Introduction

​

The ICT Policy manual provides the policies and procedures for selection and use of ICT within Ampersand. It also provides guidelines Ampersand will use to administer these policies, with the correct procedures to follow.

​

Ampersand will keep all ICT policies current and relevant. Therefore, from time to time it will be necessary to modify and amend some sections of the policies and procedures, or to add new procedures.

 

Any suggestions, recommendations or feedback on the policies and procedures specified in this manual are raised with the IT department.

​

1. General Information

​

This policy was created and is maintained by Ampersand’s IT department. The web version of the policy available via the company’s official website is the definitive version and shall always be the most up to date.

 

2. Principles

​

1. Ampersand recognizes that information is an asset and is vital to the operational and economic well being of the company, and shall therefore create security measures and assign responsibilities to protect this asset from loss, theft, and unauthorized modification or disclosure

2. Ampersand recognises that it holds confidential personal information data from its employees, applicants, customers, contractors, and other stakeholders across multiple jurisdictions.

3. Ampersand recognises that it is under non-disclosure and confidentiality obligations for various third parties including legal Non-Disclosure Agreements. 

4. All measures must conform to established company policies and legal requirements

5. Every cost effective measure shall be made to ensure confidentiality, integrity, authenticity and availability of information

6. It is a priority for all employees at all levels of the company to protect the confidentiality, integrity, and availability of information and resources including information they receive about present and past employees, applicants, clients, partners and the company itself.

 

3. Objectives

​

The purpose of this ICT policy is to: 

​

1. Establish direction, procedures and requirements to ensure the appropriate protection of information handled by the company computer resources 

2. Emphasize the importance of following ICT policy in the various computer environments and the roles of staff at each level

3. Assign specific responsibilities to ensure policy implementation. 

 

4. Scope

​

1. The ICT policy applies to all company owned information or data in all forms including electronic and physical

2. The ICT policy applies to all employees both full-time and part-time, contractors, consultants and other workers at the company, including those affiliated with third parties who access the company’s ICT resources 

3. The ICT policy applies equally to networked servers, stand-alone computers, peripheral equipment, personal computers, laptops, workstations, mobile phones, and other electronic devices within Ampersand. It also applies to equipment outside of the company network but authorized for access to the company resources. Resources include data, information, software, hardware, facilities and telecommunications. 

5. Enforcement of ICT Policy

1. Enforcement

​

The IT Manager shall be responsible for enforcing the policy and for any appeals against IT department decisions. 

This policy document shall be reviewed during the first quarter of each year by the IT department as stated in the final section of this policy, and changes shall be approved by the leadership team of Ampersand. 

 

   2. Violation of ICT Policy

​

Sanctions for violation of the ICT Policy may include, but not limited to deactivation of the user's accounts and prosecution by law enforcement agencies. 

​

If misuse of user accounts lead to a violation of policy and compromise of confidential data, the person responsible shall be subject to disciplinary action, which may include termination of employment contract. 

 

ICT users who receive unsolicited offensive or inappropriate material electronically should delete such material  immediately. Offensive or inappropriate material received from people inside the company and known to the receiver should be deleted immediately and the sender of the material should be reported to the IT department and asked to refrain from sending such material again. In the event that a user does not cease sending unsolicited offensive or inappropriate email, disciplinary action shall be taken and shall include de-activation of the user accounts and legal action. 

​

Computer crimes such as unauthorized access to company and/or personal digital resources, computer fraud, hacking and damage to programs and data and introducing and spreading computer viruses shall normally result in legal action. 

​

I. IT procurement & Assets management policy

​

IT Equipment means computer hardware, servers and ancillary equipment, telephones, computers (laptops and desktops) and other telecommunications products, office products such as photocopiers, projectors, screens, printers and scan machines, or other hardware technology or equipment that is used in the creation, conversion, or duplication of data or information.

​

Purpose of the Policy

​

This policy provides guidelines for the purchase of IT hardware for the company to ensure that all hardware technology is appropriate, value for money and where applicable integrates with other technologies. The objective of this policy is to ensure that there is maximum control in purchase and delivery of hardware within the company.

​

​

Procedures

 

IT Procurement

​

All requests of IT equipment are raised to the IT department which receives, reviews and contact requester’s line manager for initial approval when necessary. In order to ensure that IT equipment is delivered to the requester as soon as possible, an IT inventory should be maintained with items and quantities listed in the IT department forecast sheet.

​

If the requested item is not present in the IT inventory or available in insufficient quantity, the request is forwarded to the procurement team which takes charge of both local and international purchases. For more details, refer to section 10 of Ampersand’s local procurement manual.

​

​

IT Assets management System (ITAMS)

​

The IT department is the primary owner of the IT assets, including hardware devices, software licenses, and other ICT resources, and is responsible for their acquisition, deployment, maintenance, and disposal. The IT department is responsible for managing and maintaining the IT asset management database as part of the IT asset management process.
The IT department may work closely with other departments, such as procurement, and finance to manage the IT asset register and ensure that it aligns with the organization's overall business strategy and goals.

 

II. Policy for Getting Software 

​

Purpose of the Policy

​

This policy provides guidelines for the purchase of software for the company to ensure that all software used by the business is appropriate, value for money and where applicable integrates with other technologies. This policy applies to software obtained as part of a hardware bundle or pre-loaded software.

 

Procedures

​

Request for Software

​

All employees are required to obtain approval from the IT department before installing any commercial software on their corporate computers. Commercial software refers to any software that requires a license or is not freely available for public use. Software freely available for public use can be installed without approval.  

​

Purchase of software

​

The purchase of all software must adhere to this policy.

​

All purchased software must be purchased by the IT department. The requester sends a request to the IT department specifying clearly all the software specifications, beneficiaries and license details. In some cases, the department manager of the requester may be contacted to approve the purchase.

 

III. Policy for Use of Software

​

Purpose of the Policy

​

This policy provides guidelines for the use of software for all employees within the business to ensure that all software use is appropriate. Under this policy, the use of all open source and freeware software will be conducted under the same procedures outlined for commercial software.

​

Procedures

​

Software Licensing

 

All computer software copyrights and terms of all software licenses will be followed by all employees of the business.

​

Where licensing states limited usage (i.e. number of computers or users etc.), then it is the responsibility of the IT Manager to ensure these terms are followed.

​

The IT department is responsible for completing an annual software audit to ensure that software copyrights and license agreements are adhered to.

​

Software Installation

​

All software must be appropriately registered with the supplier where this is a requirement.

 

Only software obtained in accordance with the getting software policy (Section 2)  is to be installed on the business’s computers.

​

All commercial software installation is to be carried out after informing the IT department.

 

A software upgrade shall not be installed on a computer that does not already have a copy of the original version of the software loaded on it.

​

Software Usage

​

Only software purchased in accordance with the getting software policy (Section 2) is to be used within the business.

​

Prior to the use of any software, the employee must receive instructions on any licensing agreements relating to the software, including any restrictions on use of the software.

​

All relevant employees must receive training for new software. This includes new employees to be trained to use existing software appropriately. This will be the responsibility of the employee’s department manager.

 

Employees are prohibited from bringing commercial software from home and loading it onto the business’s computer hardware without approval from their respective department’s manager.

 

Unless express approval from the IT Manager and staff department’s manager is obtained, commercial software owned by the company cannot be taken and loaded on a employees’ personal computer

 

Where an employee is required to use software on his personal computer, an evaluation where the employee can use a portable business computer should be undertaken in the first instance. Where it is found that software can be used on the employee’s personal computer, authorisation from the IT Manager and staff department’s manager is required to purchase separate software if licensing or copyright restrictions apply. Where software is purchased in this circumstance, it remains the property of the business and must be recorded on the software register by the IT department.

​

The unauthorized duplicating, acquiring or use of software copies is prohibited. Any employee who makes, acquires, or uses unauthorized copies of software will normally be subject to disciplinary actions, which may include legal action. The illegal duplication of software or other copyrighted works is not condoned within Ampersand. The IT, legal and HR departments are authorized to undertake disciplinary actions where such an event occurs.

​

Breach of Policy

​

Where an employee is aware of a breach of the use of software in accordance with this policy, they are obliged to notify the IT department immediately. In the event that the breach is not reported and it is determined that an employee failed to report the breach on time, then that employee will normally be subject to disciplinary actions, which may include legal action.

​

Unauthorized software

​

Unauthorized software is prohibited from being used in business operations. This includes the use of software fully owned by an employee and used within the company. The following list includes all software categories that are prohibited from being downloaded, installed or used across all company devices and network:

​

• Any torrent client software (Bittorrent, uTorrent, qTorrent, Tixati and all others)

• Any VPN client without express approval from the IT Manager and staff department’s manager

• Any cracked, patched, modded or illegally distributed copy of a commercial software without a genuine official license.

​

​

IV. IT Project Management Policy

​

Purpose of the Policy

​

This policy contains rules and guidelines which are followed during different phases of IT projects.

 

Procedures

​

All major ICT projects must follow a formal project management methodology. This methodology must, at a minimum, stipulate the following project deliverables within the respective phases of the project:

•  Project Initiation – Project charter

• Project Definition – Project definition report, Project plan and Business justification

•  Execution – Project status reports

• Close out – Project completion report

• Maintenance

​

V. Electronic and Physical Media Disposal Policy

 

Purpose of the Policy

​

This policy governs the secure disposal of corporate electronic and physical media according to the purpose, time of usage, lifespan, and retention period, ensuring compliance with applicable laws and regulations.

 

Procedures

​

Devices may be retired to mitigate the risk of important data being lost or difficult to retrieve due to hardware failure. When a device is retired, all data on the device must be securely erased as indicated in the disposal options below. 

 

Devices that are not retired may be repaired and repurposed. This cost-effective option  helps to reduce the environmental impact of ICT waste. When a device is repaired, it should be tested to ensure that it is working properly. Once the device has been repaired, it can be assigned to a new user or used for a different purpose.

 

Disposal Options

​

When electronic or physical media is no longer needed, it must be disposed of in a secure manner. The company has the following disposal options:

 

• Shredding: Physical media, such as paper documents are securely disposed of through shredding. This ensures that information cannot be accessed or reconstructed.

• Data wiping: For electronic devices which need to be reused such as laptops, a special software is used to overwrite the data on the storage media as an effective way to protect the data from being recoverable.

• Resell: For unused electronic devices, the company can also decide to calculate their current value and sell them to individuals after the data has been wiped out to prevent stocking unused ICT assets.

 

VI. Performance & Capacity Management Policy

 

Purpose of the Policy

​

This policy provides information about how the IT department ensures that devices and systems are operating smoothly according to their expectations.

​

Procedures

​

Weekly health checks must be conducted on critical ICT resources. The checks must include, amongst others critical devices functionality, storage capacity, network bandwidth, error logs, consumables e.g. printer toner, printer paper, WAN and LAN connectivity checks.

 

Performance reporting must occur on all critical IT resources on a regular basis. Capacity planning reviews must also be conducted regularly to forecast future ICT requirements.

​

​

VII. Bring Your Own Device Policy

​

At Ampersand we acknowledge the importance of mobile technologies in improving business communication and productivity. In addition to the increased use of mobile devices, staff members are allowed the option of connecting their own mobile devices to Ampersand 's network. We encourage you to read this policy in full and to act upon the recommendations and to re-read the policy, or view an instructional video (if available) or participate in training once a year.

​

Purpose of the Policy

​

This policy provides guidelines for the use of personally owned notebooks, smart phones, tablets and other electronic devices for business purposes. All staff who use their personal technology or  equipment at Ampersand’s workplaces are bound by the conditions of this policy.

​

Procedures

​

Current mobile devices approved for business use

​

The following personally owned mobile devices are approved to be used for business purposes:

​

• Personal smartphones

• Personal laptops

• Personal computer peripherals such as monitors, keyboards, mice, webcams, stands and others.

 

Registration of personal mobile devices for business use

​

Employees using their personal devices for business use, especially at the workplace, have to inform the IT department to register the device within the IT register to avoid confusion. The IT department will record the device and all applications used by the device.

​

Each employee who utilizes personal devices agrees:

​

• Not to use the registered mobile device as the sole repository for Ampersand 's information. All business information stored on mobile devices should be backed up to the employee’s business Google drive storage

• To make every reasonable effort to ensure that Ampersand 's information is not compromised through the use of mobile equipment in a public place. Phones containing sensitive or critical information should not be used by unauthorized persons and all registered devices should be password protected

• Not to share the device with other individuals to protect the business data access through the device

• To abide by Ampersand 's internet usage policy for appropriate use and access of internet site

• To notify the IT department immediately in the event of loss or theft of the registered device

• Not to connect to the device USB memory sticks from untrusted or unknown sources.

All employees who have a registered personal device for business use acknowledge that the company:

• Owns all company related intellectual property created on the device

• Will regularly back-up data held on the device

• Will delete all data held on the device in the event of loss or theft of the device

• Has first right to buy the device where the employee wants to sell the device

• Will delete all data held on the device upon resignation or termination of the employee’s contract. The resigned / terminated employee can request personal data be reinstated from back up data

• Has the right to deregister the device for business use at any time.

• ​

Keeping mobile devices secure

​

The following must be observed when handling mobile computing devices (such as notebooks and smartphones):

​

• Mobile computer devices must never be left unattended in a public place, or in an unlocked house, or in a motor vehicle, even if it is locked. Wherever possible they should be kept on the person or securely locked away

• Cable locking devices should also be considered for use with laptop computers in public places, e.g. in a seminar or conference, even when the laptop is attended

• Mobile devices should be carried as hand luggage when traveling by aircraft.

 

Breach of this policy

​

Any breach of this policy will be referred to the IT department who will together with the HR department, review the breach and determine adequate consequences, which can include disciplinary actions and/or restriction from using personal devices for business purposes again.

​

VIII. Onboarding / Offboarding Policy

​

Purpose of the Policy

​

Ampersand understands that developing a consistent process to onboard new employees into the company ensures that from the very start they feel as though they are part of a cohesive team, while management can also be assured that important information is consistently shared with everyone new. The same applies to offboarding where a consistent offboarding process ensures that both the employees and the company remain in a safe and secure state.

​

This can be achieved by having a standardized IT onboarding / offboarding policy that is delivered in conjunction with an IT checklist for new employees.

​

Procedures

​

Onboarding

​

IT onboarding is the process of setting up a new employee in the company’s IT environment and then introducing them to it when they commence. This is achieved by following a new employee IT checklist.

 

The HR department  informs the  IT department with the new employee’s name, job title, workspace location, starting date and any other relevant information that is needed to set everything up.

 

The HR, IT, and new employee’s department have to make sure that the aforementioned IT checklist has been respected and completed within the appropriate time frame.

​

Offboarding

​

Whereas onboarding provides a smooth transition into the company, offboarding provides a smooth transition out of the company. Offboarding is a process that completes the end of a professional relationship between an employee and the company they work for. It involves all the tasks and procedures that need to be completed when an employee leaves a job, whether it is voluntary or involuntary.

 

This process is initiated and carried out by the HR department. In order to make sure that everything is taken care of, the IT department has to be notified with all relevant details when an employee offboarding process has started. This is to guarantee that below key tasks are planned for and executed in time:

​

• Collecting company IT property from the employee

• Disabling employee access to company systems and data

​

Effective and consistent offboarding is important because it helps to ensure a smooth transition for the departing employee and minimize disruption to the company. It also helps to protect the company's confidential information and intellectual property, and maintain a positive relationship with the departing employee.

​

IX. Information Technology Security Policy

​

Purpose of the Policy

​

This policy provides guidelines for the protection and use of information technology assets and resources within the business to ensure integrity, confidentiality and availability of data and assets.

 

Procedures

​

Physical Security

​

Information security encompasses the protection of digital assets and the physical security of the company’s premises, equipment, and resources. The following controls are in place at the company premises:

​​

• Access Control Systems: We utilize access control systems with keypad and biometric lock to manage and control access to our premises and specific areas within. These systems enable us to track and restrict entry to authorized personnel only.

• Security Personnel: Trained security personnel, including security guards, are stationed at strategic points throughout our facilities. They monitor access points, conduct regular patrols, and respond to security incidents or breaches promptly.

• Closed Circuit Television (CCTV) systems: A network of CCTV cameras is in place to monitor and record activities in key areas of our premises. These cameras provide real-time surveillance and aid in investigations if any security incidents occur.

• Perimeter Security: We have implemented physical barriers, such as fences, gates to secure the perimeter of our premises. These measures prevent unauthorized access and provide an additional layer of protection.

​

For all physical servers and other network assets, the area must be secured with adequate ventilation. It will be the responsibility of the IT Manager to ensure that this requirement is followed at all times. Any employee becoming aware of a breach to this security requirement is obliged to notify the IT department immediately.

 

All security and safety of all portable technology, such as laptops, notepads, iPads etc. will be the responsibility of the employee who has been issued with them. Each employee is obliged to use passwords and other authentication measures and to ensure the asset is kept safely at all times to protect the security of the asset issued to them.

 

In the event of loss or damage, the IT Manager will assess the security measures undertaken to determine if the employee will be required to reimburse the business for the loss or damage.

 

All electronic devices such as laptops, notepads, iPads and smartphones when left at the office desk or anywhere alone are to be locked immediately.

​

Each employee who utilizes a business phone, computer, or any other electronic device agrees:

• Not to use the registered device as the sole repository for Ampersand 's information. All business information stored on mobile devices should be backed up to the employee’s business Google drive storage

• To make every reasonable effort to ensure that Ampersand 's information is not compromised through the use of that device in a public place. Portable devices containing sensitive or critical information should not be used by unauthorized persons and they  should be password protected

• Not to share the device with other individuals to protect the business data access through the device

• To abide by Ampersand 's internet usage policy for appropriate use and access of internet site

• To notify the IT department immediately in the event of loss or theft of the device

• Not to connect USB memory sticks from an untrusted or unknown source to Ampersand 's equipment

 

Each employee who utilizes a business phone, computer, or any other electronic device acknowledge that the business:

​

• Owns all company related intellectual property created on the device

• Can access all data held on the device, including personal data

• Will regularly back-up data held on the device

• Will delete all data held on the device in the event of loss or theft of the device

• Will delete all data held on the device upon resignation or termination of the employee’s contract.

 

Information Security

​

All business data such as sensitive, valuable, or critical employee, department, or company data is to be backed-up on secure online storage.

​

The company provides secure online storage facilities to enable efficient and reliable data backups. It is the responsibility of each employee to initiate regular backups of their work-related files and folders, including documents, presentations, spreadsheets, and other important data. Any unauthorized use of company online storage or failure to comply with this policy may result in disciplinary actions.

 

It is mandatory for all corporate computers to have antivirus software installed and running with up-to-date virus definitions. Windows Defender is the minimum accepted antivirus solution for all Windows-based workstations. Employees can also use other licenced commercially recognized antivirus software, subject to approval from the IT department. It is the responsibility of each employee to regularly update their antivirus software and ensure that it remains active and functional. Compliance with this requirement is essential to safeguard our network, data, and systems from malware, viruses, and other security risks.

 

All information used within the business is to adhere to the privacy laws and the business’s confidentiality requirements. Any employee breaching this will be subject to disciplinary actions.

 

Two-factor authentication (2FA) and password policies

​

To enhance the security of our work-related applications and protect sensitive data, employees are strongly encouraged to enable and use two-factor authentication (2FA) whenever it is supported, especially on corporate Google and Microsoft accounts. Employees are advised to combine password and one or more OTP medium such as mobile phone number or personal email. Failure to adhere to this policy may result in restricted access to work-related applications or disciplinary actions.

 

Passwords  are  an  important  aspect  of computer  security.  They  are  the  front  line  of protection for user accounts. A poorly chosen password may compromise the company network. As  such, all  company employees, including contractors, consultants, vendors and visitors with  access  to  company  systems,  are  responsible  for  taking  the  appropriate  steps,  outlined below, to  select and secure their passwords. 

 

General password policies:

​

• All system-level passwords shall be changed every 3 months

• All user-level passwords shall be changed every 60 days with password reuse disabled

• Passwords shall not be inserted into email messages or other forms of electronic communication

 

Password protection standards:

​

• Do not reveal a password over the phone to  ANYONE

• Do not reveal a password in an  email message

• Do not talk about your password in front of others

• Do not hint at the format of a password (e.g. "my family name")

• Do not share a password with  family members, co-workers or  reveal it  at any time

• If someone demands a password, refer them to this document or have them call someone at the IT department

• Employees are strongly encouraged to utilize password-less sign-in options, such as two-factor authentication (2FA), whenever available. Additionally, the use of password manager applications, such as LastPass, is highly recommended to securely manage and store passwords for different systems and applications.

• Change  passwords  every  2 months  (except  system-level  passwords  which must  be  changed  at  least  every  three  months  or  according  to  the  system specific procedure)

• If you  think  an  account  or  password  has  been  compromised,  the  incident shall be  reported to the IT department immediately and change  all  passwords.

​

The  IT department has rights to perform password  cracking or  guessing on  a periodic or  random basis.  If a password is  guessed or cracked  during one of these scans, the  user shall  be required to  change  it immediately.

​

File sharing and file storage

​

To safeguard company information, employees are responsible for storing all work files on company-approved storage mediums, such as Google Drive or Microsoft OneDrive. These storage mediums are encrypted and backed up regularly, which helps to protect the company's data from unauthorized access, loss, or damage. It is essential for employees to respect and follow below information security guidelines when sharing files online:

 

• Set access expiration dates when sharing files with external parties

• Only share files with people who need access to them

• Use the "Share with specific people" option when sharing files with external sources

• Set correct permissions for each person who has access to the file

• Review the file permissions and expiration dates regularly to make sure that they are still correct

• Delete files that are no longer needed.

​

Technology Access

​

Every employee will be issued with unique identification credentials to access the business technology and will be required to change a password for access every 180 days.

​

System administrators are responsible for the issuing of the accounts and initial password for all employees.

 

Where an employee forgets the password or is ‘locked out’ after multiple attempts, then the IT department is authorized to reissue a new initial password that will be required to be changed when the employee logs in using the new initial password.

 

The following table provides the authorisation of access:

​​​​​

​

Technology                                Primary Administrator

​

AmperOps                                 Louange Hirwa

Atlassian Apps                           Louange Hirwa

Cin7 Core                                   Irene Wanjiku

Grafana                                      Mick Ganza

Office 365                                  Louange Hirwa

Syft                                            Andy Williams

Xero                                           Andy Williams

Google WorkSpace                   Louange Hirwa

AutoDesk                                   Taiei Harimoto

​

It is the responsibility of the IT Manager to keep all procedures of this policy up to date.

 

Data inventory and classification

​

The company has implemented data inventory and classification mechanisms to ensure the appropriate handling and protection of data. The following methodology is employed:

 

• Data Inventory: The company maintains a detailed data inventory that includes an overview of the types of data stored and processed within the company. This inventory includes data stored in various mediums, including cloud storage platforms like Google Drive.

• Data Classification: Data within our organization is classified based on its sensitivity and criticality. This classification helps in identifying the appropriate security controls, access permissions, and protection measures for each category of data.

• Confidential Data Protection: Confidential data, such as HR records, financial information, trade secrets, or proprietary data, is given special consideration in terms of protection. Access to confidential data is limited to authorized personnel only, and strict access controls and permissions are implemented to prevent unauthorized disclosure or misuse.

• Cloud Storage Mediums: The company utilizes cloud storage mediums, especially Google Drive, for storing and sharing data. Access and permissions are regularly reviewed to ensure that confidential data is adequately protected. User access is granted based on a need-to-know basis, and data sharing settings are configured to align with the data classification and privacy requirements.

• Ongoing Review and Monitoring: The data inventory and classification methodology are reviewed periodically to ensure they align with changing data protection regulations and organizational requirements. This includes regular assessments of the sensitivity and criticality of data, as well as reviewing access permissions and security controls for data stored in cloud storage mediums.

 

Electronic Records Retention

​

Ampersand recognizes the importance of properly managing and retaining electronic records, including customer and investor confidential data, in a secure and compliant manner. Below Records Retention Policy outlines guidelines and retention schedules specific to different types of records.

 

Retention Schedule

​

The following table lists the types of electronic records and the required retention periods:

 

Type of record                                       Retention period

 

Customer information  The company retains information about active customers for the duration of their engagement with our services. Information is securely stored for a period of one year after our relationship with the customer is discontinued.

Restricted data (third-party information)

Records are retained only when in active use. 

 

Disposal of Records

​

At the end of the retention period, all electronic records must be destroyed in a secure manner. This may involve shredding and/or deleting the records using appropriate software as it is stated in the fifth policy of this document.

​

Exceptions

​

In some cases, it may be necessary to retain electronic records for a longer period of time than specified in the retention schedule. This may be required by law, regulation, or a court order.

​

Temporary suspension

​

In below cases, a user account is temporarily suspended until the HR and IT department agrees to re-grant access:

 

• Security concerns: If there is reason to believe that a user's account has been compromised, it is suspended to prevent unauthorized access and protect the security of the system and the data

• Policy violations: User accounts can be suspended if a user violates the organization's policies, such as sharing confidential information, accessing unauthorized resources, or engaging in inappropriate conduct

• Inactivity: If a user account is inactive for a period longer than 1 month, it may be suspended to free up resources and reduce the risk of unauthorized access. This applies to employees who are on long leave of absence due to different reasons including maternity, sickness and others.

• Maintenance or upgrades: User accounts may be suspended temporarily during maintenance or system upgrades to ensure that the system remains stable and secure during the process.

 

Overall, suspending user accounts is an important tool for organizations to manage their resources and protect their systems and data. It allows them to respond quickly to security threats, enforce policies, and ensure that users are paying for the services they use.

​

Surveillance Systems

​

Ampersand recognises the value of people, assets and other properties located inside its operating areas and understands all possible incidents which may occur in those areas including but not limited to theft, frauds, disputes, accidents and natural disasters. It is for those reasons why the company uses surveillance systems in different areas of the head office and charging stations .

​

Benefits of surveillance systems include:

​

• Prevent and reduce chances of theft

• Useful criminal and accident evidence

• Resolve internal business disputes

• Cut down security-related costs

• Monitor high-risk areas.

​

It is the responsibility of the IT department to ensure that surveillance systems are operational and automatic video data back-ups are being recorded and accessible for future use. The backed up data is either kept on the recording device local storage or company cloud storage mediums when it is necessary.

 

The IT department is also in charge of accessing video data recorded by surveillance systems and distributing access of those video data to internal or external entities when necessary.

 

All information recorded by company surveillance systems is critical and non-shareable, it should only be viewed by relevant staff. Any employee breaching this policy will be subject to disciplinary actions.

 

X. Network Policy

​

Purpose of the Policy

​

Ampersand has different network services available to a large number and variety of users,  including staff,  contractors and  external  parties.  Compromised security  for  any networked system can have a detrimental impact on other networked systems and even bring  down  the  entire  company network.  The IT department  has company-wide responsibility to  maintain the integrity and security of its networks and to  provide the wiring and cabling infrastructures that support voice, data and video services.

 

This policy encompasses all systems directly connected to the Ampersand networks and systems.  This includes  company internet  connections,  ethernet  connection,  fiber  connection  and wireless networks.

 

Procedures

​

Network traffic

​

The  IT department  shall  control  access  to  all  intra-company  traffic,  all  inbound  and outbound Internet traffic. The IT Manager shall determine  what  Internet  traffic  shall  be  permitted.  The  IT department  shall  provide oversight to  ensure that the traffic limitations are  consistent with the business goals of Ampersand.

 

Network bandwidth

​

Bandwidth  is  the  amount  of data  that  can  be  sent  from  one  computer to  another through  a network  connection  in  a certain  amount of time.  Data  flow is  negatively impacted  by  a  steady increase  in  users  on  the  network who  transfer  data  above  a standard level or size.  This increase in users and demand causes contention, slowing down the speed of transfer for everyone.

​

• The amount of internet bandwidth available to the company will be increased when feasible

• The IT department may prioritize certain types of internet traffic to  improve interactive performance

• The IT department will  implement access control to  discourage excessive use of the network so that users do not negatively impact others. This may include blocking traffic of certain applications / websites.

​

A Service Level Agreement (SLA) with the ISP must specifically state how much bandwidth the company receives monthly, performance measurements, agreed upon service levels and problem management.

 

Network management

​

• The  IT  department is  the  primary administrative  contact  for all  network security related activities

• The  IT  department  shall  coordinate  investigations  into  any  alleged  computer  or network security compromises, incidents, and other problems. To  ensure that this  coordination  is  effective,  the  IT  department requests security compromises to be reported by victims immediately

• The IT department shall  monitor backbone  network traffic  in  real-time to  detect unauthorized activity or intrusion attempts

• If  scans  or  network  monitoring  identifies  security  vulnerabilities,  the cooperation  of the IT department and appropriate departments  shall  be  required.  If  the  appropriate  contact  cannot  be determined,  the  relevant  management  shall  be  notified.  When  a  security problem (or potential security problem)  is identified the  IT department shall take steps  to  disable  system access  to  alleged users  and their  devices  until  the problems have been rectified

• The  IT department has  the  right  to  remove or disable  any  network  segment in real-time from the  company network until problems  affecting the  network segment are  identified and  solved.

 

Blocked websites

​

To prevent extreme usage of the network, the IT department has rights to block certain applications and websites that are prohibited to be used at the workplace, identified as illegal or bandwidth-consuming from running on the internal company network. Those websites include but not limited to:

​​

• All social media websites  except WhatsApp and LinkedIn

• All movies, series, and video sharing websites except Youtube

• All websites with adult contents

• All torrents sharing websites and P2P clients.

​

Any staff who bypasses company firewalls and is found using any of the above websites without permission from the IT department will be immediately asked to terminate all the processes associated with that website. If the same staff does not respect the first warning, the HR department will be involved in taking disciplinary actions including tight access control.

​

XI. Website & Social media Policy

​

Purpose of the Policy

​

This policy provides guidelines for the maintenance of all relevant technology issues related to the business official websites and all official social media handles of the company.

​

Procedures

​

Website & Social media Register

​

The website & Social media register must record the following details:

​

• List of domain names registered to the business

• Dates of renewal for domain names and hosting packages

• List of hosting service providers

• Expiry dates of hosting

• Hosting package details and third party providers associated to the website

• List of all official social media handles of the company

• Contributors on each social media handle

• Procedures to get content posted on the business social media page.

 

Keeping the register up to date will be the responsibility of the communications officer.

The communications officer will be responsible for any renewal of items listed in the register.

 

Website & Social media content

​

All content on the business website and all social media handles is to be accurate, appropriate and current. This will be the responsibility of a communications officer.

 

The content of the website is to be reviewed every 3 months.

​

The following people are authorized to make changes to the business website and google maps profile:

• Mick Ganza

• Joyeux Didier N.

• George Obiero

• Louange Hirwa

• Pacifique clement

• Duly authorized and contracted web design and PR agencies /contractors.  

 

The following people are authorized administrators of the business social media handles::

• Josh Whale

• Joyeux Didier.

• Staff at Ampersand duly authorized Public Relations agency(ies).

 

Basic branding guidelines must be followed on all website pages and social media handles to ensure a consistent and cohesive image for the business.

​

All data collected from the website and social media handles is to adhere to Ampersand’s privacy policy

 

 

XII. Electronic Collaboration & Information Exchange Policy

 

Purpose of the Policy

​

Ampersand  provides communication  and  collaboration  services, including  email,  and  video  and  voice  conferencing  to  all  employees of  the  company, enhancing efficiency and effectiveness of collaboration, communications and scheduling.

​

Procedures

​

Email

​

E-mail is an  official communication channel among staff and third party entities within and outside the  company.  Proper  use  of  e-mail  and  other  electronic  communication mechanisms will avoid waste of resources and enable proper communication with target recipients.

 

The use of company official email has the following advantages:

1. Sustainably keeps the records and back up  of work related information

2. They serve to  uphold confidentiality and integrity of work related information

3. They  serve  to  reduce  potential  bad  practices  associated  with  use  of emails  in communication (Personal Email Accountability)

4. They  reduce  unnecessary use  of papers  and  implied  costs  with  recognition  of official emails as  a formal company communication medium.

​

To maintain a secure and unified communication environment, all employees are strongly encouraged to use their corporate emails when signing up for external work-related applications, whenever it is supported. By utilizing your corporate email, you ensure consistency, security, and professionalism in your communication with external parties. It also enables the company to better manage and protect your data in accordance with our privacy and security policies.

 

Any  information that is  not legally required to  be  kept  and presented as  hard copy e.g. Invoices,  Cheques,  Receipts,  and  Delivery  Notes, should be shared  on official emails  or using  other  appropriate  software  applications  and  recognized  as formal communication.

 

The company’s  Email system shall not be used for the  creation or distribution of any disruptive  or  offensive  messages,  including  offensive  comments  about  race,  gender, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or origin.

 

The  IT department  will  make  an  effort  to  prevent  unsolicited  mail  or  content  deemed  as undesirable by  the  company senior management.  It  is,  however,  the  responsibility of each and every employee to  ensure that they do not in any way  forward any spam mails. Any violation of the rule shall normally result in disciplinary actions.

​

Google Chat

​

Google chat is acknowledged as one of the recognized methods of communication within Ampersand. Google Chat offers a secure and efficient platform that enables real-time messaging and collaboration among employees. It provides a convenient way to engage in discussions, share files, and coordinate work across teams, departments, and projects, which  streamline collaboration and enhance productivity.

 

 

XIII. ICT Service Agreements Policy

​

Purpose of the Policy

​

This policy provides guidelines for all ICT service agreements entered into on behalf of the business.

 

Procedures

​

The following ICT service agreements can be entered into on behalf of the company:

• Provision of general ICT services

• Provision of network hardware and software

• Leasing, repairs and maintenance of ICT equipment

• Provision of business commercial software

• Provision of mobile phones and relevant plans

• Provision of commercial web services including hosting.

​

All ICT service agreements must be reviewed by respective department’s manager and company legal entities before the agreement is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by the person in charge.

 

All ICT service agreements, obligations and renewals must be recorded and stored in a protected cloud storage folder (Google Drive, Onedrive, Mega or others) with strict access restrictions.

 

Where an ICT service agreement renewal is required, in the event that the agreement is substantially unchanged from the previous agreement, then this agreement renewal can be authorized by the respective department’s manager.

 

Where an ICT service agreement renewal is required, in the event that the agreement has substantially changed from the previous agreement, then this agreement needs to be reviewed by respective department’s manager and company legal entities before the renewal is entered into. Once the agreement has been reviewed and recommendation for execution received, then the agreement must be approved by the respective department’s manager.

 

In the event that there is a dispute to the provision of ICT services covered by an ICT service agreement, it must be referred to the company legal entities who will be responsible for the settlement of such dispute.

 

 

XIV. Emergency Management of Information Technology

 

Purpose of the Policy

​

This policy provides guidelines for emergency management of all information technology within the company.

​

Procedures

​

ICT Hardware Failure

​

Where there is a failure of any of the company’s IT hardware assets, this must be referred to the IT department immediately.

​

It is the responsibility of the IT department to assess the damage and provide repair or replacement solutions in the event of ICT hardware failure.

​

It is the responsibility of the IT department to undertake tests on planned emergency procedures every 6 months to ensure that all planned emergency procedures are appropriate and minimize disruption to business operations.

​

Internet Service Disruptions

​

Where there is significant drop in the speed of company wireless / wired internet, this must be referred to the IT department immediately using any of the available real-time channels (Whatsapp, Chats, Calls) to speed up the troubleshooting processes and reduce possible damages.

 

As well as the ISP, the IT department does not guarantee maximum and consistent internet speeds during every minute of the day as there are different short time causes of internet disruptions including internal network congestion, ISP’s link congestion, bandwidth throttling and so on. However, the IT department will always ensure that any issue that disrupts the internet connection is quickly and effectively resolved and communicated to the users.

 

In case of a planned network upgrade which will stop the internet connection on the whole network or certain segments of the network, the IT department will normally schedule the upgrade outside company working hours and notify relevant users about the upgrade at least 3 hours prior.

​

Virus or other security breach

​

In the event that the business’s information technology is compromised by software virus, trojan, malware, spyware, or any other computer / network attack, such breaches are to be reported to the IT department immediately regardless of working hours or time of day.

 

The IT department is responsible for ensuring that any security breach is dealt with within a reasonable timeframe to minimize disruption to business operations.

​

Website / Application Disruption

​

In the event that business website is disrupted, the following actions must be immediately undertaken:

• Website host to be notified if it is a technical issue

• The IT department must be notified immediately.

​

​

XV. Backup, Recovery & Archiving Policy

​

Purpose of the Policy

​

This policy provides guidelines for the Backup, Recovery & Archiving Policy. Introduction The purpose of this Section of the policy is to:

​

1. Safeguard the information assets of the company

2. Prevent the loss of data in the case of an accidental deletion or corruption of computer system failure, or disaster

3. Permit  timely  restoration  of information  and  business  processes,  should  such events occur

4. Manage and secure backup and restoration processes and the media employed in the process.

 

The retention periods of information contained within system level backups are designed for recoverability and provide a point-in-time snapshot of information as it existed during the time period defined by system backup policies.

​

1. Backup retention periods are in contrast to  retention periods defined by  legal  or business requirements

2. System backups are not meant for the following purposes: 

• Archiving data for future reference

• Maintaining a versioned history of data.

​

Procedures

​

Employee data backups

​

Each employee with business email is obliged to backup all device business-related data to a Google Drive folder. This will ensure that in case of device failure or disaster, company data and information will still be available.

​

System / Configuration backups

​

Although commercial third party systems have their own ways of ensuring data integrity and backup, company network devices such as routers need periodic configuration backups to ensure fast service recovery in the event of device failure or disaster.

 

 

Approval, Review and Amendment

​

Approval

​

This policy is approved and has been circulated to the leadership team, department managers and all staff.

 

Review

​

In order to ensure that Ampersand ICT resources are adequately protected and that this policy 

remains relevant, a mandatory review of this policy will occur once in every quarter of the year.

​

Records of amendments

​

Version no                                   Description of amendment                                     Date

 

 

Signed by:  Ampersand Management                                                               Signed by: HR Department

 

Emmanuel Hakizimana                                                                                            Valerie Okinda

 

Country Manager                                                                                                      Chief People Officer

 

Date:                                                                                                                              Date: