Privacy Policy
1. Introduction
Welcome to the Utrax Agency Ltd - Information Technology (IT) Security Policy. The purpose of this IT Security Policy is to protect the information assets, infrastructure, and personnel of Utrax Agency Ltd. This policy outlines the principles and practices for securing our IT resources, ensuring data integrity, confidentiality, and availability while enabling a productive and safe environment.
2. Scope of the Policy
This policy applies to all employees, contractors, consultants, temporary workers, and other personnel accessing or using Utrax Agency Ltd information assets. It covers all systems, networks, applications, and data owned or operated by Utrax Agency Ltd.
3. Information Security Objectives
- Protect information assets from threats.
- To provide guidelines on the security of information ensuring the confidentiality, integrity, and availability of data.
- Establish accountability through secured and monitored access.
- Comply with legal, regulatory, and contractual obligations.
- To provide guidelines for the acquisition and use of both ICT hardware and software.
- To regulate and control access to Utrax ICT infrastructure and resources.
- To avail guidelines on the administration of ICT infrastructure and other related resources.
- To establish how to deal with emergency issues related to loss of information (in case of a deserter).
- To give guidelines on the use of the websites, official mail and social media as communication channels for the Ministry.
4. Information Security Policy Statements
4.1 Access Control
- Access to information and systems must be based on least privilege and role-based access principles.
- Multi-factor authentication (MFA) is mandatory for all remote access.
- Access rights must be reviewed semi-annually to ensure they remain appropriate.
- Information stored on electronic and computing devices whether owned or leased remains the sole property of Utrax Agency LTD and must be protected in accordance with the Data Protection Standard.
- All mobile and computing devices that connect to Utrax network must comply with the Network Access Policy.
- System and user level passwords must comply with the Password Policy. Providing access to another individual, either deliberately or through failure to secure its access, is prohibited.
- All computing devices must be secured with a password-protected screensaver. Users must lock the screen or log out when the device is unattended.
- Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.
4.2 Data Protection
- All sensitive and confidential data must be encrypted at rest and in transit.
- Personal Identifiable Information (PII) and financial data must be handled in compliance with relevant laws.
- Data retention policies must be enforced, with data stored only for as long as required by legal, regulatory, or business needs.
- Under no circumstances is an employee to engage in any activity that is illegal under local or international law while utilizing Utrax's ICT resources.
- Accessing data, a server or an account for any purpose other than conducting official business is prohibited.
- Avoid introduction of malicious programs into the network or server (viruses, worms, Trojan horses, e-mail bombs, etc.).
- Avoid revealing your account password to others or allowing use of your account by others.
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet is prohibited.
- Avoid sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
4.3 Technology Hardware and Software Acquisition
Utrax's ICT equipment is in the form of hardware as well as software. The hardware includes desktops, laptops, and communication infrastructure such as switches, routers, and servers. The software covers a wide range of both application and operating software.
Procedures
- All the procurement of technology will follow the standard procedure as provided for in the Public Procurement and Disposal Act (PPDA).
- The service provider to be procured must meet the guidelines by the National Technology Authority of Uganda (NITA U).
- ICT Department will from time to time provide specifications to guide the acquisition of both hardware and software.
- No equipment, whether donated or procured, will be put to use before verification by the ICT department.
4.3.1 Software Usage
- Only software purchased in accordance with this policy will be used within Utrax.
- Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.
- All employees must receive training for all new software. This includes new employees to be trained to use existing software appropriately. This will be the responsibility of Head ICT department.
- Unless express approval from Head ICT department is obtained, software cannot be loaded on an employee's personal computer.
- Where an employee is required to use software on a personal computer, an evaluation of providing the employee with a portable computer should be undertaken in the first instance. Where it is found that software can be used on the employee's personal computer, authorisation from ICT department is required to purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of Utrax and must be recorded on the software register.
4.3.2 Breach of the Guidelines
- Unauthorised software is prohibited from being used. This includes the use of software privately owned by an employee or contractor and used with Utrax ICT infrastructure.
- The unauthorised duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires or uses unauthorised copies of software will be referred to the Accounting Officer for disciplinary action. The illegal duplication of software or other copyrighted works is not condoned.
- Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify the Head ICT department immediately. In the event that the breach is not reported and it is determined that an employee failed to report the breach, then that employee will be referred to the Accounting Officer for disciplinary action.
4.4 Security of Information Technology
Confidentiality, Integrity and Availability (CIA) of information are very important pillars of any organisation's information management. The procedures under this chapter aim at ensuring that these pillars are upheld so that there is no compromise to Utrax's information and technology infrastructure. Emphasis is placed on protection against the damages and liability created when unauthorized access occurs, and against threats and physical damage to the infrastructure.
Physical Security
- All communication infrastructure (servers, routers, switches and other network assets) must be secured.
- Appropriate access control measures must always be provided so that only authorized personnel are allowed access to the technology infrastructure.
- Security and safety of all portable technology, such as laptops, notepads and iPads, will be the responsibility of the employee who has been issued with the device.
4.4.1 Information Security
- All Utrax critical data will be backed up and secured on a monthly basis.
- All technology that has internet access must have anti-virus software installed.
- It is the responsibility of Head ICT Department to install all anti-virus software and ensure that this software remains up to date on all technology used by Utrax Agency LTD.
- All information used within Utrax is to adhere to the privacy laws and confidentiality requirements.
- Any employee breaching this will face disciplinary actions.
4.4.2 Network Access
- All users accessing any of Utrax's network infrastructure must get authorization from the Network administrator.
- The access and use of the network resources shall be restricted to official duties only.
- All Wi-Fi enabled devices must be secured with a password and user authentication.
- All computers and devices on the network must be logically and physically secured when leaving them unattended.
- All devices must run up-to-date software applications and a properly configured firewall.
- All network resources are the property of the company and can be subject to monitoring without recourse to the staff, and the company reserves the right to grant or deny access to the network.
4.4.3 Technology Access
- Every employee will be issued with a unique identification code to access the company technology (for example, Wi-Fi) and will be required to set a password for access to domain services every six months.
- Each password is to be at least 8 characters long and alpha-numeric, and is not to be shared.
- Head ICT Department is responsible for the issuing of the identification code and initial password for all employees.
- Where an employee forgets the password or is 'locked out' after three attempts, Head ICT Department is responsible for reissuing a new initial password, which must be changed when the employee logs in using the new initial password.
4.5 ICT Governance
Effective ICT Governance provides a conducive environment for aligning all ICT investments, in a rationalized manner, towards enabling Utrax Agency LTD to meet its goals and objectives. This contributes to the attainment of value for money, management of risks and effective ICT utilization.
Procedures
ICT Committee
The Board of Directors shall appoint an ICT Committee whose role and duties include:
- Ensure that ICT strategy is aligned with the strategic objectives of the Ministry.
- Monitoring the quality of the ICT projects.
- Providing advice (and sometimes making decisions) about changes to the ICT projects.
- Providing support, guidance and oversight function to the ICT Division.
ICT Department
The Department shall be responsible for the day to day running of the ICT activities in Utrax Agency LTD and these shall include:
- Coordinate the development of ICT strategy that supports the company's business objectives and helps build a strong competitive advantage.
- Support employees to make the most effective use of ICT resources, by providing various forms of user support.
- Develop and operate a network to support effective communication and collaboration.
- Protect the ICT infrastructure and corporate data against attacks from viruses, cybercriminals and other threats.
- Develop tools to collect, store, manage, secure and distribute data to employees who need access to the latest information to make decisions about strategic, financial and operational issues.
- Conduct a technology audit annually to ensure that all information technology policies are being adhered to.
- Maintain and manage all service agreements for the Ministry's technology.
4.6 Data and Information Management
This includes data generation, storage, protection and sharing. This part of the policy provides guidelines for the management of the data generated by and in the possession of Utrax.
- All data / information generated and / or received at different levels, in all forms, and in the possession of Utrax Agency LTD belongs to Utrax Agency LTD.
- Units responsible for Data / information Processing (Registries, Depository, Resource Centre) shall process the Data / information in their custody for the purpose of easy access.
- Data / information shall be accessed by only authorized personnel.
- Database Administrator shall be responsible for all the electronic information management.
4.7 Management of ICT Service Agreements
For the purpose of this policy, ICT Service Agreement means an official commitment that prevails between a service provider and Utrax Agency LTD. Particular aspects of the service quality, availability, responsibilities are agreed between the service provider and Utrax. This chapter therefore provides guidelines for all ICT service agreements entered into on behalf of Utrax.
ICT service agreements may include the following:
- Provision of general ICT services and equipment
- Provision of network hardware and software
- Repairs and maintenance of ICT equipment
- Provision of business software
- Website design, hosting, maintenance and updates
All ICT service agreements must be reviewed by Utrax's legal Department or solicitor general before the agreement is entered into. The service agreements shall be approved by the Accounting Officer.
All ICT service agreements, obligations and renewals will be recorded and a record kept in accordance with the records management procedures of Utrax.
4.8 Emergency Management of Information Technology
For the purpose of this policy, attention is given to the following as ICT emergency issues:
- Internet Failure
- Email Service Failure
- ICT Hardware Failure
- Virus or other security breach
- Website Disruption
This provides guidelines for emergency management of all information technology within Utrax. All technology failures and disruptions shall be reported to the ICT Department immediately so that it can take the necessary action.
It is the responsibility of ICT Department to undertake tests on emergency procedures to ensure that they are appropriate and minimize disruption to Ministry operations.
All actions must be taken immediately to minimize disruption to business operations.
5.0 Implementation Strategy
The policy will be implemented through development and approval of manuals in the areas identified in the policy statement and others that may be relevant in operationalizing this policy.
- ICT Department in partnership with the IT Committee shall be responsible for monitoring the implementation and compliance of these policies and where necessary, take appropriate remedial measures.
- ICT Department shall ensure enforcement of the policies and their Utrax-wide dissemination, as well as training, awareness and sensitization on this policy.
- Violations of the policy areas listed here within shall be addressed by the appropriate mechanism.
6.0 Monitoring and Evaluation
- Realization of the objectives of this policy will require consistent monitoring and evaluation of the outcome indicators.
- Utrax recognises the role of the ICT committee as the overall body that undertakes monitoring and evaluation of the ICT sector in the country. Therefore, Utrax will play a leading role as far as the overall monitoring and evaluation of this policy is concerned.
- In addition, ICT Department with the help of ICT Committee will lead the process of monitoring and evaluation of the ICT programmes and projects at different levels.
- A monitoring and evaluation framework shall be developed to provide guidance.
- The policy shall be subjected to a mid-term review every three (3) years and a long term review every five (5) years in order to cater for the fast rate of technology innovation and advancement.
© 2025 Utrax Agency Ltd. All rights reserved.
For inquiries, contact: help@utrax.co.ug