Information Communication Technology (ICT) has grown pervasive throughout government ministries and divisions across the country. Due to a lack of effective cyber security policies being followed on the ground, the adoption and usage of ICT has expanded the attack surface and perceived threat to government. The Ministry of Compliance has followed this guideline to provide a clean and safe environment. According to the Cyber security standards for Government Employees, the CISO is responsible for raising cyber security awareness among government employees, contractual/outsourced personnel, and the general public. The CISO of each Ministry or Department is ultimately responsible for ensuring that their organisation abides by this rule.
Policies and Procedures to Protect Government Personnel from Cyber Attacks

1. SCOPE AND INTENDED READERS

The following guidelines are to be adhered to by all government employees, including outsourced/contractual/temporary personnel, who work for a government Ministry/Department.

2. OFFICE COMPUTER/PORTABLE DEVICE AND PRINTER SAFETY

Use only a Standard User (non-administrator) account for accessing the computer/laptops for daily work. Only those with the CISO’s blessing will be granted administrative privileges. Boot password protection can be set up in the BIOS.
Make sure you have the most recent updates/patches installed for your operating system and BIOS firmware. You should enable automatic updates for your operating system from a reliable source. Always use the most recent virus definitions, signatures, and updates for your Antivirus client software. Any software or application not specifically allowed by the Chief Information Security Officer (CISO) shall not be used. It is good practice to always log off of a computer while it is not being used.
Make sure to log out of your desktop computer. Maintain the most recent software patch or update for your printer. Secure shared printers with individual passcodes. The printer must be blocked from being used online. The printer’s settings must be altered so that print histories are not saved.
Turn on your computer’s firewall to restrict who can access what. Disable all location services, wireless connections, and sensor functions on all computers, mobile devices, and tablets. One option is to disable them until needed. For remote access to the corporate data center’s IT resources, a hardware VPN token is required. Do not jot down passwords, IP addresses, or network diagrams on sticky notes, post-it notes, plain paper pinned to a user’s desk, or any other kind of insecure material.
Don’t use CamScanner or any other mobile app-based scanning service for official government documents. Immediately remove any and all pirated operating systems and other software/applications that are not on the approved list.

3. MANAGING YOUR PASSWORDS

Passwords should be at least 8 characters long and comprise a mix of uppercase and lowercase letters, numbers, and symbols. Passwords should be changed at least once every 30 days. When possible, sign in with a combination of different methods of identification.
Don’t repurpose your passwords across different platforms. Never store a password in an unencrypted text file or in the browser’s saved passwords. Passwords, IP addresses, and network diagrams are all things you shouldn’t jot down on unprotected material (such as sticky notes, post-it notes, or plain paper pinned or put on your desk). Don’t let anyone in without a system password, printer pass code, or Wi-Fi password.

4. SAFE BROWSING ON THE INTERNET

Always use Private Browsing/Incognito Mode in your browser when visiting government applications/services, email services, banking/payment related services, or any other critical application/services.
To avoid being redirected to a login page, always go to the site’s login page by typing the domain name/URL directly into the browser’s address bar. Always use the most recent version of your preferred browser and install all available security fixes. Avoid having the browser remember any login information. Never save sensitive financial data on a web browser. To avoid being tracked, you must avoid using any anonymizing services provided by outside parties (e.g. Nord VPN, Express VPN, Tor, proxies, etc.).
Don’t install any additional toolbars (such as a download manager, a weather toolbar, an “ask me” toolbar, etc.) into your browser. Avoid downloading illegal material (such as movies, music, e-books, or software) from the internet. Avoid putting any games on or playing them on any official devices. Be wary of abbreviated URLs (such as tinyurl, bitly) as they could lead to malicious content. URL shortening services are frequently used by malicious and phishing websites.
Following one of these URLs could infect your device with malware or phishing software.

5. SECURITY FOR MOBILE DEVICES

Make sure that the mobile OS is running the most recent updates and fixes. Don’t go hacking your phone in any way. Many of your device’s security features will be rendered ineffective if you root or jailbreak it. Disable any and all wireless capabilities, including Wi-Fi, GPS, Bluetooth, and Near Field Communication, on your mobile devices.
One option is to disable them until needed. Google Play (Android) and the Apple App Store (iOS) are the best places to find and download apps. Check the app’s ratings and reviews from previous users before installing it on your device. Be wary about installing software that has a poor rating, low number of users, etc. Turn off your phone or place it in a safe location outside the meeting room if you need to participate in confidential discussions.
Never agree to a Bluetooth link with an unfamiliar device or share files with an unknown sender. Always check what permissions an app needs to run on your smartphone and why it needs them before installing it. Users should be cautioned against downloading an app if there is a discrepancy between the permissions it requests and the features it offers (e.g. a calculator app requesting GPS and Bluetooth permission). Make a note of the mobile phone’s 15-digit IMEI number and store it in a secure place. In the event that you lose your mobile device, you can report it missing.
You can prevent unauthorised use of your mobile device by activating auto lock or a pass code/security pattern-protected keypad lock. If your mobile device gets lost or stolen, you can use the Mobile Tracking feature, which notifies you and a second contact of your choice through text message. Make sure you back up your phone and any additional storage regularly. The data on the computer should be examined with up-to-date antivirus software before it is transferred to the mobile device. Be wary of clicking on links sent to you by text message or shared on social media that promise you exclusive deals or exclusive information on breaking news.
Following one of these URLs could infect your device with malware or phishing software. If you lose your phone or have it stolen, contact the police and your service provider right away. Turn off your phone’s automatic downloads immediately. Maintaining an up-to-date antivirus programme is a must.
Use the “login history” page in the Email service on a regular basis to review past login actions. Any inconsistencies in the login record should be reported promptly to administration. Encrypt sensitive information sent over email with PGP or a digital certificate. Be wary of macro-enabled documents when downloading attachments; if given the choice, always go with “disable macros,” and make sure protected mode is turned on in office productivity software like Microsoft Office. If you access critical online systems like Paypal or Stripe, make sure you turn on Two Factor Authentication (2FA). Also, stay updated with the latest security news and incidents related to those services.

7. PROTECTED REMOVABLE MEDIA

Before using the media for the first time, perform a low format.
The data stored on the removable media should be erased using a secure wipe. Before opening any files on removable media, do an anti-virus scan. Files and folders on external storage should be encrypted. A strong password should be used to secure all important documents. Please don’t insert the removable media into any unapproved computers or other gadgets.
Protecting your accounts on social media should be a top priority. Reduce the risk of unwanted disclosure of personal information by restricting your use of and time spent on social networking sites. Before adding someone as a friend or contact, be sure they are who they say they are. Protect your social media profiles by using multi-factor authentication. Do not open attachments or visit URLs received from somebody you do not know.
Don’t put sensitive government documents online. Never spread false information on social media without first verifying its veracity. The @gov domain should not be shared on any public network.