2.1 GENERAL

2.1.1 Policy Statement

This policy defines the ICT Department’s approach to managing, securing, and maintaining information and communication technology infrastructure. It ensures the organization’s digital assets are protected from unauthorized access, cyber threats, and data breaches while ensuring compliance with applicable standards and regulations. Moreover, this policy will cover the allotment of devices, Wi-Fi access, official email addresses, website content upgrades or changes, and the stock management of SWF’s ICT assets.

2.1.2 Purposes of the Policy

The primary purpose of this policy is:

• Security: Ensuring the integrity, confidentiality, and availability of data.
• Efficiency: Ensuring efficient use of ICT resources through standardized processes.
• User-Centricity: Delivering IT services and support that meet the needs of employees and stakeholders.

The purpose is to establish clear guidelines and practices to ensure that the ICT Department functions optimally, minimizing risks and ensuring business continuity.

2.1.3 Scope of the Policy

This policy applies to:

• All the employees access or interact with the ICT systems.
• All hardware, software, network infrastructure, website, and data within the SWF.
• Any remote access systems used for SWF.
• All ICT staff, including support, system administrators, and network engineers.

2.1.4 Definitions of Terms

• ICT: Information and Communication Technology,
• End Users: Any individual who interacts with the organization’s IT systems and infrastructure.
• Incident: Any event that disrupts normal IT service operation.
• Data Privacy: Protection of personal data from unauthorized access or misuse.
• Email: Official email address on SWF website.
• Wifi: Official wifi of SWF.

2.1.5 Policy Description

This policy outlines the procedures, roles, and responsibilities for:

• Securing the organization’s IT systems against cyber threats.
• Managing IT assets such as hardware, software, and network infrastructure.
• Ensuring business continuity and disaster recovery processes are in place.
• Providing user support and troubleshooting within the ICT systems.
• Managing and controlling access to sensitive data.

• The allotment of devices will take place when the application is given to the Managing Director.
•  Wifi access will not be given to volunteers. Employees should provide an employee card or access card to use the internet.
• Official email address will only be given to Directors when they will provide their employee card copy.
• Website content and upgradation should first be approved by the Managing Director and then can be uploaded on the website.
• The ICT department is responsible and in charge of all stock management of ICT assets.

2.2 IMPLEMENTATION OF POLICY

2.2.1 General SOPs

1. Access Control SOP
   Purpose: Ensure only authorized users can access sensitive systems and data.
   Procedure:

• Users will be granted access based on their roles and responsibilities.
• Access requests must be submitted via the IT service desk.
• Multi-factor authentication (MFA) is required to access critical systems.
• Accounts will be reviewed annually to ensure access levels are appropriate.

1. Incident Response SOP
   Purpose: Ensure a structured and timely response to IT incidents, minimizing damage and recovery time.
   Procedure:

• Incident identification via monitoring tools or end-user reports.
• Immediate containment actions, including isolating affected systems.
• Investigation and root cause analysis.
• Documentation of the incident and resolution steps.
• Follow-up review to prevent recurrence.

iii. Backup and Recovery SOP
Purpose: Ensure that critical data is regularly backed up and can be restored in the event of data loss.
Procedure:

• Daily backups of critical data to on-site and off-site storage locations.
• Regular testing of backup restoration processes.
• Off-site backups will be encrypted to ensure data security.
• The backup retention period will be 12 months.

1. Equipment Responsibility SOP

Purpose: Ensure that all accessories are taken good care of and checked daily.

Procedure:

• Daily checkups of the company’s accessories.
• Make sure that the accessories are working and in good condition.
• Handle the organization’s accessories carefully, set them before, and put them back after the meeting.
• Provide a small cabinet or cupboard where the organization’s accessories are kept.

2.2.2 Policy Disbursement Procedure

• The policy will be distributed electronically to all employees via the internal portal and email notification.
• New employees will be required to read and acknowledge the policy as part of their onboarding process.
• Policy updates will be communicated to all staff within 24 hours of the update.

2.2.3 Policy Impact Assessment Procedure

• The ICT Department will perform a semi-annual review of the policy to assess its effectiveness in mitigating risks, ensuring compliance, and meeting organizational goals.
• An impact assessment report will be generated, which includes feedback from stakeholders, audit results, and incident data.
• Necessary adjustments will be made to address any gaps or inefficiencies identified.

2.2.4 Approval & Signature Authority and Procedure

• The final approval of this policy lies with the Chief Executive Officer (CEO).
• The CEO will sign and date the policy document to signify approval.
• All amendments to the policy require re-approval by the CEO before they are enforced.

1. ICT DEPARTMENT ORGANOGRAM
2. Appendix

4.1 Device Receiving Proforma