
INTERNET & E-MAIL POLICY FOR GOVERNMENT DEPARTMENTS

2011


Preface

The world has undergone rapid transformation in the field of information sharing and cyber technology over the last few decades. The Internet today has become a far greater player than it was ever conceived to be. Information warfare and spying are major players in it, alongside its many roles in today's society and governance. Tremendous growth and change have taken place since the last Internet and E-mail Policy was issued by the GoP. These changes and deficiencies have raised serious concerns over the presence and ingress of the Internet in our society and government sector. It is therefore extremely important to educate its users on what can be done with it, both in terms of its merits and its demerits.

In view of the sensitivity of the matter, the GoP has made great efforts to adopt complete automation for e-governance and paper-free environments, and to adopt secure and reliable communications on all electronic media. At the same time, many information losses have come to light in the last few years, and when weighed against its advantages, in many respects the disadvantages have been predominant. The term e-mail has largely been misunderstood and misused in many public sectors. Equally, some government departments have in several forms started carelessly using it as an official medium of communication, resulting in leakage of vital information through hacking and spying on sensitive government departments, thus warranting the isolation of official business from the private exchange of information.

The open IT and networks government policy, deregulation, privatization and technology-neutral licensing by the PTA have alarmingly exposed the country's cyber space, and with it everyone in the public sector. Pakistan's peculiar geo-political environment, including terrorism and foreign-sponsored atrocities, is no less a reason to revisit our ICT-related policies. It was strongly felt that we must turn towards regulation of the use of the Internet and E-mail in the public sector. Some basic policy parameters have therefore been addressed in this document, and their forceful enforcement will contribute towards individual and departmental protection from any possible intrusion and hacking from across the world, thus contributing to safeguarding our national security interests.

INDEX

S. No.  Topic                                                        Page

1.  General                                                          5

2.  Aim and Policy Objectives                                        6

3.  Applicability / Scope                                            8

4.  Glossary of Terms                                                9

5.  Internet Usage Policy in Government Business                     9

6.  Acquisition of Internet Connection Facility                      11

7.  Security Audit of IT Systems / Infrastructure                    16

8.  E-Mail Policy Guidelines                                         18

9.  Hosting of Government Web Portal/Websites and Mail Servers       23

10. Establishment of Central E-mail Service Network (LAN/WAN/MAN)    26

11. Monitoring of Internet and Network Traffic                       27

12. Rules / Code of Conduct                                          29

13. Miscellaneous Aspects                                            30

14. Training Parameters                                              32

15. Conclusion                                                       40

16. Annexures (A - C)

General
1. Pakistan over the last ten years has made exemplary progress in the promotion of the Internet and IT&T. The GoP encourages government organizations and their employees to take advantage of new technologies to improve systems and remain current on matters pertaining to their charter. The continued effort of the relevant departments is gradually shifting the functioning of government offices to a paperless environment. A number of steps have been taken, while others are in progress, to provide the necessary hardware and software to equip all offices of the Federal Government to use these modern tools, enhance their proficiency and improve their responses to public demands.

2. With the increased penetration of the Internet, our dependence on this medium, or as people call it, this great resource, has also tremendously increased. Every walk of life, and particularly government offices, has freely adopted the use of electronic mail. This over-automation of systems simultaneously places certain demands on users and organizations to be aware of the related exploitation of cyber space by unauthorized elements and hostile quarters from across the globe. It should be understood that Internet proliferation is a predominant factor contributing to the expansion of cyber space. The use of the Internet and E-mail in government departments therefore needs to be reassessed and regulated.

3. This document will clarify the misnomers and ambiguities that are very often confused with the general IT terms used outside government functions, and shall focus on the provision of Internet facilities, restrictions on the inappropriate use of free e-mail (Hotmail, Yahoo Mail and Gmail), and government-hosted webmail for the purpose of bridging the digital divide. The hosting of websites and the placement of carefully selected content, while keeping classified government data separate from it, will also be spelled out. The use of electronic media to conduct government business and to communicate with other offices within Government and with the general public, without exposure to cyber space hazards, will be the guiding principle.

4. While the modern tools and services offer enormous facilitation, they also expose systems to great vulnerabilities through inadvertent or deliberate actions by organizations or individuals disclosing classified information in an unauthorized manner or for unlawful activities. There is thus a need to lay down a policy framework for government organizations to use these tools and services in an organized manner that ensures the security of information and networks. Cabinet Division, in consultation with various stakeholders and with the assistance of technical and security-related organizations, is instituting this policy to help Government organizations and individuals benefit from the availability of E-Mail, the Internet and organizational websites in a manner that facilitates government use of the Internet while national security is not compromised.

Aim / Policy Objectives


5. The aim of this policy is to establish a culture with an enforceable and auditable framework and directives so that, while going paperless, official business remains secure. At the same time, the systems covered in the policy are to be used for official business to serve national interests through the Federal / Provincial Governments, thereby enhancing operational efficiency. It is the responsibility of every computer user and organization to follow these guidelines in letter and spirit, to ensure optimum efficiency without compromising the security of official information.

6. The policy aims at achieving the following objectives:-

a. To elaborate / clarify the distinction between free e-mail (through the Internet cloud), webmail through Government of Pakistan hosted departmental webmail services, and the government central mail secure network (EGD managed fibre Intranet).

b. To provide guidelines / directives to government organizations on the use of electronic means of communication (E-Mail, file servers, networks, web sites / portals) for the exchange of classified or unclassified official correspondence / government data in a controlled, secure and efficient manner through a non-web-cloud mode.

c. To define electronic mail within government, explicitly its network infrastructure, and to identify its role, besides the judicious use of the Internet by government functionaries without affording undesired hostile ingress.

d. To provide broad guidelines / directives on web and mail server hosting, bandwidth provision, usage and care.

e. To institute a system of periodic technical audit to assist government organizations in managing the design / establishment and deployment / maintenance of a secure and reliable data-network-enabled environment.

f. To institute / promote the exchange of electronic mail business between various government organizations / departments (Federal / Provincial), Divisions, Ministries, autonomous bodies and semi-government organizations through a government owned and operated Intranet / dedicated terrestrial network without access to the global Internet cloud.

g. To encourage the isolation of Internet-connected PCs from official networks and classified information, and to discourage the use of free-mail platforms / services such as Yahoo, Hotmail and Gmail in conducting government business / official correspondence.

h. To unambiguously lay down policy and educate government officials on the use of secure and reliable means of communication, avoiding direct Internet connectivity on computers carrying sensitive data, including indirectly through external storage devices such as floppy disks, CDs, flash drives, hard drives etc.
Applicability / Scope

7. This policy, as formulated for Internet usage, electronic mailing and the exchange of classified information as defined in the document on Handling of Classified Matters in the Government Departments, will be applicable to:-

a. All Ministries, Divisions and Government Organizations under the Federal Government.

b. Provincial Government departments, Divisions, Districts and offices, and government organizations.

c. All government funded projects and programs, whether completed, proposed or in progress.

d. All existing and future IT systems / PCs and connections, forthwith.

e. It replaces / supersedes the existing Internet and E-mail Policy for Government Departments issued by Cabinet Division (NTISB) in 2005.

8. Policy Updates. Internet technology is fast changing in several respects, and so is the need for updates. A variety of platforms are now operative and contributing towards Internet proliferation. New services and challenges accordingly pose multifarious threats; therefore this policy needs to be upgraded as frequently as developments warrant. In this regard the following parameters must be adhered to:-

a. This policy will be reviewed from time to time in response to changing operational, technical and legislative requirements.

b. All instructions issued by Cabinet Division (NTISB) from time to time will be taken as immediate updates, complied with, and duly incorporated in the existing policy.

c. It is the responsibility of users to keep themselves abreast of the latest trends in IT and cyber technology as per the requirements of the policy.
9. User Acknowledgement. All Internet users in government departments will be required to acknowledge and sign the following certificate statement before being allowed access to Internet services:-

"I have read the Government's Internet / e-mail acceptable use policy and fully understand the terms and conditions and agree to abide by them. I also agree to abide by the terms and conditions relating to the Internet activity undertaken by me, including the addresses of websites visited or attempted to be visited and any material transmitted or received (directly or indirectly), and I understand that violation of this policy may lead to disciplinary action, including termination of service / employment, and could also lead to personal criminal prosecution."

Glossary of Terms

10. Relevant definitions are placed at Annex-A.

Internet Usage Policy in Government Business


11. Internet services provide a great source of information and can be accessed through multiple means / technologies, including dial-up connection, DSL, wireless broadband, mobile phones etc. Advancements in technology have made the Internet available everywhere: at home, in the office, in hotels and on the move, even in the air. However, any computer connected to the Internet is intrinsically vulnerable to eavesdropping and hacking by intruders. This inherent weakness therefore calls for stringent measures to be adopted to ensure the security of official information and data. At present there are three distinct sources of acquiring Internet access service in Pakistan, namely PTCL, NTC and many other private companies / ISPs including COMSATS, Wateen, Warid, WiFi and Wi-tribe etc. In order to protect information system resources from hackers and make users aware of the effective / secure use of the Internet in Government organizations, the following guidelines / directives have been evolved to provide secure working parameters for strict compliance.
12. Internet Authorization. The use of the Internet in official business and in our private lives has different connotations and has to be understood accordingly. It must be understood that the Internet is a double-edged weapon: while it gives us knowledge and information, it is also a tool for intelligence gathering. Once this message has been understood, the head of the Ministry / Organization / Department may authorize the Internet on a requirement basis. Security lapses or loss of information through this global hole will also count against the authority concerned. The following policy guidelines will act as basic parameters for future compliance:-

a. Internet use at organizational level will be allowed by the Controlling Authority (Head of Organization), i.e. a Secretary / Joint Secretary of BPS-20 or above within the federal and provincial governments.

b. Having been duly authorized, a government organization can apply for an Internet connection through NTC, provided the nature of its work so warrants.

c. The Controlling Authority will decide which employees of his / her organization should be provided with Internet access. Proper coordination is necessary between the Controlling Authority and the Network / System Administrator(s) to ensure the provision of Internet services to authorized users only.

d. Use of the Internet at the residence will be dealt with as per the procedure in vogue. All restrictions applicable to an office connection will also apply to a connection at the residence.

e. Private use of the Internet by government employees at their own expense is permissible, provided the computers used for such purpose contain no official business in any context and no USB / memory stick containing restricted material is swapped between them.
Acquisition of Internet Connection Facility

13. Acquiring an Internet connection for offices / official purposes from commercial operators can be damaging. A large number of ISPs are operating in the country, but as per the PTA Re-org Act, the provision of government business communication services, including Internet and Data / IP bandwidth, remains the responsibility of NTC. Therefore, Internet access through portable wireless devices, hotspots, cell phones, WiFi and wireless broadband services etc is not recommended for government users / officials. In this regard the following rules of business will be applicable as broad future guidelines:-

a. As per the given mandate, NTC is responsible for providing Internet / IT services to all Government organizations / departments where available. Therefore, all government organizations are required to approach NTC for the provision of these services as their foremost obligation.

b. In areas where NTC network infrastructure is not available, NTC will make short-term / provisional arrangements or refer the clients to COMSATS Internet Services (CIS) as a secondary option for the provision of these services to government organizations / departments, and will issue a time bound NOC until NTC Internet services become available in the area.

c. If COMSATS Internet Services (CIS) also shows its inability to provide these services, the user organization will be required to present its requirement to Cabinet Division (NTISB) for the issuance of a time bound NOC for the acquisition of these services from other ISPs as a special case.

d. Cabinet Division (NTISB) will decide on a case to case basis and issue a time bound NOC for obtaining Internet / IT services from other ISPs, subject to security / technical evaluation by the NTISB Network Security Evaluation Team.

e. A mutual agreement will then be signed by both parties (the requesting organization and the ISP) regarding the security aspects, clarifying the responsibilities / actions in case of any disaster / security breach.

f. The respective government departments / organizations will be responsible for checking uncontrolled and unauthorized access to their IT systems / network infrastructure.

14. Use of Internet at Office. The following policy guidelines will apply in this regard:-

a. Official networks (LAN / WAN / Intranet / PCs) will not be connected to the Internet under any circumstances.

b. An independent, separated / standalone computer will be used for Internet access.

c. Internet access can be extended to more than one terminal through a proxy server, preferably in a separate room. None of the clients in this LAN will hold any official data / document / information.

d. All computers employed for the Internet must be configured with appropriate security measures (antivirus, firewall, IDS / IPS etc).

e. All computers used for the Internet must be marked with a red sticker reading "Only for Internet. This computer must not be used for official purposes."

f. Data downloaded from the Internet can be transferred to the official network / computer on USB / CDs only after proper scanning through an updated and approved antivirus, and after certification by a network administrator that it contains no malware or exploits. USB / flash drives must be sanitized / low-level formatted and cleaned every time they are connected to the office network / PC.

g. For electronic mailing through the official mail service / portal, it is recommended that an uploading point, properly configured with antivirus / anti-malware, be established through which the user can upload data to the official network after obtaining permission from the senior officer responsible for the purpose.

h. Updating of antivirus / malware definitions must be checked by the administrator / maintenance team on a regular basis.

i. A record in the form of automated logging must also be maintained. All other USB ports in the network must be disabled.

j. Laptops, including notebook PCs, handheld and mobile-based PCs used for official purposes, must not be connected to the Internet.

k. An officer authorized to have Internet access at his working desk will use it only through the computer issued for the purpose.

l. Internet-provided storage places must not be used for storing official data (including e-mail accounts, for example Hotmail, Yahoo, Gmail etc).

m. Authorities must exercise strict control to monitor the activities of users over the Internet through auditing / logging procedures.

n. Government employees are barred from using Facebook, YouTube, Twitter, Orkut, MySpace and other social networking sites / forums through official networks / PCs and even standalone Internet PCs, unless authorized in exceptional cases by the competent authority.

o. Playing online games, chat and other interactive entertainment modes is prohibited, as these can conveniently lure users into being hacked.

p. Access to and from the Internet-connected PC must be controlled, both for employees and for movable storage devices.

q. No official classified documents will be allowed to be converted into different formats (MS Word to PDF, PDF to MS Word etc) through free online private web-based applications.

15. Security and Legal Parameters for Use of Internet in Office

a. Overall, the head of the office is responsible for the security of the Internet connection and its legal use. However, he can designate an officer not below BPS-17 as Information / Internet Security Officer to implement and monitor the policies regarding the use of the Internet. This officer will work in close coordination with the Network / System Administrator.

b. The official Internet connection shall only be used for the purpose for which it was authorized. No private business or activity will be allowed, for reasons of safety and security.

c. The organization / department will ensure that no classified information / data is uploaded through the Internet connection by any employee, knowingly or inadvertently.

d. While browsing / searching on the Internet, only suitable ports / protocols are permitted. Unwanted logical ports may be blocked for the sake of safety.

e. Browsers facilitate spying / intelligence gathering for their masters; therefore be aware, and do not visit potentially dangerous or unwanted sites.

f. Avoid free downloads lest your machine is infected / compromised.

g. Regular, periodic and as-required cleaning of computers by a designated team is to be carried out and logged.

h. Pop-up updates and warnings can be a fatal trap and must be avoided. Only system administrators should be consulted for updates and configuration, if the need arises.

16. Use of Internet Facility at the Residence. Any officer who is authorized the use of an Internet connection at home shall not transact classified business from home. The policy remains equally applicable to a PC / Internet connection at home. Any person involved in violating the policy instructions is liable to be dealt with under this policy.

a. A private Internet connection at home, though not prohibited, should only be used for the purposes that were given while justifying the need to obtain the connection.

b. Official web dealing through private Internet connections is prohibited, and PCs used for such connectivity must not be used for official work even when they are not online.

c. If a person is issued an official laptop, it must not be connected to the Internet.

d. Official data / information so accessed must not be stored on private computers / mass storage devices.

e. Any data downloaded on a home computer must not be transferred to the official network without prior permission from the security officer made responsible for the purpose; after proper scanning through antivirus and anti-malware it may be allowed.

f. A proper record must also be maintained of all data either uploaded to or downloaded from the network system / PC.

17. Storage of classified official data, files and tables on free shared media on the web is therefore prohibited. There is a tendency to use the free space provided by Hotmail, Yahoo and other forums for carrying information between home and office, or from one office to another, without a physical storage device. This practice will not be permitted within government offices.
18. Use of Storage Memory Devices. Movable storage devices like USB / flash drives, hard disks, memory sticks, cameras, mobile phones etc are essential tools for downloading or uploading information between an online PC and an officially connected computer used offline or as part of a LAN containing classified official business. All such devices must be sanitized properly before connecting them to the Internet PC; however, they remain a grave concern, as they can compromise classified / sensitive non-shareable information without the user's consent.

19. Use of Laptops. Laptops, often used to carry important data / information of an immediate nature, must not be used to connect to the Internet, particularly the latest / newer models, which are understood to be root-kit enabled with Wi-Fi connectivity. Wi-Fi / Bluetooth should be disabled as a matter of policy. This policy also applies to government departments / users abroad, who need equal care and safety practice.

20. Use of Mobile Phones. Since Internet access is also available through cell phones, the relevant clauses given herein at paras 13, 14 and 15 equally apply to Internet and e-mail usage through mobile platforms. Extreme care / caution is to be exercised while using the Internet facility for official transactions on mobile phones, iPhones and BlackBerry devices, as these devices / services are highly susceptible to monitoring / interception by hostile agencies.

21. WiFi / Wireless Broadband Services. The use of WiFi / wireless broadband services in the present global scenario has become an extremely common public facility, extending direct wireless Internet connectivity to clients. With medium-grade security, these services enable easy access with reasonable effort and cost to their users. With growing competition in the field of telecommunication, these services have also been adopted by Government organizations / departments for undertaking free transactions of government business. Under the prevailing security environment, these services, besides their added benefits, are also likely to be jammed, compromising network security, and hence must be discouraged and kept to the minimum possible use. However, in case an organization wishes to use these facilities, the following conditions will be applicable as future guidelines:-

a. The user organization / department will be required to process a case to Cabinet Division (NTISB) for due approval prior to obtaining WiFi / wireless broadband connectivity.

b. Accordingly, a time bound NOC will be issued by NTC to the user organization prior to hiring these services. COMSATS Internet Services (CIS) will be the second option, and in case of the inability of both NTC and CIS to provision such services, Cabinet Division (NTISB) will issue a time bound NOC for hiring these services from other ISPs, subject to security / technical evaluation by the NTISB technical team.

c. The user organization will be solely responsible for the protection of its departmental business / data / website from any misuse or hacking. All necessary preventive / safeguarding measures will be taken to ensure fool-proof security of the official data residing on the user organization's servers / machines.

d. The services will be auditable to ensure their competency / security, and this will be clearly mentioned in the First Layer IT Security Audit Report for re-verification during the 2nd and 3rd Layer IT Security Audit of the system / IT network infrastructure of the user organization.

e. All existing rules / instructions for other Internet services will equally apply to these services.

f. The Network Administrator / CA will exercise strict control over the secure provision of its services to its users / clients and over the necessary security settings in the IT systems / devices, to avoid any misuse / leakage of sensitive information.
Security Audit of IT Systems / Infrastructure

22. All Internet-based e-mail, and the data exposed thereby, is subject to government security audit by NTISB / designated auditors. Every department will have an IT security audit carried out for its own safety and information security. In addition, NTISB will carry out IT security audits with the support of a composite team at regular intervals, as well as through spot programs, as per existing policy and its charter of duties.

23. Network Security Audit. For network security audit purposes, a three-layered Network Security Audit approach will be adopted.

a. First Layer. Consisting mainly of System Administrators / Network Administrators and the Coordinator at Ministries / Divisions, and System / Network Administrators and security specialists at the Data Centre, this layer will be responsible for ensuring the correct and secure handling of systems as well as the correct implementation of guidelines / directives on the subject.

b. Second Layer.

(1) A technical audit of the System / Network Infrastructure of each Government Organization will be carried out periodically by a technical committee constituted by Cabinet Division, with the following members, as the Second Network Security Audit Layer:-

(a) Cabinet Division (NTISB) - Permanent

(b) IT & T Division (EGD) - Permanent

(c) Agency concerned - (depending upon the Organization concerned)

(d) Any other co-opted member, if required.

(2) The committee will carry out scrutiny to ensure implementation of the above mentioned policy guidelines with respect to the following:-

(a) Systems / Network architecture.

(b) Vulnerabilities of licensed and customized applications.

(c) That no information system / PC is connected to the Internet or a wireless network.

(d) Implementation of instructions issued from time to time.

c. Third Layer. IT&T Division will establish a specialized / certified Federal Network / Cyber Security Audit Cell in consultation with Cabinet Division (NTISB), comprising experts from Government officials and hired local experts (as and when required). This cell will carry out the detailed Network / Cyber Security Audit as covered under the National IT / Cyber Security Policy, in accordance with the guidelines / standards developed for the purpose. Organizations shall perform an Internet Security Audit at least once a year under the guidelines provided by the policy. Violation of these instructions can lead to the withdrawal or suspension of the right to use systems / network privileges, and necessary disciplinary action will be taken against defaulters as per the laws and regulations in vogue.

24. IT Security Guidelines. Attached as Annex B.

Electronic Mail (E-Mail) Policy Guidelines

25. While mailing facilitates instant communication between government offices and helps in maintaining contacts externally, it has meanwhile turned out to be a major security threat in cyber space. Social engineering and e-mail associated services like Facebook, YouTube, Orkut, Twitter, MySpace, Wikipedia and blog forums are being used to compromise government information systems and therefore pose a potential danger to every automated information system, database or established network infrastructure in the government. Being a nuclear nation, the country is a target of all those who want it to fail, through cyber war tools instead of open war. It is in this context that the need for the issuance of an e-mail Usage Policy is felt for government e-mail users.
26. This policy document clearly distinguishes between Free E-mail (Yahoo, MSN, Hotmail and Gmail etc), Webmail (through locally hosted webmail servers within the government ambit, providing an outside interface to deal with public business and bridge the digital divide), and Electronic mailing between government departments in secure environments. The third type of electronic mailing can be achieved only through a non-Internet terrestrial cloud network established through fibre or cable. The following broad policy guidelines will be followed for the provision of E-mail services within a Government Organization:-

a. A secure e-mail network for government business will be established.

b. The Head of a Government Organization will retain administrative control of the network established in his / her domain.

c. The Controlling Authority will decide which employees / designations of his / her organization should be provided with an e-mail address.

d. E-mail addresses of all users within a Government Organization will be created and notified according to a systematic listing scheme by each Government Organization, duly guided / supported by EGD, and published in an e-mail directory issued by the Cabinet Division (not through websites / Internet media).

e. To serve as legal documents, all e-mails must be maintained on the mail server for legal audit / documentary purposes. Users will download their official copies of the e-mails to their PCs and will retain local hard copies as per the procedures in vogue for record. Archival of e-mails may be made mandatory for all organizations for their record.

f. The e-mail archiving period will be one year, and archives will be handled as per the rules of business applicable to government documents.
g. The electronic transfer of files/ email within government
departments must never be confused/ mixed with Internet based
email like yahoo, hotmail, g-mail etc.

h. E-Mail can be used for exchange of draft documents, exchange of


general information, scheduling of internal office meetings,
comments/ draft minutes of meetings, circulation of office
messages and other drafts etc within Government offices.

i. Digital Signatures/Digital Certificates (when issued) must be used


for authentication purposes in e-mails. Supporting Server and E-Mail
client software should be installed to make use of PKI (Public Key
Infrastructure) as and when instituted.

j. Need for Certification Authority within government is felt


mandatory for which Ministry of IT to pursue/ establish a CA
(Certification Authority) within Government of Pakistan.

k. Government organizations, where centralized e-mail systems are


not provided, can use point to point communication option for
transfer of files/e-mail with commensurate encryption.

27. Free E-mail through Web Cloud. Since the time the Internet was
introduced, everyone has been using Hotmail, MSN Messenger, Yahoo mail and Gmail
for free exchange of information through these mail servers. Incidentally, this is
the kind of e-mail service which is not under users' or government control;
it is totally housed, transported and managed by Microsoft / foreign IT
based resources. It is totally unsafe and banned from being used for any
government business. Connection of any such e-mail / Internet facility is
prohibited under this policy. Some users fail to realize that all these mails, user
IDs and passwords reside on a foreign provided server and are in their total control.
Use of free mail servers, so provided, and storing information therein is strictly
forbidden for official use in all government business.
28. Webmail Service Policy. Web-mail service under this policy implies
e-mail services through officially hosted mail services under the government portal
www.pakistan.gov.pk and other mail servers exclusively hosted within Pakistan.
This mail service is to interlink international customers and citizen services and to
provide access to government for conducting government transactions and
similar other functions peculiar to that department. The following will apply:-

a. Principally, NTC services will be used by all government
organizations / departments for hosting all such websites and mail
services. Where NTC infrastructure is inadequate, COMSATS Internet
Services (CIS) will be entrusted with the responsibility for hosting of
web-mail servers through a time bound NOC from NTC.

b. In case of inability of both NTC and CIS, or for any other compelling
reasons, Cabinet Division (NTISB) will be approached for issuance of
a time bound NOC to use the services provided by other ISPs,
subject to security / technical evaluation by the NTISB Network
Security Evaluation Team.

c. Web mail servers for those departments that have to do public
dealing or communicate globally may be hosted within Pakistan
through NTC.

d. The mail server management will be the responsibility of the respective
department / EGD from the content management and security point of
view.
29. Departmental e-mail / web-mail archival policy will be approved by the
head of each organization (Controlling Authority) and e-mail records must be
maintained / exist in accordance with the approved policy. Each and every
user of these facilities will be responsible for going through the contents of the e-mail /
web-mail policy prior to formal commencement / usage of these services and
forwarding a certificate in this regard to the IT section / Controlling Authority of the
concerned department.

30. Web Mail Service Precautions. For web browsing and web-mail
services the precautions as under are to be followed:-
a. All PCs containing data RESTRICTED and above must be
protected with a Basic Input Output System (BIOS) and screen
saver password to prevent unauthorized access / physical walk-in
attacks. Screen saver settings are to be set for 5 minutes or less of
non-activity for activation. Reactivation must be ensured through
the login password.
b. Users will be held accountable for any action that has taken place
with their user ID and password.
c. A weak password is one that is either too short or easily guessed. It
is also the most common method used by intruders to get into
systems. Unfortunately most users don't choose good passwords.
d. Passwords must be changed regularly, at least once a month.
Where the nature of data dictates higher security, the frequency may be
increased to at least once a week.
e. All Government Organizations should notify their respective IT
Security Officer Coordinator and Network / System Administrators,
who should notify NTISB & EGD, IB and FIA in case of suspected loss or
disclosure of sensitive information as well as physical access
through hacking or attempted hacking through internal or external
networks.
f. CERT, as and when established, must provide a valid contact of their
organization's security officer to assist their information system
under crisis.
g. The use of the Internet facility for personal use, including e-mails, games
and chatting etc., will not be allowed on any official connections /
PCs.
h. Unauthorized encryption software will not be used by any
user / organization unless duly authorized / certified by the NTISB.
i. For information security during transmission, the files / data to be
transferred will be encrypted with a commensurate encryption
algorithm so that the level of secrecy is ensured during transmission.
Department of Communications Security (DCS) will provide
encryption software both for Inter / Intra government exchange of
classified documents and to MoFA for secure communication with
missions abroad.
j. No facility for walk-up network connection will be provided in
any of the networks, i.e. LAN, WAN or Federal Intranet.

31. Central Mail Service Network Using LAN/WAN. E-mail in letter and
spirit is the electronic mailing platform for government business conducted
between one government office and another. A special Metropolitan Area Network
(MAN) for the purpose is already laid down through EGD for electronic
exchange of information from ministry to ministry, departments and other
autonomous bodies. All such exchanges will be over terrestrial ground based
networks for sensitive official government business that in no way should be
exposed to outside agencies. This connectivity may take place in two phases:-
a. Phase 1. At the first stage Federal Government Divisions, Ministries
and departments will be connected through a MAN/WAN.
b. Phase 2. Subsequently, network infrastructure for connecting the
Federal Government to Provincial Governments' networks will also
be established so that all electronic information exchange
within government takes place without going through the
Internet. For the first stage the Fiber Ring laid for FGDC by EGD through
NTC will be used for Federal government mail services.
Hosting of Government Web Portal/Websites and Web Mail Servers
32. Government portal, websites and mail servers are some of the public
interface platforms that enable a carefully calculated dialog with citizens,
organizations and worldwide exchange of information through an
infrastructure of hardware, software and network nodes that are exclusively
provided for outward interface, essentially separated from government internal
networks and databases. Special care is therefore exercised to provide
secure and spam free bandwidth for government networks, and secure
hosting with structured configuration of network devices / routing tables,
protocols and ports that provide multilayered protection. The following policy
guidelines will enable the future course of action in hosting government websites:-
a. Web Hosting. All the government departments will place their
bandwidth requirements with NTC, informing Ministry of IT and NTISB.
Government websites / mail servers will be hosted under secure
hosting environments by NTC through its own IP bandwidth and
servers.

b. Websites (External and Internal Portals) of Government
Organizations. The government web portal for the federal
Government of Pakistan has already been created as
www.pakistan.gov.pk. Websites have been developed and hosted
for all Ministries / Divisions as per standard format. All new websites
on a need basis can be evolved and hosted through the same platform
utilizing NTC infrastructure. It may be mentioned that hosting of
websites and mail servers abroad is a potential threat and by now
enough infrastructure at national level exists for shouldering these
responsibilities. All Government Organizations will nominate a
system coordinator (preferably conversant with Information and
Communication Technology) not below the rank of a Joint
Secretary (BPS-20), who will be assisted by System / Network(s)
administrator(s) and will be responsible for the following. The guidelines
given below will be followed to achieve maximum benefits while
ensuring security of information:-
(1) Ownership of the website / mail server of the respective
government ministry / organization etc.
(2) Content generation / updating the information on the website
of the respective Government Organization on a regular basis (at
least twice a week) and on occurrence, and also ensuring
correctness of uploaded information.
(3) The tendency to put every development / event on the website
may not be in national / organizational interest because this
information could be exploited by hostile elements across the
globe. Avoid providing avoidable lead information.
(4) Ensure that no classified information is placed on the website of
the Government Organization and also ensure compliance with
the parameters defined in the Freedom of Information Act
2004.
(5) Coordinate provision of essential information requested by the
general public and answer their queries / e-mails promptly and
with responsibility so that public trust in the system is maintained
usefully.
(6) Exercise overall administrative functional control of System /
Network(s), E-Mail and Internet services within the Ministry /
Division.
(7) Ensure that the FTP password is protected by the webmaster, who
shall be an employee of the organization.
(8) Content updation through a shared webmaster is
recommended where a dedicated professional is
non-economical.
(9) Ensure the Internet is not connected to official Network / computer
systems by any standard.
(10) Webmaster services shall not be outsourced.
c. All Government Organizations and their related setups should
migrate to the official government portal (www.pakistan.gov.pk),
unless there are compelling reasons to continue on their own web
sites and NTISB issues an NOC in consent with EGD and NTC.
d. NTC / EGD may however consider hosting in clusters to avoid single
point failure and bandwidth choking, given the likelihood of being vulnerable
to hacking attacks.
e. Government Organizations will ensure that no commercial
advertisement appears on their official website.
f. Hosting / Development of websites (where not yet initiated) will be
done in consultation with IT & T Division / EGD. They may also register
their domain names (i.e. www.xyz.gov.pk) with the help of EGD.
g. In addition, the personnel responsible for managing website(s) are to
ensure:-
(1) The website does not include web forms, e.g. login fields etc., for
updation of information, in order to deny possible hacking
attacks.
(2) The website is managed through the File Transfer Protocol (FTP)
account provided by the web hosting service provider or through
the centralized Control Panel provided by the web hosting service
provider.

Establishment of Central E-Mail Service Network (LAN/ WAN / MAN).

33. All Government Organizations will be interconnected through a secure
network, preferably optical fiber, which will be terminated at the Central
Electronic Mail Service Center for exchange of information / official mail
between government offices. This mail network hub will be specially
established for secure inter-ministerial / divisional exchange of
official mail / information under the following parameters:-
a. Information Technology & Telecommunication Division (IT&T Div)
shall set up a Federal Government Secure Intranet through
Electronic Government Directorate (EGD) for providing inter-connectivity
between the Federal Government Divisions through a
high speed Metropolitan Area Network (MAN).

b. This Central Mail Storage and Exchange Facility, built on a versatile
hardened electronic mail server, will be configured and made
operative by EGD.

c. To accord due privacy according to the classification of
information during transmission and storage, the information will be
encrypted. Encryption keys freely downloaded or acquired from the
open market are not safe and hence prohibited. The encryption
algorithm will be provided by NTISB (DCS) so that the security grading
of the document is maintained during transmission through this
electronic system.

d. It will also provide central management, a technical support
helpdesk and monitoring of the Federal Government's entire
electronic mailing without going through the Internet.

e. The Federal Government mail service facility will maintain both
classified / unclassified information.

34. Salient Features. The policy is essentially based on the above
infrastructure to connect various Ministries and Divisions through the central mail
service network for exchange of classified / unclassified information. Salient
features of the user related architecture are as under:-

a. Head of Government Organizations, personally or through his
nominee, will retain the Administrative Control of the network
established in their domains.

b. Network / System administrator(s) under the overall control of the
controlling authority in the respective Government Organizations will
manage the IT Infrastructure in his / her organization.

c. Mail service will be so configured that a record of all
the electronic information will be maintained by the Mail service
administration for a period duly defined by the respective
organization conforming to the rules of business.

d. An audit culture will be created and encouraged by heads of
department / organization so that security of the system is ensured
systematically.

e. Federal Government Email Centre will be the main service provider,
with responsibilities which include issue of e-mail addresses,
networking and operation of the secure mail Centre.

Monitoring of Internet and Network Traffic

35. Internet and its allied resources as provided by the GoP are for business
purposes only. Therefore, the GoP maintains the right to monitor the volume of
internet and network traffic, together with the internet sites visited. The specific
content of any transactions, however, will not be monitored unless there is a
suspicion of its improper usage.
a. Acceptable Internet Usage Policy. The Government of Pakistan
(GoP) encourages Government Organizations and their employees
to use e-mail, internet, organizational web sites and other means of
electronic media to conduct the business of Government, to
communicate with other offices within Government and with the
general public, to gather information relevant to their duties, and
to develop expertise in using such tools and services. However,
GoP has a policy for the use of the internet whereby employees
must ensure that they:-
(1) Comply with rules and regulations imposed by the Federal
Government and its subordinate bodies as issued from time
to time.
(2) Use the internet in an appropriate way.
(3) Avoid creating unnecessary business risk to the
Federal Government by their internet misuse.
(4) Understand and practise safe browsing. Avoid sites that attach
viruses, Trojans and exploits.
(5) Do not visit illegal / shameful / objectionable websites with a
pornographic and social engineering profile.
(6) Avoid visiting / browsing sites that promote terrorism, ethnicity,
religion, racism, injustice, sexual abuse or invite hackers.

b. Unacceptable Usage and Behavior. The following, in particular,
specify unacceptable usage and behavior by Government
employees:-
(1) Hacking / Attempted Hacking / Intrusion.
(2) Using the Government owned computer to commit or
perpetrate any type of fraud or software piracy.
(3) Visiting offensive websites that contain obscene, hateful,
pornographic or otherwise illegal contents / objectionable
sex / porno material.
(4) Use of the internet for sending offensive and/or harassing
material to others.
(5) Downloading commercial software or any copyrighted
material from the various torrent sites etc. unless this
download is covered or permitted under a commercial
agreement or other such license.
(6) Publishing defamatory and/or knowingly false material
about the Federal Government and/or its subordinate
Governing Bodies or colleagues on social network sites such
as Facebook, blogs (online journals) etc.
(7) Deliberate activities that waste networked resources and
unnecessarily engage official staff carrying out site
management.
c. Agreement / Undertaking. All Government permanent / regular
employees, contractors or temporary staff who have been granted
the right to use the internet are required to sign this agreement
confirming their understanding and acceptance of this agreement
(ref. to para 9 above).

d. Federal Government Owned Information Held on Third-Party
Websites. If you produce, collect and/or process business-related
information in the course of your official duties, that information will
remain the property of GoP. This includes such information stored
on third-party websites such as web mail service providers and
social networking sites, such as Facebook and LinkedIn etc.

36. Rules / Code of Conduct

a. Penalties on Misconduct / Violations. The GoP accepts that the
Internet is a valuable business tool, misuse of which, however,
can have a negative impact upon employees' reputation and
productivity, and also that of the GoP. Where it is established that an
employee has failed to comply with this agreement, he / she will
face the disciplinary procedure under the prevailing code of
conduct. If the employee is found to have breached the policy,
he / she will face a disciplinary penalty ranging from a verbal
warning to dismissal from service. The assessment will depend on the
extent of the damage done to the Government and the
employee's past disciplinary record.

b. Legal Penalties. Any staff member / organization found violating
any of the instructions issued from time to time is liable to punishment
under the Official Secrets Act, Rules of Business, Handling of Classified
Documents in Government Departments, Prevention of Cyber /
Electronic Crime Ordinance and any other legislation made by the
Government of Pakistan on the subject.

c. Dos and Don'ts. Users are required to exercise extreme caution
using the e-mail service, as it will help in arresting compromises while
taking advantage of new technologies / services. A list of Dos and
Don'ts is appended as Annex-C to this policy for compliance by all
government e-mail users.

Miscellaneous Aspects
37. In addition to the above, several other important aspects merit attention to
protect government information from falling into the hands of hostile elements. The
following actions are recommended as part of the policy:-
a. Proper education / training of government employees about
appropriate handling of systems. An awareness program must be
undertaken with the willing support of top management.
b. Now that a sizable take off in IT use has been achieved, a national IT
policy may be devised to build safeguards and controls.
c. The Federal budget be enhanced to make possible the internet
working of Ministries / Divisions / Departments to amicably realign
with the electronic mailing concept enshrined in this policy
document.
d. Arrangements be made to protect the systems from external
attacks by isolating free networks like the Internet.
e. Internet Security Policy be consistent in covering any security
breach. In this connection, systems must have secure auditing tools
monitoring the access to or other activity of the system / users.
f. Web site security policies are to be reviewed frequently and modified
periodically.
g. To audit any wrongful outgoing activity / missing information, user logs
will be maintained and examined frequently. Logs will also be
presented to audit teams subsequently.
h. All government organizations must make an endeavor on:-
(1) Creating awareness and security consciousness among the
users down to the operator level.
(2) Periodic conduct of lectures / seminars / workshops on the
subject by IT experts of the organization.

38. Responsibilities of NTC

a. Provide Internet connections to all government offices across
Pakistan.

b. Make the network secure against all possible intruders and threats.

c. Make arrangements for the provision of Internet connections in
areas where Internet infrastructure by NTC is not available, through
approved ISPs.

d. Issue necessary administrative / technical / security alerts to internet
customers in consultation with NTISB.

e. Ensure government department demands for clean IP bandwidth
(WAN) are met with responsibility.

f. Ensure secure website and mail service hosting facilities are provided
efficiently and economically to better serve the government
clientele.

g. Ensure co-location facilities are provided with convenience at
competitive rates.

h. Ensure secure web-updation without any difficulty.

39. Responsibilities / Duties of IT Staff. All government departments (Federal
or Provincial), Ministries / Divisions and Autonomous and Semi Autonomous
Bodies are responsible for preparing and formulating the charter of duties of IT
officials and SOPs / procedures regarding handling of IT matters within the
organizations, and for their strict compliance. This charter of duties and
SOPs / procedures will be duly approved by the Head of the concerned
department.
Training Parameters
40. Each and every government organization will organize and make
arrangements for the prime education and training of IT personnel
hired / employed by the respective departments under their controlling
authorities. Electronic Government Directorate (EGD) and Pakistan Computer
Bureau (PCB) should extend full cooperation in this regard and plan training
courses on a regular basis at their own centers and at the Ministries / Divisions'
premises also. Government organizations may also contact these
departments on a special need basis, in addition to the private sector, for the
training of their officers / officials on IT matters to keep them abreast of the latest
technologies / techniques for efficient office working. In this regard necessary
technical and professional expertise may also be sought from the top ranking
educational universities in the country. Brief training parameters should cover the
following:-
a. Training should be progressive and continuous.
b. Should be complete in all respects, covering all aspects of IT security
and cyber technology.
c. Should be organized at both individual and collective level.
d. Must be realistic in nature, with all available training methods and
expertise.
e. Should be simple and comprehensible for varying levels of
education and professional acumen.
f. Should be organized in the following durations:-
(1) Short Term Courses - 3-6 months
(2) Long Term Courses - 6-12 months
(3) Diploma Courses - (As per requirement)

41. Conclusion. Latest developments in the field of Information and
Communication Technology warrant giving the issue due importance to
safeguard our classified data from hostile quarters. Formulation of such
policies in the best interest of the nation and strict compliance with them is the
very need of the time. Though every effort has been made to make the policy
comprehensive and cover all the related aspects of the subject, it
will be under review from time to time to cope with the latest developments
and to thwart any emerging threats in this regard.

*****

Annex-A

GLOSSARY OF TERMS

1. General
a. GoP. It stands for Government of Pakistan.
b. Approved ISPs / Operators. Internet service providers (including
GSM, WLL) that are approved / licensed by the PTA to provide
services in areas where the NTC network is not available. These ISPs will
be bound by certain regulations and restrictions for ensuring
security to government Internet clients.

c. Audit. Internet / IT security audit by an authorized government
body, NTISB or its designated team / body, to investigate systems
and connections within Government ambit.

d. Authorized User. An employee of the Federal / Provincial
Government who has been authorized by the Controlling Authority
to use Government Sponsored E-Mail and Intranet facility on his
official PC.

e. Behavior. Working in government offices warrants special care
for obvious reasons; therefore the user's behaviour requires to be
different from his / her personal / private conduct.

f. Classified Information. It includes all security graded information
related to government business, formally Restricted Data or any
such information / data as judged sensitive by the
controlling / responsible authority. (Refer to the booklet Security of
Classified Matters in Government Departments.) Requisite
treatment for transmission and storage.

g. Data Center. Highly secure, fault-resistant facilities housing
customer equipment that connects to telecommunications / data
networks. The facilities accommodate web servers, application
servers, database servers, load balancers, e-mail and collaboration
servers, routers, core switches, firewalls, Intrusion Detection Systems
(IDS), Intrusion Prevention Systems (IPS) etc. The EGD / NTC will
maintain the Federal Government Data Center.

h. Government Department. Any government office, ministry,
division, department, district management, autonomous body,
authority, institution, university or commission will be taken as a
department in this policy document.

i. Electronic Government Directorate (EGD). A government
organization entrusted with the task of planning, executing and monitoring
any kind of IT related project within Government organizations,
under the control of the Ministry of Information Technology.

j. Electronic Mail within Government. Electronic mail facility
specially established for exchange of government information
between government departments. It is established through a fiber
network that does not interface with Internet media by any means.

k. Government Organizations. Government Organization includes
ministries / divisions / departments / Semi Autonomous Bodies /
Autonomous Bodies.

l. Internet User Behavior. The term will mean Government Internet
user paid by the government of Pakistan.

m. Official PC / Network. Any computer or network of computers that
contains a piece of classified (restricted, confidential, secret, top
secret or higher degree of secrecy) information / data / files /
documents / presentations / tables / e-mails / contracts / even phone
directory will be treated as official, whether at home or in the office.

n. Pakistan Telecommunication Authority (PTA). Telecommunication
regulatory body which regulates the establishment, operations
and maintenance of telecommunication services in Pakistan. It
also promotes and protects the interests of telecommunication
service providers and users. It facilitates Law Enforcement Agencies
in enforcing policies and disciplines required for national security.
PTA ensures that licensing of Internet related services through private
operators does not become detrimental to national interest.
Ownership transfer to foreigners is cleared through due course of
clearance by agencies.

o. Stand-alone PC. A computer that is self-contained and does not
require any other devices to function, and is not connected to any
type of internet architecture / IT network.
2. IT Terms

a. Authentication. Determines a user's identity, as well as determining
what a user is authorized to access (view, read, write, delete,
modify etc.). The most common form of authentication is user
name and password, although this also provides the lowest level of
security.

b. Antivirus. A program or software used to help protect a
System / PC (Personal Computer) from being infected with a virus.

c. Bandwidth. Bandwidth is the capacity of a network to carry
data / packets / information. It is normally measured in the following
forms:-
(1) bps = bits per second
(2) kbps = Kilo bits per second
(3) Mbps = Mega bits per second
(4) Gbps = Giga bits per second
All the bandwidth requirements will be met by NTC and, where its
network infrastructure is lacking, it will make arrangements
in collaboration with PTCL to meet the demand on similar
standards to those provided by NTC, in particular from the security point of view.

d. Broadband Connections. The term broadband Internet access,
often shortened to "broadband Internet" or just "broadband",
generically refers to last-mile Internet connections exceeding the
bandwidth capabilities of standard analog modems and of
Integrated Services Digital Network (ISDN) connections. These are
also known as DSL connections.

e. Dial-Up Connection. The most popular form of Internet
connection for the home user, this is a connection from a computer
to a host computer (Access server in ISP) over standard telephone
lines, using internal or external modems.

f. Digital Subscriber Line (DSL). Digital Subscriber Line or DSL
refers to a family of technologies that provide a digital connection
over copper wires of the local telephone network.

g. Dedicated Link. A dedicated link is a line reserved exclusively for
one type of communication. This is also referred to as a leased line or
private line.

h. Cyber Space. All the connectivity to your automated / stored
information: Internet, Intranet, WiFi, WiMAX and any other
connectivity through radio / USBs that can grant access to the official
network will constitute cyber space.

i. E-Mail. Abbreviation for Electronic Mail, a message
transmitted over communication networks. The messages can be
entered from the keyboard or from electronic files stored on disk.
j. Free Email Services. All the e-mails transferred through Internet
based free e-mail services like Hotmail, Yahoo, Gmail etc. Generally
not meant for government business.

k. Web-Mail. Electronic mail that government offices exchange
with vendors, citizens, companies and international communities,
excluding social engineering forums / blogs etc. This mail is facilitated
through government hosted mail servers along with websites
through NTC. These mail servers are hosted inside Pakistan.

l. E-mail Address. The domain based address that is used to send
electronic mail to a specified destination. For example, "Secretary@
Cabdiv.gov.pk" provides the following information:-

(1) Secretary - indicates User (Secretary)
(2) Cabdiv - indicates Abbreviated / Full Name of the
Organization
(3) .gov - indicates Government Organization
(4) .pk - indicates a Pakistani Organization.

So, Secretary@Cabdiv.gov.pk is the E-mail address of a user,
Secretary, Cabinet Division, who is an employee of the government of
Pakistan.
m. Encryption. Encryption is the process of changing data into a
form that can be read only by the intended receiver.

n. Encryption Algorithm. A mathematical procedure for
performing encryption on data. Through the use of an algorithm,
information is made into meaningless cipher text and requires the
use of a key to transform the data back into its original form.

o. Ethernet Connectivity. The ability / facility of connecting /
switching to / communicating through an Ethernet.

p. Firewall. A combination of hardware / software used to protect an
internal network / Intranet and IT resources from intruders or hackers
who try to break into those networks. A firewall allows only specific
kinds of traffic to flow in and out of the internal network.

q. FTP. File Transfer Protocol, generally used to update web contents,
and so will be the FTP password.

r. Hacker/Hacking. A person who breaks into or attempts to


break into a computer, a computer network or system without
authorization, often at random, for personal amusement,
gratification, or with malicious intent.

s. High Value Digital Subscriber Line ( HDSL). High-bit-rate digital


subscriber line (HDSL) was the first DSL technology to use a
higher frequency spectrum of copper, twisted pair cables. HDSL
was developed in the US, as a better technology for high-speed,
synchronous circuits typically used to interconnect local exchange
carrier systems, and also to carry high-speed corporate data links
and voice channels, using T1 lines.

t. Internet. International network of networks traditionally speaking


connectivity through www.xxx.xxx.xx to search open source
information for the purpose of Research and Development,
education and other applications available through this platform.
Internet here means network whose governance is beyond
Pakistans control.

u. Intranet. A network belonging to an organization or group of
organizations and its sub-departments, accessible only by the
authorized members/systems of the organization, employees of the
organizations, or others, with secure authentication.

v. Intruder. An unauthorized individual or system who attempts to hack
or break into a computer system/computer network, or to misuse it.

w. Internet Connection. A communication link used to connect to and
exchange data with the Internet. It can be implemented in the form of
Dial-Up, DSL, wireless network connection or Fiber Optic Termination
etc. Another form could be a hotspot connection on the move.

x. Intrusion Detection System (IDS). A system used to identify attempts
to hack or break into a computer system or to misuse it. An IDS may
monitor packets passing over the network, monitor system files, monitor
log files, or set up deception systems that attempt to trap hackers.

y. Intrusion Prevention System (IPS). A network device that monitors
network and/or system activities for malicious or unwanted behavior and
can react in real time to block or prevent those activities.

z. Internet Service Provider (ISP). A company that is equipped and
authorized to provide a large number of users with access to the
Internet through an Internet connection.

aa. Internet Protocol (IP). The Internet protocol that gives each host
an address identifying it on the network and, for public addresses,
uniquely across the globe. The term IP will be used for both IPv4 and
IPv6.

bb. Local Area Network (LAN, WAN, MAN). A data communications network
which is geographically limited, allowing interconnection of terminals,
microprocessors and computers within adjacent buildings (normally within
a radius of 1 KM). A Metropolitan Area Network (MAN) spans a city and a
Wide Area Network (WAN) spans larger regions, interconnecting LANs.

cc. Licensed Software. Software used under a licence granted by its
manufacturer, which permits use under specified conditions of copyright
and other laws.

dd. Nodes. In communication networks, a node (Latin nodus, knot) is a
connection point, either a redistribution point or a communication
endpoint (some terminal equipment). A physical network node is an active
electronic device that is attached to a network, and is capable of
sending, receiving, or forwarding information over a communications
channel.

ee. Password. A unique string of characters that a user types as an
identification code to restrict access to computers and sensitive files.
Password secrecy is the responsibility of the holder, and sharing of a
password amongst a group of people/employees is to be discouraged.
Handing over of passwords, both Internet and Intranet, remains a matter
of record in government business.

ff. Server. A computer or device connected on a network that manages
network resources, e.g. a file server, mail server, access server, web
server, database server, print server, network server or an application
server that serves individuals, computers or devices within a network.
Configuration and management of all such servers within government must
be carried out by authorized personnel and documented. Remote management
of such servers by outsourced vendors is not allowed.

gg. Switches. A network switch or switching hub is a computer networking
device that connects network segments.

hh. Web-Server. A computer that stores the web contents of websites
hosted by government departments. All web servers will be hosted within
Pakistan. NTC will be responsible for provision of bandwidth, storage and
secure hosting environments.

ii. Web-Mail Server. A mail server hosted within Pakistan as the
department's external interface, also serving to overcome the digital
divide. It is used for exchange of information between offices and
contractors, and with non-government clients with whom communication is
essential as part of the facility. This is a department's outward
interface.

jj. Mail Server. A computer running mail service applications for
government business internally. This mail service will run on a
dedicated network/intranet/LAN/WAN.

kk. Spam. An inappropriate attempt to use a mailing list, or other
networked communication facility, as if it were a broadcast medium by
sending the same message to a large number of people who did not ask
for it.

ll. Internet User and Email User. Any person with access and facilities
at his/her disposal to get connected to the WWW cloud for use of
browsers, search engines, data transfer or any of the other features
provided by the Internet will be termed an Internet User. A person who
identifies himself/herself with an email address through the World Wide
Web, making use of the free mail services of Hotmail, Yahoo, Gmail or
Facebook etc., or using the official webmail services of the department
through the WWW cloud, will be termed an Email User in this context.

mm. Virtual Private Network (VPN). Usually refers to a network in which
some of the parts are connected using the public Internet, but the data
sent across the Internet is encrypted, so the entire network is
"virtually" private. A typical example would be a company network where
there are two offices in different cities. Using the Internet, the two
offices merge their networks into one network, but encrypt the traffic
that uses the Internet link.

nn. Walk-Up Network Connection. Walk-up Network Connection means network
connection points located to provide a convenient way to connect a
portable host to the network.

oo. Web Portal. Commonly referred to as simply a portal, a Web site or
collection of websites or services that offer a broad array of resources
and services. The address of the Web Portal of the Government of
Pakistan is www.Pakistan.gov.pk. Commonly there are two kinds of portals
for large organizations. The first is an internal portal of an
organization, which serves the employees of the organization and its
sub-departments with information, news and available applications. The
second is an external portal, which extracts information from the
internal portal or databases of the organization automatically and
displays it for public information.

pp. BIOS. It stands for Basic Input/Output System, the built-in software
that determines what a computer can do without accessing
programs from a disk. On PCs, the BIOS contains all the code
required to control the keyboard, display screen, disk drives, serial
communications, and a number of miscellaneous functions.

qq. Web Hosting. The business of providing the storage, connectivity,
and services necessary to serve files for a website.

rr. Certification. Certification refers to the confirmation of certain
characteristics of an object, programme, software, person, or
organization. This confirmation is often, but not always, provided by
some form of external review, education, assessment, or audit.

ss. PKI. A PKI (public key infrastructure) enables users of a basically
insecure public network such as the Internet to securely and privately
exchange data and money through the use of a public and private
cryptographic key pair; the public key is obtained and shared through a
trusted authority, while the private key never leaves its holder. The
public key infrastructure provides for a digital certificate that can
identify an individual or an organization, and directory services that
can store and, when necessary, revoke the certificates. The components
of a PKI are generally understood, and the Internet standard for them is
the IETF PKIX profile of X.509 certificates (RFC 5280), although vendor
approaches and services still differ.

tt. Digital Certificates. A digital certificate is an electronic "credit
card" that establishes your credentials when doing business or other
transactions on the Web. It is issued by a certification authority (CA).
It contains your name, a serial number, expiration dates, a copy of the
certificate holder's public key (used by others to verify the holder's
digital signatures and to encrypt messages to the holder), and the
digital signature of the certificate-issuing authority so that a
recipient can verify that the certificate is genuine.

uu. WiFi/Wireless Broadband. The name of a popular wireless networking
technology that uses radio waves to provide wireless high-speed Internet
and network connections.

vv. Backup Data/ Mail Recovery. Keeping the data files in multiple
copies to safeguard against any loss or disaster and recovering of
lost/ affected/ infected files by some procedure/ software.

ww. Autonomous Bodies. Autonomous Bodies are set up whenever it is felt
that certain functions need to be discharged outside the governmental
set-up with some amount of independence and flexibility, without
day-to-day interference of the Governmental machinery. These are set up
by the Ministries/Departments concerned with the subject matter and are
funded through grants-in-aid, either fully or partially, depending on
the extent to which such institutes generate internal resources of their
own. These grants are regulated by the Ministry of Finance through their
instructions as well as the instructions relating to powers for creation
of posts etc. They are mostly set up as statutory institutions under the
provisions contained in various Acts.

xx. Classified Information. Classified information is information which
has been deemed sensitive enough that access to it is restricted. A
classic example of classified information is military intelligence,
which is circulated only among the people who absolutely need to see it,
to reduce the risk of potentially catastrophic leaks of information. All
governments and many large organizations such as corporations have
systems in place for identifying and securing classified information to
ensure that it does not fall into the wrong hands.

yy. Semi-autonomous. A partially self-governing body which has the
powers of self-government within a larger organization or structure.

zz. Government Business. Any kind of work done in government
departments.

aaa. Monitoring. The process of observing, supervising or controlling
the activities of, watching over or supervising any object, programme or
organization.

bbb. Storage Devices. A computer storage device is any type of hardware
that stores data. The most common type of storage device, which nearly
all computers have, is a hard drive. The computer's primary hard drive
stores the operating system, applications, and the files and folders of
the users of the computer.

ccc. Uploading/Downloading. Downloading is transferring data or programs
from a server or host computer to one's own computer or digital device;
uploading is transferring a file or program to a central computer,
server or host from a smaller computer or a computer at a remote
location.

ddd. Third Party. Someone who may be indirectly involved but is not a
principal party to an arrangement, contract, deal, lawsuit, or
transaction.

eee. Disaster Management. Planned steps taken to minimize the effects of
a disaster, and to be able to proceed to the business continuity stage.
fff. PDF/Work Format. Portable Document Format (PDF) is an open
standard for document exchange. This file format created
by Adobe Systems in 1993 is used for representing documents in a
manner independent of application software, hardware,
and operating systems. Each PDF file encapsulates a complete
description of a fixed-layout flat document, including the text,
fonts, graphics, and other information needed to display it.

3. Administrative Terms
a. Controlling Authority. Head of respective Ministry, Division,
Department, or Autonomous Body shall be the controlling authority
for the purpose of this policy.

b. Coordinator. An Officer not below the rank of a Joint Secretary,
having necessary knowledge of Information and Communication Technology
and detailed by the Controlling Authority of an Organization to
coordinate all ICT related activities in that organization.

c. Information Security Officer (ISO). An officer designated in an
organization with specific duties/powers to look after all the matters
related to information security.

d. National Telecommunication Corporation (NTC). A government owned
telecommunication organization established to provide telecommunication
services to its designated customers, including Federal and Provincial
Governments and their departments.
Annex-B

IT SECURITY GUIDELINES

1. Over a decade or so, virtually every government office has deployed
computers/networks and automation applications that need appropriate
security safeguards. Although this chapter applies to IT systems in
particular, it is equally essential in the present context to ensure
the safety/security of information and data. The following guidelines
are therefore provided, to be implemented on provision of Internet/E-Mail
facilities in Government Organizations:-

a. Responsibility of Head of Department. The Head of the respective
Government Organization, irrespective of the classification referred to
in this document, shall continue to be responsible for the security of
information/documents/data of his/her Government Organization under the
existing rules and instructions in vogue.

b. Establishment of IT Infrastructure. For any classified/sensitive
nature of work, a separate network/environment shall be set up on a
case to case basis within the organization. This secure network/
environment shall have no linkage with the other network(s) deployed in
the premises of that organization or with the Federal Government
Intranet. Heads of Organizations will suggest deployment of such a
Network Infrastructure only in specific departments, in consultation
with Cabinet Division (NTISB).

c. Employment of Network Administrator. All Government Organizations
will have a properly configured/documented Network Infrastructure and
employ certified Network/System Administrator(s) and an Information
Security Officer.

d. Password Management Policy. A strict password management policy will
be followed by each and every organization. Passwords should not be
shared and must be changed frequently as per the policy to be
implemented by the Network/System Administrator(s), under the
supervision of the Controlling Authority. Moreover, the length and
number of characters of passwords should be governed as per the policy.

e. Password Protection and Guidelines. It is the responsibility of each
computer/e-mail user to protect and limit his/her password for every
usage: e-mail, internet access, PC login, network login etc. Sharing a
password is not recommended. In case of misuse of the password the owner
will be held responsible. Certain guidelines for choosing and protecting
passwords are given hereunder:-

(1) Use as many different kinds of characters as possible, including
numbers, punctuation characters, and mixed upper and lowercase letters.

(2) Passwords should be easy to remember so you don't have to write
them down.

(3) Interlace two words, or a word and a number (like a year), by
alternating characters.

(4) Choose two short words and concatenate them with a punctuation
character between them.

(5) Use intentionally misspelled words with a number or punctuation mark
in the middle.

(6) Use the first letter of each word of a phrase, event, song or poem
that you can easily remember. Add a punctuation mark and a number.

(7) Users are required to change their password within 30 days. If a
user does not change his/her password within 30 days, he/she will be
automatically prompted to change the password.

(8) Passwords must be chosen by the users so that they are difficult to
guess. This means that passwords must not be related to one's job or
personal life. For example, a car licence plate number, a spouse's name,
or fragments of an address must not be used. This also means passwords
must not be a word found in the dictionary or some other part of speech.
For example, proper names, places, technical terms, and slang must not
be used.

(9) Password control software will be used to prevent users from
selecting easily-guessed passwords. A good password may be a mixture of
letters in upper and lower case along with numbers, and should also
include special characters such as $, > etc.
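The Python script below is an added example and is not part of this policy
or of any software the policy refers to. It shows how the "password control
software" of sub-para (9) could enforce guidelines (1), (3), (7) and (8):
it rejects short or single-class passwords, undoes the usual digit-for-letter
substitutions before checking for dictionary words, refuses fragments of the
user's own profile (spouse's name, licence plate, address) and flags a
password older than 30 days. The minimum length of 12 characters, the
six-word stand-in dictionary and the profile for a fictitious user "Ahmed
Khan" are assumptions made for the example; a real deployment would load a
full word list and the personnel record instead.

```python
import re
from datetime import date

# Constructed stand-in for a real dictionary/word list (assumption).
DICTIONARY = {"password", "summer", "welcome", "secret", "lahore", "ministry"}
MIN_LENGTH = 12      # assumed minimum; the policy leaves the exact length to local rules
MAX_AGE_DAYS = 30    # stated in guideline (7)

# Undo common substitutions so "P@ssw0rd" is still recognised as "password".
_DESUB = str.maketrans("01345@$", "oieasas")

# Constructed profile for a fictitious user (assumption, not real data).
EXAMPLE_PROFILE = {"name": "Ahmed Khan", "spouse": "Sana",
                   "plate": "LEA-1234", "address": "12 Mall Road"}


def personal_fragments(profile):
    """Lower-cased tokens (3+ chars) from a user's profile: names, plate, address."""
    frags = set()
    for value in profile.values():
        for tok in re.split(r"[^a-z0-9]+", value.lower()):
            if len(tok) >= 3:
                frags.add(tok)
    return frags


def check_password(candidate, profile):
    """Return the list of guideline violations; an empty list means accepted."""
    problems = []
    low = candidate.lower()
    desub = low.translate(_DESUB)
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = (
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    if sum(classes) < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, punctuation")
    # Guideline (8): no dictionary words, even when disguised with digits/symbols.
    for word in sorted(DICTIONARY):
        if word in low or word in desub:
            problems.append(f"contains dictionary word '{word}'")
    # Guideline (8): nothing taken from the user's job or personal life.
    for frag in sorted(personal_fragments(profile)):
        if frag in low or frag in desub:
            problems.append(f"contains personal detail '{frag}'")
    return problems


def password_expired(last_changed_iso, today_iso):
    """Guideline (7): older than 30 days means the user must be prompted to change it."""
    last_changed = date.fromisoformat(last_changed_iso)
    today = date.fromisoformat(today_iso)
    return (today - last_changed).days > MAX_AGE_DAYS


def interlace(word, number):
    """Guideline (3): alternate the characters of a word and a number."""
    out = []
    for i in range(max(len(word), len(number))):
        if i < len(word):
            out.append(word[i])
        if i < len(number):
            out.append(number[i])
    return "".join(out)


if __name__ == "__main__":
    for pw in ("Sana2011!Khan", "P@ssw0rd2011Gov", "Tq7#mKz9!vLp4Rx"):
        print(pw, "->", check_password(pw, EXAMPLE_PROFILE) or "accepted")
    print("interlaced:", interlace("mango", "2011"))
    print("expired:", password_expired("2011-01-01", "2011-02-15"))
```

Note that a password built purely by guideline (3), such as the interlaced
"m2a0n1g1o", passes the dictionary check but still fails the character-class
check until an upper-case letter or punctuation mark is added, which is the
intended effect of applying guidelines (1) and (9) together.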

f. Network Security Parameters.

(1) For security of LAN the following instructions are promulgated:-

(a) All LANs, where installed within the department, are not to be
linked with the internet or intranet.

(b) Wireless LAN is not to be used, owing to the lack of credible
security standards and its vulnerability to hacking. Any installation of
wireless broadband LAN will require the approval of the Head of the
Department.
(2) All application protocols and ports are to be defined/documented for
Internet usage. Only the specific protocols/logical ports which are
necessary for communication (web based e-mail, FTP, www) are to be
allowed. All other ports, such as those used by torrent applications and
media streaming applications, are to be restricted.

(3) To protect the internal network from unauthorized intrusion/attacks,
a screened/isolated architecture (another layer of security) is to be
incorporated in the network architecture.

(4) The need to educate the Internet user in government offices about
phishing and pharming attacks (criminal, fraudulent attempts to acquire
sensitive information) is to be highlighted.

(5) The Network Administrator is to guide departments that are
establishing their own network regarding selection of specified types of
hardware/switches having better security features.

(6) Frequent IT/Cyber security awareness programs/workshops are to be
conducted/arranged by the respective organizations. However, visiting
security experts are to be invited/entrusted only after security
clearance.

(7) No online/live training is to be conducted by any vendor, or using
unauthorized software, without prior clearance.

g. Data Integrity/Protection and Backup/Recovery Policy

(1) Securing of valuable information through regular backups is the best
defence against a natural disaster, a virus or a hacking attack. The
backup media used must be secured properly under lock and key to avoid
theft.

(2) An approved system and data backup/recovery policy must be evolved
by the user departments/organizations and be deployed/followed strictly.

(3) The backup recovery/restore procedure must be tested, and any issues
resolved, during peace time.

(4) Where servers are installed to provide a service, a regular backup
source must be maintained. One copy of the backup is to be maintained at
the site while another copy is to be placed at a secure location offsite
under lock/personal custody of the concerned authority.

(5) The frequency of offsite backup storage of server installations
depends upon the validity of the data (daily, weekly etc.) necessary to
resume and continue normal operations in case of any natural
disaster/incident.

(6) Conference Room PCs used for presentations or briefings are to have
no confidential data files on them. Presentations/briefings are to be
loaded only when required and promptly deleted afterwards. Such systems
must be formatted as often as possible.

(7) Classified information up to Confidential typed on the computer must
be password protected/encrypted when stored.

(8) It must be understood that general purpose PCs and operating systems
like Windows have been designed for ease of use and, in their default
configuration, hardly provide any security.
h. Memory
(1) Use of private USB memory sticks and other storage devices
including CDs is not permitted.

(2) Each department is to obtain official USB memory sticks if required
and have them on charge with the departmental IT officer for issue/use.

(3) They are to be numbered with an identification serial number with
the departmental abbreviation (e.g. IT/001 etc.).

(4) In no case are they to be taken out of the department except with
prior approval of the Head of the Department.

(5) Loss of the same is the responsibility of the user to whom it was
issued for the period in which the loss occurred.

(6) A record of make/memory capacity/Registration Number and department
is to be forwarded to the respective departmental IT officer.

(7) USB ports/floppy drives, where considered non-essential, may be
disabled/removed.

(8) Use of external hard drives is to be limited to where explicitly
essential and permitted by the Head of Department. A record to this
effect is to be maintained by the departmental IT officer. In case a PC
is re-issued, the contents of the hard drive must be scrutinized and
cleared if necessary before reissue.

(9) Defective hard drives are not to be taken out for repair without the
Head of the Department's approval. Only those vendors who are security
cleared by the organization may be contacted. However, the hard drive
is to be repaired under the supervision of the Head of the Department's
representative. Where the level of security and sensitivity of
information outweighs the risks involved in a possible breach of
information, the hard drive is to be destroyed physically by
dismantling, breaking of the disk platters and incineration. The Head
of the Department is authorized to approve destruction of a hard disk on
a case to case basis, forwarded by the department stating the
justification for the same. Nevertheless, repair of the hard drive by
calling the technician onsite is to be given preference where possible.

(10) Hard disks are to be cleaned/formatted on a regular basis and
unwanted files deleted. Important data is to be archived on recordable
CDs only.

(11) Use of floppy discs or rewritable CDs may be limited. They are to
be clearly marked and handled in accordance with their classification.

(12) Accountability and distribution of floppies/rewritable CDs/USBs are
to be maintained by the departmental IT officer in a ledger, with detail
of the total number of storage devices received, issued, their
classification and the balance, including any destroyed. Storage
devices/floppies are not to be passed around without an integrity check
for viruses. This is to be exercised as an SOP to avoid infection of
healthy PCs. Defective floppies are to be destroyed and a record
maintained.

(13) Use of Bluetooth, infrared and remote access devices is prohibited.
The wireless feature of laptop devices is to be disabled, as it is
possible to extract data from such emissions.

(14) A clear desk policy is to be enforced on closing of offices. All
CDs, floppy disks, external hard drives and USBs are not to be left
unattended. They are to be placed under lock in proper storage. In
particular, USB sticks are to be mustered by the departmental IT officer
and locked away.

(15) Gifted USBs, cell phones and laptops are to be thoroughly cleaned
by authorized security experts before they are put to normal use. All
such gifted items must be referred to the security center established
for the purpose.

Physical Security

2. Physical security protection will be ensured by creating several
physical barriers around the organizational premises and information
processing facilities. The overall responsibility for the Physical
Security of the Perimeters, Systems, Networks and End-User Equipment
shall remain with the Controlling/Coordinating Authority and the end
user. Security Standing Operating Procedures (SOP) will be drawn up by
each Organization to suit their prevailing environment. This is critical
because these procedures are developed to prevent unauthorized access
and prevent loss or theft of information. The following guidelines may
be considered:-

a. Security perimeters should be clearly defined.

b. The perimeter of a building or premises containing information
processing facilities should be physically separated.

c. Access to secure areas of the premises should be restricted to
authorized persons only, preferably through the use of
fingerprint/biometric locks.

d. Equipment should be sited or protected to reduce the risks from
environmental threats, hazards and opportunity for unauthorized access.

e. Controls should be implemented to minimize the risk of potential
threats to system, data, software including theft, fire, dust,
electrical supply interference or electromagnetic radiations etc.

f. All cabling (power, telecommunication, LAN etc.) should be
sufficiently protected from interception and damage.

g. All sensitive data (papers, disks, tapes, CDs etc.) should be kept
protected at all times and only authorized persons should have access to
these. Their movement must be properly logged/documented with a time
stamp.

h. Any access by any person to sensitive data must be recorded.

i. No private PC should be allowed inside the offices of the
organization.

j. Operating systems must be up-to-date with the latest service packs
and patches to prevent exploitation through known vulnerabilities.

k. CPU cases holding classified data are to be locked to prevent
unauthorized tampering and removal of hard drives. Certain CPU cases
come with lugs that provide the facility of locking with a padlock.
While procuring new PCs, provision of this feature is to be ensured.
Old CPUs without this feature may be modified to allow locking of the
CPU case, or tamper-proof seals are to be pasted and signed by the
departmental IT officer along with the date.
l. Laptops are to be secured with a Laptop Lock which secures the
Laptop to a fixture to prevent theft of an unattended Laptop. While
traveling, Laptops are to be carried as personal luggage and any
classified data should be password protected.
m. All PCs are to be numbered with indelible ink and record of
authorized Custodian/Users is to be kept with departmental IT
officer.
n. In case of a security breach, the custodian to whom the PC was
issued shall be responsible for that particular loss of data and any
unauthorized activity occurring wholly or partially from that PC.
o. No PC is to have a modem installed unless it is specifically used
for Internet access and authorized by the departmental IT officer.
p. The latest antivirus software, with a valid copyright authentication
certificate, is to be installed along with updated virus definitions.
q. Only the authorized user/operator should use the computer.
Particulars of the authorized users, duly signed by the Head of the
Department, must be pasted on the CPU and published in daily orders.
r. To enhance physical security, CCTV cameras are to be placed in
sensitive areas, e.g. the server room entry.
s. All cables (shielded cables must be used) are to run through false
ceilings where possible, and network hubs/switches are to be placed in
protective locked cabinets. This is to obviate the possibility of
physical sabotage and eavesdropping.
t. Unattended visitors or visitors without ID/Security Cards are to be
challenged. Mobile phones with data transfer capabilities are
common nowadays, therefore, visitors are to deposit such devices
(USB sticks, mobiles etc) at guard room/reception.
u. Officers/Officials responsible for handling sensitive information or for
information processing resources should periodically perform a self
assessment to determine the existing level of security vulnerability
and compliance with physical security.

Provision of Authorized/Licensed Software

3. Use of only appropriate copyrighted or licensed software is to be
ensured. It will be ensured by the HoD through his/her IT staff that no
user in the organization uses pirated software. Installation of
unlicensed/pirated software from any source (CD, USB etc.), or offered
free of cost on the internet, by the user himself for use on official
PCs is strictly prohibited. EGD will provide licensed software for
government networks established/maintained by them. However, the
respective organizations will be responsible for ensuring that only
licensed software is used on their computers/networks.

Departmental IT Security Manual

4. The Office's internal network introduces new resources and new
services through Local Area Network and Internet connectivity. This
connectivity not only results in new technology and services, but also
poses new risks and threats. This document formally defines a
departmental IT security policy regarding Network resource usage, rights
and restrictions. All network users are expected to be familiar with and
to comply with the instructions appended in the succeeding paras:-

5. The scope of this manual includes the following information:-

a. Authorized Software.
b. Backup and Recovery.
c. File and Print Services.
d. Hardware Rights and Restrictions.
e. Internet Access.
f. Mail Management.
g. Network Protection.
h. Network/PC Usage.
i. Non-Organization Personnel.
j. Removal of Privileges.
k. Virus Protection.

Installation of Authorized Software

6. The Network/System Administrator(s) will install only the authorized
software on the departmental machines (PC/Laptop/LAN). No individual
user will install any software on his/her own. The user will contact the
Network/System Administrator(s) to install valid software that has
direct relevance to the office work. If any additional software needs to
be installed, the user would take prior approval of the Coordinator on a
prescribed form available with the Network/System Administrator(s).

7. Any software required by users should have security clearance from the
Network Administrator(s).

Backup and Recovery

8. Backups will be taken regularly, depending upon the organizational
backup policy, on an incremental or full backup basis. Tape cartridges
or other removable media/storage devices may be used for data backup and
the following strategy would be used for backing up data:-

b. A full backup of all servers, folders and e-mails would be taken on
two tape cartridges/storage devices. One of these would be placed in the
server room and the other would be placed in a different physical
location. In this way the following two goals can be achieved.

(1) Firstly, if a server crashes then one can recover all data from the
tape cartridge/storage device placed in the server room.

(2) Secondly, if that tape cartridge/storage device fails or the server
room faces a natural disaster then one can recover the data from the
tape cartridge/storage device which was placed in the different physical
location.

c. The remaining cartridges may be used for incremental backups.

9. The backup may be taken of the following servers, users' folders and
their E-mails:-

a. Database Server (Database).
b. Network Shared Directories.
c. E-mail Server (Mailboxes).
d. File and Print Server (Main Server).
File and Print Services

10. File and print services will be limited to local systems; under no
circumstances will the Internet be used for remote file or network
printing.

Hardware Rights and Restrictions

11. The modem of every official PC or laptop on the network should be
disabled. The use of other peripheral devices (CD drives, writable CD
drives, floppy drives, USB drives, USB ports etc.) should be minimized,
as these are also potential sources of viruses, Trojans, leakage of
information etc.

12. Specific auditing, which monitors user interaction with the key
system resources, should be enabled on the hard drives of laptops; this
will help administrators to monitor any improper use of the laptops.

Internet Access

13. The following standard Internet services will be provided to users
after the prior approval of the Controlling Authority:-

a. E-Mail -- Send/receive E-Mail messages to/from the Internet (with or
without document attachments).

b. Navigation -- WWW services as necessary for official purposes.

14. To further improve network security and to optimize Internet access,
the following measures should be adhered to by the users:-

a. A list of prohibited/unauthorized websites will be kept at server
level and such sites will be blocked using the proxy server software
where applicable. This list of prohibited websites will be drawn up in
consultation with the coordinator/EGD.

b. Network Administrator(s) should monitor Internet downloading. Proxy
servers should be configured in such a way that the Network/System
administrator(s) are able to report the following two items:-

(1) Bandwidth used by each user within a month.

(2) History of all the sites visited by a user within a month.

(3) Proper logs of the above two mentioned items should be maintained by
the network administrator(s).
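The Python script below is an added example, not part of this policy or of
any proxy product; it produces the two reports of sub-para b. from proxy
logs. It assumes a Squid proxy with user authentication, whose native
access.log has one whitespace-separated record per request (Unix timestamp,
elapsed time, client address, result/status, bytes, method, URL, user,
hierarchy, content type). The five log lines, the user names "akhan" and
"smalik" and the host names are constructed for the example; a real run would
read the proxy's own log file instead. As an extension of what the policy
asks for, the script also lists requests the proxy denied, which is the
evidence that the prohibited-site list of sub-para a. is being applied.

```python
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample records in Squid's native access.log layout (assumption).
SAMPLE_LOG = """\
1300000000.123   1234 10.0.0.5 TCP_MISS/200 45678 GET http://www.pakistan.gov.pk/index.html akhan DIRECT/1.2.3.4 text/html
1300003600.456    800 10.0.0.5 TCP_HIT/200 120000 GET http://www.pakistan.gov.pk/docs/policy.pdf akhan NONE/- application/pdf
1300007200.789   2500 10.0.0.9 TCP_MISS/200 5000000 GET http://video.example.net/stream.mp4 smalik DIRECT/5.6.7.8 video/mp4
1302000000.000    300 10.0.0.9 TCP_DENIED/403 1500 GET http://torrent.example.org/ smalik NONE/- text/html
1302600000.000    900 10.0.0.5 TCP_MISS/200 2048 CONNECT mail.example.com:443 akhan DIRECT/9.9.9.9 -
"""


def parse_line(line):
    """Turn one access.log record into a dict, or None for malformed lines."""
    f = line.split()
    if len(f) < 10:
        return None
    url = f[6]
    # CONNECT requests carry "host:port" rather than a full URL.
    host = urlsplit(url).hostname if "://" in url else url.split(":")[0]
    month = datetime.fromtimestamp(float(f[0]), tz=timezone.utc).strftime("%Y-%m")
    return {"month": month, "user": f[7], "bytes": int(f[4]),
            "status": f[3].split("/")[0], "host": host}


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def bandwidth_by_user(records):
    """Item (1): bytes transferred per user per month."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["user"], r["month"])] += r["bytes"]
    return dict(totals)


def sites_by_user(records):
    """Item (2): distinct hosts visited per user per month."""
    sites = defaultdict(set)
    for r in records:
        sites[(r["user"], r["month"])].add(r["host"])
    return {k: sorted(v) for k, v in sites.items()}


def denied_requests(records):
    """Requests the proxy blocked under the prohibited-site list (para 14 a)."""
    return [(r["user"], r["host"]) for r in records if r["status"] == "TCP_DENIED"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for (user, month), total in sorted(bandwidth_by_user(recs).items()):
        print(f"{month} {user:8} {total:>10} bytes  {sites_by_user(recs)[(user, month)]}")
    print("denied:", denied_requests(recs))
```

The month is derived in UTC so that a report is reproducible regardless of
the time zone of the machine it runs on; if the organization prefers local
time, the `tz` argument is the only thing to change.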

c. Networked workstations should not be connected to separate analog
lines or modems, i.e. a direct Dial-up connection is not allowed to any
user for access to the Internet while sitting within the organization.

d. Where necessary with the approval of NTISB, Remote users can dial
into the access server using VPN client software.

Mail Management
15. The email addresses should be created keeping in mind a standard
naming convention as follows:-

a. The naming convention for email addresses should be the initial of the first
name plus the last name. The organization part is the domain name of the
organization.

b. In case of the same first letter of the first name and the same last
name, the first two letters of the first name may be used to avoid any
confusion.

c. The top and middle management would maintain dual E-Mail
accounts: one with their designation and the second with the
initial of their first name plus the last name.
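Rule 15 as a small allocation routine, added here as an example and not part of the policy. It assumes that when two initial-plus-last-name addresses clash, both people receive the two-letter form, that a clash remaining after that is referred for manual resolution (the policy does not say), and that designation mailboxes are written in lowercase with words joined by dots; the staff list and domain are constructed.

```python
import re
from collections import defaultdict

def _designation_local_part(designation):
    # Assumed form for designation mailboxes (the policy gives none): lowercase, dot-joined.
    return re.sub(r"[^a-z0-9]+", ".", designation.lower()).strip(".")

def assign_addresses(staff, domain):
    """staff: list of (first_name, last_name, designation_or_None).
    Returns {(first, last): [addresses]} following rule 15 a-c."""
    norm = [(f.strip().lower(), l.strip().lower(), d) for f, l, d in staff]
    # Group people whose rule-a address (initial + last name) would be identical.
    groups = defaultdict(list)
    for first, last, _ in norm:
        groups[(first[0], last)].append(first)
    result = {}
    for (first, last, designation), (f0, l0, _) in zip(staff, norm):
        # Rule a: initial + last name; rule b: two letters of the first name on a clash.
        local = (f0[:2] if len(groups[(f0[0], l0)]) > 1 else f0[0]) + l0
        addresses = [f"{local}@{domain}"]
        if designation:  # rule c: management also keep a designation-based mailbox
            addresses.insert(0, f"{_designation_local_part(designation)}@{domain}")
        result[(first, last)] = addresses
    # Rule b can still leave a clash (e.g. "Ali Khan" and "Aliya Khan"); refuse to
    # issue a shared mailbox and leave it to the administrator (assumption).
    seen = {}
    for key, addrs in result.items():
        for addr in addrs:
            if addr in seen:
                raise ValueError(f"{addr} would be shared by {seen[addr]} and {key}")
            seen[addr] = key
    return result

# Constructed staff list and domain, not real people or a real organization.
STAFF = [("Ahmed", "Khan", "Director IT"), ("Asma", "Khan", None), ("Bilal", "Raza", None)]
DOMAIN = "example.gov.pk"
```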

16. Users should consider the following to better manage E-Mail activities:-

a. Users should compress large files before attaching them to
E-Mail. This will help to optimize the bandwidth.

b. Users should delete items from their inbox and outbox when they
are no longer needed. If a mail item needs to be retained it should
be moved to an archive folder, a disk, or be printed or deleted.
Unsolicited mail should be deleted immediately.

c. Users should check their e-mail with a frequency appropriate to
their jobs. Employees who will be absent for more than one day
should make arrangements for a supervisor or co-worker to check
for messages that need attention, or an automatic reply message
may be configured with the help of the Network/System Administrator.

d. It is possible to receive a virus when receiving E-Mail, and some
viruses are embedded in attachments. If you receive a suspicious
E-Mail, do not open it, but instead contact the Network/System
Administrator.

e. Some computer features increase E-Mail traffic, and employees
should strive to keep message and attachment sizes as small as
possible.

f. Avoid the use of graphics in auto-signatures or other parts of the
message or attachments. Use of stationery should be avoided, as
well as moving graphics and/or audio objects, as they consume
more disk space and network bandwidth, and detract from the
message content.

g. Users may only use proper official language in their e-mails, and
refrain from using words in other languages transcribed in English.

h. Users shall not:-

(1) Discuss their opinions on religious/sectarian, ethnic, linguistic,
or political matters.

(2) Use e-mail to propagate indiscipline in office matters.

(3) Use e-mail for purposes of disrepute/ill repute of any
individual or organization.

(4) Use/share objectionable or pornographic material.

i. It is also advised that users should use a standard e-mail disclaimer
with each outgoing email. The E-mail disclaimer can be standardized
for every organization with the help of the Network/System
Administrator and Head of Department.

Network / PC Usage
17. The users should adhere to the following practices:-

a. Use password-protected screen savers to avoid misuse of their PCs
by unauthorized personnel. Users leaving their computers
unattended for more than 15 minutes should consider logging off
the network.

b. Log off the network at the end of each day and power off their
workstations.

c. Users are responsible for the security of their LAN user ID and
password.

d. Users are accountable for any actions that are taken with their user
ID and password.

Network Protection
18. Internet connectivity presents the organization with new risks that must
be addressed to safeguard the facility's vital information assets. Network
Administrator(s) will ensure that properly configured firewall and filtering systems
are in place to technically support the access requirements defined by this
policy. In-bound traffic from the Internet will not be permitted except for E-Mail
and access to public mail servers.

19. A hardware or software firewall should be installed and configured to
protect the network from unauthorized access and intrusion into the Office's
LAN from the Internet. All electronic traffic would be routed through this firewall,
which would be centrally monitored. Access to specific websites and ports would
be managed through it.

20. Business Continuity Plan (BCP)/Disaster Management. Being a very
important issue, each and every organization is required to give it proper
consideration. Every government organization will formulate its Business
Continuity and Disaster Management Plan keeping in view its IT infrastructure
and possible threats. A proper Standard Operating Procedure (SOP) will be
devised by the IT officer of the department and got approved by the HoD.
Copies of the same will be placed at appropriate places for strict compliance.

Non-Organization Personnel
21. External clients or non-organization personnel are not permitted access
to government organizations' internal network resources unless specifically
approved in advance by the Controlling Authority.

Removal of Privileges

22. Internet access will be discontinued upon termination of an employee,
completion of contract, end of service of a non-employee or disciplinary action
arising from violation of this policy. In the case of a change in job functions
and/or transfer, the original access code will be discontinued and re-issued only
if necessary and a new request for access is approved by the Controlling
Authority.

Virus Protection
23. The Network should be protected from viruses by using industry standard
licensed/copyrighted Antivirus software (Corporate Editions). This should be
scheduled to automatically update the clients and servers after daily
centralized downloading of latest virus definition files (DAT file) from the
Internet at night.

*****
Annex-C

RECOMMENDED DOS AND DON'TS

FOR SYSTEMS, NETWORKS AND E-MAIL ACTIVITIES

The following Dos and Don'ts will be followed in general, provided these
guidelines do not supersede the main policy directives.

1. Dos

a. Keep passwords secure and do not share accounts. Authorized
users are responsible for the security of their passwords and
accounts. System-level passwords should be changed quarterly;
user-level passwords should be changed every month.

b. All PCs, laptops and workstations should be secured with a
password-protected screensaver with the automatic activation
feature set at 5 minutes or less, or by logging off, when the host will
be unattended.

c. Information contained on portable computers (laptops) is especially
vulnerable; special care should be exercised.

d. When an employee is posted from one organization to another, the email
address at the old organization should carry a disclaimer stating that
the opinions expressed are strictly his/her own after leaving the
official duties and not necessarily those of the organization, unless the posting is in
the course of official duties.

e. All hosts used by the employees that are connected to the Federal
Internet/Intranet shall be continually executing approved virus-scanning
software with a current virus database.

f. Employees must use extreme caution when opening E-Mail
attachments received from unknown senders, which may contain
viruses, E-Mail bombs, or Trojan horse code.

2. Don'ts. Under no circumstances is a user of the Federal Internet/Intranet
authorized to engage in any activity that is illegal under Federal or
international law while utilizing Federal-owned resources. The following
activities are strictly prohibited, with no exceptions:

a. Violations of the rights of any person or state protected by
copyright, the Official Secrets Act, or similar laws or regulations.

b. Unauthorized copying/transfer of official correspondence material,
including digitization and distribution of photographs, official
correspondence or other copyrighted sources, and the installation
of any copyrighted software for which the end user does not have
an active license.

c. Introduction of malicious programs into the network, server or cell
phones (e.g., viruses, worms, Trojan horses, e-mail bombs, exploits
etc.).

d. Revealing an account password to others or allowing use of one's
account by others. This includes family and other household
members when a connection is authorized at home.

e. Using a Federal computing asset to actively engage in procuring or
transmitting material that is in violation of sexual harassment or
hostile workplace laws in the user's local jurisdiction.

f. Making fraudulent offers of products, items, or services originating
from any Federal account.

g. Effecting security breaches or disruptions of network
communication. Security breaches include, but are not limited to,
accessing data of which the employee is not an intended recipient
or logging into a server or account that the employee is not
expressly authorized to access, unless these duties are within the
scope of regular duties. For purposes of this section, "disruption"
includes, but is not limited to, network sniffing, ping floods,
packet spoofing, denial of service, and forged routing information
for malicious purposes.

h. Port scanning or security scanning is expressly prohibited.

i. Executing any form of network monitoring which will intercept data
not intended for the employee's host.

j. Circumventing user authentication or security of any host, network
or account.

k. Interfering with or denying service to any user other than the
employee's host (for example, a denial of service attack).

l. Using any program/script/command, or sending messages of any
kind, with the intent to interfere with, or disable, a user's terminal
session, via any means, locally or via the Internet/Intranet.

m. Providing information about, or lists of, organizations.

n. Sending unsolicited email messages, including the sending of "junk
mail" or other advertising material to individuals who did not
specifically request such material (email spam).

o. Any form of harassment via email, telephone or paging, whether
through language, frequency, or size of messages.

p. Unauthorized use or forging of email header information.

q. Solicitation of email for any email address other than that of
the poster's account, with the intent to harass or to collect replies.

r. Creating or forwarding "chain letters", "Ponzi" or other "pyramid"
schemes of any type.

s. Use of unsolicited E-Mail originating from within Federal Data
Networks or other Internet/Intranet service providers on behalf of, or
to advertise, any service hosted by Federal Data Networks or
connected via Federal Data Networks.
t. Posting the same or similar non-official business-related messages to
large numbers of Usenet newsgroups.

u. Downloading, installing, or running security programs or utilities
which reveal weaknesses in the security of the network, unless a job
specifically requires it.

v. Use of computers and User IDs for which there is no authorization, or
use of User IDs for purposes outside of those for which they have
been issued.

w. Attempting to modify, install or remove computer equipment,
software, or peripherals without proper authorization. This includes
installing any software not related to official work requirements.

x. Accessing computers, computer software, computer data,
information, or networks without proper authorization;
circumventing or attempting to circumvent logon procedures and
security regulations; or exceeding the system's capacity limits by
downloading excessive materials.

y. The use of computing facilities, User IDs, or computer data for
purposes other than those for which they are intended or
authorized.

z. Breaking into another user's E-Mail box, or reading someone else's
E-Mail without permission.

aa. Sending fraudulent electronic transmissions, including but not
limited to statements intended to mislead the receiver that are
known to be untrue, fraudulent requests for confidential
information, fraudulent submission of electronic purchase
requisitions or journal vouchers, or fraudulent electronic
authorization of purchase requisitions or journal vouchers.
bb. Violating any software license agreement or copyright, including
copying or redistributing copyrighted computer software, data, or
reports without proper, recorded authorization.

cc. Encroaching on or disrupting others' use of the shared network
resources by creating unnecessary network traffic (for example,
playing games or sending excessive messages); excessive use of
memory, bandwidth and disk space resources; interfering
with connectivity to the network; modifying system facilities,
operating systems, or disk partitions without authorization;
attempting to crash or tie up a computer; or damaging or vandalizing
computing facilities, equipment, software, or computer files.

dd. Disclosing or removing proprietary information, software, printed
output or magnetic media without the explicit permission of the
owner.

ee. Reading other users' data, information, files, or programs on a
display screen, as printed output, or via electronic means, without
the owner's explicit permission. This does not prohibit the Controlling
Authority from having access to users' computers.

*****
