
Acceptable-Use Policy

The document outlines an acceptable use policy for computer equipment in the Government of Botswana. It defines terms, outlines general use and ownership guidelines, security and proprietary information rules, and unacceptable uses including system activities, email/communications, and blogging. It also covers accountability, violations, associated policies, policy governance, and exceptions.

Uploaded by

Vic Logic

DIT SECURITY DIVISION

Republic of Botswana

Ministry of Transport and Communications

Department of Information Technology

Security Division
Computer Equipment Acceptable Use Policy
Version 1.0

Date: 2010/02/01

GOB Acceptable Use Policy



Document Control

Organization          Department of Information Technology
Title                 Computer Equipment Acceptable Use Policy
Author                DIT Security Division
Filename              DIT GDN acceptable use policy
Owner                 Government of Botswana
Subject
Protective Marking    None
Review date           February 1, 2010

Revision History

Revision Date    Reviser    Previous Version    Description of Revision

Document Approvals

This document requires the following approvals:

Sponsor Approval                    Name           Signature    Date
Director Information Technology     Joyce Mpete


Table of Contents
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Definitions
5.0 Policy
5.1 General Use and Ownership
5.2 Security and Proprietary Information
5.3 Unacceptable Use
5.3.1 System and Network Activities
5.3.2 Email and Communications Activities
5.3.3 Blogging
6.0 Accountability
7.0 Violations
8.0 Associated Policies
9.0 Policy Governance
10.0 Review and Revision
11.0 Enforcement queries and comments
12.0 Exceptions



1.0 Overview
The intention of the Department of Information Technology (DIT) in publishing an Acceptable Use
Policy is not to impose restrictions that are contrary to the government of Botswana’s
established culture of openness, trust and integrity. DIT is committed to protecting the government
of Botswana's information and communication systems, employees, partners and the country
from illegal or damaging actions by individuals, either knowingly or unknowingly.

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment,
software, operating systems, storage media, network accounts providing electronic mail, web
browsing, and secure file transfers, are the property of the government of Botswana. These
systems are to be used for business purposes in serving the interests of the country, and of our
clients and customers in the course of normal operations.

Effective security is a team effort involving the participation and support of every government of
Botswana employee and affiliate who deals with information and government infrastructure
and/or information systems. It is the responsibility of every computer user to know these
guidelines, and to conduct their activities accordingly.

2.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment on the GDN.
These rules are in place to protect the employee and government. Inappropriate use exposes the
GDN to risks including virus attacks, compromise of network systems and services, and denial of
services, not forgetting poor service delivery to the nation at large.

3.0 Scope
This policy applies to employees, contractors, consultants, temporaries, and other workers of the
government of Botswana, including all personnel affiliated with third parties. This policy applies
to all equipment that is owned or leased by the government of Botswana.

4.0 Definitions

Term                  Definition

Blogging              Writing a blog. A blog (short for weblog) is a personal online journal that
                      is frequently updated and intended for general public consumption.

Chain letters         Consists of a message that attempts to induce the recipient to make a
                      number of copies of the letter and then pass them on to as many recipients
                      as possible.

DIT                   Department of Information Technology

Internet/ Extranet    An international standardized global system of interconnected computer
                      networks that connects millions of people.

Intranet              A private computer network that uses Internet technologies to securely
                      share any part of an organization's information or operational systems with
                      its employees.

GDN                   Government Data Network

Spam                  Unauthorized and/or unsolicited electronic mass mailings.

5.0 Policy

5.1 General Use and Ownership

a) While GDN administration desires to provide a reasonable level of privacy, users should
be aware that the data they create on the government systems remains the property of the
government of Botswana. Management cannot guarantee the confidentiality of
information stored on any network device belonging to the government of Botswana;
hence government’s secrets and confidential information should NEVER be sent over the
network.

b) Employees are responsible for exercising good judgment regarding the reasonableness of
personal use. Individual departments are responsible for creating guidelines concerning
personal use of Internet/Intranet/Extranet systems. In the absence of such policies,
employees should be guided by their departmental policies on personal use, and if there is
any uncertainty, employees should consult their supervisor or manager.

c) DIT recommends that any information that users consider sensitive or vulnerable be
encrypted. Refer to the Data Encryption Policy.

d) For security and network maintenance purposes, authorized individuals within the GDN
may monitor equipment, systems and network traffic at any time.

e) Government of Botswana reserves the right to audit networks and systems on a periodic
basis to ensure compliance with this policy.

5.2 Security and Proprietary Information

a) The user interface for information contained on Internet/Intranet/Extranet-related
systems should be classified as either confidential or not confidential, as defined by
confidentiality guidelines. Examples of confidential information include but are not
limited to: tender documents, systems and user passwords, medical records. Refer to
Confidential Information Document. Employees should take all necessary steps to
prevent unauthorized access to this information.

b) To prevent unauthorized users from using network devices and applications, users
are advised to abide by the password policy and systems use best practices.

c) All computers, laptops and workstations should be secured with a password-protected
screensaver with the automatic activation feature set at 10 minutes or less,
or by logging-off when hosts are unattended.

d) Never leave computers or devices unattended or with unauthorized users.

e) Because information contained on portable computers is especially vulnerable,
special care should be exercised. Protect laptops in accordance with the “Laptop
Security Tips and Best Practice”.

f) Postings by employees from a government of Botswana email address to newsgroups
should contain a disclaimer stating that the opinions expressed are strictly their own
and not necessarily those of the government of Botswana, unless posting is in the
course of business duties.

g) All hosts used by the employee that are connected to the government internet,
intranet, whether owned by the employee or government of Botswana, shall be
continually executing approved virus-scanning software with a current virus database
unless overridden by departmental or group policy.

Employees must use extreme caution when opening e-mail attachments received from unknown
senders, which may contain viruses, e-mail bombs, or Trojan horse code.

5.3 Unacceptable Use

Under no circumstances is an employee of the government of Botswana authorized to engage in
any activity that is illegal under local, state or international law while utilizing government-
owned resources. Employees may be exempted from these restrictions during the course of their
legitimate job responsibilities (e.g., systems administration staff may have a need to disable the
network access of a host if that host is disrupting production services).

The lists below are by no means exhaustive, but attempt to provide a framework for activities
which fall into the category of unacceptable use.

5.3.1 System and Network Activities

The following activities are strictly prohibited, with no exceptions:

a) Violations of the rights of any person or company protected by copyright, trade
secret, patent or other intellectual property, or similar laws or regulations,
including, but not limited to, the installation or distribution of "pirated" or other
software products that are not appropriately licensed for use by the government of
Botswana.

b) Unauthorized copying of copyrighted material including, but not limited to,
digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which the government of Botswana or the end user does not have an
active license is strictly prohibited.

c) Exporting, importing, uploading and downloading software, technical
information, in violation of international or regional export control laws, is illegal.
The appropriate management should be consulted prior to export of any material
that is in question.

d) Introduction of malicious programs into the network or server (e.g., viruses,
worms, Trojan horses, e-mail bombs, etc.) is illegal.

e) Revealing your account password to others or allowing use of your account by
others is punishable by law. This includes family and other household members
when work is being done at home.

f) Using a Government of Botswana computing asset to actively engage in
procuring or transmitting material that is in violation of sexual harassment or
hostile workplace laws in the user's local jurisdiction.

g) Making fraudulent offers of products, items, or services originating from any
government of Botswana user account.

h) Making statements about warranty, expressly or implied, unless it is a part of
normal job duties.

i) Effecting security breaches or disruptions of network communication. Security
breaches include, but are not limited to, accessing data of which the employee is
not an intended recipient or logging into a server or account that the employee is
not expressly authorized to access, unless these duties are within the scope of
regular duties. For purposes of this section, "disruption" includes, but is not
limited to, network sniffing, pinged floods, packet spoofing, denial of service, and
forged routing information for malicious purposes.

j) Port scanning or security scanning is expressly prohibited unless prior notification
to DIT Security Division or Director is made.

k) Executing any form of network monitoring which will intercept data not intended
for the employee's host, unless this activity is a part of the employee's normal
job/duty.

l) Circumventing user authentication or security of any host, network or account.

m) Interfering with or denying service to any user other than the employee's host (for
example, denial of service attack).

n) Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's terminal session, via any means, locally
or via the Internet or Intranet.

o) Providing information about, or lists of, government of Botswana employees to
parties outside the government.

5.3.2 Email and Communications Activities

a) Sending unsolicited email messages, including the sending of "junk mail" or other
advertising material to individuals who did not specifically request such material
(email spam).

b) Any form of harassment via email, telephone or paging, whether through
language, frequency, or size of messages.

c) Unauthorized use, or forging, of email header information.

d) Solicitation of email for any other email address, other than that of the poster's
account, with the intent to harass or to collect replies.

e) Creating or forwarding "chain letters", "hoaxes" or other "pyramid" schemes of
any type.

f) Use of unsolicited email originating from within the GDN of other internet or
intranet service providers on behalf of, or to advertise, any service hosted by
government of Botswana or connected via the GDN.

g) Posting the same or similar non-business-related messages to large numbers of
Usenet newsgroups (newsgroup spam).

5.3.3 Blogging

a) Blogging by employees, whether using the GDN property and systems or personal
computer systems, is also subject to the terms and restrictions set forth in this Policy.
Limited and occasional use of GDN systems to engage in blogging is acceptable,
provided that it is done in a professional and responsible manner, does not otherwise
violate GDN policy, is not detrimental to government of Botswana’s best interests, and
does not interfere with an employee's regular work duties. Blogging from GDN systems
is also subject to monitoring.

b) Government of Botswana Confidential Information policy also applies to blogging. As
such, Employees are prohibited from revealing any government of Botswana confidential
or proprietary information, trade secrets or any other material covered by the government
of Botswana’s Confidential Information policy when engaged in blogging.

c) Employees shall not engage in any blogging that may harm or tarnish the image,
reputation and/or goodwill of the government of Botswana and/or any of its employees.
Employees are also prohibited from making any discriminatory, disparaging, defamatory
or harassing comments when blogging or otherwise engaging in any conduct prohibited
by the government of Botswana’s Non-Discrimination and Anti-Harassment policy.

d) Employees may also not attribute personal statements, opinions or beliefs to the
government of Botswana when engaged in blogging. If an employee is expressing his or
her beliefs and/or opinions in blogs, the employee may not, expressly or implicitly,
represent themselves as an employee or representative of the government of Botswana.
Employees assume any and all risk associated with blogging.

e) Apart from following all laws pertaining to the handling and disclosure of copyrighted or
export controlled materials, the government of Botswana’s trademarks, logos and any
other government intellectual property may also not be used in connection with any
blogging activity.

6.0 Accountability
This policy applies to all government equipment that is operational and administered by any IT Unit
within the Government Data Network. It is the responsibility of each IT manager or supervisor
to enforce this policy. Employees who do not comply with this policy shall be subject to
disciplinary action, and vulnerable equipment which does not follow the methods defined above
will not be allowed to run on the Government Data Network. An assurance from the IT manager
will be requested upon any request to reconnect the equipment to the GDN. For applications, no
application will be registered for name resolution (DNS) without the approval of the Security
Division.

Before hosting or allowing applications to run in the GDN, DIT might perform penetration tests
that verify the operation of custom security policy requirements, including authentication,
session management, access control, and any other security check. The security team will
have verified and documented how it will perform the penetration tests or use any other
verification tool.

For all serious cyber crimes, as deemed by the Director, the CYBERCRIME AND COMPUTER
RELATED CRIMES ACT, 2007 will be referenced instead.

It is worth noting that overall computer usage and appliance security, standards compliance
and information security are not one-time events. Organizations and users must work diligently
and consistently to ensure that appliance and application weaknesses are found, that threats are
defended against as quickly as possible, and that the right people use the right equipment.

7.0 Violations

These regulations apply subject to and in addition to the law. Any violation of these regulations
may also be subject to penalties under civil or criminal law (Cybercrime and Computer Related
Crimes Act, 2007) and such law may be invoked by DIT. Use of the government’s systems may
be logged to permit the detection and investigation of infringement of Policies. Monitoring of
emails, internet usage, telephone calls and other Information and Communications Technology
may be carried out in some situations, for the purposes of:

• Investigating unauthorized use, and prevention and detection of criminal activities;
• Establishing compliance with regulatory standards and governmental policies;
• Ensuring effective system operation.

The Government reserves the right to inspect any Government-owned item of ICT equipment. Any
equipment deemed to be breaching policy or otherwise interfering with the operation of the
network may be removed.

Infringements of this policy may be investigated under the Government’s appropriate
disciplinary procedures as described below. Associated sanctions (with approval from Director,
Permanent Secretary or Permanent Secretary to the President) may include:

• Withdrawal of Government ICT facilities
• Seizure of equipment that is in violation of the policy
• Initiation of relevant disciplinary procedure for anyone found violating the policy.
• Sections 34 and 37 Part VIII, 31 Part VII and 21 Part V of the Botswana Public Service
Act of 1999 will be enforced on anyone found violating this policy
• Punishable by civil and criminal law (Cybercrime and Computer Related Crimes Act,
2007)
• Any account found in violation of any government policies will be disabled without prior
notice.

8.0 Associated Policies

Applicable policies include those listed below. This list is not exhaustive and is subject to
change:

• Clean Desk Policy
• Antivirus and Malware Policy
• Acceptable use Policy
• Password Policy
• Electronic mail Policy
• Remote Access Policy
• Acceptable Encryption Policy
• Privacy and Confidential Policy
• Removable Media and Data Transfer Policy
• Screen saver Policy
• Physical and Access Security policy

9.0 Policy Governance


The following table identifies who within government is Accountable, Responsible, Informed or
Consulted with regard to this policy. The following definitions apply:

• Responsible – the person(s) responsible for developing and implementing the policy.
• Accountable – the person who has ultimate accountability and authority for the policy.
• Consulted – the person(s) or groups to be consulted prior to final policy implementation
or amendment.
• Informed – the person(s) or groups to be informed after policy implementation or
amendment.

Responsible    Head of DIT Security
Accountable    Director of Information Technology
Consulted      All DIT Divisions, IT officers and managers
Informed       All Government of Botswana employees, All Temporary Staff, All
               Contractors, service providers and stakeholders

10.0 Review and Revision


This policy will be reviewed as it is deemed appropriate, but no less frequently than every 3
months for the two years, then once annually thereafter.

Policy review will be undertaken by the Head of Security.

11.0 Enforcement queries and comments

For enforcement questions or clarification on any of the information contained in this policy,
including any general questions about department-wide policies and procedures, please
contact the DIT Security section: [email protected].

12.0 Exceptions

Any exceptions to this policy will require written authorization. Exceptions granted will be issued a
policy waiver for a defined period of time. Requests for exceptions to this policy should be addressed
to the Director of the Department of Information Technology (DIT).
