IT Policy and Procedure Manual

November 2019

Version NumberApproved DateApproved byNext Review Date
1.0 November 2019 President December 2020
The Central Executive Committee (CEC) has the authority to change the policy with the exception waivers which should be logged and reported to the Central Committee on a quarterly basis.

Contents

  1. Introduction
  2. Policy Approval
  3. Shadow IT
  4. Hardware
  5. Software
  6. Hardware and Software Standard
  7. IT Security
  8. IT Security Infrastructure Policy for IT Staff
  9. Server Back-up and Restore
  10. Outsourcing Management

1. Introduction

The MHAA IT department provides for the security and privacy of the data stored on and processed by MHAA technology resources to be compliance with the organizational policies and mandates, and generally accepted industry best practices, and with the aim to increase the productivity of users and facilitate an accessible and coherent flow of information, thereby enhancing the decision-making process.


Throughout this policy, the term “users” identifies full and part-time staff members, contractors, consultants, interns, volunteers, and other users who access IT resources according to each responsibility. Management expects users to comply with these and other applicable organizational policies and procedures. Failure to abide by these conditions may result in forfeiture of the privilege to continue the use of IT resources, disciplinary action.


The IT department is committed to protecting MHAA and its staff from illegal or damaging actions by organizations and individuals, either knowingly or unknowingly. Its systems are to be used for organization goals  serving the interests of the organization during the course of normal operations. It is the responsibility of users to know MHAA policies and conduct their activities accordingly.


For the technical assistance, IT department is to make ensure the compatibility between field offices and headquarter and responsible to enforce standardization of Information Technology (IT) platforms in the organization. The IT department develops and is responsible for facilitating and implementing the Information Technology strategy of the organization with the defining and revising the systems, hardware, software,  networks and communications standards for MHAA.

2. Policy Approval

 The IT department works with management to research the requirements for the new/revised policy. This research includes reviewing existing policies, getting best practices from outside the organization. If necessary, reviewing and revision are made to the draft one to be sent to Senior Management Team. Then, the policy is presented to central executive committee (CEC) for the approval. The final approved version is to be uploaded into the MHAA website.

3. Shadow IT

 The IT department will ensure that the shadow IT system is aligned to organizational strategic goals and must also be informed of any major changes to such systems as these may affect other IT areas as well. Shadow IT needs addressing to ensure the integrity and efficiency of the organization technology, and to prevent fragmentation of information and processes. It is defined as IT systems and solutions outside the  ownership or control of IT department (e.g. Head Quarter Office development of a financial accounting system).


The shadow IT which IT department unmanages and is unacknowledged isn't necessarily detrimental to the organization but it can create risks of data loss, corruption or misuse, inefficient and disconnected  processes, and fragmented information which must be addressed appropriately. IT department is responsible for monitoring shadow IT systems to determine associated risks, support services, stability, effectiveness, and impact on internal system performance.

4. Hardware

This policy covers all the users who are MHAA staff and central executive members. Those who separate from the organization will return assigned IT hardware before departure. Deviations from current standards  must be cleared by the IT department which clearance can be obtained via email.


There is a total of 4 years cycle of replacement for all IT hardware, and a need of IT department technical endorsement following provision of justification for any replacements made prior to 4 years require. All MHAA  staff based on the available budget are eligible for a computer and accessible to IT related resources with excluding of drivers, security guards and cleaners who can share units. All MHAA staff and central executive  members cannot have more than one computer. If users have a desktop, they can use a shared laptop for traveling use.


According to security concern, user owned hardware is not permitted to use MHAA wired network connections but wireless connectivity is permitted where available. All the users are responsible for the reasonable  care of the hardware assigned to them. If the loss or damage of the hardware is attributable to negligence on the part of the user, the user will incur the costs related to the repair or replacement of the equipment. Failure to do so may even result in disciplinary
action.


All the users are accountable to make sure the integrity, privacy, and security of assets assigned to them. Laptops and other portable devices must be secured to prevent theft. MHAA provides hardware for the  operations and for performing daily work activities. Commercial use of MHAA hardware is strictly prohibited. Users may be subject to disciplinary action if found using hardware contrary to this policy.

 5. Software

This policy provides stable technology software solutions to address organization needs. Any installation of software on organizational devices without standardized ones can hinder the provision of services.This policy for all MHAA users covers the installation of software on MHAA owned computers. MHAA owns all IT software procured for utilizing its resources. It is forbidden from installation of MHAA licensed software on  computers not belonging to the organization.


It is inhibited from distribution or using computer programs for reasons such as scanning networks, intercepting information or password capture unless specific authority is obtained from the MHAA IT department. All the users must not duplicate licensed software for use on everywhere unless expressly authorized to do so. Users may not give software to third parties, including contractors, suppliers and may use software on networks or on multiple machines only in accordance with applicable license agreements. Software must only be installed, modified, de-installed or deleted in accordance with agreed change management procedures, and must only be carried out by authorized IT personnel.

6. Hardware and Software Standard

6.1. Hardware Standard

6.1.1. Network & security device

  • Recommended Vendor for Routers and Switches should be Cisco or Juniper but other vendor like HPE, Netgear, Brocade, Mikrotik, D-Link, TPlink, Prolink, TrendNet etc., can be accepted also.
  • Recommended Vendor for Firewall/Network Security Device should be Checkpoint, PaloAlto or Fortinet FortiGate but another vendor like Cisco, Juniper, Sonic Wall or WatchGuard can be accepted also.

6.1.2. Physical Server

Recommended Vendor for Server should be Dell but another vendor like IBM or HP can be accepted also.

6.1.3. Client Computer

Recommended Vendor for client computer (laptop/desktop) should be Lenovo but another vendor like HP, Dell, Acer, Asus, MSI etc., can be accepted also.

6.1.4. Printer/Scanner/Copier

Recommended Vendor for Printer/Scanner/Copier should be HP or Canon or Epson but another vendor like Fujitsu, Brother etc., can be accepted also.

6.2. Software Standard

6.2.1. Operating System

Microsoft Windows Server 2016 and above is recommended Standard Server Operating System. Microsoft Windows 10 professional is recommended Client Computer Operating System for Laptop/Desktop but Windows 8.1 and Windows 7 can be accepted also.

6.2.2. Standard Applications for Laptop/Desktop are recommended as follow.

1) Microsoft Office
2) Adobe Reader
3) Adobe Acrobat
4) Adobe PageMaker 7.0
5) Adobe Photoshop
6) Adobe Flash Player
7) Java
8) Cube PDF Writer
9) WinRAR or WinZip or 7Zip
10) CDBurner XP or Neo Burning Rom
11) VLC Media Player
12) Mozilla Firefox or Google Chrome
13) Skype, Viber
14) Zapya for PC
15) Alpha Zawgyi Keyboard and Font
16) Pyidaungsu Keyboard and Font
17) Win Myanmar Fonts
18) Myanmar-English-Myanmar Dictionary
19) USB Disk Security
20) Windows Defender and Smad AV Anti-Virus

7. IT Security

Actually, computer security is the crucial issue for data security. Secure information requires participation of the user as it relates to everyone assigned jobs. Any problems using under this user name, the user is accountable for his actions and results as MHAA IT policies and procedures. Organization IT staff has the importance role in taking responsible for infrastructure security and prevention of security concerned. MHAA  has the right to monitor and review of its IT resources without notice includes email, internet access, file access, log-ins and changes to access levels. MHAA may review the system logs to take decision on the causes if the security problem arises.


User responsibilities include:


- Any user can access and release only data which are in line with his job and a need to know.

- Cloud storage both free and paid version can be used if the data are directly link with the business.

- Data sharing can be done after taking approval from line Manager/supervisor.-Illegal purposes are not allowed including copyright violation, offensiveness, libel, insult, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, gambling, soliciting for illegal pyramid schemes, and computer tampering (e.g.-Personal usage of the MHAA Internet is not allowed.

- Personal usage is limited in communication with family and friends, independent learning, and public service uploading and downloading of files for personal use, access to pornographic sites, peer to peer sites, illegal drugs, weapons, gaming, competitive commercial activity, and the dissemination of chain letters.

-All users access to MHAA corporate network need to use updated anti-virus system running on their computers whether locally or remotely by using VPN software.

-All staff have responsibilities to report IT security violations to the IT focal person regarding the abuse or misuse of MHAA IT resources.

-If anyone does not in compliance with MHAA IT policy and procedures, it will be administrative, disciplinary or other legal action as applicable.

-User IDs and passwords must be confidential. The key to access MHAA IT system resources is the password.

-To make sure password confidential is the critical to prevent information theft and disclosure of organizational and personal information.


Users must follow password policy as follow:

  • Not allow to write down your password.
  • Not allow to share your password to anyone.
  • You have to change your password immediately if someone has disclosed it.


Periodically change your password. According to MHAA password policy, everyone needs to change their passwords every 90 days.


Guidelines to create a new password are

  • Minimum password length is 8 characters.
  • The users cannot change previous three passwords as the password history is 3.
  • Everyone needs to change default password immediately.
  • Password should be included numbers, special characters, capital and small letters.
  • It should not be easy to guess by someone.


User should log off systems or lock your system with a password protected screen before leaving a computer unattended.

8. IT Security Infrastructure Policy for IT Staff

 Data security is the most important computer security issue. Dedicated Infrastructure security provided a greater level of security for information systems. The Security Infrastructure Policy which deployed to all  dedicated information systems protect the property of MHAA, including perimeter protection platforms (i.e., firewalls); malware protection platforms (i.e., anti-virus, anti-spyware, etc.); intrusion protection platforms; and data protection platforms (i.e., content filters, encryption).


IT Staff need to be responsible for security infrastructure, policy enforcement, and prevention of security breaches in their respective offices. MHAA owns its IT security infrastructure. Technical approval from Head of IT must need to be obtained for major configurations before implementation. If the security incident arose, in whole or in part because of user noncompliance with applicable regulations, rules, policies or procedures, privilege user account will be disable which was allowed to use MHAA IT resources as well as administrative, disciplinary or other legal action as applicable.


Data can be destroyed or stolen in number of ways. All MHAA offices (for collocated offices, the infrastructure can be shared with other agencies) must implement the following items to ensure data security:


Firewall should protect boundary network access by monitoring and controlling data flow. The firewall needs to be configured implicit deny rule and allow as needed to prevent public access to internal networks. MHAA standard firewalls should be utilized whenever possible. Antivirus protection systems should be applied for all information systems. At least, it should be performed at the network boundary, on e-mail and other communications systems, and on all computers, servers and other endpoints.


Any network access from Public Internet to MHAA internal networks via VPN Tunnel need to be protected by data protection platform of firewall which include data encryption, session encryption and content filtering. Only approved staff can utilize remote access VPN which was setup and managed by MHAA IT department. Anti-virus software with updated virus definition database must be used while all computers are connecting to MHAA internal networks via VPN. All action of IT Staff is imperative with the highest degree of professional responsibility and integrity as high level of access to data and systems infrastructure was provided.

 9. Server Back-up and Restore

The purpose of this policy is to define the backup schedules for all server and ensure server continuity to support the backup and restoration of information in the event of a natural disaster, equipment failure, and/or accidental loss of files. The goals of this backup policy are outlined as follows:


- To safeguard the information assets of MHAA.
- To prevent the loss of data in case of accidental deletion or corruption of data, system failure, or disaster.
- To permit timely restoration of information and business processes
- To manage and secure backup & restoration processes and the media employed within these processes.


This policy covers MHAA users who are involved in providing backup and restoration services to any MHAA HQ servers such as IT Backup Administrators and Local Area Network Administrators. IT department is responsible for backing up user data stored on HQ servers. IT department must designate Backup Administrator who will work under the supervision of Head of IT and will be responsible and accountable for backup and restoration management.


Backup Administrator must put in place procedures to create backup copies of all critical data stored on MHAA servers. Critical data is defined as official documentation and SQL financial software database which is stored on HQ servers. Methods are implemented for authorized users to gain access to the backup data quickly. These procedures are updated yearly to accommodate changes in policies or procedures at MHAA.

Restore Request procedure:
All requests for restoration services must be submitted through IT department. Time duration of data or system restoration may be depending on minor or major issues.


IT emergency recovery procedures
In case of disaster or hardware failure or virus infection in server operating system, IT Department will perform Data/System restore with the latest recent backup.


Minor Case for File Server
Restore File or Folder from latest backup restore point of Backup Software to original location.


Major Case for All Server
Restore entire Virtual server from latest recent backup of Backup Software to datastore of Hypervisor.


Defining what is to be backed up:
All data and SQL financial software database essential for the continued operation of all MHAA services must be backed up. For headquarters, the Backup Administrator will determine what information to back up, in what form, and how often, in consultation with Head of IT is responsible for the specific data.

10. Outsourcing Management

Outsourcing management is crucial to address the risks associated with IT outsourcing process. It is transferring responsibility to an outsourcing provider to carry out the activity under the agreement. Under the formal contract, the contractor provides the services based on a mutual agreement. Determination and selection of IT outsource vendors throughout MHAA are responsible to the organization. Outsourcers include: hardware and software support and maintenance staff, applications development staff and external IT consultants and vendors. A formal contract or any agreement between MHAA and the outsourcer shall exist to protect both parties. The contract or any agreement is based on MHAA HR / procurement policy.