Effective Date May 4th, 2025

ARC_ESM Security Policy

A. INTRODUCTION

The risk of data theft, fraud, and security breaches can have a detrimental impact on a company’s systems, technology infrastructure, and reputation. As a result, Africa Resource Center for Excellence in Supply Chain Management (ARC_ESM) has created this policy to outline the security measures put in place to ensure information remains secure and protected. This Cyber Security Policy is a formal set of rules by which those people who are given access to company technology and information assets must abide.

The Cyber Security Policy describes the technology and information assets that we must protect and identifies various threats to those assets. The Cyber Security Policy also describes the user’s responsibilities and privileges. What is considered acceptable use? What are the rules regarding Internet access? The policy answers these questions, describes user limitations, and informs users that there will be penalties for violation of the policy. This document also contains procedures for responding to incidents that threaten the security of the company computer systems and network.

B. PURPOSE

The purpose of this policy is to (a) inform ARC_ESM’s users (employees, contractors, and other authorized users) of their obligatory requirements for protecting the technology and information assets of ARC_ESM’s data and infrastructure, (b) outline the protocols and guidelines that govern cyber security measures, (c) define the rules for company and personal use, and (d) list ARC_ESM’s disciplinary process for policy violations.

C. WHAT ARE WE PROTECTING?

It is the obligation of all users of the company systems to protect the technology and information assets of the company. This information must be protected from unauthorized access, theft, and destruction. The technology and information assets of the company are made up of the following components:

  • Computer hardware, computer storage devices, email, web, and application servers, PC systems, application software, system software, etc.
  • System software, including operating systems, database management systems, backup and restore software, communications protocols, and so forth.
  • Application software used by the various units. This includes custom-written software applications and commercial off-the-shelf software packages like QuickBooks, Microsoft, etc.
  • Communications network hardware and software, including routers, routing tables, hubs, modems, multiplexers, switches, firewalls, private lines, and associated network management software and tools.

D. DEFINITIONS

ARC_ESM defines “Cyber Security” as: the practice of protecting computers, hardware, software, servers, mobile devices, electronic systems, and data from malicious attacks that would compromise ARC_ESM’s ability to safeguard the confidentiality and integrity of all of its access and applications.

ARC_ESM defines “Confidential Data” as:

  • Unreleased and classified organization and project information.
  • Clients, suppliers, partners, members on platforms, and donor information.
  • Project designs, innovations, business processes, and/or new tools and technologies.
  • Employees’ and consultants’ passwords, assignments, and personal information.
  • Company contracts and legal records.

E. CYBER SECURITY TRAINING AND AWARENESS

ARC_ESM will provide Cyber Security training with a certified Cyber Security Professional for its employees and long-term contractors (consultants, interns, and volunteers) to help them understand the risks in all their activities that involve networks, computers, and the use of the internet, for their own safety as well as the Company’s. The Cyber Security Training and Awareness may involve the following topics:

  • How to Recognize Phishing Attacks
  • Unique Passwords and Authentications
  • The Proper Use of Removable Media
  • Devices Security: Mobile, Laptops, and Computers
  • Working Remotely and Security at Home
  • The Dangers of Public Wi-Fi
  • Physical Security Within and Outside the Premises of the Company
  • Social Media Etiquette

F. ACCESS CONTROL

A fundamental component of our Cyber Security Policy is controlling access to critical information resources that require protection from unauthorized disclosure or modification. The fundamental meaning of access control is that permissions are assigned to individuals or systems that are authorized to access specific resources. Access controls exist at various layers of the system, including the network. Access control is implemented by logon ID and password. At the application and database level, other access control methods can be implemented to further restrict access. The application and database systems can limit the number of applications and databases available to users based on their job requirements.

User System and Network Access – Normal User Identification.

All users will be required to have a unique logon ID and password for access to ALL systems on the ARC_ESM Network (company-issued or privately owned devices). The user’s password should be kept confidential and MUST NOT be shared with management or supervisory personnel and/or any other employee whatsoever. All users must comply with the following rules regarding the creation and maintenance of passwords:

  • Passwords must not be found in any English or foreign dictionary. That is, do not use any common name, noun, verb, adverb, or adjective. These can be easily cracked using standard “hacker tools”.
  • Passwords should not be posted on or near computer terminals or otherwise be readily accessible in the area of the terminal. Refrain from sharing private passwords with co-workers, personal acquaintances, and/or clients.
  • Passwords must be changed every 90 days.
  • Employees who forget their password must call the designated IT staff to get a new password assigned to their account.
  • Employees will be responsible for all transactions occurring during logon sessions initiated by use of the employee’s password and ID. Employees shall not log on to a computer and then allow another individual to use the computer or otherwise share access to the computer systems.
  • Regularly update devices with the latest security software, and inform the Admin Unit when a device requires software updating.
  • Always use secure and private networks.

Employee logon IDs and passwords will be deactivated as soon as possible if the employee is terminated, fired, suspended, placed on leave, or otherwise leaves the employment of the company office. Supervisors / Managers shall immediately and directly contact the company IT designate to report a change in employee status that requires terminating or modifying employee logon access privileges.

G. USER RESPONSIBILITY

This section establishes the usage policy for the computer systems, networks, and information resources of the office. It pertains to all employees and contractors who use the computer systems, networks, and information resources, to project partners, and to individuals who are granted access to the network for the work purposes of ARC_ESM.

Acceptable Use.

User accounts on company computer systems are to be used only for the business of the company and not for personal activities. Unauthorized use of the system may violate the law, constitute theft, and be punishable by law. Therefore, unauthorized use of ARC_ESM computing systems and facilities may constitute grounds for either civil or criminal prosecution.

Users are personally responsible for protecting all confidential information used and/or stored on their accounts. This includes their logon IDs and passwords. Furthermore, they are prohibited from making unauthorized copies of such confidential information and/or distributing it to unauthorized persons outside ARC_ESM. Users shall not purposely engage in activity with the intent to: harass other users; degrade the performance of the system; divert system resources to their own use; or gain access to company systems for which they do not have authorization.

Users shall not attach unauthorized devices to their PCs or workstations unless they have received specific authorization from their manager and/or ARC_ESM’s IT designee. Users shall not download unauthorized software from the Internet onto their PCs or workstations. Users are required to report any weaknesses in the company computer security, and any incidents of misuse or violation of this policy, to their immediate supervisor.

Internet Use.

ARC_ESM will provide Internet access to employees and contractors who are connected to the internal network and who have a business need for this access. Employees and contractors can obtain access permission from the designated IT support within the office. The Internet is a business tool for the company. It is to be used for business-related purposes such as communicating via electronic mail with suppliers and business partners and obtaining useful business information on relevant technical and business topics. The Internet service may not be used for transmitting, retrieving, or storing any communications of a discriminatory or harassing nature, or which are derogatory to any individual or group, obscene or pornographic, or defamatory or threatening in nature; for “chain letters”; or for any other purpose which is illegal or for personal gain.

Email Security.

Protecting email systems is a high priority, as emails can lead to data theft and fraud and can carry malicious software such as worms and bugs. Therefore, ARC_ESM needs all employees and consultants to:

  • Verify the legitimacy of each email, including the email address and sender name.
  • Avoid opening suspicious emails, attachments, and clicking on links.
  • Look for any significant grammatical errors.
  • Avoid clickbait titles and links.
  • Contact the Admin Unit regarding any suspicious emails.

Transferring Data.

ARC_ESM recognizes the security risks of transferring confidential data internally and/or externally. To minimize the chances of data theft, we instruct all employees and consultants to:

  • Refrain from transferring classified information to employees and outside parties.
  • Only transfer confidential data over ARC_ESM networks.
  • Obtain the necessary authorization from the management team.
  • Verify the recipient of the information and ensure they have the appropriate security measures in place.
  • Adhere to ARC_ESM data protection law and confidentiality agreement.
  • Immediately alert the Admin Unit regarding any breaches, malicious software, and/or scams.

H. MONITORING USE OF COMPUTER SYSTEMS

ARC_ESM has the right and capability to monitor electronic information created and/or communicated by persons using company computer systems and networks, including e-mail messages and usage of the Internet. It is not the company’s policy or intent to continuously monitor all computer usage by employees or other users of the company computer systems and network. However, users of the systems should be aware that the company may monitor usage, including, but not limited to, patterns of Internet usage (e.g., sites accessed, time spent on-line, time of day of access) and employees’ electronic files and messages, to the extent necessary to ensure that the Internet and other electronic communications are being used in compliance with the law and with company policy.

I. DISCIPLINARY ACTION

ARC_ESM takes the issue of security seriously. Violation of this policy can lead to disciplinary action, up to and including termination. Those people who use the technology and information resources of the company must be aware that they can be disciplined if they violate this policy. The specific discipline imposed will be determined on a case-by-case basis, taking into consideration the nature and severity of the violation of the Cyber Security Policy, prior violations of the policy committed by the individual, state and federal laws, and all other relevant information. Discipline which may be taken against any employee and/or contractor shall be administered in accordance with ARC_ESM’s disciplinary protocols. In a case where the accused person is not an employee/contractor of ARC_ESM, the matter shall be submitted to the CEO. The CEO may refer the information to law enforcement agencies and/or prosecutors for consideration as to whether criminal charges should be filed against the alleged violator(s).

Security Incident Handling Procedures

This section provides some policy guidelines and procedures for handling security incidents. The term “security incident” is defined as any irregular or adverse event that threatens the security, integrity, or availability of the information resources on any part of the company network. Some examples of security incidents are:

  • Illegal access to a company computer system. For example, a hacker logs onto a production server and copies the password file.
  • Damage to a company computer system or network caused by illegal access. Releasing a virus or worm would be an example.
  • Denial of service attack against a company web server. For example, a hacker initiates a flood of packets against a web server, designed to cause the system to crash.
  • Malicious use of system resources to launch an attack against other computers outside of the company network. For example, the system administrator notices a connection to an unknown network and a strange process consuming a lot of server time.

Employees who believe their terminal or computer systems have been subjected to a security incident, or have otherwise been improperly accessed or used, should report the situation to the Senior Officer HR and Admin immediately. The employee shall not turn off the computer or delete suspicious files. Leaving the computer in the condition it was in when the security incident was discovered will assist in identifying the source of the problem and in determining the steps that should be taken to remedy it.

Halima Baba

Manager