ICT Regulations

These regulations are meant to serve two purposes: to regulate the use of the University’s Information and Communication Technologies and Resources, and to educate users on their responsibilities in relation to the use of these resources.

Definitions:

  1. Information and Communication Technology Resources (ICT Resources) include application systems, Information, ICT infrastructure and people owned by, or under the jurisdiction of, the University.
  2. Applications Systems are the automated user systems and manual procedures that process the information.
  3. Information is the data, in all their forms, input, processed and output by the information systems in whatever form is used by the business.
  4. ICT Infrastructure is the technology and facilities (i.e., hardware, operating systems, database management systems, networking, multimedia, and the environment that houses and supports them) that enable the processing of the applications.
  5. People are the personnel required to plan, organize, acquire, implement, deliver, support, monitor and evaluate the information systems and services. They may be internal, outsourced or contracted as required.
  6. ICT resources’ owners are designated individuals under whose jurisdiction particular information system resources have been placed. These are ordinarily senior officials of the University including heads of departments but may also be any individual so designated by the Management Board.
  7. Authorization is permission granted by the owner of an ICT resource to a user to use that resource.
  8. Scope: These regulations have the status of “University Regulations” which apply to all members of the University.
  9. Director, Information and Communications Technology Services (Director, ICT Services): the person designated as the head of the University’s ICT services.
  10. ICT Resource Custodian: Director of ICT Services is the Custodian of all shared ICT resources and services.
  11. Acceptable use refers to rules governing the good use of ICT resources in the University.
  12. Unacceptable use refers to bad conduct that users must avoid when using the University’s ICT resources.

1. Access Management

All users of the University’s ICT resources must be authorized to access the appropriate systems and their resources. Access is controlled and monitored in accordance with University Statutes. The elements involved in controlling and monitoring access are identification, authorization and authentication.

1.1 Identification

  1. All system users are assigned a unique ID (a username or PIN) and a password to use in accessing the University’s systems and applications.
  2. User IDs and passwords must not be shared.
  3. Users are responsible for maintaining the security of their IDs and passwords, and for all activity occurring under those IDs. IDs and passwords are issued in accordance with approved standards.
  4. In special circumstances, temporary generic accounts may be approved by the Director of ICT Services or a delegate.

1.2 Authorization

  1. Every user requires authorization before using any ICT resource. Authorization is obtained in writing from the ICT resource owner or head of department and is implemented by the ICT Custodian, who issues the user a username and password and facilitates access to the resources so authorized.
  2. No one shall use any University ICT resource without proper authorization. Users shall not assist, encourage, or conceal from authorities any unauthorized use, or attempt at unauthorized use, of any of the University’s ICT resources.
  3. Users shall not disclose any information which may lead to compromise in the security of the University’s ICT resources. Security includes the integrity, confidentiality and availability of the University’s ICT resources. Specifically, users shall not disclose their user names and passwords to any person whether authorized or not, nor obtain any other person’s password by any unauthorized means whatsoever. Access credentials (i.e. Username, passwords, Tokens, Cards, PINs etc.) are issued in accordance with approved standards.
  4. A user shall not misrepresent his or her identity or relationship to the University when obtaining or using University ICT resources.

1.3 Authentication

  1. Authentication verifies a claimed identity. Each ID (username) requires a technique, usually a password, for validating that identity.
  2. Standards apply to all systems requiring authentication.

1.4 Account Management

  1. System Custodians must be authorized by the System Owner before giving users access to a system. The authorization must specify the access level for each user.
  2. System Custodians must determine who should be able to obtain network access from off-campus or remote locations (for example, through Virtual Private Networks).
  3. At a minimum, a quarterly review of all users’ system access levels should be carried out. System Custodians should ensure that any non-compliance found by this review is addressed as a matter of priority. All records of non-compliance must be kept until all matters arising from the non-compliance have been resolved.
  4. When employees terminate employment or change positions within the University, the Human Resource Office should effect the necessary changes by advising the ICT System Custodians to modify the access rights and privileges of the affected users in the appropriate systems. This is important in ensuring proper segregation of duties within University systems.

1.5 Privileged Users Access

  1. Certain system users have high-level access rights that enable them to access any data stored on the University’s ICT systems. These staff members are generically termed System Administrators.
  2. Staff with high-level access rights should abide by a high Code of Ethics.
  3. The ICT Department should regularly review the access rights of System Administrators.
  4. System Administrators found guilty of breaching security are subject to disciplinary action in accordance with the University Statutes and Regulations.

1.6 Contractors, Vendors & Third party access

  1. Contractor, vendor and third-party access is permitted only if authorized by the System Owner and agreed by the System Custodian.
  2. These parties must comply with access control standards, which require at a minimum that each user be identified by a unique user ID (username). This ensures that only authorized individuals receive access to systems.
  3. All temporary accounts must have an expiration date based on the contract completion date.

2.1 Server & System Backup

  1. All critical University information must be backed up on a regular basis. Frequency of backup is determined by the frequency with which the data changes and the effort required to recreate the information if lost.
  2. Standards apply to the backup of data from all University systems.

2.2 Personal Computer and Mobile Device Backup

  1. All critical University information should be stored on centrally maintained corporate networked disk storage.
  2. Any other data stored on desktops, laptops and other mobile devices becomes the responsibility of the user to ensure it is backed up on a regular basis.
  3. Frequency of backup is determined by the frequency with which the data changes and the effort required to recreate the information if lost.

2.3 Recovery

  1. All backups of critical data must be tested periodically to ensure that they support full system recovery.
  2. System Administrators must document all restore procedures and test these on a regular basis, at least semi-annually.
  3. Backup media must be retrievable within 24 hours, 365 days a year.
  4. Standards apply to the recovery of data from all University systems.

2.4 Off-Site Storage

  1. Off-site is synonymous with “out of the building”.
  2. The off-site storage location must provide evidence of adequate fire and theft protection and environmental controls.
  3. Where an external off-site storage provider is used, a formal Service Level Agreement (SLA) must exist with that provider, and a site visit should be undertaken at least twice a year.
  4. Where this service is provided within the organization, the site should be visited monthly, or at a minimum quarterly.

2.5 Data Retention

  1. Owners of University data are responsible for defining and documenting the length of time data must be retained.
  2. The retention period, legal requirements, responsible parties, and source of legal requirement should be specified.
  3. System Administrators or other parties as may be specified are responsible for ensuring that these requirements are adhered to.

2.6 Business Continuity

  1. As part of the Information Services Risk Management Framework, Business Continuity and Disaster Recovery Plans should be prepared and tested for all of the University’s major systems.
  2. The testing strategy to be implemented will be influenced by the importance of the system to the University’s business operations and by the requirement to recover the system within agreed time frames, that is, its recovery point objective (RPO) and recovery time objective (RTO).
  3. A copy of each plan should be stored off-site in a secure manner to ensure that the plan can be implemented in the case of a disaster.
  4. A review of any major disruption to information services should be undertaken to identify the cause of the disruption and, where appropriate, adjust the plan and/or procedures to minimise the risk of the event occurring again.

2.7 Security

All major information assets must be accounted for and have a nominated custodian who is responsible for the implementation and management of this policy in relation to those assets.

  1. Data Security and Classification
    1. Different types of data require different levels of security. The University classifies data into three general categories: Public, Proprietary and Restricted. It is the System Custodian’s responsibility to establish authentication and authorization guidelines for custodial data. Please note that:
      1. Public data can generally be made available or distributed to the general public;
      2. Proprietary data is for internal University use and not for external distribution; and
      3. Restricted (moderately to highly sensitive) data is to be used only by individuals who require it in the course of performing their University responsibilities, or is data protected by local or national legislation. Restricted data can only be deleted with the permission of the System Owner.
    2. Staff should be aware of their legal and corporate responsibilities concerning the inappropriate use, sharing or release of information to another party. Any third party receiving proprietary or restricted information must be authorized to receive it, and that individual or their organization must have adopted information security measures that guarantee the confidentiality and integrity of that data.
  2. Security standards for the different ICT resources apply.

3. Acceptable Use

The University’s mission can be understood broadly as including education, research, self-training, and discussion on a wide range of subjects, not just those immediately necessary for a person’s job or course of study. In this context, University employees remain accountable for how they use time and equipment at work. The University’s ICT Resources are provided to departments, faculties and schools in support of their academic mission. The ICT Services department encourages the use of these resources and makes them widely available to the University community. Nonetheless, their use constitutes acceptance of this policy and is subject to the following requirements.

  1. Users must comply with all applicable Acts of Parliament and jurisdictional by-laws as they may apply.
  2. All users shall share ICT resources in accordance with the policies set for the ICT resources involved, giving priority to more important work and cooperating fully with the other users of the same resources.
  3. All users in designated departments will be subject to the staff employment termination procedures prescribed by the University under the HR Management regulations.
  4. Users must seek permission or have approval from the owner of an ICT resource or the head of department concerned before reading, altering or deleting another person’s computer files or electronic mail. Where this is not possible, the approval may be obtained from the Director of ICT Services in consultation with a senior member of University Management, preferably a member of the Management Board.
  5. Various policies permit members of the University community to earn additional income by writing books and articles related to their academic work, and to use University resources for this purpose, including ICT resources. Staff shall be permitted to use these resources for outside consulting jobs provided the University is reimbursed for the costs incurred. All such uses must be approved by their head of department.
  6. Whilst the University network is being used to access outside networks, any abuse of such networks will be regarded as unacceptable use.
  7. Users are responsible for the security of their files on the University’s computers, including the privacy, confidentiality, integrity and availability of those files. The ICT Services department provides security control mechanisms to secure files and information in the University’s systems and computers; however, for these controls to be effective, users are expected to observe security control procedures and directives.
  8. Users shall take full responsibility for information that they transmit through the University’s ICT Resources. The Management Board reserves the right to order the screening and eventual filtering or blocking of users’ access privileges to ICT resources whenever the need arises.

4. Unacceptable Use

The University grants the use of its ICT Resources to numerous organizations whose activities contribute to its mission, such as student organizations, professional societies, and charity campaigns.

  1. The University’s ICT Resources must not be provided to individual consumers or to organizations that do not support the mission of the University. Any other use of ICT Resources must have been granted permission by the Director of ICT Services acting on behalf of the Management Board.
  2. Users shall not modify or reconfigure software or hardware on any University computer or network facility without proper authorization.
  3. Users must not move any ICT Resources without prior permission of the designated owner and/or the Director of ICT Services.
  4. No user shall copy, install, or use any software or data files without authorization from the Director of ICT Services or in violation of applicable copyrights or license agreements.
  5. The University ICT Resources must not be used for the following activities:
    1. The creation, dissemination, storage and display of political campaigns, personal fund-raising, commercial enterprises, mass mailings.
    2. The creation, dissemination, storage and display of obscene or pornographic material; indecent images; hate literature; defamatory materials or materials likely to cause offense to others; and any data that is illegal.
    3. The downloading, storage and disseminating of copyrighted materials including software and all forms of electronic data without the permission of the holder of the copyright or under the terms of the licenses held by the University.
    4. Any activities which do not conform to the Kenyan Laws and other University guidelines and policies regarding the protection of intellectual property and data.
    5. The deliberate interference with or gaining illegal access to user accounts and data including viewing, modifying, destroying or corrupting the data belonging to other users.
    6. Use of a username and password belonging to another user.
    7. Attempts to falsify your identity, or to claim a different affiliation with the University, when using University ICT Resources.
    8. Attempts to crack or capture passwords, or to decode encrypted data, unless supported by a genuine business need authorized by the Director, ICT Services.
    9. Any other use that may bring the name of the University into disrepute or expose the University to the risk of civil action.
    10. Intentional creation, execution, forwarding or introduction of any viruses, worms, trojans or software code designed to damage, self-replicate or hinder the performance of the University network.
    11. Deliberate actions that might reduce the effectiveness of any antivirus or other ICT security controls installed by authorized University staff.
    12. Purposefully scanning internal or external machines in an attempt to discover or exploit known computer software or network vulnerabilities.
    13. Engaging in commercial activities that are not under the auspices of the University.
    14. Using computing resources (CPU time, disk space, bandwidth) in a way that causes excessive strain on the computer systems or that disrupts, denies or creates problems for other users.
    15. Connecting any computing device to the University network unless it meets the security standards established by University ICT Services department.

5. Administrative Computing Systems

  1. Administrative Computing Systems are those system applications that deal with financial, academic, administrative, or other business information that is an integral part of running the business of the University.
  2. Administrative systems may constitute all applications developed at Strathmore University, acquired from external vendors, built from open-source components, as well as those extended from existing or purchased applications, whether the systems are developed in central offices, in schools or in departments.
  3. Every administrative computing system at Strathmore University must have a designated Business Owner who ensures that the system meets the business needs of the University and is appropriately available, secure and sustainable.
  4. System owners have the responsibility to ensure that each system meets its functional requirements, is appropriately documented, is secure and controlled, has been adequately tested, and is maintainable.
  5. This policy applies to any application that affects more than one person’s job responsibilities.
  6. Standards apply to the development and/or acquisition of Administrative Computer Systems and Applications in the University.

6. Web Publishing

Users who publish World Wide Web pages or similar information on University ICT Resources shall take full responsibility for what they publish and shall respect the Acceptable-Use and Unacceptable-Use requirements.

7. Internet Use

  1. The University encourages the use of the Internet for the purpose of educational research and learning, and to allow greater efficiency in teaching, research, administrative and service functions. Internet access is provided with the understanding that it is the individual user’s responsibility to exercise judgment and respect for others, and to use the facility in an ethical, legal, accountable and considerate manner. Members of staff are discouraged from using the facility in a way that conflicts with their official duties.
  2. It is prohibited to use the facility for any other purpose that contravenes the Acceptable-Use and Unacceptable-Use requirements.
  3. Internet Standards guiding usage of the Internet facility apply.

8. Electronic Boards and Public Forums

  1. Users shall comply with the regulations and policies of newsgroups, mailing lists, and other public forums through which they disseminate messages.
  2. It is prohibited to use the facility for any other purpose that contravenes the Acceptable-Use and Unacceptable-Use requirements.
  3. Standards guiding usage of the Electronic Boards apply.

9. Privacy of Personal Information

  1. The University fully supports and, where possible, observes the internationally recognized standards of personal data privacy protection, in compliance with the legal requirements on personal data privacy.
  2. In doing so, the University will ensure that all users respect others’ privacy and comply with the aforementioned laws with the strictest standards of security and confidentiality. However, the Management Board reserves the right to authorize access to any information, including personal information, for purposes of investigation as set out under the Penalties section below.
  3. Information collection on the University’s web pages and related resources will adhere to the data privacy requirements established by the University and dictated in law.
  4. Standards on the privacy of personal information apply.

10. Access by Leaving Employees

A leaving employee may, after termination of employment, require certain information resources (e.g. files on a PC hard disk or storage facility) held by the University, or services (e.g. email redirection) provided by the University. The following procedure will be followed in providing such access:

  1. The leaving employee shall request access through the Executive Director for Human Resources, specifying in writing the resources or services required.
  2. The Executive Director for Human Resources (HR), in consultation with the employee’s former HOD, determines whether such access or service is wholly or partly allowable and authorizes it. The Executive Director – HR then requests ICTS to provide the resources or services to the employee, specifying in the request the resources or services to be provided.
  3. A terminated employee shall at no point after termination access information resources directly unless authorized in writing by the University Secretary, who will have consulted the Director of ICT Services for guidance on the possible risks to the University of granting such access.

11. Penalties

  1. Violation or infringement of these regulations shall constitute an offense under the applicable procedures and shall incur the same disciplinary measures as violations of other University regulations, including criminal prosecution in serious cases.
  2. The Director of ICT Services may recommend to the Management Board withdrawal of access to facilities from any user for the purposes of investigating a breach of these regulations. Any recommendations for withdrawal of service will be notified to the user’s head of department. The Director of ICT Services may also make recommendations to the Management Board for withdrawal of access to facilities from any user found guilty of breaching these regulations.
  3. Information stored on central systems, including files and electronic mail messages, will usually be treated as strictly confidential and will not be accessed by any member of the University. However, where there is good reason to believe that a breach of the University’s Regulations has taken place, the Management Board may authorize the Director of ICT Services to investigate the contents of a user’s files and email folders. In every case, the user will be informed that this action has been taken.

12. Disclaimer

  1. The University accepts no responsibility for the loss of any data or software or the failure of any security or privacy mechanism.
  2. No claim shall be made against the University or its employees in respect of any loss alleged to have been caused whether by defect in the resources or by act or neglect of the University or its employees.

© 2023 Strathmore University ICT Services