2011
In view of the sensitivity of the matter, the GoP has made major efforts to
adopt complete automation for e-governance and paper-free environments, and
to use secure and reliable communications on all electronic media. Yet a
large number of information losses have been reported in the last few years,
and weighed against its advantages, the disadvantages have so far been
predominant. The term e-mail has largely been misunderstood and misused in
many public-sector bodies. Some government departments have likewise, in
several forms, begun to use it carelessly as an official medium of
communication, resulting in leakage of vital information through hacking and
spying on sensitive government departments. This warrants isolating official
business from the private exchange of information.
INDEX
1. General 5
3. Applicability / Scope 8
4. Glossary of Terms 9
15. Conclusion 40
16. Annexures (A to C)
General
1. Pakistan has made exemplary progress over the last ten years in promoting
the Internet and IT&T. The GoP encourages government organizations and their
employees to take advantage of new technologies to improve their systems and
remain current on matters pertaining to their charter. The continued effort
of the relevant departments is gradually shifting the functioning of
government offices to a paperless environment. A number of steps have been
taken, and others are in progress, to provide the hardware and software
needed to equip all offices of the Federal Government to use these modern
tools, enhancing their proficiency and improving their response to public
demands.
3. This document clarifies the misnomers and ambiguities that are often
confused with general IT terms used outside government, and focuses on the
provision of Internet facilities, restriction of inappropriate use of free
e-mail (Hotmail, Yahoo Mail and Gmail), and government-hosted webmail for
the purpose of bridging the digital divide. Hosting of websites and placement
of carefully selected content, while keeping classified government data
separate, will also be spelled out. The guiding principle is the use of
electronic media to conduct government business and to communicate with
other offices within Government and with the general public without exposure
to cyberspace hazards.
4. While modern tools and services offer enormous facilitation, they also
expose systems to great vulnerabilities through inadvertent or deliberate
actions by organizations or individuals that disclose classified information
in an unauthorized manner or for unlawful activities. There is thus a need to
lay down a policy framework for government organizations to use these tools
and services in an organized manner that ensures the security of information
and networks. The Cabinet Division, in consultation with various stakeholders
and with the assistance of technical and security organizations, is
instituting this policy to help government organizations and individuals
benefit from e-mail, the Internet and organizational websites in a manner
that facilitates government use of the Internet without compromising
national security.
7. This policy, as formulated for Internet usage, electronic mailing and the
exchange of classified information as defined in the document Handling of
Classified Matters in the Government Departments, will be applicable to:-
Glossary of Terms
d. The Cabinet Division (NTISB) will decide case by case and issue a
time-bound NOC for obtaining Internet/IT services from other ISPs,
subject to security and technical evaluation by the NTISB Network
Security Evaluation Team.
14. Use of Internet at Office. The following policy guidelines will apply in
this regard:-
b. The official Internet connection shall be used only for the purpose
for which it was authorized. No private business or activity will be
allowed, for reasons of safety and security.
f. A proper record must also be maintained of all data uploaded to or
downloaded from the network system/PC.
17. Storage of classified official data, files and tables on free shared
media on the web is therefore prohibited. There is a tendency to use the free
space provided by Hotmail, Yahoo and other services to carry information
between home and office, or from one office to another, without a physical
storage device. This practice will not be permitted in government offices.
18. Use of Storage Memory Devices. Removable storage devices such as USB
flash drives, hard disks, memory sticks, cameras and mobile phones are
essential tools for moving information between an Internet-connected PC and
an officially connected computer used offline or as part of a LAN carrying
classified official business. All such devices must be properly sanitized
before being connected to an Internet PC; even so, they remain a grave
concern, since they can compromise classified or sensitive non-sharable
information without the user's knowledge or consent.
20. Use of Mobile Phones. Since Internet access is also available through
cell phones, the relevant clauses in paras 13, 14 and 15 apply equally to
Internet and e-mail usage on mobile platforms. Extreme care and caution are
to be exercised when using the Internet facility for official transactions
on mobile phones, iPhones and BlackBerry devices, as these devices and
services are highly susceptible to monitoring and interception by hostile
agencies.
c. The user organization will be solely responsible for protecting its
departmental business, data and website from any misuse or hacking.
All necessary preventive and safeguarding measures will be taken to
ensure foolproof security of the official data residing on the user
organization's servers and machines.
e. All existing rules and instructions for other Internet services will
equally apply to these services.
22. All Internet-based e-mail, and the data exposed thereby, is subject to
government security audit by NTISB or designated auditors. Every department
will have an IT security audit carried out for its own safety and information
security. In addition, NTISB will carry out IT security audits with the
support of a composite team at regular intervals, as well as through spot
checks, as per existing policy and its charter of duties.
23. Network Security Audit. For Network Security audit purposes a three-
layered Network Security Audit approach will be adopted.
b. Second Layer.
f. The e-mail archiving period will be one year, and archives will be
handled as per the rules of business applicable to government documents.
g. The electronic transfer of files and e-mail within government
departments must never be confused or mixed with Internet-based
e-mail such as Yahoo, Hotmail or Gmail.
27. Free E-mail through Web Cloud. Since the Internet was introduced,
everyone has been using Hotmail, MSN Messenger, Yahoo Mail and Gmail for
free exchange of information through these mail servers. These are precisely
the e-mail services that are under neither the user's nor the government's
control: they are entirely housed, transported and managed by Microsoft and
other foreign IT resources. They are wholly unsafe for, and banned from, any
government business. Connection of any such e-mail or Internet facility is
prohibited under this policy. Some users fail to realize that all of these
mails, user IDs and passwords reside on a foreign-provided server and are
under its total control. Use of such free mail servers, and storage of
information on them, is strictly forbidden for official use in all
government business.
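A ban of this kind is only as good as the audit that enforces it (para 22 and
para 37(g) require user logs to be kept and examined). The following is an
added example, not tooling from the policy or from any government body: it
scans proxy-log lines in a simplified Squid-style format and reports every
request to a free webmail provider (Hotmail/Live, Yahoo, Gmail) or to a free
file-sharing service. The log format, the domain lists, the client addresses,
the user names and the sample log lines are all constructed for illustration.

```python
"""Detect use of free webmail / cloud storage from official Internet connections.

Added example, not part of the policy document: it scans proxy-log lines in
a simplified Squid-style format and reports every request whose destination
host belongs to a free webmail provider (Hotmail/Live, Yahoo, Gmail) or a
free file-sharing service, both of which the policy bans on official
connections. The log format, the domain lists, the client addresses and the
sample lines are all constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Assumed block lists (registrable domains); subdomains match by suffix,
# so mail.google.com and login.live.com are caught without listing them.
FREE_WEBMAIL_DOMAINS = {
    "hotmail.com", "live.com", "outlook.com", "msn.com",
    "yahoo.com", "ymail.com", "gmail.com", "google.com",
}
FREE_STORAGE_DOMAINS = {"dropbox.com", "drive.google.com", "onedrive.live.com"}

# Simplified Squid access.log:
#   <timestamp> <elapsed> <client> <status/code> <bytes> <method> <url> <user>
LOG_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

# Constructed sample log: one intranet hit, three banned destinations,
# one government portal hit and one malformed line.
SAMPLE_LOG = """\
1310000001.123    120 10.10.5.21 TCP_MISS/200 5120 GET http://intranet.example.gov.pk/circulars/2011.html ahmed
1310000002.456    340 10.10.5.21 TCP_TUNNEL/200 9800 CONNECT mail.google.com:443 ahmed
1310000003.789    210 10.10.5.44 TCP_MISS/200 2300 GET http://login.live.com/login.srf?id=64855 saba
1310000004.001    150 10.10.5.44 TCP_MISS/302 880 GET http://www.dropbox.com/home saba
1310000005.200     90 10.10.5.9 TCP_MISS/200 4000 GET http://www.pakistan.gov.pk/ bilal
this line is not a valid log entry
"""


@dataclass(frozen=True)
class Finding:
    ts: str
    client: str
    user: str
    host: str
    category: str  # "webmail" or "storage"


def host_of(url: str) -> str:
    """Hostname of a proxy URL; CONNECT lines log bare host:port without a scheme."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def _matches(host: str, domains: set[str]) -> bool:
    """True when host equals, or is a subdomain of, any listed domain."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify_host(host: str) -> str | None:
    """Return the ban category for a host, or None when it is allowed."""
    if _matches(host, FREE_STORAGE_DOMAINS):  # checked first: drive.google.com
        return "storage"
    if _matches(host, FREE_WEBMAIL_DOMAINS):
        return "webmail"
    return None


def scan_proxy_log(text: str) -> list[Finding]:
    """Parse log lines and return one Finding per request to a banned host."""
    findings: list[Finding] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip rather than abort the audit
        host = host_of(m["url"])
        category = classify_host(host)
        if category:
            findings.append(Finding(m["ts"], m["client"], m["user"], host, category))
    return findings


def offenders(findings: list[Finding]) -> dict[str, int]:
    """Count banned requests per user, for the audit report."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.user] = counts.get(f.user, 0) + 1
    return counts


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f.ts} {f.client} {f.user}: {f.category} -> {f.host}")
    print(offenders(scan_proxy_log(SAMPLE_LOG)))
```

Matching is by registrable-domain suffix rather than substring, so a host such
as notgmail.com is not flagged while mail.google.com is. HTTPS traffic shows up
only as CONNECT lines with host:port, which is why the parser accepts a bare
host without a scheme; the same list can be fed to the proxy's own deny rules,
but the audit pass above is what shows whether those rules are actually
holding.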
28. Webmail Service Policy. Under this policy, web-mail service means e-mail
services through officially hosted mail services under the government portal
www.pakistan.gov.pk and other mail servers hosted exclusively within
Pakistan. This mail service is to interlink international customers and
citizen services, and to provide access to government for conducting
government transactions and similar functions peculiar to each department.
The following will apply:-
30. Web Mail Service Precautions. For web browsing and web-mail services,
the following precautions are to be followed:-
a. All PCs containing data classified RESTRICTED and above must be
protected with a Basic Input Output System (BIOS) password and a
screen-saver password to prevent unauthorized access and physical
walk-in attacks. Screen savers are to activate after 5 minutes or less
of inactivity, and reactivation must require the login password. Note
that a BIOS password restricts booting and firmware settings only; it
does not protect data on a disk that is removed from the machine.
b. Users will be held accountable for any action that has taken place
with their user ID and Password.
c. A weak password is one that is either too short or easily guessed.
Guessing weak passwords is also one of the most common methods
intruders use to get into systems. Unfortunately, most users do not
choose good passwords.
d. Passwords must be changed regularly, at least once a month. Where
the nature of the data dictates higher security, they must be changed
at least once a week.
e. All government organizations should notify their respective IT
Security Officer/Coordinator and Network/System Administrators, who
should in turn notify NTISB, EGD, IB and FIA in case of suspected loss
or disclosure of sensitive information, as well as unauthorized access
through hacking or attempted hacking via the internal or external
network.
f. The CERT, as and when established, must hold a valid contact for
each organization's security officer, so that it can assist that
organization's information systems in a crisis.
g. Use of the Internet facility for personal purposes, including
e-mail, games and chatting, will not be allowed on any official
connection or PC.
h. Unauthorized encryption software will not be used by any user or
organization unless duly authorized/certified by NTISB.
i. For information security during transmission, files and data to be
transferred will be encrypted with an algorithm commensurate with their
classification, so that the required level of secrecy is maintained in
transit. The Department of Communications Security (DCS) will provide
encryption software both for inter- and intra-government exchange of
classified documents and to MoFA for secure communication with
missions abroad.
j. No facility for walk-up network connection will be provided on any
of the networks, i.e. LAN, WAN or Federal Intranet.
31. Central Mail Service Network Using LAN/WAN. E-mail, in letter and
spirit, is the electronic mailing platform for government business conducted
between government offices. A special Metropolitan Area Network (MAN) for
this purpose has already been laid by EGD for electronic exchange of
information between ministries, departments and other autonomous bodies. All
such exchanges will run over terrestrial, ground-based networks for sensitive
official government business that should in no way be exposed to outside
agencies. This connectivity may take place in two phases:-
a. Phase 1. In the first stage, Federal Government Divisions, Ministries
and Departments will be connected through a MAN/WAN.
b. Phase 2. Subsequently, network infrastructure connecting the Federal
Government to Provincial Government networks will also be established,
so that all electronic information exchange within government takes
place without going through the Internet. For the first stage, the
fibre ring laid for FGDC by EGD through NTC will be used for Federal
Government mail services.
Hosting of Government Web Portal/Websites and Web Mail Servers
32. The government portal, websites and mail servers are public interface
platforms that enable a carefully calculated dialogue with citizens,
organizations and the wider world through an infrastructure of hardware,
software and network nodes provided exclusively for the outward interface
and essentially separated from government internal networks and databases.
Special care is therefore exercised to provide secure and spam-free bandwidth
for government networks, and secure hosting with a structured configuration
of network devices, routing tables, protocols and ports that provides
multilayered protection. The following policy guidelines will govern the
hosting of government websites:-
a. Web Hosting. All government departments will place their bandwidth
requirements with NTC, informing the Ministry of IT and NTISB.
Government websites and mail servers will be hosted in secure hosting
environments by NTC through its own IP bandwidth and servers.
35. The Internet and its allied resources, as provided by the GoP, are for
business purposes only. The GoP therefore reserves the right to monitor the
volume of Internet and network traffic, together with the Internet sites
visited. The specific content of transactions, however, will not be monitored
unless there is suspicion of improper usage.
a. Acceptable Internet Usage Policy. The Government of Pakistan (GoP)
encourages government organizations and their employees to use e-mail,
the Internet, organizational websites and other electronic media to
conduct the business of Government; to communicate with other offices
within Government and with the general public; to gather information
relevant to their duties; and to develop expertise in using such tools
and services. However, the GoP has a policy for use of the Internet
whereby employees must ensure that they:-
(1) Comply with rules and regulations imposed by Federal
Government and its subordinate bodies as issued from time
to time.
(2) Use the internet in an appropriate way.
(3) Avoid creating unnecessary business risk to the Federal
Government through Internet misuse.
(4) Understand and practise safe browsing; avoid sites that serve
viruses, Trojans and exploits.
(5) Do not visit illegal, shameful or objectionable websites with
pornographic or social-engineering content.
(6) Avoid visiting or browsing sites that promote terrorism, ethnic or
religious hatred, racism, injustice or sexual abuse, or that invite
hackers.
Miscellaneous Aspects
37. In addition to the above, several other important aspects merit attention
to protect government information from falling into hostile hands. The
following actions are recommended as part of the policy:-
a. Proper education and training of government employees in the
appropriate handling of systems. An awareness programme must be
undertaken with the willing support of top management.
b. Now that a sizable take-off in IT use has been achieved, a national
IT policy may be devised to build in safeguards and controls.
c. The Federal budget be enhanced to make possible the Internet
working of Ministries/Divisions/Departments in line with the
electronic mailing concept enshrined in this policy document.
d. Arrangements be made to protect the systems from external attacks
by isolating free networks such as the Internet.
e. The Internet Security Policy be consistent enough to cover any
security breach. In this connection, systems must have secure auditing
tools that monitor access to the system and other activity of its
users.
f. Website security policies to be reviewed frequently and modified
periodically.
g. To audit any outgoing wrongful activity or missing information, user
logs will be maintained and examined frequently. Logs will also be
presented to audit teams subsequently.
h. All government organizations must make an endeavour on:-
(1) Creating awareness and security consciousness among users
down to operator level.
(2) Periodic conduct of lectures, seminars and workshops on the
subject by the organization's IT experts.
b. Make the network secure against all possible intruders and threats.
*****
Annex-A
GLOSSARY OF TERMS
1. General
a. GoP. It stands for Government of Pakistan.
b. Approved ISPs/Operators. Internet service providers (including GSM
and WLL operators) that are approved/licensed by the PTA to provide
services in areas where the NTC network is not available. These ISPs
will be bound by certain regulations and restrictions to ensure
security for government Internet clients.
2. IT Terms
ll. Internet User and Email User. Any person with the access and
facilities at his/her disposal to connect to the WWW cloud to use
browsers, search engines, data transfer or any other feature provided
by the Internet is termed an Internet User. A person who identifies
himself/herself with an e-mail address on the World Wide Web, whether
using free mail services such as Hotmail, Yahoo, Gmail or Facebook or
the department's official webmail service through the WWW cloud, is
termed an Email User in this context.
pp. BIOS. Basic Input/Output System: the built-in firmware that
determines what a computer can do without loading programs from a
disk. On PCs the BIOS contains the code required to control the
keyboard, display, disk drives, serial communications and a number of
miscellaneous functions.
vv. Backup Data/Mail Recovery. Keeping data files in multiple copies
to safeguard against loss or disaster, and recovering lost, affected or
infected files by some procedure or software.
3. Administrative Terms
a. Controlling Authority. Head of respective Ministry, Division,
Department, or Autonomous Body shall be the controlling authority
for the purpose of this policy.
IT SECURITY GUIDELINES
(6) Use the first letter of each word of a phrase, event, song or poem
that you can easily remember, then add a punctuation mark and a
number.
(7) Users are required to change their password within 30 days. If a
user does not change his/her password within 30 days, he/she will
automatically be prompted to change it.
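The password rules above, together with precautions (c) and (d) in para 30
(too short or easily guessed; monthly change, weekly for sensitive data), can
be turned into a check an administrator runs at password-set time and in a
periodic audit. The following is an added example, not code from the
guideline or from any government department. The minimum length of 8, the
small common-password list and the "high" sensitivity class are assumptions
for illustration; the guideline itself gives no minimum length.

```python
"""Check passwords against the guideline's password rules.

Added example, not code from the guideline. It rejects passwords that are
too short or easily guessed, checks the letter + punctuation + number shape
that the passphrase advice produces, and reports whether a password is due
for change: after 30 days for ordinary accounts, or after 7 days where the
data's sensitivity calls for weekly rotation. The minimum length of 8, the
tiny common-password list and the "high" sensitivity class are assumptions
for illustration; the guideline itself gives no minimum length.
"""
from datetime import date, timedelta

MIN_LENGTH = 8                              # assumed; not stated in the text
ROTATION_DAYS = {"normal": 30, "high": 7}   # monthly, or weekly for sensitive data
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome", "admin", "letmein"}
PUNCTUATION = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")


def passphrase_initials(phrase: str, punctuation: str = "!", number: int = 7) -> str:
    """Build a password the way guideline (6) suggests.

    Take the first letter of each word of a memorable phrase, then append a
    punctuation mark and a number.
    """
    initials = "".join(word[0] for word in phrase.split() if word[0].isalpha())
    return f"{initials}{punctuation}{number}"


def password_problems(password: str, username: str = "") -> list:
    """Return the list of rule violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # "password1!" is still guessable: strip trailing digits/punctuation first.
    core = lowered.rstrip("0123456789" + "".join(PUNCTUATION))
    if lowered in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("easily guessed (common password)")
    if len(username) >= 3 and username.lower() in lowered:
        problems.append("contains the user name")
    if not any(c.isalpha() for c in password):
        problems.append("no letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in PUNCTUATION for c in password):
        problems.append("no punctuation mark")
    return problems


def change_due(last_changed: str, today: str, sensitivity: str = "normal") -> bool:
    """True when the password has reached the rotation period for its class.

    Dates are ISO strings such as "2011-01-31".
    """
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age >= timedelta(days=ROTATION_DAYS[sensitivity])


if __name__ == "__main__":
    pw = passphrase_initials("Pakistan over the last ten years has made exemplary progress")
    print(pw, password_problems(pw))
    print(password_problems("password1!", "ahmed"))
    print(change_due("2011-01-01", "2011-01-31"))
```

The common-password check strips trailing digits and punctuation before the
lookup, because the guideline's own advice ("add a punctuation mark and a
number") is exactly how users turn a dictionary word into something that
passes a naive composition check. In production the small set here would be
replaced by a real breached-password list.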
(a) LANs installed within the department are not to be linked to
the Internet or an intranet.
(5) Loss of the same is the responsibility of the user to whom it was
issued, for the period in which the loss occurred.
(9) Defective hard drives are not to be taken out for repair without
the Head of Department's approval. Only vendors who have been
security-cleared by the organization may be contacted, and the hard
drive is to be repaired under the supervision of the Head of
Department's representative. Where the level of security and
sensitivity of the information outweighs the risks of a possible
breach, the hard drive is to be destroyed physically by dismantling,
breaking the disk platters and incineration. The Head of Department is
authorized to approve destruction of a hard disk case by case, on a
request forwarded by the department stating the justification.
Nevertheless, repair of the hard drive by calling the technician on
site is to be preferred where possible.
(11) Use of floppy discs or rewritable CDs may be limited. They are to
be clearly marked and handled in accordance with their classification.
Physical Security
g. All sensitive data (papers, disks, tapes, CDs etc.) should be kept
protected at all times, and only authorized persons should have access
to it. Its movement must be properly logged/documented with a time
stamp.
4. The office's internal network introduces new resources and services
through Local Area Network and Internet connectivity. This connectivity
brings not only new technology and services but also new risks and threats.
This document formally defines a departmental IT security policy regarding
network resource usage, rights and restrictions. All network users are
expected to be familiar with, and to comply with, the instructions in the
succeeding paras:-
7. Any software required by users should have security clearance from the
Network Administrator(s).
(1) Firstly, if the server crashes, all data can be recovered from
the tape cartridge/storage device kept in the server room.
9. Backups may be taken of the following servers, user folders and their
e-mail:-
10. File and print services will be limited to local systems; under no
circumstances will the Internet be used for remote printing, whether file
or network printing.
12. Specific auditing, which monitors user interaction with key system
resources, should be enabled on the hard drives of laptops; this will help
administrators monitor any improper use of the laptops.
Internet Access
13. The following Standard Internet services will be provided to users after the
prior approval of Controlling Authority:-
14. To further improve network security and to optimize Internet access, the
following measures should be adhered to by users:-
d. Where necessary, and with the approval of NTISB, remote users may
dial into the access server using VPN client software.
Mail Management
15. E-mail addresses should be created according to a standard naming
convention, as follows:-
b. Where two users have the same first letter of the first name and the
same last name, the first two letters of the first name may be used to
avoid confusion.
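Collisions in a naming convention are a security matter as much as a
convenience one: if two "A. Khan"s share a local part, one of them reads the
other's mail. The following is an added example, not the department's own
tooling, of an allocator that applies the rule above and guarantees distinct
addresses. The policy states only the collision rule; the base form
"<first initial><surname>@<domain>" and the domain example.gov.pk are
assumptions. As an extension beyond the text, it keeps taking further letters
of the first name when two letters still collide, and appends a counter once
the whole first name has been used (two people with identical names).

```python
"""Allocate official e-mail addresses under the initial-plus-surname convention.

Added example, not the department's own tooling. The policy text states only
the collision rule (same first letter of the first name and same surname:
use the first two letters of the first name); the base form
"<first initial><surname>@<domain>" and the domain below are assumptions.
As an extension beyond the text, the allocator keeps taking further letters
of the first name when two letters still collide, and falls back to a
numeric suffix once the whole first name is used, so every user gets a
distinct address and no one silently receives another person's mail.
"""
import re
import unicodedata

DOMAIN = "example.gov.pk"  # assumed; each department uses its own domain


def normalize(name: str) -> str:
    """Lowercase the name, strip accents, and drop anything that is not a-z.

    Keeps local parts to the plain ASCII that every mail system accepts.
    """
    ascii_only = unicodedata.normalize("NFKD", name).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_only.lower())


class AddressAllocator:
    """Hands out unique local parts, remembering which are already taken."""

    def __init__(self, domain: str = DOMAIN, taken=()):
        self.domain = domain
        self._taken = set(taken)  # pre-existing local parts, if any

    def allocate(self, first_name: str, last_name: str) -> str:
        first, last = normalize(first_name), normalize(last_name)
        if not first or not last:
            raise ValueError("first and last name must each contain a letter")
        # Policy rule: one letter of the first name; two letters on a clash.
        # Extension: three, four, ... letters while clashes persist.
        for n in range(1, len(first) + 1):
            candidate = first[:n] + last
            if candidate not in self._taken:
                return self._register(candidate)
        # Extension: identical full names -> append a counter.
        i = 2
        while f"{first}{last}{i}" in self._taken:
            i += 1
        return self._register(f"{first}{last}{i}")

    def _register(self, local: str) -> str:
        self._taken.add(local)
        return f"{local}@{self.domain}"


if __name__ == "__main__":
    alloc = AddressAllocator()
    people = [("Ahmed", "Khan"), ("Asma", "Khan"), ("Asad", "Khan"),
              ("Ali", "Raza"), ("Ali", "Raza"), ("Ali", "Raza"), ("Ali", "Raza")]
    for first, last in people:
        print(f"{first} {last}: {alloc.allocate(first, last)}")
```

The allocator is seeded with the local parts already in use (the `taken`
argument), so it can be run against an existing directory export; the
earlier holder keeps the shorter address and the newcomer gets the longer
one, which is what the rule implies.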
16. Users should consider the following to better manage E-Mail activities:-
a. Users should compress large files before attaching them to e-mail.
This will help to optimize bandwidth.
b. Users should delete items from their inbox and outbox when they are
no longer needed. If a mail item needs to be retained, it should be
moved to an archive folder or a disk, or printed; otherwise it should
be deleted. Unsolicited mail should be deleted immediately.
c. Users should check their e-mail with a frequency appropriate to
their jobs. Employees who will be absent for more than one day
should make arrangements for a supervisor or co-worker to check
for messages that need attention, OR, an automatic reply message
may be configured with the help of Network/System Administrator.
d. It is possible to receive a virus by e-mail, and some viruses are
embedded in attachments. If you receive a suspicious e-mail, do not
open it; instead contact the Network/System Administrator.
e. Some computer features increase e-mail traffic; employees should
strive to keep message and attachment sizes as small as possible.
f. Avoid the use of graphics in auto-signatures or other parts of the
message or attachments. Use of stationery should be avoided, as should
moving graphics and audio objects, as they consume more disk space and
network bandwidth and detract from the message content.
g. Users may use only proper official language in their e-mails and
should refrain from using words of other languages transcribed in
English.
h. Users shall not:-
(1) Discuss their opinions on religious/sectarian, ethnic, linguistic,
or political matters.
(2) Use e-mail to propagate indiscipline in office matters.
(3) Use e-mail for purposes of disrepute/ill repute of any
individual or organization.
(4) Use or share objectionable material/pornography.
i. Users are also advised to use a standard e-mail disclaimer with
each outgoing e-mail. The disclaimer can be standardized for every
organization with the help of the Network/System Administrator and
the Head of Department.
Network / PC Usage
17. The users should adhere to the following practices:-
b. Log off the network at the end of each day and power off their
workstations.
c. Users are responsible for the security of their LAN user ID and
password.
d. Users are accountable for any actions taken with their user ID and
password.
Network Protection
18. Internet connectivity presents the organization with new risks that must
be addressed to safeguard the facility's vital information assets. Network
Administrator(s) will ensure that properly configured firewall and filtering
systems are in place to technically enforce the access requirements defined
by this policy. Inbound traffic from the Internet will not be permitted
except for e-mail and access to public mail servers.
Non-Organization Personnel
21. External clients or non-organization personnel are not permitted access
to government organizations internal network resources unless specifically
approved in advance by the Controlling Authority.
Removal of Privileges
Virus Protection
23. The network should be protected from viruses by using industry-standard
licensed antivirus software (corporate editions). This should be scheduled
to update clients and servers automatically after the latest virus
definition files (DAT files) are downloaded centrally from the Internet
each night.
*****
Annex-C
The following Dos and Don'ts will be followed in general, provided these
guidelines do not supersede the main policy directives.
1. Dos
a. Keep passwords secure and do not share accounts. Authorized users
are responsible for the security of their passwords and accounts.
System-level passwords should be changed quarterly; user-level
passwords should be changed every month.
e. All hosts used by employees that are connected to the Federal
Internet/Intranet shall continually run approved virus-scanning
software with a current virus database.
q. Solicitation of e-mail for any address other than that of the
poster's own account, with the intent to harass or to collect replies.
*****