IT Policy Presentation


Information Technology Policy And Guideline
1. Part One: Introduction
1. Introduction
1.1 Background
• IT policy and strategy have become essential for any organization, no matter
how the size and business of the organization vary.
• One important role of policy is to establish standards and guidelines for
the Ethiopost Information Technology (IT) environment to ensure the
confidentiality, integrity, and availability of company computing resources.
• This document outlines the technology options supported by Ethiopost and
guidelines for appropriate use, acquisition, and implementation.
• Ethiopost as an organization works within a community, with government, and
with internal and external stakeholders and partners.
• In addition, IT is one of the main ways of communicating with those outside
the organization and even within the organization's LAN system. Unless the IT
policy and strategy are implemented and exercised, technology is open to
misuse, which can do substantial business damage to an organization.
• IT policy and strategy should also have the protection of Ethiopost
resources and staff as a fundamental objective.
• The IT Policy clearly defines the responsibility of the organization and
what staff can and cannot do with the organization's equipment.
• To ensure that the use of computers, laptops, printers, POS printers, UPS, fax
machines, photocopy machines and other IT resources is in line with the
organization's overall policies, missions, values and objectives, and to help
staff feel secure and comfortable in the knowledge that they are operating
within safe guidelines.
• The protection of confidential, sensitive, and proprietary information is critically
important to the organization. Therefore, it is essential that employees and
administrators take steps to appropriately safeguard such information. The
organization prohibits use of organizational information and information technology
resources for hate, bigotry, violence or intimidation directed at any individual or
group, or for harassment of any kind.
1.2 Purpose of the Policy
• The purpose of this document is to ensure that appropriate measures are put in
place to protect corporate Information Technology Services systems, IT equipment of
the Ethiopost network and associated infrastructure.
• It is intended to protect the tangible and intangible IT assets from accidental or
intentional attacks, and to provide a baseline from which to acquire, configure and
audit computer systems and networks for compliance with the policy.
• It also aims to inform different Users about protecting network resources and
information assets of the Ethiopost.
• The IT investment of the organization is considerable, and the dependency on
computer technology in the delivery of Ethiopost missions, values and objectives is
high; therefore, the IT Policy will assist in maintaining systems at operational level.
1.3 Scope of the Policy
• This policy applies to all Ethiopost staff and management, or any other persons
otherwise affiliated but not employed by the Ethiopost, who may use Ethiopost
IT infrastructure and/or access Ethiopost applications with respect to the
security and privacy of information.
1.4 Authority

• The authority to develop this policy code lies with the Chief Executive Officers of
Ethiopost.
2. Part Two: IT users and support policies
2.1. IT Users Policy
2.1.1. Definition: It is the intent of this policy to establish guidelines for all employees using
Ethiopost computing facilities (USERS), including computer hardware, software, printers,
fax machines, e-mail, and Internet and intranet access, collectively called "IT
Infrastructure."
2.1.2. Objective: This policy document outlines general guidelines and best practices in the
proper utilization of IT equipment and access credentials. It also defines the procedures that
need to be taken during and after termination of an employee.

2.1.3. Policy statement


2.1.3.1. Users of the computer system may not use the system for illegal or unlawful
purposes.
2.1.3.2. ITD shall implement a standard user authorization and authentication mechanism.
2.1.3.3. Users are responsible for managing the IT equipment (PC, printer, installation CDs,
etc.) in a responsible manner.
2.1.3.4. Concerned Departments of Ethiopost should notify the ITD in writing of
termination of employees.
2.1.3.5. On resignation or termination of employment, users should hand over all the
equipment (including CDs) and credentials to the relevant bodies. This should be
considered as part of the clearance procedure.
2.1.3.6. ITD shall disable or delete user accounts belonging to terminated/resigned users.
2.1.3.7. Data stored on equipment belonging to terminated users shall be removed in an
appropriate manner.

2.1.3.8. HR and the User Department shall provide roles for users that enable them to
get access to ICT infrastructure in general and to relevant applications in
particular.
2.1.3.9. Users shall perform their operations through proper ICT equipment.
2.1.3.10. Users shall not use ICT equipment for their personal business.
2.1.3.11. Users shall not install any application software on their PC without consulting
the Information Technology Department.
2.1.3.12. Users shall not affect the identification codes of their machine by any means.
2.1.3.13. Users shall use their identity to get access to Ethiopost resources.
2.1.3.14. Users shall store their identity properly and change their passwords regularly.
2.1.3.15. Users shall not pass their identity to a second party, including colleagues.
2.1.3.16. Users shall place their equipment in an appropriate position.
2.1.3.17. Users shall keep their equipment clean.
2.1.3.18. Users shall never put and/or use food or beverages near PCs.
2.1.3.19. Users shall keep all accessories, including drivers and recovery CDs, in a safe
place.
2.1.3.20. Users transferring/returning equipment shall include all accessories.
2.2. Internet Usage Policy
2.2.1. Definition: Use of the internet by employees of Ethiopost is permitted and
encouraged where such use supports the goals and objectives of the Ethiopost.
2.2.2. Objective: Ethiopost is committed to preventing the occurrence of inappropriate,
unethical, or unlawful internet usage in order to create a conducive working environment.
2.2.3. Policy Statement:
2.2.3.1. ITD shall ensure that the internet access facilities at Ethiopost are used in
accordance with the Ethiopost IT policy.
2.2.3.2. Access to the Internet, for all Users or on a partial basis, is provided to support
business activities and only for Users to perform their jobs and professional roles.
2.2.3.3. ITD shall provide social network media access service as per its code of conduct,
and the Users should be governed accordingly.

This Policy applies to:
All Ethiopost employees having access to internet.
2.3. Email Communications and Use Policy

2.3.1. Definition: An email communication and use policy elaborates the responsibilities
and conduct of the Ethiopost employees, when using email in their day-to-day working
activities.
2.3.2. Objective: To ensure that the facility of Electronic Mail (henceforth and widely known
as E-mail) is used in an efficient manner to accomplish the Ethiopost day-to-day business
activities.
2.3.3. Policy Statement:
2.3.3.1. ITD shall in consultation with all departments formulate an appropriate email use
and archiving policy.
2.3.3.2. ITD shall implement the necessary hardware and software infrastructure to
ensure that the Email facility is used by Ethiopost employees to achieve business
objectives.
2.3.3.3. All employees of Ethiopost and consultants working for Ethiopost are eligible to
use the Ethiopost email system.
2.3.3.4. All Users of Ethiopost mail are not allowed to conduct personal business.
2.3.3.5. Individuals must not send, forward or receive confidential or sensitive Ethiopost
information through non-Ethiopost email accounts.
2.3.3.6. Ethiopost retains the right to access and view all Emails sent and received by the
Email system. This right is exercised solely through the IT Staff on the
instructions of CEO.
2.3.3.7. All Users are responsible for all emails sent from their email account.
2.3.3.8. It is forbidden to send pornography or pornographic jokes or stories by email.
2.3.3.9. Email service should not be used for junk or unsolicited bulk mail.
2.3.3.10. Every employee should be able to scan for viruses before accessing web or
e-mail information.
2.3.3.11. Any employee who wishes to download information related to his/her work
from a website that is related to his/her work, and from a trusted source, must first
copy and edit it into my document.
2.3.3.12. The user should discontinue the use of e-mail and notify the EPITD or remove
the existing ones when a warning message is received about the authorization of the
authorized database.
2.3.3.13. When the user receives a warning message about filling out the authorized
database, E-mail use should be discontinued and notified to the IT department or existing
ones removed.
2.3.3.14. Users are not allowed to attempt to hack into another user's email address,
and hacking or using another user's emails is prohibited.
2.3.3.15. All Users are not allowed to register or compete in any of the online contests
that are not recognized by the Company.
2.3.3.16. All Users are not allowed to register or unregister on suspicious websites and
services using the corporate email address.
2.3.3.17. All Users are not allowed to send or receive abusive, defamatory, illegal
documents and discriminatory messages using the company's corporate e-mail.
2.3.3.18. All Users are not allowed to open anonymous e-mails or send e-mails to
unknown addresses at the corporate e-mail address used by any employee of the
2.4. End-user Support Policy
2.4.1. Definition: This policy focuses on the daily IT operations and maintenance
of IT infrastructure through handling problems reported by the Ethiopost end
Users on a timely basis.
2.4.2. Objective: To ensure that all end-Users of the Ethiopost business IT
resources are supported to conduct their officially assigned duties.
2.4.3. Policy Statement:
2.4.3.1. ITD shall ensure that all end user support cases are properly logged into
a central base and reviewed on a regular basis for improvement in service
support.
2.4.3.2. ITD shall create appropriate user accounts with privileges for persons
who formally submit a user account request form.
2.4.3.3. Users of the computer system may not use the system for illegal or
unlawful purposes.
2.4.3.4. Users are responsible for loss of their user account and password.
2.4.3.5. Users are responsible for keeping all computers and accessories, including
desktop computers, laptops, shared printers, network cables, drivers, and
recovery CDs, in a safe place.
2.4.3.6. Repairing computers, installing and/or deleting software is prohibited for
end Users.
2.4.3.7. ITD shall ensure that all end user support cases are properly
logged into a central base and reviewed on a regular basis for
improvement in service support.
2.4.3.8. ITD shall ensure that a centralized technical knowledge base
used for problem solving is established and training on the utilization of
this data base is provided to all end-user support staff.
2.4.3.9. On resignation or termination of employment, Users should
handover all the equipment (including CDs) and credentials to the
relevant bodies. This should be considered as part of the clearance
procedure.
2.4.3.10. ITD shall disable or delete user accounts belonging to
terminated/resigned Users, and data stored on equipment belonging to
terminated Users shall be removed in an appropriate manner.
2.4.3.11. ITD retains the right to delete any personal media files stored
in shared locations. The local storage of data on a personal device (e.g.,
laptops, desktops, mobile phones and tablets) will not be backed up,
and the loss of any information (in the event of a device failure) will be
the responsibility of the user.
2.4.3.12. End Users must lock the screen or log off when the device is
unattended, and End Users must regularly manage documents in shared
locations and delete files and folders that are no longer required.
This Policy applies to:
All IT infrastructure Users of the Ethiopost.
2.5. End users and IT staff's training policy
2.5.1. Definition: IT training policy reveals the capacity of all staff in
Ethiopost to operate IT systems and to take over their responsibility
accordingly.
2.5.2. Objective: To ensure that the appropriate staff are engaged and
take over their tasks and responsibilities properly.
2.5.3. Policy Statement:
2.5.3.1. ITD shall ensure that all staff assigned with responsibilities for
various business critical IT System operations of the Ethiopost are
professionally trained.
2.5.3.2. ITD shall ensure that the skill sets, and competency levels of the
Employees are periodically reviewed and evaluated.
2.5.3.3. All Users shall ensure that they are capable of using basic computer
operations to conduct their tasks and responsibilities.
2.5.3.4. ITD shall ensure that the ICT training provided focuses on capacity
building and skills building.
2.5.3.5. ITD shall ensure that IT-related capacity building trainings are
organized periodically based on business requirements.
This Policy applies to:
All Departments within the Ethiopost.
3. Part Three: Hardware and Software Policy
3.1. IT Hardware Resource Procurement Policy
3.1.1. Definition: The IT resource procurement policy states the framework and
guidelines to be followed when procuring resources whether they are hardware and
software resources as per the operational and projected needs of the Ethiopost
3.1.2. Objective: This policy is essential for a smooth functioning and consistent
3.1.3. Policy Statement:
3.1.3.1. Procurement department shall ensure that the hardware and software
vendors meet the minimum specification requirements.
3.1.3.2. ITD shall develop procedures for evaluation, testing and ranking of hardware
and software development.
3.1.3.3. All Departments and offices are responsible for getting a confirmation letter from ITD
before requests are submitted to the Purchasing and Property Administration Directorate.
3.1.3.4. All IT resource procurement shall be confirmed by ITD. Any IT resource
purchased without the technical confirmation of ITD is invalid.
3.1.3.5. ITD shall ensure clearance confirmation for purchased hardware and
software based on specification and standards.
3.1.3.6. ITD and Procurement shall implement a norm for laptops, desktops, printers, and
related resources so that appropriate hardware is delivered to prospective users.
3.1.3.7. ITD shall identify and propose for upgrade hardware that does not satisfy the
minimum requirement.
3.1.3.8. Parts from non-functioning equipment shall be used to upgrade or replace
faulty equipment.
3.1.3.9. Hardware that could not be upgraded to the minimum requirement shall be
disposed of.
3.1.3.10. ITD shall maintain up-to-date hardware inventory, including information like
type of equipment, owner, location, and other internal details of the equipment.
3.1.3.11. Users will be given access to appropriate network printers. In some limited
cases, users may be given local printers if deemed necessary by ITD.
3.1.3.12. Users shall not in any way affect the proper utilization of shared resources,
such as printers.
3.1.3.13. No outside hardware equipment may be plugged into the Ethiopost network
without the ITD permission.
3.1.3.14. The owner of the hardware will have the responsibility for the acceptable use
of the hardware.
3.1.3.15. Users shall not add/remove/replace any parts of the hardware, and it is
forbidden to move hardware from one place to another without ITD approval.
3.1.3.16. ITD shall ensure that the physical infrastructure consisting of the LAN / WAN
infrastructure as well as server architecture conforms to well-known, widely acceptable
standards.
3.1.3.17. The owner of the hardware will have the responsibility for the acceptable use
of the hardware.
3.1.3.18. Repairs/maintenance or upgrades of all IT related hardware
shall be conducted by ITD professionals.
3.1.3.19. If Outsourcing is necessary for hardware maintenance, it shall be
done with the approval of ITD.
3.1.3.20. Since hardware installed on a computer may interact negatively
with other hardware or software devices, all employees must consult with
the ITD before installing any hardware on the workstation.
3.1.3.21. If, during normal service/support activities, unapproved hardware
is found on the workstation, the ITD will remove the unapproved hardware
and notify the Departments of the policy violation.

This Policy applies to:


All IT resources of the Ethiopost
3.2. Printer Policy
3.2.1. Definition: This policy refers to appropriate printer use framework in
Ethiopost.
3.2.2. Objective: To improve efficient utilization of printing resources.

3.2.3. Policy Statement:


3.2.3.1. ITD shall ensure that all Ethiopost personnel are provided with access
to printing resources as per requirement of their operational roles.
3.2.3.2. ITD shall be responsible for the maintenance and upkeep of all printers
installed in Ethiopost premises.
3.2.3.3. Users shall not in any way affect the proper utilization of shared
printers.

This Policy applies to:


All the Ethiopost owned printers.
3.3. IT Equipment Disposal Policy
3.3.1. Definition: To ensure that the Ethiopost confidential data is
protected and not allowed to get into unauthorized hands, it is vital
that the user of the computer takes full responsibility for following
the recommended method of removing data. In addition, software
must be removed to adhere to various licensing agreements with
the Ethiopost suppliers and donors.
3.3.2. Objective: To sanitize retired and disposed equipment that
contains information or data that are confidential.
3.3.3. Policy statement:
3.3.3.1. ITD shall guarantee that equipment disposed of does not
contain information or data that are confidential.
3.3.3.2. ITD shall ensure that an inventory of all material disposed
of is maintained on a regular basis.
3.3.3.3. ITD shall give approval for all IT equipment and materials
before they are disposed of.
This Policy applies to:
All IT equipment used at Ethiopost.
3.4. Software Development and Acceptance Policy
3.4.1. Definition: This policy enumerates the essential principles and
methodology to be followed when pursuing the art and science of software
development, either by software vendors or by developers of the Ethiopost
internally.
3.4.2. Objective: To ensure that the application software developed either
in-house or by software vendors is as per the business requirements of the
Ethiopost.
Policy Statement:
3.4.2.1. ITD shall ensure that the application software developed
internally or externally meets the business requirements, compatibility,
integrity, and security standards of the Ethiopost.
3.4.2.2. ITD shall ensure that industry accepted standards for software
design and development have been followed during the development of
the software.
3.4.2.3. ITD shall ensure that software acceptance procedures are
formulated in accordance with internationally accepted software standards.
3.4.2.4. ITD shall formulate the software acceptance test checklist to
conduct acceptance tests jointly with the user departments to verify and
validate the delivered software system.
3.4.2.5. ITD shall ensure that software must be installed in Ethiopost server and
managed by database administrators.
3.4.2.6. ITD shall ensure that the system developed should be able to continually
maintain or upgrade according to the change of business process requirements.
3.4.2.7. All software developed in the Ethiopost should be governed by software
development clearance directives and regulation.
3.4.2.8. ITD shall ensure that the software infrastructure consisting of various
operating systems and software applications, as well as databases and relational
databases, conforms to widely established and well-known standards.
3.4.2.9. To the extent possible, priority shall be given to Open-Source applications
and development tools.
3.4.2.10. ITD shall standardize software development tools for in-house as well as
third-party development based on the skills & knowledge of its IT.
3.4.2.11. ITD shall ensure that all software developed in-house is developed
according to the SDLC.
3.4.2.12. SDLC must include feasibility study; risk identification and mitigation;
systems analysis; general design; detail design; development; quality assurance and
acceptance testing; implementation; and post-implementation maintenance.
3.4.2.13. ITD shall undertake regular system requirement studies and decide on
implementation modality.
3.4.2.14. ITD shall develop different application software for Ethiopost use.
3.4.2.15. Unless certified and approved by ITD no payment shall be made for third
party software/application.
3.4.2.16. When third party develops the software the system
development case team of ITD should fully participate in the software
development life cycle.
3.4.2.17. Software must be installed in Ethiopost server and managed by
system & database administrators.
3.4.2.18. ITD shall consider security to be an integral part of application
development.
3.4.2.19. ITD shall ensure that software test data does not contain
confidential information.
3.4.2.20. ITD has the responsibility for maintaining or upgrading the existing
in-house or third-party systems as needed.
3.4.2.21. Administration and User manuals must be designed and
prepared for any software developed.
3.4.2.22. The system must be tested with real data before implementation.
3.4.2.23. The system development team of ITD should deliver all
documents that are produced during SDLC.
3.4.2.24. The system should be able to be continually maintained or upgraded
according to the change of business process requirements.
3.4.2.25. The developed software should be presented to and commented on by
the concerned department.
3.4.2.26. The software should be developed and implemented within
reasonable time and cost.
3.4.2.27. Existing systems will be extended/fixed/upgraded where possible
rather than source innovative solutions.
3.4.2.28. All administrative systems will be developed centrally to prevent
duplication of effort and maximize resource utilization.
3.4.2.29. ITD shall standardize in-house software development.
3.4.2.30. All in-house or third-party (outsourced) system development will be
started after the proposal of the system development is accepted and
approved by ITD.
3.4.2.31. During requirement definition studies, work processes should
provide full system information and assign relevant personnel to work as
counterparts.
3.4.2.32. Any in-house software must be developed using the latest available
technology.
3.4.2.33. ITD shall provide training for users after the software is
implemented and deployed.
3.4.2.34. Ethiopost can outsource software development to third parties
based on standard procedures.
This Policy applies to:
All departments of the Ethiopost.
3.5. Software Installation Policy
3.5.1. Definition: Allowing employees to install software on the
Ethiopost computing devices opens the organization up to unnecessary
exposure. Conflicting file versions or DLLs which can prevent programs
from running, the introduction of malware from infected installation
software, unlicensed software which could be discovered in an audit and
programs which can be used to hack the organization's network are
examples of the problems that can be introduced when employees install
software on company equipment.
3.5.2. Objective: To maintain all problems and issues faced while
installing software on any of the Ethiopost laptop, desktop, and servers.
Policy Statement:
3.5.2.1. ITD shall develop software installation procedure to safeguard the
Ethiopost laptop, desktop, and servers.
3.5.2.2. ITD shall ensure that the software installation procedure is well
documented and the document is made available to staff on request.
3.5.2.3. ITD shall ensure that it has a confirmation from the eligible
department before installing special purpose and open-source software
which is used for operational tasks of Ethiopost.
3.5.2.4. Users are not allowed to install any unauthorized software on the
Ethiopost owned laptop and desktop.
3.5.2.5. ITD shall assign responsible staff for installation,
configuration, and maintenance support of ERP-SAP software (FICO,
HCM, and MM) and operation software like post global, international
postal system, and custom declaration system/software.
3.5.2.6. Backup of the above-mentioned software is also the responsibility
of IT, and the backup shall be kept in a secured place.

This Policy applies to:


All software installed and operational at the Ethiopost.
3.6. IT Systems Change Control Policy
3.6.1. Definition: Change control can be defined as a system by which changes
to facilities, equipment, and processes are documented and approved. The
change control system ensures that changes are evaluated and approved prior
to implementation to maintain the facilities, equipment, and processes in a
validated state.
3.6.2. Objective: To ensure all changes made on the infrastructure, IT related
hardware, software and equipment are authorized and planned for, and that the
risks involved in making the changes to configuration and the cost-benefit
analysis have been assessed by the staff concerned.
3.6.3. Policy Statement:
3.6.3.1. ITD shall ensure that all changes to IT systems configuration including
servers, switches, routers, and active directory settings are authorized.
3.6.3.2. Authorized staffs shall ensure that all changes to IT systems
configuration including that of servers, switches, routers, and active directory
settings are recorded.
3.6.3.3. ITD shall be responsible for the creation and maintenance of a central
recorded documentation database.
3.6.3.4. Infrastructure and critical equipment shall not be moved from
their designated installation position without proper written authorization from
ITD.
This Policy applies to:
All IT operations taking place at Ethiopost.
3.7. Web Portal/Site Development & Management Policy
3.7.1. Definition: This policy elaborates the principles to be followed while creating,
editing, and maintaining internal and external web site/ portals contents within the
Ethiopost IT system and its infrastructure.
3.7.2. Objective: To display information hosted on the Ethiopost Web Server(s) or
subsidiary pages and to promote and enhance Ethiopost relevant information to the
Employee, stakeholders, and Customer
3.7.3. Policy Statement:
3.7.3.1. All content on Ethiopost's web portals shall support the Ethiopost Mission
and business objectives.
3.7.3.2. Contents hosted on the Ethiopost Web portals or subsidiary pages should
be confirmed by Chief of staff Office/PR Dept staffs to ensure the interest of
Ethiopost business.
3.7.3.3. ITD shall ensure that concerned departments and authorized personnel of
the Ethiopost have privileges on the web portal to publish, edit, delete and
manage disk space for their pages, and shall provide training on overall web page
management.
3.7.3.4. All Departments and offices are responsible for officially providing
information/data to be posted or published on the internal and external web portal
to Chief of staff Office/PR Dept staffs of the Ethiopost.
3.7.3.5. Chief of staff Office/PR Dept staffs, with ITD, shall review the content
posting/publishing guidelines regularly, seek feedback on web content from
Ethiopost staff and the public at large, and recommend revisions to the guidelines.
3.7.3.6. ITD and Chief of staff Office/PR Departments shall have the right
to change or remove any information or link on the website
to assure accuracy and timeliness.
3.7.3.7. ITD shall ensure that Ethiopost Web pages on the website are
reviewed at least twice monthly for timeliness and accuracy and
updated as needed.
3.7.3.8. ITD and Chief of staff Office/PR Departments shall ensure that
time-sensitive content, such as information promoting events, is removed
as soon as the event takes place.
3.7.3.9. ITD and Chief of staff Office/PR Departments shall ensure that news
is reviewed and updated on a timely basis.
3.7.3.10. ITD and Chief of staff Office/PR Departments shall ensure that links
to other websites of similar mission are provided on the site.
3.7.3.11. ITD shall ensure regular backup of the website.
3.7.3.12. The website will be hosted on an Ethiopost internal/external
server.
3.7.3.13. ITD shall ensure that it possesses state-of-the-art security
infrastructure as well as security policies to ensure the best possible
security for the website.
3.7.3.14. ITD shall ensure that it performs regular backups of the website.
3.7.3.15. ITD shall ensure that it provides technical support.
3.7.3.16. ITD and Chief of staff Office/PR Departments shall ensure that all
content on the website adheres to applicable copyright and other laws.
3.7.3.17. Copyright ownership of specific content should be clearly
indicated on screen and on items printed from the site.
3.7.3.18. The Ethiopost website administrator should be sensitive
towards publishing any information having a third-party copyright.
The administrator should follow the proper procedures to obtain
permission prior to publishing such information on the website.
• In cases where the document is in the public domain and there is no
restriction on its reproduction, the copyright statement could be
stated as follows:

This Policy applies to:


All internal, external web portals and web servers owned, by
Ethiopost.
4. Part Four: IT System Security Policy
4.1. Network Access Control and Usage Policy
4.1.1. Definition: Network access control means regulating access of
internal and external Users to the Ethiopost network infrastructure.
This is critical to avoid access by persons who have an interest in attacking
or corrupting the Ethiopost infrastructure and data.
4.1.2. Objective: To protect the Ethiopost infrastructure and data by
ensuring appropriate interfaces between the organization's network
and networks owned by other organizations, or public networks.
4.1.3. Policy Statement:
4.1.3.1. ITD shall ensure that adequate network access control
mechanisms and monitoring infrastructure are in place to protect the
Ethiopost critical networking infrastructure from harmful internal and
external entities.
4.1.3.2. ITD shall ensure that remote access privileges are granted to
various external entities in accordance with Ethiopost policies.
4.1.3.3. ITD shall utilize and install tools and utilities that ensure the
judicious and appropriate use of expensive hard disk space to reduce
wastage and duplication of data.
4.1.3.4. ITD shall establish standards to properly configure all network
security technology to protect sensitive information.
4.1.3.5. ITD shall ensure that approved server configuration guides are
established and maintained by an authorized person.
4.1.3.6. ITD shall ensure that the Ethiopost is provided with adequate WAN
links for the conduct of various business critical operations.
4.1.3.7. ITD shall ensure that the bandwidth provided to
various departments is adequate as per their requirements.
4.1.3.8. Granting third party access to the Ethiopost business critical data
and resources should be permitted by ITD.
4.1.3.9. ITD shall ensure that third party access to Ethiopost's data and
resources is withdrawn after it is no longer required or the Ethiopost
decides to unilaterally withdraw such access.
4.1.3.10. ITD shall ensure that the Ethiopost data is protected from
unauthorized access and formulate an appropriate response to
incidents of unauthorized and malicious access to the Ethiopost's data
and business critical resources.
4.1.3.11. These intrusions are well documented.

This Policy applies to:
All the Ethiopost critical networking infrastructure and devices
4.2. Wireless access policy
4.2.1. Definition: Wireless access policy refers to defining roles and
responsibilities for the design of any emerging wireless network, the
installation, registration and management of wireless access points,
adequate management and allocation of the wireless frequency
spectrum and the services offered to end Users for wireless access.
4.2.2. Objective: To ensure secured, effective, and efficient utilization of
wireless infrastructure when installing or operating wireless devices on the
Ethiopost network, based on the policy and the roles and responsibilities
of all parties.
4.2.3. Policy Statement:
4.2.3.1. ITD shall ensure wireless prioritization, security and usage
procedures are implemented when placing, installing or operating
wireless devices on the Ethiopost network.
4.2.3.2. Proactive monitoring of wireless networks is undertaken by ITD
on a regular basis and any unauthorized Access Point will be removed
from the network.
4.2.3.3. Any User attaching a wireless device to the Ethiopost network
shall be responsible for the security of the computer device and for any
intentional or unintentional activities arising through the network
pathway allocated to the device.
Policy Statement continued.......
4.2.3.4. All Access Points and wireless devices used by staff on the EPSE
wireless network must follow the ICT Service standard configuration
settings.
4.2.3.5. The ICT Service has the right to disable any non-standard,
unauthorized devices which may cause interference with existing
approved Access Points or devices. Such devices may be removed
without prior notice.
This Policy applies to:
All Users and IT systems and equipment installed in Ethiopost premises
having wireless communication capability.
4.3. IT Security Policy
4.3.1. Definition: A sound security policy should address the fundamentals of
Ethiopost information security governance structure, including information
security roles and responsibilities; a statement of security controls baseline and
rules for exceeding the baseline; and rules of behavior that IT Users are
expected to follow and minimum repercussions for non-compliance.
4.3.2. Objective: To protect and secure IT resources of the Ethiopost from
unauthorized and malicious access.
4.3.3. Policy Statement
4.3.3.1. IT security activities should be governed by laws, regulations, and
relevant organizational policy requirements.
4.3.3.2. Information security responsibilities must be assigned and conducted
by appropriately authorized individuals.
4.3.3.3. Employees and managers of the Ethiopost responsible for
information security should be accountable for their actions or lack of actions.
4.3.3.4. The authorized information security person is responsible for continuous
monitoring, documenting, and incorporating the results into strategic decisions
to enhance the performance of the security activities.
This Policy applies to: All staff and personnel in various capacities involved in
the business critical IT operations of the Ethiopost.
4.4. Physical Security Policy
4.4.1. Definition: The Ethiopost IT infrastructure consists of servers and LAN
as well as WAN connectivity equipment located at Ethiopost and should be
regularly reviewed to improve service delivery.
4.4.2. Objective: To secure the hardware and software resources of Ethiopost
and prevent unauthorized and/or malicious access to them.
4.4.3. Policy Statement:
4.4.3.1. ITD shall ensure that all the Ethiopost IT assets, both hardware and
software, are protected by physical means to prevent unauthorized and/or
malicious access to these resources.
4.4.3.2. ITD shall ensure that a regular periodic review of the physical
security of all IT infrastructures is conducted and a report to this effect is
published.
4.4.3.3. ITD shall build a modern and secure IT data center and
formulate guidelines for administration of the data center.
4.4.3.4. ITD shall ensure that access to data centers and secure areas
is limited to those who have legitimate responsibility, after
approval from the manager of ITD.
4.4.3.5. Users shall ensure that all personal computers and accessories are
physically secured.
4.4.3.6. ITD shall ensure that a list of persons who are authorized to gain
access to the server room where computer equipment and data are located or
Policy Statement continued.......
4.4.3.7. ITD shall install access control tools for the door of the
server room.
4.4.3.8. All access keys, smart cards, passwords, etc. for entry to any
of the computer systems and networks shall be physically secured or
subject to well-defined and strictly enforced security procedures.
4.4.3.9. ITD shall ensure that user workstations are switched off,
if appropriate, before leaving work for the day or before a prolonged
period of inactivity.
4.4.3.10. All staff should lock the doors when their offices are not in
use. For Data Center work to be conducted as efficiently as possible, it is
mandatory for all persons working within the Data Center to adhere
to the following rules:
4.4.3.11. ITD shall ensure that all work areas are kept clean and
free of debris. Upon completion of any work in the room, staff
performing the work should ensure they have left the area as clean as
it was before their work began.
4.4.3.12. ITD shall ensure that hazardous or combustible materials
are not stored at the data center.
4.4.3.13. ITD shall ensure that all rack enclosures are kept neat
and free of manuals, diskettes, cables, etc. Doors on all racks should
always remain closed except while work is being performed.
Policy Statement continued.......
4.4.3.14. Appropriate fire detection and alarm equipment should be
placed in the data center.
4.4.3.15. Cables should never be strung outside of rack enclosures.
Cabling between rack enclosures of adjacent racks is accepted provided
sufficient pass-through chassis are in place.
This Policy applies to:
All IT infrastructure including servers, computers, laptops, and storage
arrays as well as IT peripherals used in the execution of daily business
critical operations at the Ethiopost premises.
4.5. User Account Privileges Policy
4.5.1. Definition: This policy governs the creation, management, and
deletion of user accounts; granting and revocation of authorized privileges
associated with a user account; and authentication by which Users
establish their rights to use a given account.
4.5.2. Objective: To permit the user to install hardware and software and to
configure computer settings, and to improve the security of the Ethiopost
IT system by providing appropriate access to the right Users.
4.5.3. Policy statement:
4.5.3.1. ITD shall create and maintain clear records pertaining to accounts
created.
4.5.3.2. ITD shall provide appropriate account privilege to the appropriate
Users.
4.5.3.3. ITD shall ensure that privileges assigned to Users are reviewed on
a regular basis and modified or updated as required.
4.5.3.4. An employee who requires access to IT facilities and services for the
conduct of the organization's activities must be properly identified, and the
request should come through the department head of the requester.
4.5.3.5. All Ethiopost staff and management shall be entitled to access
Ethiopost IT facilities, at a level appropriate to their position and role, via a
unique account.
Policy Statement continued.......
4.5.3.6. The Organization may impose quotas on the use of Ethiopost IT
facilities (including print, file storage, email, and internet download)
and will revise them, as necessary. Where quotas exist, account
holders are expected to comply with them.
4.5.3.7. When account holders no longer have a relationship with the
organization, their accounts will be disabled for a set period, and then
deleted. Hiring Managers/Chief human resource officer are responsible
for notifying the IT Department to terminate the access of the
terminated employee.
4.5.3.8. Account holders may have their IT access suspended
immediately where there is a suspected breach of organization IT
policy.
4.5.3.9. All Ethiopost staff and management must use their own
username and password to use the computers and other systems.
This Policy applies to:
All server operating system, application and other IT based user
accounts used at the headquarters, regional, zonal, and post office
level.
4.6. Password Policy
4.6.1. Definition: The password policy ensures that Ethiopost business critical
and confidential data is protected by dependable and robust passwords.
4.6.2. Objective: To improve the security of all systems by using a password
security policy.
4.6.3. Policy Statement:
4.6.4. ITD shall ensure that all passwords to all systems and devices in the
Ethiopost IT infrastructure are well protected and secured.
4.6.5. ITD shall ensure that all passwords have adequate strength aligned
with password setting criteria.
4.6.6. ITD shall ensure that all IT systems passwords are periodically changed.
4.6.7. No employee shall share their password with others.
4.6.8. Users should change their passwords when prompted by the system in
the case of networked machines or on a regular basis for standalone
machines.
4.6.9. Users are responsible for the security of their password, which they
should not disclose or tell, even to colleagues.
4.6.10. Passwords must consist of a mixture of at least eight alphanumeric
characters and be changed every 40 days and must be unique.
This Policy applies to:
All systems and devices in the Ethiopost infrastructure that are password
protected.
4.7. Antivirus Policy
4.7.1. Definition: This policy sets out the essential guidelines and
procedures required to protect the Ethiopost IT resources from malicious
and damaging code/programs/Trojans that can affect critical operations.
4.7.2. Objective: The stated objective of the Ethiopost Antivirus policy is
the continuous protection of the Ethiopost business critical data from
malicious and harmful viruses and code.
4.7.3. Policy Statement:
4.7.3.1. ITD shall install and maintain centralized antivirus software
with an aim of ensuring the IT security systems of Ethiopost.
4.7.3.2. In the event of a viral infection, computers infected with
viruses shall be disconnected from the network until the infection has
been removed.
4.7.3.3. ITD shall install authorized antivirus software on all the Ethiopost
laptops and ensure that the anti-virus software gets updated.
4.7.3.4. Users must not change, uninstall, or delete anti-virus software
that is installed on their computers.
4.7.3.5. ITD is responsible for the implementation of an effective virus
security strategy. All machines, networked and standalone, and laptops will
have up-to-date anti-virus protection.
Policy Statement continued.......
4.7.3.6. The installation of anti-virus software on all machines is the
responsibility of the IT Staff.
4.7.3.7. The IT Staff must ensure the upgrade of the anti-virus software
on servers and networked desktop PCs.
4.7.3.8. Staff should be aware of the need to virus-scan all media (including flash disks
and CDs) before first use. The IT Staff should provide help and training where
required.
4.7.3.9. All workstation and server anti-virus software will be regularly
updated with the latest anti-virus patches by the IT Department.
4.7.3.10. No disk that is brought in from outside the organization is to be used
until it has been scanned.
4.7.3.11. All removable media containing executable software (software with
.EXE and .COM extensions) will be write-protected wherever possible.
4.7.3.12. Anti-virus policies and procedures will be reviewed regularly.
This applies to:
All IT equipment used at the Ethiopost.
4.8. Backup Policy
4.8.1. Definition: Backup policy refers to requirements for backup of all
available IT equipment in the Ethiopost IT infrastructure.
4.8.2. Objective: To safeguard the information assets of Ethiopost, prevent
loss of data in the case of accidental deletion or corruption of data, system
failure, or disaster, and permit timely restoration of information
and business processes.
4.8.3. Policy Statement:
4.8.3.1. ITD shall set and implement a standard backup and recovery
procedure for Ethiopost computing system.
4.8.3.2. ITD shall ensure that an authorized person is assigned to take reliable
backups of the Ethiopost business critical data.
4.8.3.3. ITD shall ensure all data on servers, desktops, switches, and other
permanently deployed devices at Ethiopost are regularly backed up.
4.8.3.4. ITD is not responsible for loss of personal data on equipment outside
of the Ethiopost domain, and hence is not required to perform recovery
operations.
4.8.3.5. ITD shall ensure that the information resource backup and recovery
process for each system is documented and periodically
reviewed.
4.8.3.7. ITD shall ensure that backups have, at a minimum, the following
identifying criteria: System name, creation date, sensitivity classification
(encryption) and Ethiopost contact information.
Policy Statement continued.......
4.8.3.8. ITD shall put in place processes and procedures that enable easy
and quick restoration of critical servers in case of any hardware or software
failure.
4.8.3.9. Users of networked computers should store their data on their
local hard drives and on the server. Data stored on their local hard drive may
be lost if a problem develops with the PC, and the IT Staff may not be able to
assist in its recovery. Therefore, data should be stored on both the server and
local drive within the file directory (folder).
This Policy applies to:
All IT operations, especially all desktops, servers, and switches used at Ethiopost
properties.
4.9. IT systems Audit Policy
4.9.1. Definition: Evaluating the systems and processes currently in place that
work to secure Ethiopost data and Information.
4.9.2. Objective: The Main Objectives of the IT systems Audit Policy are to
ensure that the relevant business critical operations and procedures of the IT
department are reviewed by competent auditors as a part of the process of
Internal and External Audits.
4.9.3. Policy Statement:
4.9.3.1. All IT processes and procedures shall be subject to a periodical internal
and external audit.
4.9.3.2. ITD shall make sure to monitor all IT systems infrastructure and take
proactive measures.
4.9.3.3. Security-related events that Ethiopost Departments at Head Office and
Branches may face shall be reported to ITD to review logs and report
critical incidents.
4.9.3.4. Auditing will be implemented on all systems to record login
attempts/failures, successful logins and changes made to all systems.
4.9.3.5. The IT Department reserves the right to monitor, log, collect and
analyze the activities of account holders in their usage of IT facilities as well as
conduct security audits on Ethiopost IT facilities.
This Policy applies to:
All IT processes and procedures executed at the Ethiopost.
4.10. IT Risk Management Policy
4.10.1. Definition: Risk management means ensuring the sustainability of
the Ethiopost IT operations and the maintenance of services before the
risk occurs.
4.10.2. Objective: To identify, reduce or eliminate risks of properties,
minimize and contain the costs and consequences in the event of
harmful or damaging incidents, and act appropriately.
4.10.3. Policy Statement:
4.10.3.1. ITD shall appoint and form an IT Risk Management task force to
minimize and contain the costs and consequences in the event of
harmful or damaging incidents arising from those risks, and to provide
for adequate and timely compensation, restoration, and recovery.
4.10.3.2. ITD shall ensure the continuity of the Ethiopost IT operations,
and the maintenance of services to their customer.
4.10.3.3. ITD, in co-ordination with all departments of ministries, shall
identify, analyze, and assess the risks identified, and design and
implement cost-effective risk prevention, reduction, or avoidance control
measures.
This Policy applies to:
All Departments within Ethiopost
5. Part Five: Enforcement
The following steps are suggested for achieving policy
enforcement and compliance
5.1. Implementing Security Awareness Program
*The key to compliance with security policy is
education. Educating Users on the need for
security is important as it will help Users to
understand the importance of information
security, and how it will benefit them in their daily
work. Thus, implementing a security awareness
program is a major step in ensuring compliance
with security policy.
5.2. Communicating policy effectively
*Once IT policy has been established, it must be communicated formally to all
the people responsible for enforcing and complying with it. This should
include employees, vendors, stakeholders, and other relevant Users. Given
the nature of the organization, it may also be necessary to communicate
some or all policies to customers as well. The endorsed final copy of policy
must be made easily available to all Users.
*There are some ways to distribute the policy to the Users. This Policy can be
introduced to the Users during orientation of new employees and incorporated into the
company's Employee Handbook as a code of practice for employees. It can
also be published on the Ethiopost intranet, which is available to all
employees for download, printing, and saving.
*Users are to acknowledge, by signing, that the written policy has been read and
understood, and agree to comply with it. The auditors who are responsible
for checking the compliance with the IT policy should be independent of the
persons implementing the policy. In checking user compliance, auditors need
to ensure that all Users are aware of, understand and perform their roles and
responsibilities as stated in the policy. For technology compliance, the audit
should focus on technical security settings of network, operating systems as
well as other critical systems and applications.
5.3. Monitoring and corrective measures
*The monitoring process is important as new threats and technologies
appear due to the changing environment and operations of the
organization. The risk assessment process that was conducted at the
beginning of the policy development phase should be reviewed again and
controls must be modified as necessary for any new threats introduced. It
is crucial to review the security policy continuously to maintain the
relevancy of the content. The frequency of review will depend upon the
nature of the policy. New policy must also be added when necessary and
obsolete policy must be removed.
*Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
Deliberate, unauthorized disclosure of non-public information may result
in civil and/or criminal penalties.
Approval
This SOP is approved by