudity, pornography.
3. Access to other websites, like social and streaming media, is limited during
office hours unless required in the user’s job functions.
E. Email Use
The NFA is one of the participating agencies where GovMail was implemented.
GovMail, the government’s own email and collaboration system implemented by
the Department of Information and Communication Technology (DICT), allows
agencies to use the “.gov.ph” address in emails and the government cloud
(GovCloud) for data storage.
1. Acceptable Use of GovMail
1.1 As a rule, any e-mail sent using the GovMail Service is permitted for as
long as the same is used in performance of official duties and
responsibilities of the government employee. When using the GovMail
Service, the Account Holders shall act professionally and shall be
bound by the provisions of the Code of Conduct and Ethical Standards
for Public Officials and Employees (R.A. 6713).
1.2 Messages sent through the GovMail Service shall follow the
government communication protocol or the rules stipulated in individual
agency communication policies.
2. Prohibited Use of the GovMail Service
2.1 No e-mail shall be sent through the GovMail Service for purposes
outside of the performance of official duties and responsibilities. It shall
not be used to send out jokes, rumors, gossips or opinions that are not
delivered in the performance of official duties and responsibilities.
2.2 E-mail Account Holders shall be prohibited from accessing, copying or
deleting the e-mail of another Account Holder without the consent of the
latter.
2.3 Account Holders shall not disclose their passwords to other persons,
unless the Agency requires it.
2.4 The GovMail Service shall not be used for the creation or distribution of
messages that are disruptive or offensive to other persons, including
offensive comments and statements about race, gender, disabilities,
age, sexual orientation, pornography, religious beliefs and practices,
political beliefs or national origin.
2.5 The GovMail Service shall not be used for personal or commercial
purposes and for the promotion of business or other matters outside of
the government.
2.6 As a rule, the sending of bulk mail shall be prohibited unless such bulk
mail is formally solicited. Users should send e-mail messages and
copies thereof only to those with a legitimate need to read the message.
Attaching bulk files in the e-mail message is discouraged.
2.7 The use of materials, procedures, devices or technologies that will
enable unauthorized access to the GovMail Service is prohibited.
2.8 Authorized users are prohibited from using their Agency E-mail Account
in registering or joining Social Networking Sites and other list groups
that are for personal use in nature.
F. Free Public Wifi Use
In support of the current plans of the government to provide free WIFI access to
the public in government agencies, NFA provided public access to WIFI in
selected areas in the NFA Central Office.
1. Target Users
This public service is intended for visitors and stakeholders of the National
Food Authority Central Office.
2. Log-in Scheme/Period
2.1 This public service is envisioned to provide connectivity to the internet
everywhere for all visitors and guests of the NFA Central Office. Initially
the service will only be available in selected strategic areas in NFA
Central Office. NFA will not be liable for damage to or infection of devices
connected to the NFA Free Public Wifi. CPMSD will conduct orientation
for updates/revisions.
2.2 Guest users are required to agree to a set of Terms and Conditions of
Use and registration that will only require the machine ID (MAC
address) of the device for a user to gain access.
2.3 The public service shall generally be accessible during office hours,
except when requested by a competent authority such as the head of
agency or due to security and safety reasons.
3. Fair Usage Policy
3.1 Users are each provided with 1 hour of access per day starting from the
acceptance of Terms of Use or 50MB per day, whichever is consumed
first.
3.2 Users are provided with connection speed up to 256 kbps bandwidth
un-committed rate.
This policy shall take effect immediately upon approval.
LT. COL. JASON L. Y. AQUINO, (RET.) PA
NFA Administrator
III. RESPONSIBILITIES
IV. FLOW CHART