AUP Form WeiQuan
Version: 3.0
This Acceptable Use Policy (AUP) is adapted from the PMO Cluster AUP for communication to
all ICT and Data end users in PSD.
OFFICIAL (CLOSED)
________________________________________________________________________
Contents
1. OBJECTIVE
2. ENFORCEMENT AND VIOLATION
3. YOUR RESPONSIBILITIES
4. PASSWORD MANAGEMENT
5. INFORMATION HANDLING
6. DATA PROTECTION
7. EMAIL ACCOUNT AND MANAGEMENT
8. GOVERNMENT FURNISHED EQUIPMENT (GFE)
9. BACKUP AND RECOVERY
10. MALWARE/VIRUS MANAGEMENT
11. INCIDENT REPORTING
12. OVERSEAS TRAVEL
13. INTERNET ACCESS
14. HANDLING OF SECRET CLASSIFICATION
This AUP applies to you if you are a public service officer, or a consultant, contractor, intern or
temporary staff working in or for the Agency.
1. OBJECTIVE
1.1. This Acceptable Use Policy (“AUP”) outlines the Do’s and Don’ts related to the use of public
sector InfoComm Technology (ICT) systems and the handling of data, to mitigate against
security breaches and reduce security risks.
2. ENFORCEMENT AND VIOLATION
2.1. In the event of any suspected abuse, unauthorised and/or illegal activities, the Agency reserves
the right to monitor your use of Government Furnished Equipment (GFE) and electronic
communications.
3. YOUR RESPONSIBILITIES
3.1. As a data user, you shall be familiar with your roles and responsibilities spelled out under the “ROLES
AND RESPONSIBILITIES OF PUBLIC OFFICERS” section within the Instruction Manual
ICT&SS Management -> Governance -> Leadership and Accountability.
3.2. If given access to the Agency’s data, you are responsible for safeguarding the data and
complying with the Agency’s ICT security policies, standards and procedures.
3.3. You shall use accounts and Government Furnished Equipment (GFE) issued to you for official
purposes and be responsible for all activities carried out.
3.4. All new joiners shall complete the “Cyber & Data Security” e-learning modules (via the CSC Learn
App) and pass the assessment within 3 months from the date of joining the service.
4. PASSWORD MANAGEMENT
4.1. You shall not share your credentials (user ID/password/security tokens) with others in the course
of work.
4.2. You shall change your system password when prompted. You are strongly recommended to
follow the guidelines below:
(a) Do not reuse the same password across multiple systems.
(b) Do not store and/or write down passwords in places which are easily accessible by others.
(c) Logout and close all browser tabs after conducting sensitive online transactions.
5. INFORMATION HANDLING
5.1. In managing CLASSIFIED information, you shall be familiar with SINGAPORE GOVERNMENT
INSTRUCTIONS FOR SECURITY OF CLASSIFIED INFORMATION.
5.2. You shall ensure that all sensitive documents¹, including those in the preparation stage, are clearly
marked to highlight the presence of sensitive data. Recommended format for classification
marking: “SECURITY CLASSIFICATION \ SENSITIVITY CLASSIFICATION”
5.3. You shall ensure that sensitive documents are minimally kept under lock and key.
5.4. You shall ensure sensitive documents with SENSITIVE HIGH data are stored in a steel filing
cabinet equipped with steel locking bar and high security padlock as described in the
SINGAPORE GOVERNMENT INSTRUCTIONS FOR SECURITY OF CLASSIFIED
INFORMATION.
5.5. You shall distribute sensitive documents only to authorised recipients and in a secure manner
that protects the confidentiality and integrity of the sensitive documents.
6. DATA PROTECTION
6.1. To ensure that data is appropriately managed and protected, you shall classify all data in your
control based on the following:
(a) The security classification framework set out in the SINGAPORE GOVERNMENT INSTRUCTIONS
FOR SECURITY OF CLASSIFIED INFORMATION, which classifies data based on (i) the potential
damage to an Agency; and (ii) the potential damage to national security and/or national interests, if the
data is disclosed without authorisation; and
(b) The Information Sensitivity Framework (“ISF”) which classifies data based on the potential impact to
an individual or entity if the data is disclosed without authorisation.
¹ The term “sensitive documents” refers to hardcopy documents or hardcopy equivalents (i.e. portable storage
media containing documents) containing sensitive data.
6.2. You shall ensure that files containing sensitive data² are secured with password and encryption
when the file is distributed through unsecured channels and where there is possible unauthorised
access to the file.
6.3. You shall ensure that encrypted data files and their passwords are securely distributed
out-of-band through separate channels. This is to prevent compromise of both the protected data files
and passwords during transit due to malicious interception or accidental disclosure. Password
hints may be sent in the same channel.
6.4. You shall adopt data file integrity verification measures to ensure the integrity of a file containing
sensitive data, when the file is being transferred between users. Consider using an approved
digital signature with cryptographic hash capabilities (examples include PDF signature method
and WOG signature certificate method) to digitally sign the file to ensure the file integrity.
6.5. You shall distribute files containing data via proper channels that are safeguarded by approved
security measures commensurate with the security classification of the data.
6.6. For new joiners, you shall read through and understand the Data Governance section in the PSD
intranet (PSD Connect). Refer to the link below:
https://connect.psd.gov.sg/CorporateResources/DataGovernance/Pages/default.aspx
7. EMAIL ACCOUNT AND MANAGEMENT
7.1. You shall use email addresses ending with “gov.sg” domain for all official email
correspondences.
7.2. If there is a need to maintain data integrity, you shall use Secure Email or digitally sign the
email messages, or place the messages in attachments and render them non-editable (e.g. PDF).
7.3. You shall not forward official email containing classified data to your personal Internet email
account (e.g., Hotmail, Gmail, Yahoo email, etc.).
7.4. You should include Agency email signatures and a confidentiality caution in ALL email messages
for official email correspondence.
7.5. You shall avoid sending email messages to the general public in a way that can be viewed as
spamming.
7.6. You shall file all emails in the respective Agency Email Management System (EMS), in the respective
division or department folders, in accordance with the Agency filing guidelines.
7.7. You shall ensure only the authorised users receive email containing sensitive data by:
(a) Ensuring that emails containing sensitive data are addressed to the correct recipients;
(b) Using a mailing list for regular mass communication to specific groups; and
(c) Sending emails via Blind Carbon Copy (BCC) when mass emailing to external-to-government parties.
7.8. When sending sensitive data via email, you shall protect the data at the file and email level by:
(a) Password-protecting and encrypting files containing sensitive data (see Section 6); and
(b) Performing data file integrity verification for files where integrity is critical (see Section 6).
8. GOVERNMENT FURNISHED EQUIPMENT (GFE)
8.1. You shall use Government Furnished Equipment (GFE) to store, process or access Government
classified information, except where use of non-GFE has been approved by Head of Agency.
8.2. All GFE issued to you, and its content, shall remain the property of the Singapore
Government.
8.3. You shall prevent unauthorised physical access to the GFE devices issued to you.
8.4. If you are issued with a laptop, you should always secure it to a fixture using the issued cable
lock when the laptop is left unattended. GFE shall not be left unattended in vehicles or in
public areas.
8.5. Portable storage media and other devices (e.g., security token and access card) shall be
removed from the GFE when not in use.
8.6. You shall activate a password-based screen saver or Windows lock, or log off, when the computer
is unattended.
8.7. You shall not connect GFE to untrusted networks nor connect non-GFE to the Government
Enterprise Network.
8.8. You shall ensure that the repair of your issued GFE that contains non-removable data storage is
arranged and supervised by the Agencies’ authorised support personnel only.
8.10. You shall use passwords and/or biometrics to unlock your mobile GFE; weak authentication
mechanisms, such as facial recognition on Android devices or swipe patterns, shall not be used.
8.11. You shall ensure the patch status of your issued mobile GFE is up to date.
8.12. You shall not back up Government data stored on mobile GFE to non-Government devices or
cloud storage services.
9. BACKUP AND RECOVERY
9.1. You shall not store any classified information in unauthorised Public Cloud or personal portable
storage media.
10. MALWARE/VIRUS MANAGEMENT
10.1. You should refrain from opening or copying files from untrusted sources on your GFE.
11. INCIDENT REPORTING
11.1. Report security breaches or suspected security events and take necessary corrective actions as
instructed by Agency management.
12. OVERSEAS TRAVEL
12.1. While you are required to comply with the laws of the foreign countries that you travel to, you are
strongly encouraged to observe the cross-border travel guidelines found in CARRIAGE OF
DIGITAL DEVICES FOR CROSS BORDER TRAVEL when traveling with your GFE containing
government data.
12.2. You shall request a “clean device” from the IT department when travelling to airports with
carry-on restrictions.
13. INTERNET ACCESS
Officers who are granted Internet access by the Government in the course of work SHALL NOT:
13.1. contravene IM8 policies or other applicable ICT security policies, standards and procedures
governing Agency ICT resources and systems;
13.3. transfer classified information from Agency ICT resources and systems to Internet devices;
13.5. use any commercial or private email system for official correspondence;
13.6. use any portable storage media (e.g. personal thumb-drives) which are not issued by the
Government to record or store CLASSIFIED information;
13.7. delay in reporting the loss, theft or compromise of any Internet device or portable storage media
issued by the Agency to the Security Incident Response Officer; and
13.8. engage in any inappropriate, unlawful or unauthorised activities such as the disclosure of
CLASSIFIED information, publication of defamatory materials or infringement of intellectual
property rights.
14. HANDLING OF SECRET CLASSIFICATION
14.1. You shall ensure that information classified as SECRET is not transmitted to any system(s) not
designed for information classified as SECRET to prevent unauthorised disclosure of
information.
You shall comply with the prevailing Instruction Manual, Singapore Government Instructions for
Security of Classified Information and this Acceptable Use Policy (AUP).
Violation of this AUP may result in Agency revoking your access (whether in whole or in part) to
the affected ICT resources and systems. It may also result in the commencement of appropriate
disciplinary or legal action by Agency against you.
DECLARATION
I have read, understood and agree to all the provisions of this AUP. I understand this AUP shall
apply to me throughout my employment / engagement / internship / service with Agency.
Signature : __________________________
Name : Khoo Wei Quan
Agency Name : Goodtech Pte Ltd
Date : 25 July 2023