Privacy Policy
Foreword
Numerous changes in the world of technology have taken place in the recent past, and security in the use of ICT facilities and equipment has therefore become crucial, driven in part by changes in the regulatory environment and advances in technology. There is a need for a guideline that ensures ICT systems, data and infrastructure are protected from risks such as unauthorized access, manipulation, destruction or loss of data, as well as unauthorized disclosure or incorrect processing of data. This contributes to minimizing and mitigating any threat to the continuous provision of essential ICT services such as data and infrastructure.
The Policy provides Mawingu stakeholders and especially the ICT facilities and equipment users with the guidelines for use of the facilities and how they are held to account for the use or misuse of the same. It is hoped that the document will go a long way in protecting the company business against malpractices and ensure smooth flow of information.
This document has been formulated and adopted from the, 2016 as well as from The National Information & Communication Technology (ICT) Policy and is the property of Mawingu Networks Limited. All users should be aware that several network usage issues are covered by the National ICT Policy, violation of which is an offence under national law.
Please note that this document was developed with a startup company environment in mind. It forms part of the other Mawingu Networks Policy Documents and the Company Staff Handbook, and should be used alongside those documents.
The following articles, amongst others, were considered in the drafting of this policy:
• Mawingu Staff Handbook Article 4.1, page 25
• Kenya ICT Law Act, 2016
• National Information & Communication Technology (ICT) Policy, 2019
• Kenya Information and Communication Act, 2019
• ISO 27002:2013 Information technology – Security techniques – Code of practice for information security controls
Objective of the Policy
The objective of the policy is to define the user access management control measures for Mawingu ICT systems, information and infrastructure, applying to both Mawingu Networks users and Service Providers. This policy further seeks to protect the privacy, security and confidentiality of Mawingu’s information. The main objective of this policy is to provide guidelines to users for use of the facilities and how they are held to account for the use or misuse of the same, aiming to protect the company business against malpractices and ensure smooth flow of information.
Scope of the Policy
This Policy applies to all Mawingu Networks stakeholders that use the company’s ICT facilities. These include any person that may access, develop, implement, test, commission and use any ICT based information owned, managed, supported or operated by, or on behalf of Mawingu Networks Limited. Hence all employees, contractors engaged by the company to carry out projects, develop, repair or maintain the ICT resources, suppliers of ICT resources and customers shall comply with the policies stipulated in this document.
General Guidelines:
- All users should be aware that several network usage issues are covered by the National ICT Policy, violation of which is an offence under national law.
- Mawingu network and Internet access resources/facilities are meant for official use by the staff; therefore, use of network resources for personal purposes is discouraged.
- Users should view the ICT resources with a sense of ownership and participation and should actively help to prevent any misuse. Procedures laid down from time to time regarding the management of ICT & network resources, must be understood and followed meticulously by the user community.
- The ICT Department has the right to monitor and scan all information carried by the network for the purpose of detecting and identifying inappropriate use. As such, the privacy of information carried by the network is not guaranteed. The ICT Department is authorized to break open a PC or disconnect it from the network, if called for. However, specific scanning will be done only on approval / post facto approval by a competent authority. This is in accordance with the National ICT Policy.
- Every user is expected to be aware of the contents of this policy document and agrees to abide by its provisions. Once adopted, this policy should be shared with all individuals who use ICT & network resources of the company.
User Awareness and Training
- All users of systems managed by Mawingu Networks must be trained on relevant Cybersecurity and physical security threats and safeguards to increase awareness of their information security responsibilities in protecting the confidentiality, integrity, and availability of Company Information Resources.
- The ICT department, on behalf of the company, will ensure recurring security awareness training to make sure that all employees, contractors and third parties are familiar with and comply with the ICT policy.
Physical Security of Servers, Desktop, Laptop, Thin Client, Portable Devices etc.
- The staff is responsible for the physical security of ICT equipment installed and used, either temporarily or permanently.
- Users must take adequate & appropriate measures to prevent misuse of network from computer systems that they are responsible for.
Network and System Security
- Systems with connections to the public Internet shall be placed behind the Network firewall. Access logs of these systems should be maintained and monitored to detect intrusion from the outside network.
- Use of non-Mawingu Network user hardware and other portable devices to access Company systems or to carry out company work should be authorized by the ICT department through the line manager, and details of the hardware registered.
Use of Licensed Software
- Software programs are covered by copyrights and a license is required for their use.
- Legal, free and compatible alternatives are available for many applications / software and users must evaluate them, rather than straightaway going for software having a cost.
- Users / User ICT Departments must ensure that they have either a commercial or public license (as in the case of ‘free’ software) for any software they install on the systems that they are responsible for.
- Use and exchange of pirated / illegal software over the Mawingu-Intranet is prohibited. It is the responsibility of the line manager of the user department to ensure compliance.
- The downloading and use of software that is not characterized as public domain or ‘free’ is prohibited.
- Use of Open Source Software is encouraged to avoid financial burden and legal complications arising out of license management.
Use of Anti-Virus & Internet/Endpoint Security/Protection Software
- The ICT Department is responsible for installation and maintenance of proper Antivirus or Internet/Endpoint Security/Protection Software or any other security software as prescribed by the ICT Department.
- In case of detection of any issues in the security, the compromised computer/equipment must be disconnected from the Mawingu Intranet, and the ICT Department shall disable the respective network connection.
- Strict action may be taken by the ICT Department against users who deliberately prevent installation of such security software, disable such software or prevent it from running.
- Individual users should take reasonable care of the vulnerability of systems attached to the company network. In particular, users must apply appropriate service packs, browser updates and antivirus and client security solutions in their MS Windows machines, and necessary upgrades, OS patches, browser updates etc. for other systems.
- All additional software installation shall be with the prior approval from the Line Manager.
- Users shall not download or store music, media or any other files where copyright issues may be of concern.
- Users shall not use the company’s Internet facility for running private businesses, or to upload, download, or transmit copyrighted materials belonging to third parties, or offensive, fraudulent, threatening or harassing materials.
Hardware and USB Storage Device
- Users are responsible and accountable for the security of all ICT hardware allocated to them either in office or out of the office.
- Staff shall take appropriate care of all assets under their care/control. Damage caused to ICT hardware as a result of negligence or mishandling of the same, may result in the staff being surcharged.
- Laptops used in the office should be locked with the user password when left unattended.
- Users shall be issued with an Assignment Note which they shall sign upon receipt or upon returning of every ICT hardware i.e. laptop, tablets, workstations or any other company hardware.
- Users shall report any lost hardware to the ICT Department and present their signed Assignment Note to the head of department who will advise on any other requirements.
- USB devices: the company currently does not prohibit the use of these devices. However, users should be aware of the potential misuse of such devices, and the threats that this could pose.
E-mail and Internet
- Internet resources shall not be used for illegal, unethical or unacceptable purposes.
- Use of the internet for non-business high volume traffic over the network which might substantially hinder other users is prohibited.
- The company encourages the use of email and respects the privacy of users. The company shall not routinely inspect, monitor or disclose the contents of email without the consent of the user.
- All emails shall as much as possible be accessed on the user’s official platform as approved by the company unless it is not accessible at the time the user needs to communicate. Use of private emails shall be limited to exceptional circumstances only.
- Information transmitted by email must not be defamatory, abusive, involve any form of racial or sexual abuse, damage the reputation of Mawingu Networks Limited, or contain any material that is detrimental to any party outside the specific business interests of the company.
- Use of internet is permitted for as long as it does not disclose confidential information including but not limited to financial information, staff/customer personal information, databases and the information contained therein, computer/network access codes and business relationships.
Data management
- Employees are not allowed to disclose sensitive information to non-employees without proper authorization.
- All staff are encouraged to use common sense judgment in securing Mawingu Confidential information to the proper extent. If one is uncertain of the information sensitivity, they should contact their line manager.
- It shall be the responsibility of line managers from various departments in close consultation with the ICT Department to ensure data capture, availability, accuracy, confidentiality, and integrity.
User Account & Active Directory Management
- All computers will be administered via Active Directory which will be vital for Central Data Management to ensure that files are accurate and updated. This makes it easier and more efficient to access specific information.
- Passwords are used for various purposes at Mawingu. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection, and local router logins. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), every staff member should be aware of how to select strong passwords, how to protect those passwords, and how frequently to change them.
- Line managers shall formally make user account creation requests on behalf of their staff to the relevant ICT Section for approval.
- Users are responsible for the security of their accounts, password(s) and are accountable for any misuse.
- Users are responsible for their system access and all the transactions and activities carried out on the Mawingu systems using their account, thus credentials should not be shared.
- Incidents where a user suspects that his/her account has been compromised shall immediately be reported to the ICT Security
System Audit and Maintenance
- System audit may be conducted to ensure integrity, confidentiality and availability of information and resources as well as investigate possible security incidents, ensure conformance to Mawingu ICT Policies and monitor user or system activity where appropriate.
- System maintenance includes any activity which requires a system or systems to become unavailable to users for a certain period, for the purpose of upgrading, reconfiguring, modifying, replacing, changing it, and servicing. Maintenance includes, but is not limited to software changes, hardware changes, network changes, patches, fixes or cabling.
- The ICT team will schedule any planned systems maintenance at a time which has the lowest impact on the company. Such maintenance will be scheduled outside the normal company hours of operation.
- Only ICT support staff are authorized to install or modify software and to transfer and update data on company hardware. Any other persons shall require specific authorization through their line managers.
Statement of Compliance to the Policy
- The ICT department and line managers shall be responsible for enforcing these policies and taking appropriate action where there is non-compliance.
- Failure to comply with these policies may result in any of the following actions being taken:
i) Cancellation or suspension of use of any ICT facilities, systems or technologies,
ii) Payment for loss, damage or repairs,
iii) Civil or criminal liability under applicable laws,
iv) Disciplinary action under any other appropriate Mawingu policies including suspension, expulsion or termination of employment.
v) Any other action that Mawingu Networks deems fit.
- Where otherwise stated or approved, exceptions to this policy MUST have prior approval of the CEO, Line Manager, or equivalent and if it is of material nature, the management must ratify such changes.