
UCU ICT Policy Draft V1

The UCU ICT Policy outlines the framework for managing Information and Communications Technology resources at Uganda Christian University, aiming to support the university's vision and mission. It includes objectives such as promoting ICT proliferation, harnessing eLearning, ensuring sustainable resource utilization, and maintaining business continuity. The policy is governed by the Director of University ICT Services and is subject to review every three years to remain aligned with the university's goals.

INFORMATION &

TECHNOLOGY POLICY
Policy Schedule

Title UCU ICT POLICY

Policy Lead Contact Director University ICT Services

Date of Approval

Approving body Vice Chancellor's Cabinet

This Version No. 1

Policy Linkage

Review Interval 3 Years

Vice Chancellor's Signature

UCU ICT POLICY Page 1


ABBREVIATIONS & ACRONYMS
Preamble
1. Introduction
1.1. Policy Vision, Mission, Goals and Objectives
1.1.1. Develop ICT as an essential resource to support UCU’s vision and mission
1.1.2. Support and promote ICT proliferation throughout the university
1.1.3. Harness eLearning to support teaching and learning
1.1.4. Support collaboration with other higher learning & research institutions
1.1.5. Ensure sustainable utilisation of ICT resources
1.1.6. To ensure business continuity of university services
2. Policies
2.1. ICT Governance
2.1.1. Introduction
2.1.2. Policy Objective
2.1.3. Policy Scope
2.1.4. Policy Statements
2.1.5. Staff and Student Community
2.1.6. Policy Approach
e) Unacceptable use (Misuse)
f) Distribution Lists
g) Email retention and disposal
5. DATA COMMUNICATIONS NETWORK POLICY
5.1. Introduction
5.2. Objectives
5.3. Scope
5.4. Policy statements
5.4.1. Data Network Policy
5.4.2. Campus Local Area Network
5.4.3. University Wide Area Network
5.4.4. Access to Computing Infrastructure and ICT Services
5.4.4.1. Server rooms and network equipment
5.4.5. Computer Lab Facilities
5.4.6. Printer and Photocopier Equipment
5.4.7. Physical Surveillance data
5.4.7.1. Use of Physical Security Data
5.4.7.2. Access to Physical Security Data
5.4.8. ICT Hardware
5.4.9. Bring Your Own Device (BYOD)
6. ICT BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY
6.1. Introduction
6.2. Objective
6.3. Scope
6.4. Policy Statement
6.4.1. Policy Content
6.5. IT Disaster Recovery Objectives
6.6. IT Disaster Recovery Plan Testing
6.7. IT Disaster Recovery Training and Awareness
7. SOFTWARE DEVELOPMENT AND ACQUISITION POLICY
7.1. Introduction
7.2. Policy Objective
7.3. Policy Scope
7.4. Policy Statements
7.5. Policy Approach
8. NETWORK AND CYBERSECURITY POLICY
8.1. Introduction
8.2. Policy Objective
8.3. Policy Scope
8.4. Policy Statements
8.5. General use and ownership policy
8.6. Roles
8.6.1. The University ICT Services (UIS) directorate shall;
8.6.3. Conditions of Use
8.6.4. Unacceptable Use
8.7. Suspension or Termination of Access
8.8. Password Policy
9. Policy Enforcement Compliance
APPENDIX 1
Terms of Reference for the Central ICT Committee



ABBREVIATIONS & ACRONYMS
ARIMS Academic Records Information Management System
AUP Acceptable Use Policy
DB Database
DVC AA Deputy Vice Chancellor Academic Affairs
DVC F&A Deputy Vice Chancellor Finance and Administration
HR Human Resource
ICT Information & Communications Technology
IDSMIS Integrated Decision Support Management Information System
IP Internet Protocol
IT Information Technology
LAN Local Area Network
LCD Liquid Crystal Display
LDAP Lightweight Directory Access Protocol
NOC Network Operating Centre
NREN National Research and Education Networks
OS Operating System
PABX Public Branch Exchange
PC Personal Computer
PRO Public Relations Office
QoS Quality of Service
RENU Research and Education Network For Uganda
UCU Uganda Christian University
UIS University ICT Services
UPS Uninterruptible Power Supply
VC Vice-Chancellor
WAN Wide Area Network



Preamble
Uganda Christian University (UCU) is a private, not-for-profit University,
established by the Anglican Church of Uganda in 1997. In 2004, the University
was chartered as the first private University in the country. UCU operates 3
campuses (Mukono, Arua and Kampala) and 2 constituent colleges in Mbale and
Kabale. The Christian Identity of Uganda Christian University is espoused in the
Instruments of Identity, and the House of Bishops is corporately and exclusively
custodian of the Instruments of Identity.

Staff and Students are required to respect the Instruments of Identity and to
observe the laid down rules and the Code of Conduct both at the University and
while away on official or authorized events.

MOTTO: “Alpha and Omega: God the Beginning and the End”

VISION: “A Centre of Excellence in the Heart of Africa”

MISSION: “To equip students for productive, holistic lives of Christian faith and
service”

CORE VALUES: Christ-Centeredness, Diligence, Integrity, Servant-hood, and
Stewardship

THEME: “A complete Education for A complete person”

UCU’s Niche: “Professionalism and Character”

In its Strategic Plan (2019-2023), UCU aims at achieving the following objectives:
I. Christian Identity: UCU’s identity as an authentic Christian
institution.
II. Governance and leadership: Accountable leadership.
III. Teaching and learning: A high quality education with a diverse yet
integrated curriculum.
IV. Targeted research: Rigorous, relevant, focused and innovative
research.
V. Service to the community: Assisting communities to achieve holistic
development.
VI. Student recruitment and development: A diverse array of
students.
VII. Staffing: Attracts, recruits, and retains a staff noted for excellence in
teaching, research, and praxis.
VIII. Great campuses: The physical infrastructure that meets the
education, ICT, and administrative needs and standards while
preserving campus history and beauty.



1. Introduction

The University ICT services directorate offers computing and networking
resources to its students, staff and partners. The adoption and utilization of
Information and Communications Technology (ICT) within Uganda Christian
University (UCU) is aligned to the University's Strategic Plan.

The purpose of this policy is to describe and document the ICT policies and
procedures that will support UCU’s objectives in the academic and
administrative units of the University. This policy is geared towards
increasing effectiveness and efficiency in the use of ICT resources at the
University.

As such, the development of these policies took into consideration alignment
to other existing University functional policies as well as globally recognized
ICT practices. The University will accordingly ensure university wide
dissemination of this Policy to user group categories.

ICT includes, but is not limited to, the Internet, the Intranet, Email,
Telephones, closed circuit television camera (CCTV), Business Continuity and
Disaster Recovery (BC&DRS) of ICT services (Disaster Recovery solutions), all
software systems accessed through the UCU network, computers and
associated office automation equipment, and the telecommunications
infrastructure.

1.1. Policy Vision, Mission, Goals and Objectives


Vision:
To fully utilise ICT to provide enhanced support for teaching, learning,
research and administration.

Mission:
To equip students for productive, holistic lives of Christian faith and service.

Policy Objectives:
The overall objective of the ICT policy is to ensure the University's students
and staff have access to the necessary ICT facilities, applications and
services for teaching, learning, research, and collaboration, and to effectively
manage the University's ICT resources.



The specific objectives of the ICT policy are to:

I. Develop ICT as an essential resource to support UCU’s vision and mission
II. Support and promote ICT proliferation throughout the university
III. Harness e-Learning to support teaching and learning and research
IV. Support collaboration with other higher education institutions for learning
and research
V. Ensure sustainable use of ICT resources
VI. Ensure business continuity of digitised University services.

1.1.1. Develop ICT as an essential resource to support UCU’s vision and mission
UCU seeks to ensure optimal availability of ICT resources & services
required for running its educational programs and the requisite support
services so that it meets its aim of being a centre of excellence in the
heart of Africa.
The ICT Policy applies to all UCU departments and Units and covers the
following areas:
I. Prioritise ICT use and development.
II. Provide user-level data communication services (for quality
access to centrally stored data, email, internet, intranet,
library resources, etc.) in UCU offices and all its supported
teaching points.
III. Establish efficient and cost-effective ICT infrastructure that
ensures equitable access to university-based and global
information resources that support cost-efficient
communications and provide reliable links between UCU and
its partners (both national and international).
IV. UCU seeks to ensure that the development of ICT resources
and services remains as mission-focused and strategy-facilitating
as possible.

1.1.2. Support and promote ICT proliferation throughout the university
UCU seeks to promote utilization of ICT among all faculty, administrative staff
and students.
I. Encourage and support office automation in all University services
that results in improvement of service delivery to the UCU
community.
II. Provide adequate IT laboratory facilities to meet both teaching and
research requirements of UCU educational programs, with emphasis
on open-source software, especially for both students and staff.
III. Enhance resource management processes in UCU academic and
administrative functions by implementing integrated information
management systems for decision support to UCU management.



IV. Enhance and streamline student information management at the
main administration centres, faculties and all UCU campuses.
V. Enhance the utilization, scope and flexibility of library resources
through the implementation of an appropriate Library Information
Management System (LIMS).

1.1.3. Harness eLearning to support teaching and learning


UCU seeks to enhance flexibility and effectiveness of the learning process
as well as learning schedules for students in their fields of study by the
use of appropriate ICT facilities.
In this regard, UIS shall:
I. Provide technical support to initiatives to implement eLearning
programs as part of their education delivery strategy.
II. Implement a suitable Learning Management System (LMS)
solution to be the standard vehicle for e-learning delivery.

1.1.4. Support collaboration with other higher learning & research institutions

UCU seeks to ensure that it is able to benefit from collaboration and
sharing information resources at both the local and international levels
through appropriate partnerships, human networking and requisite
infrastructure capacity.

In this regard, the UIS directorate shall advise management to support
collaboration by:

I. Being an active member of the Research and Education Network
for Uganda (RENU).
II. Supporting the development of a regional Research and
Education Network.
III. Ensuring the reliable availability of adequate connection to other
academic networks and the World Wide Web (www) in general.
IV. Specifically catering for information sharing between UCU Main
Campus on one side and Constituent Colleges, remote
campuses, national partners, and international partners

1.1.5. Ensure sustainable utilisation of ICT resources

UCU seeks to ensure the sustainable harnessing and optimal utilisation of
available ICT resources.

The UIS directorate shall advise management to do this through:

I. Consideration of Energy Star ratings in the procurement of
ICT equipment
II. Rationalisation of standalone printers to shared multi-function
devices to reduce equipment needs and associated energy
use
III. Driving the proportion of e-waste sent to landfill towards zero
via a comprehensive asset collection and re-sale process

1.1.6. To ensure business continuity of university services

UCU has robust measures in place to cope with major disruptions. The UIS
directorate shall ensure that:
I. ICT applications and systems used at the University are
redundant
II. The disaster recovery plan is periodically tested in a simulated
environment to ensure that it can be implemented in emergency situations
and that the management and staff understand how it is to be executed

2. Policies

A number of policies are specified to enable the optimal management and
utilisation of ICT resources at requirements of this ICT policy. The policies will
be reviewed periodically to ensure they remain relevant and aligned to the
goals of the University.

General Scope
The ICT policy applies to all UCU academic and administrative units within the
University as well as any partners, contractors and authorised third party
relations. Under operational policy guidelines, the following are covered:
I. ICT Governance
II. Acceptable Use Policy
III. Internet and Digital Communications Policy
IV. Data Communications Network Policy
V. ICT Business continuity and Disaster recovery Policy
VI. Software Development and Acquisition Policy
VII. Network and Cybersecurity Policy
VIII. Password



2.1. ICT Governance

2.1.1. Introduction

Effective ICT governance provides a conducive environment for the alignment
of all ICT resources in a rationalised manner that is aligned towards enabling
an organisation to meet its goals and objectives. This also contributes to the
attainment of value for money, management of risks and effective ICT
utilization.

2.1.2. Policy Objective

To provide for the centralised effective Governance of all ICT related matters
within the University in a rationalised and harmonised manner.

2.1.3. Policy Scope

This policy applies to all ICT related matters within the University.

2.1.4. Policy Statements

Directorate of University ICT Support

The directorate of University ICT Services (UIS) shall be the focal point of
contact for the ICT Service Management function within the University. UIS
shall:
I. Provide effective ICT support that is responsible to the academic
and administrative functions of the university
II. Have the overall ownership of the professional and technical
mandate of all ICT designs and developments, management and
maintenance.
III. Contribute towards the sustainability of the unit in order to
enable effective execution of the directorate's mandate
IV. Promote effective and appropriate utilization of ICT resources
V. Specify, verify and vet ICT standards, procedures and best
practices for all university ICT deployments and operations.
VI. Promote an environmentally friendly approach to the
acquisition, use and disposal of ICT resources
VII. Operationalise and guide the ICT policy implementation.

Heads of Academic and Administration Units


The Deans or Heads of units shall in consultation with UIS:
I. Integrate ICTs into their activities;
II. Implement the Unit specific components of the ICT Policy and
Strategy;
III. Ensure compliance to the ICT Policy Framework; and
IV. Act as active participants during the periodic stakeholder
consultations towards supporting and facilitating the effective
implementation of the ICT Policy and Strategy.



2.1.5. Staff and Student Community

Students and Staff shall ensure compliance to the ICT Policies.


2.1.6. Policy Approach

The Unit responsible for ICT has direct responsibility for maintaining and
guiding implementation of this policy.



3. ACCEPTABLE USE POLICY
3.1. Introduction
Uganda Christian University makes available to students and staff computing
and network resources, including shared information technology resources
that use text, voice, images, and video to deliver information. This policy
details specific requirements for the use of all computing and network
resources at the University.

Definitions
In general, acceptable use means ensuring that the information resources
and technology of the University are used for their intended purposes
while respecting the rights of other computer users, the integrity of the
physical facilities, the confidentiality of data, information, and information
assets, and all pertinent licence and contractual agreements.

3.2. Objectives
The objectives of this policy are;
a) To encourage the use of both the Internet and computing hardware as
a conduit for learning, teaching and research without infringing the
rights of others.
b) To discourage the irresponsible use of hardware and network
resources, which use may result in the degradation of service.
c) To ensure the security, reliability and privacy of UCU's system and
network infrastructure.
d) To avoid situations that may result in any form of civil
liability.
e) To protect and preserve the privacy of individual users on the UCU
network.
3.3. Scope
This policy applies to all users of computing resources owned or managed by
Uganda Christian University. This includes members of staff, students,
authorised visitors, guests and campus visitors who avail their devices to the
University’s temporary visitor wireless network access service or eduroam
access.

3.4. Policy Statements


3.4.1. Acceptable usage
All users of UCU’s ICT services must;
a) Protect their User IDs, digital or electronic signatures, and other
authentication and authorization mechanisms from unauthorized use
by not sharing them. Users are liable for actions arising out of misuse
of their unique access credentials as long as their access profile is
active.



b) Use only legal versions of copyrighted software and documentation in
compliance with vendor licence requirements
c) Comply with the Computer Misuse Act (2011) and the Anti-Pornography
Act (2014) of Uganda
d) Not use any unauthorised peer-to-peer software (torrents)
e) Be considerate in the use of shared resources. Refrain from
monopolizing systems, overloading networks with excessive data,
degrading services, or wasting computer time, connection time, disk
space, printer paper, manuals, or other resources
f) Not relocate or move any desktops assigned without the consent of the
UIS directorate
g) Revise passwords and other authentication and authorization
mechanisms suspected to be compromised.
h) Store confidential data only in University approved secured
locations.
i) Not use software for password cracking, spying, unauthorized network
port scanning and network reconnaissance, network and/or software
penetration
j) Report identified or suspected security incidents to the Security
Office or Information Technology (IT) Support/Help Desk in time.

3.4.2. Suspension of Access


The following constitute rationale for user access termination to university
computing resources:
a) End of student or staff employment tenure
b) Request from University Council, University Management, Heads of
Department and/ or University Human Resource Department
c) Occurrence of any of the unacceptable usage restrictions



4. INTERNET AND DIGITAL COMMUNICATIONS POLICY
4.1. Introduction
Uganda Christian University has integrated the use of ICT in its major
operational areas of teaching, learning, administration and research. At the
core of this integration is the digitisation of most processes in the University.
UCU provides access to software, applications, the internet and facilities to
help staff and students complete their tasks faster and more efficiently, and to
assist them in using the latest available technology. The facilities represent a
considerable commitment of resources in respect to telecommunication,
networking, security and software, at significant cost to UCU, and therefore
need to be treated accordingly.

Definitions
Digital Communications: includes digital messages sent from one person to
one or more recipients via electronic systems. In the context of this policy, it
can include messages sent via email, Facebook, Twitter, LinkedIn, YouTube,
social media, wikis, blogs, etc. It uses the Internet as a method to enable
communication and distribute information.
The internet: The world-wide network linking together thousands of
computer networks and many millions of users through public and private
telecommunications lines; a global system of computer networks that are
interconnected to deliver a range of electronic, wireless, audio-visual
technologies.

4.2. Objectives
The purpose of this policy is to ensure that staff and students of UCU use
UCU's internet and Digital Communications systems in an appropriate
manner. This policy is designed to ensure that the integrity of the ICT system
is maintained whilst allowing appropriate management of each individual
workstation.

4.3. Scope
This policy applies to user categories within the teaching, learning,
administration and research units of the University as well as any contractors
and authorized third party relations.

4.4. Policy Statements


The following statements govern the implementation of this policy:

a. Use of Digital Communications and the Internet by staff is permitted
and encouraged where such use is suitable for teaching or UCU
business purposes and supports the goals and objectives of UCU.

b. This policy will be subject to amendment in response to changing
circumstances as Internet and Digital Communications facilities
develop, whether operational or legislative. UCU will inform staff
and students of changes.

c. All network, Digital Communications, Email and Internet accounts
maintained on UCU computing systems are the property of UCU,
and all users must comply with relevant policies and user access
permissions.

d. Any user who breaches Ugandan legislation relating to copyright,
privacy, spam and or any other related laws will be held personally
liable for that breach.

e. This Policy is intended to clearly define the conditions of use of the
Internet and Digital Communications. All employees and students
authorised for Internet and/or Digital Communications access will be
provided with access to this policy.

4.5. Policy Content


4.5.1. ICT services
a) The provision of secured University E-mail services and related
storage quotas will be centrally defined, managed and periodically
reviewed by the Unit responsible for ICT
b) All University websites and portals will be centrally hosted;
c) The UIS directorate shall centrally manage the provision of
computing resources to all user groups within the administrative
and academic units of the University
d) The University reserves the right to audit, without prior notice, any
ICT equipment connected to its networks for the purpose of
protection against exploitable security vulnerabilities

4.5.2. The Internet


General
UCU provides Internet access to staff and students for the sole purpose of
allowing them to use the Internet as a research tool, to post
communications about UCU, to enhance learning and teaching, and to
provide services to our clients.

4.5.3. Access and Security


Internet facilities will normally be provided only to workstations attached
to the UCU network and connected to the UCU Internet Service Provider
(ISP). Wireless Internet and its infrastructure are provided by the University.
Access to wireless for both staff and students is managed by the
University ICT Support. All users of UCU ICT services shall be admitted to
use of the services through a process to be initiated by the head of the HR
directorate, student admissions office or by written permission from the
VC or a Deputy Vice Chancellor (DVC).



4.5.4. Restrictions of Access
Use of the Internet via UCU IT systems or devices, to access pornographic,
illegal, offensive or obscene materials, is regarded as gross misconduct
under the relevant UCU policies.

The uploading or downloading of commercial software, games, music
videos or other intellectual property in violation of its copyright is not
permitted. Besides the legal issues, such downloads often create system
instability with the standard image, adding unneeded repair costs to IT and
associated support groups.

UCU uses special monitoring and control software for network connections
to prevent access to the majority of undesirable sites. However, those
precautions cannot always prevent access to all such sites due to the
ever-changing nature of their design. If you accidentally access unsuitable
material, you must disconnect from that site immediately and inform UIS.
No action will be taken for genuine accidental access of this material, and
steps will be taken to ensure such sites are added to the UCU website
blacklists as soon as possible.

4.5.5. Suspension and Termination of Access


The following constitute rationale for user access termination to university
computing resources:
a) End of student or staff employment tenure
b) Request from University Council, University Management, Heads of
Department and/or University Human Resource Department
c) Occurrence of any of the unacceptable usage restrictions

4.5.6. Digital Communications


4.5.6.1. General
Messages sent on Digital Communications systems are to be written in
accordance with the standards of any other form of written
communication. The content and language used in the message must
be consistent with our best practice. Also, you should avoid obscene or
defamatory language. The printing or forwarding of any Digital
Communications which breach any of the standards set out in this
Policy will also constitute a breach of these rules.

4.5.6.2. Defamation and Libel


For many purposes, Digital Communications have the same effect as if
they had been typed on notepaper. This means that you should never
under any circumstances make derogatory comments about anyone in
any Digital Communications that you send or post, whether internally
or externally.

Users must not participate in any online activities that are likely to
bring the university into disrepute, create or send material that may be
defamatory or incur liability on the part of the university, or adversely
impact the reputation and or image of the university.

4.5.6.3. Harassment and Bullying


UCU will not tolerate the use of Digital Communications systems for the
harassment or bullying of any person, whether on the grounds of
disability, gender, sexual orientation, marital status, race, colour,
religious belief, age, national or ethnic origins or for any other
reason whatsoever. Any allegations of such harassment will be dealt
with under the UCU staff and students code of conduct.

4.5.6.4. Opening/Downloading Digital Communications and Attachments
Although UCU wireless access is encrypted and is accessed through
managed user authentication, the University is not liable for any
security or privacy violation that may happen to wireless users due to
their negligence. The user must promptly inform UIS of any known
violation. A security violation that affects other users will be
handled in accordance with the staff and students code of
conduct.

4.5.6.5. Telephony

Fixed line phone service shall be provided to some members of staff and
student leaders to facilitate official communication. Credit allocation for
Fixed line and Mobile telephony shall be provided as per guidance given
by the Deputy Vice-Chancellor Finance & Administration (DVC F&A). The
fixed line users will be advised in writing how to access the service and of
their monthly credit limit, and will be given their unique phone access code.
The University shall deploy toll free phone numbers to offices that cater to
emergencies (as guided by the DVC F&A).

4.5.6.6. Electronic Mail

Introduction
Email is one of the authorized means of communication for academic and
administrative purposes within UCU. Staff and students shall be issued
with an official UCU email account upon appointment into University
service (staff) or upon admission to UCU (students).

Purpose
The purpose of this policy is to describe the permitted uses of
University email. Compliance with this Policy helps the University to
achieve two goals:
1. Improve the successful delivery of University communications to all
staff, students and partners
2. Reduce the risk of University data classified as High Risk going
through email systems not managed by the University

a) Access and acceptable use

The University ICT Services will provide email access to all authorized
users. Applications for account access, and other details concerning
network services may be found at the UIS office, or made through
helpdesk at http://helpdesk.ucu.ac.ug.

The use of Email for illegal activities is prohibited. Illegal activities include
(but are not limited to) copyright violations, transmission of content
that breaks the laws of Uganda, unauthorised access to secured content
on other networks, propagation of discriminatory or harassing content,
production, accessing and distribution of pornographic and obscene
content, propagation of content that is derogatory or defamatory to
individuals or groups of people, accessing gambling sites or any other
location whose content contradicts UCU’s staff and students code of
conduct.

Users must not use university computing devices and/or network to send
out any spam.

The university reserves the right to implement e-mail quotas for both
employee and student accounts. Individuals are responsible for regularly
deleting old files from in-boxes and mail folders.

b) Email Convention
The staff official email address ends with @ucu.ac.ug and is usually of
the form [email protected] where F is the first character of the
FirstName and LastName is the last name. Where different staff have the
same FirstName initial and LastName, e.g. Doreen Mukasa and Desire
Mukasa, one member will follow the normal convention (dmukasa) and the
second member will use the first two characters of the first name. It is
also possible to use full names for both FirstName and LastName, such as
desiremukasa@ and doreenmukasa@.

For staff with more than two names, it may be of the form
[email protected] where FM is the first character of the FirstName
and first character of the MiddleName and LastName is the last name.

The student official email address ends with @students.ucu.ac.ug and is
usually of the form [email protected]. Students may
provide a preferred email address which may be different from their UCU
email account as a secondary point of contact in case the UCU email is
inaccessible. This also may be used when the student becomes an
alumnus.

Student email shall be deactivated as soon as they are cleared for
graduation by the academics office.

c) User Responsibilities

Staff and students are expected to read, and shall be presumed to have
received and read, all official UCU email messages sent to their official
UCU email account.

The holder of an official email address will be assumed and confirmed to
be the author of all communication originating from that address and
shall be responsible for it, UNLESS the account is reported to have been
hacked. In that case the onus will be on the email user to notify
UIS about the corruption on their address.

When staff members are out of office or on leave for extended periods of
time, arrangements must be made to provide automatic ‘out of office’
responses or delegated access to the mailbox.

To protect information in emails, staff and students are to be mindful of
privacy and confidentiality considerations as they distribute information
outside the university.

UIS is expected to attach a general signature to every new email
generated within the university. This signature includes the
university logo, theme, full address, and vision.

UIS shall regularly sensitise and educate users about managing their
disk space and all matters of general concern as outlined above in
the use of emails.

d) Email Security

It's the duty of every user to keep their email account secure. In this
regard, a user is advised to change their password every three months to
one that conforms to the UCU Policy guidelines for password creation. No
account should have the same password for longer than 3 months. The
password should adhere to the UCU password guidelines. The University’s
authentication system should also implement such guidelines.
Spam email should be reported to UIS immediately, either by email or
through the helpdesk ticketing system at http://helpdesk.ucu.ac.ug

Any request for a change of another user’s password will be done by
filling the change request form or sending an email to
[email protected].
Any request to activate/deactivate another user’s account under
circumstances that are not termination, end of contract or
graduation of a student shall be done by filling in the change
request form or sending an email to [email protected].

UIS shall implement any content filtering it deems necessary and carry out
random monitoring of usage in order to ensure that only acceptable
content is transmitted over the university network and will carry out other
network performance and resource management evaluations.

Email correspondence and associated documents sent as attachments
may be considered official University records and as such, may need to be
retained longer than the established policy guidelines. It is the
responsibility of the sender and recipient of these email messages to
determine the required retention period, which must comply with
university email policies and procedures.

e) Unacceptable use (Misuse)


Policies and regulations that apply to other forms of communications at
the university also apply to electronic mail. It is an offence and a
violation for any user of official UCU email addresses to impersonate a
university officer, a member of faculty, staff or student body. In addition,
the following specific actions and uses of university email facilities are an
offence punishable under the University Code of Conduct.
These include but are not limited to:
A. Concealment or misrepresentation of names or affiliations or the
University in email messages
B. Communication of any content that is pornographic.
C. Alteration of source or destination address of email.
D. Use of email for commercial purposes, or personal financial gain,
that have not been approved by the University.
E. Use of email for partisan political activity or political solicitation.
F. Use of email to harass or threaten other individuals.
G. Use of email that degrades or demeans other individuals. Email
users must also adhere to the University’s ICT Policy.
H. Use of UCU email addresses to sign up for social media accounts
like Facebook, LinkedIn, Twitter and others.
I. Users are prohibited from automatically forwarding UCU email to
third-party email systems. Individual messages which are forwarded
by the user must not contain UCU confidential information.

f) Distribution Lists
E-mail distribution lists are university property. They may be furnished
to an external third party only in conjunction with a legitimate
academic or administrative initiative, approved in writing by the
Director UIS. In such cases, contractual arrangements with the external
party must include language that prevents the vendor from furnishing,
duplicating or selling the distribution list to another party.

Under no circumstances may university distribution lists be sold to an
external party, nor may employees use these lists for individual gain or
to express unsolicited personal views and opinions (for example,
marketing a product or service or conveying a grievance). Creating for
any purpose self-constructed distribution lists comprised of faculty or
staff e-mail addresses is strictly prohibited.

Faculty, staff and students must exercise caution in using e-mail
distribution lists to conduct internal surveys, as most recipients find
unsolicited surveys tantamount to spam. Employee use of distribution
lists for surveying is allowed only for legitimate academic or
administrative purposes.

Spam and Phishing

● Spam is defined as unsolicited and undesired advertisements
for products or services sent to a large distribution of users.
● Phishing is defined as the attempt to acquire sensitive
information such as usernames, passwords, or credit card
details (and sometimes, indirectly, money), often for
malicious purposes, by masquerading as a trustworthy entity
in an electronic communication.

All incoming email is scanned for viruses, phishing attacks, and
spam. Suspected messages are blocked from the user’s inbox. Due
to the complex nature of email, it is impossible to guarantee
protection against all spam and virus-infected messages. It is
therefore incumbent on each individual to use proper care and
consideration to prevent the spread of viruses and other malware.
In many cases, viruses or phishing appear to be sent from a friend,
coworker, or other legitimate source. Users should not click links or
open attachments unless they are sure of the nature of the
message. If any doubt exists, the user should contact the Helpdesk
at [email protected].
Spam messages can be forwarded to [email protected] where
they may be added to the filter list.

g) Email retention and disposal


Each user account has a maximum storage limit. It is the responsibility of
each user to maintain their email account within that limit. Log files
associated with email messages which provide a record of actual email
transactions, but not the email content, are generally preserved for no
longer than thirty (30) days.

Email correspondence and associated documents sent as attachments
may be considered official University records and as such, may need to be
retained longer than the established policy guidelines. It is the
responsibility of the sender and recipient of these email messages to
determine the required retention period, which must comply with
university email policies and procedures.

Uganda Christian University reserves the right to immediately terminate
e-mail access for employees who have left university service.

Student e-mail accounts are deleted when the individual graduates from
the university.

5. DATA COMMUNICATIONS NETWORK POLICY

5.1. Introduction

Over the years Uganda Christian University’s management made Information
Communication Technologies (ICTs) a priority and this resulted in their
integration into the teaching, learning, research and administrative process in
the University. This is in line with the University mission: To Equip
Students for Productive, Holistic Lives of Christian Faith and Service.
The integration of ICTs into various aspects of University functions has led to
a robust working environment that is greatly digitised. The digitisation of
most core services has greatly benefited the teaching, learning and general
operation of the University. At the core of this digitisation is the Data
Communications Network.
This Policy sets out to guide the development, maintenance and usage of the
University’s backbone and communications channels through the UIS
directorate.
The university data communications network shall be broken down into the
following areas:
a) ICT Network Infrastructure (LAN and WAN)
b) Access to Computing Infrastructure
c) Printer and Photocopiers
d) Physical Surveillance
e) Remote Access

5.2. Objectives

The objective of this Policy is to guide the development, rollout,
maintenance and usage of the University's ICT infrastructure to ensure
high availability, stability and resiliency. This is geared towards ensuring
that the usage of the ICT infrastructure is aligned to the goals of the
University as laid out in the University overall strategy.

5.3. Scope

This policy applies to user categories within the teaching, learning,
administration and research units of the University as well as any
contractors and authorised third party relations.

5.4. Policy statements

5.4.1. Data Network Policy

The University shall provide a resilient, secured and stable fast data
communications network as an enabler to the processing, storage,
dissemination and accessing of information or ICT enabled services as
relates to the various needs of the teaching, learning, administration and
research domains.
5.4.2. Campus Local Area Network

Definition
The wireless and wired network within each building on campus shall be
interconnected to form the campus local area network (LAN).
Structure of Campus LANs
a) The university shall provide secure and resilient University LANs
b) The University will support the provision of reliable and secured
near-ubiquitous Wireless Access Points across the University
Campuses;
c) Only approved Wireless Access Points shall be allowed to
transmit wireless signals;
d) All Campus LANs will ensure compliance with approved
University ICT structured cabling standards and network
configurations
e) All Campus LAN extensions or modifications shall require
approval from the Unit responsible for ICT
f) The Network monitoring and technical support shall be the
responsibility of the Unit responsible for ICT.
5.4.3. University Wide Area Network

The University's network and associated infrastructure is the responsibility
of the UIS directorate.
a) Activities or improper use which could compromise the delivery,
integration and security of the network and associated
infrastructure and/or network services are strictly prohibited
b) The UIS directorate reserves the right to disconnect without prior
notification any component on the network in order to protect the
security and or integrity of the network or deal with an unauthorised
activity
c) All users will be authenticated prior to being allowed access to any
UIS resource, via the provision of centrally managed user codes and
passwords
d) All network deployments shall be managed by the UIS directorate
e) All third-party ICT services propagated on the University Network
must be formally registered and pre-approved by the UIS
directorate
f) All network traffic may be monitored

5.4.4. Access to Computing Infrastructure and ICT Services

5.4.4.1. Server rooms and network equipment

a) Access to University Server rooms and other network equipment
installations shall be secured and only allowed to authorised
personnel;
b) Movement of any network equipment and/or installation shall be
only as authorised by the UIS directorate;
c) All network equipment and/or installation shall be labelled according
to the University approved ICT nomenclature specification;
d) The UIS directorate shall maintain an updated Network Equipment
asset register;
e) The UIS directorate shall maintain a service schedule for all network
equipment;
f) All ICT equipment to be installed onto the university network shall
comply with approved University specifications as spelt out by the
UIS directorate from time to time;
g) All installations or modifications of any network equipment shall be
approved and supervised by the UIS directorate
h) All installations of network equipment by academic staff for
educational purposes shall be authorised by the UIS directorate
i) The Unit responsible for ICT shall define and manage all Service
Level Agreements with third party service providers for bandwidth
provision and any other ICT related service
j) All external third party connections to the University network shall
comply with the University ICT Policies
k) All contractors or third party access to any server room or network
equipment installation shall be authorised and supervised by the
Unit responsible for ICT.

5.4.5. Computer Lab Facilities

The UIS directorate shall ensure that all Computer Labs are;
a) Accessed only by authorized students and/ or researchers
b) Locked down to prevent physical theft of any component
c) Routinely checked for unauthorized connections
d) Labelled according to approved ICT nomenclature
e) Professionally serviced and maintained
f) Protected against exposure to water leakages, fire and/or dust
g) Housed in buildings that are adequately earthed with lightning
conductors

5.4.6. Printer and Photocopier Equipment

The specific purpose of the printer and copier policy is to ensure
optimal use and management of imaging (print, copier, scanning)
resources so as to minimise cost and wastage.

Employees are required to use shared, network University printers
and photocopiers. Dedicated printers are permissible only with
advance approval from University management and the UIS
directorate.

Employees whose role very frequently involves the need to print
confidential documents will be permitted to use a dedicated
non-networked printer.

UIS may keep a record of usage information, including print/copy
volumes, by whom, when and for what.

5.4.7. Physical Surveillance data

Physical Surveillance at the University is carried out through video
surveillance (using Closed Circuit Television (CCTV) cameras) and fingerprint
access systems for purposes of crime prevention. The Chief Security
Officer is responsible for the overall security measures at the
University. The UIS directorate is responsible for the University's CCTV
and fingerprint access systems.

The objective of the security policy is to protect UCU students, staff,
visitors and assets from security problems that may have an adverse
impact on individuals, the university's activities and professional
standing.

5.4.7.1. Use of Physical Security Data

Recorded data will be stored for a period of at least 30 days, in a
secure location accessible by authorized staff only.

Individuals responsible for conducting video surveillance and card
access monitoring must limit their surveillance/monitoring activities
to authorized safety and security purposes, such as, but not limited
to:

a) protection of individuals, property, and buildings;
b) confirmation of alarms;
c) patrol of public areas;
d) ongoing operation of a secure data facility; and
e) investigation of policy violation or criminal activity.

5.4.7.2. Access to Physical Security Data

Entities authorized to request and review Physical Security Data are
strictly limited to:

1. Chief Security Officer – in conjunction with secure data facility
oversight
2. Human Resources – in conjunction with an official
administrative investigation
3. Legal officer – in conjunction with an investigation, granting
exceptions from this policy, or providing legal counsel
4. Internal Audit – in conjunction with an investigation, or
internal audit of a University

5.4.8. ICT Hardware

The specific purpose of the computer hardware component of this policy is
to provide direction and guidelines on the type of hardware to be
purchased and used on the UCU network in overall pursuit of the
University’s ICT resource optimisation, collaboration and equipment
standardisation principle.
It is the University’s policy that purchase or leasing of ICT equipment be
done with the guidance of the ICT directorate and according to agreed
levels of standardisation to enable easier support and optimal utilisation of
financial resources designated for ICT equipment.

5.4.9. Bring Your Own Device (BYOD)

The University shall allow the usage of personal devices on the
university network as long as such usage complies with the University policies
and offers a similar level of protection as specified by the Unit
responsible for ICT.
Such usage will be subject to the following:
a) No sensitive or confidential University information shall be stored on
such devices
b) The University will provide an acceptable level of protection for such
personal devices as defined by the Unit responsible for ICT from time to
time;
c) The University shall have the right to investigate the content on such
devices in case of any malicious activity, cybercrime or fraud that
affects the University.

6. ICT BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY

6.1. Introduction

Maintaining an IT Disaster Recovery (DR) plan as part of Continuity of
Operations Program (COOP) is of key importance to minimise the effects of a
manmade or natural disruptive event or disaster. An IT DR plan kept up-to-
date and tested on a regular basis allows UIS to resume critical functions in a
timely and predictable manner.

6.2. Objective

This Policy specifies the principles by which UCU will ensure appropriate
Information Technology (IT) resilience and maintain the delivery of IT services
to the University at predefined levels, in the event of major disruption,
emergency, or disaster.

6.3. Scope

This IT policy, and all policies referenced herein, shall apply to all members of
the University inclusive of students, staff, independent contractors and visitors
who access or utilise the University's ICT resources.

6.4. Policy Statement

6.4.1. Policy Content

Disaster events may be isolated, short term disruptions to service
continuity where there is a requirement to activate only the IT Disaster
Recovery (IT DR) plan of a single system, or may involve a wider
disruption, where the University may need to activate its full Business
Continuity Plan (BCP). In all cases, IT DR will be guided by the priorities of
the BCP.

The IT DR Framework will be aligned with the University’s business
continuity processes, and risk management approach (or policy). This will
be achieved by:

a) ensuring that any IT DR focused business impact analysis identifies
the following for each individual application/service to properly
quantify and categorise its business recovery requirements:
i. Recovery Time Objective (RTO);
ii. Recovery Point Objective (RPO);

b) ensuring that any new University IT systems and applications
developed or procured, including associated infrastructure, include
new/amended IT DR plans during the system implementation life
cycle. New/amended applications will not be released to production
without the necessary plan updates, and approval;
c) ensuring that appropriate data protection strategies such as
backups, replication, and supplier contractual agreements are in
place, to maintain the integrity of the University data, and to
prevent or minimise data loss within any identified RPO;
d) requiring that all IT projects or system enhancements comply with
the IT DR Policy and Framework including classification of new
systems into the organisation’s IT DR tiers;
e) requiring that contracts for IT services provided by
vendors/suppliers include assurances for IT DR including detailing
system recovery times and potential data loss;
f) producing evidence of IT DR plans and regular testing of plans;
ensuring that IT DR is implemented and managed in accordance
with the processes and procedures set out in the University’s IT DR
Framework; and
g) undertaking a risk-based approach to all IT DR activities and phases
of event management (Response, Recovery, Resumption and
Restoration).

6.5. IT Disaster Recovery Objectives

The objectives of IT DR are to:

a) manage risk;
b) minimise the impact on the University’s operations of disruptions
affecting IT services by having in place effective responses,
including IT incident management and IT disaster recovery plans;
c) support the University’s service level commitments so that IT
systems underpinning services and/or time critical functions are
recovered as a priority;
d) ensure that all users of University IT resources and connected
systems suppliers, and vendors are competent and familiar with
their responsibilities and delivery of IT DR;
e) provide evidence-based criteria on which to develop the IT DR
strategies;
f) implement a continuous improvement process aligned with
business continuity; and
g) align IT DR with relevant University policy, procedures, and
guidelines.

IT DR is informed by the following high-level management processes
which facilitate the delivery of an integrated University IT DR Framework:

a) Business Continuity Management;
b) Risk Management;
c) IT Service Continuity; and
d) Information Security Management

The University through the University ICT Services directorate will:

a) define an IT DR Framework and develop IT DR Strategies;
i. ensure that the IT DR Framework follows industry best
practice, including relevant national and international
standards and guidelines;
b) ensure that IT DR plans to support the University’s business
recovery requirements are developed, reviewed, and
maintained. The relevant business and technical stakeholders
must be involved in the IT DR planning process;
i. ensure that IT DR planning is simple and practical
and that systems that reduce the manual
complexities of the recovery process are reviewed
on a regular basis.
c) develop and maintain a structured training and awareness
approach to ensure that all users of University IT resources and
connected systems are aware and have a competent
understanding of IT DR;
i. ensure that all users of University IT resources and
connected systems are made aware of and are
responsible for having input into IT DR plans that
affect their service areas;
ii. ensure that all aspects of the IT DR Policy are
effectively communicated to the appropriate IT
resources and University groups;
iii. ensure that all teams are educated in their
respective IT DR roles and responsibilities;
d) integrate IT DR within risk and incident management processes
including identifying, evaluating, and assessing potential
disaster scenarios that could impact on critical activities;
e) integrate IT DR into the technical, operational, change, design
and project management practices and procedures to promote a
culture of resilience that will underpin the continuous delivery of
services;
i. ensure that processes are in place that identify any
change(s) that would necessitate alterations to IT
DR plans or environment. Changes affecting IT DR
are not released without the necessary IT DR plan
updates;
f) ensure that contracts related to the development or supply of IT
systems provide assurances detailing system recovery times
and potential data loss; and provide evidence of IT DR planning
and regular testing;
g) ensure the continuous improvement of IT DR management and
management practices;
i. ensure that the IT DR Framework is ‘fit for purpose’
through testing, exercise, and internal audit
programs;
ii. schedule and conduct regular IT DR tests and
exercises based on an agreed maintenance plan;
iii. ensure that test outcomes reports are completed at
the end of each exercise and detail the actions
completed as well as remedial requirements for
improvement;
iv. ensure that the management and governance that
supports the IT DR Framework are implemented
effectively, maintained, and updated regularly.

6.6. IT Disaster Recovery Plan Testing

Periodic testing of the IT DR procedures shall be performed to determine the
effectiveness of the procedures and organizational readiness to execute the
IT DR Plan. IT DR procedures shall:
a) Be tested following the matrix below:
I. Essential IT Systems: Every two (2) years
II. Mission-Critical IT Systems: Every three (3) years
III. Non-Critical IT Systems: Every five (5) years
b) Tests of the IT DR procedures may include a range of testing
methods from virtual (e.g., tabletop) tests to actual events. The
tests shall be documented and the results shall be used to update
the procedures if necessary. The Information System Owner shall
approve the results of the tests and any resulting actions.
c) Provide for testing of backup and/or recovery media to ensure the
validity of the recovery media and process.

Alternate Site
An alternate site is an integral part of an IT DR plan.

Alternate sites:
a) Should be implemented based on business impact analysis results.
b) Must be geographically separated from the primary storage site to
reduce susceptibility to the same disruptive event.
c) Must be configured to facilitate timely and effective recovery
operations.

6.7. IT Disaster Recovery Training and Awareness

The University must train personnel in their IT DR roles and responsibilities
and must provide periodic refresher training. All participants who are
required to execute the IT Disaster Recovery Plan must participate in
annual IT Disaster Recovery Planning workshops and/or tabletop exercises.

Definitions

a. Recovery Time Objective (RTO) - the time within which an
application or a service must be restored during an IT DR event.
The RTO specifies the time from when a recovery is initiated to
its completion.
b. Recovery Point Objective (RPO) - the maximum tolerable extent
of data loss for an IT application or service because of an IT DR
event.
c. IT Disaster Recovery - the planning, running, and governing of
activities to ensure that the University:
i. identifies and mitigates operational risks that can
lead to IT disruptions before they occur;
ii. prepares for and responds to disruptive events
(natural or otherwise, accidental, or intentional) in a
controlled manner; and
iii. recovers and restores IT systems that support
critical University operations, within pre-defined
timeframes and with known and acceptable data
loss following a disruption.

7. SOFTWARE DEVELOPMENT AND ACQUISITION POLICY

7.1. Introduction

The specific purpose of the Software Development and Acquisition policy
component is to guide the development or acquisition of software and
information systems in UCU, so as to provide effective decision support to
University management, reduce costs and enhance service delivery to
students, staff and other people that UCU serves.

Therefore, the University shall judiciously invest in the development and/or
acquisition of suitable information systems to enable it to better achieve its
strategic and management objectives. To facilitate online teaching and
learning at the University, acquisition and development of software is
necessary to run the various ICT equipment.

7.2. Policy Objective

The specific purpose of this policy component is to further guide UCU with
regard to planning, acquisition and deployment of software and should be
taken together with other relevant UCU policy components such as the
software copyright and value for money considerations.

7.3. Policy Scope

The policy covers all software used to support university functions, whether
developed internally (in house or outsourced) or off-the-shelf software.

7.4. Policy Statements

UIS is directly responsible for maintaining and guiding the implementation
of this policy.
The following statements govern the implementation of this policy:

a) UIS shall periodically define the systems life cycle methodology for:
▪ Systems and software developed in house or purchased
▪ Acquisition of software
▪ Maintenance of software
b) UIS shall test all software prior to installation in a production
environment within the university and ensure provision for:
▪ Roles for different levels of users (usage of the least privilege
principle)
▪ Audit trails

c) Information systems development shall be guided by appropriate
collaboration between the owner department, UIS and external
consultants or vendors.
d) UIS shall where necessary make use of open source software that
meets stringent industry standards and adheres to the risk
assessment as referenced in the Network and Cyber Security Policy
e) All University Units undertaking the development or acquisition of
any software shall ensure compliance to this policy and plan for end
user training
f) All acquired software shall where necessary contain provision for
technical support and upgrades

In general, the principles that will govern UCU software acquisitions
(irrespective of the originator of the acquisition) are:

a) Existence of strong rationale (learning, teaching, research, technical
and administrative) for the acquisition and use of the software.
b) UIS will consult with the user departments in advance about the
software they require for the smooth running of their work.
c) UIS shall make sure that the software is available on university
computers but shall not install software on students’ laptops or
personal computers.
d) Meeting industry standards, compatibility or integration criteria.
e) Meeting an important technical or educational criterion (such as
being web-enabled, Lightweight Directory Access Protocol (LDAP)
compliance, compatibility with common database engines and
availability of some critical device drivers).
f) Value for money from the University’s perspective
g) Software features shall be specified that reflect both technical and
users’ requirements prior to initiating a procurement process.

7.5. Policy Approach

UIS technical staff shall work with user departments during systems’
specification.

8. NETWORK AND CYBERSECURITY POLICY

8.1. Introduction

Network and Cyber security in this context refers to the protection of
university digital infrastructure and information assets against any
compromise or attack that may affect its confidentiality, integrity and/or
availability.

8.2. Policy Objective

To establish conditions for use of, and requirements for appropriate security
for University Computer and Network Resources

8.3. Policy Scope

This policy is effective at all University locations and applies to all system
users at any location, including those using privately owned computers or
systems to access University Computer and Network Resources. This policy
represents the minimum requirements that must be in place. This policy is
not intended to inhibit access to information services that University
employees and students have made accessible for public inquiry (e.g., World
Wide Web, or anonymous ftp). However, use of such services to access or
attempt to access information not intended for public display or use, or to
circumvent or violate the responsibilities of system users or system
administrators as defined in this policy, is prohibited.

8.4. Policy Statements

The following statements govern the implementation of this policy

8.5. General use and ownership policy

Appropriate security shall include, but is not limited to: protection of the
privacy of information, protection of information against unauthorized
modification or disclosure, protection of systems against denial of service,
and protection of systems against unauthorized access.

8.5.1. University Computer and Network Resources may be accessed or
used only by individuals authorized by the University. Issuance of an
account to a system user must be approved by an authorized
University representative. Any question with regard to whether a
specific use is authorized must be referred to UIS.

8.5.2. In order to protect the security and integrity of Computer and
Network Resources against unauthorized or improper use, and to
protect authorized users from the effects of such abuse or negligence,
the University reserves the right, at its sole discretion, to limit,
restrict, or terminate any account or use of Computer and Network
Resources, and to inspect, copy, remove or otherwise alter any data,
file, or system resources which may undermine authorized use.

8.5.3. The University reserves the right to inspect or check the
configuration of Computer and Network Resources for compliance
with this policy, and to take such other actions as in its sole discretion
it deems necessary to protect University Computer and Network
Resources.

8.5.4. The University further reserves the right to enforce these provisions
without prior notice to the user

8.5.5. The University shall not be liable for, and the user assumes the risk
of, inadvertent loss of data or interference with files or processes
resulting from the University's efforts to maintain the privacy,
integrity and security of the University's Computer and Network
Resources.
8.6. Roles

8.6.1. The University ICT Services (UIS) directorate shall;

a) Maintain an updated and tested Business Continuity and Disaster
Recovery Plan for all critical University digital infrastructure and
information assets
b) Maintain an updated ICT risk register
c) Ensure that the appropriate security controls and mechanisms have
been put in place based on a formal periodic risk assessment
d) Implement network filtering to protect the network against malware
related threats
e) Maintain updated and documented secure configurations baselines
for all hardware and software
f) Implement periodic systems and infrastructure audit based on the
Plan, Do, Check, Act (PDCA) cycle
g) Ensure that all software is up to date and develop and implement a
patch management plan
h) Ensure the controlled and audited usage of ICT administrative
privileges
i) Implement monitoring and real time analysis of all ICT network
device event security logs with a centralized mechanism
j) Ensure the limited and controlled use of network ports and controls
k) Ensure the implementation of appropriate Wireless Access Provision
protection mechanisms
l) Coordinate and conduct periodic security awareness trainings
m) Ensure all ICT equipment is installed with the appropriate active
malware protection that is continuously updated
n) Develop and maintain a handover mechanism for ICT equipment
and information during end of staff employment contracts aligned
to the University Human Resource Policy

8.6.2. Users shall:

a) Ensure compliance to the cyber security policy
b) Report any cyber security incident to UIS

8.6.3. Conditions of Use

8.6.4. Unacceptable Use

a) The following activities shall be strictly prohibited, with no
exceptions:
b) Sharing of individual access passphrases
c) Usage of any pirated software on University computing devices
d) Usage of any unauthorized peer to peer software
e) Any user action that violates any person’s or entity’s legally
registered copyright and/or Intellectual Property
f) Any user action that contravenes the Computer Misuse Act (2011)
or the Anti-Pornography Act (2014)
g) Introduction of any malicious software onto any University
computing device or network
h) Any user action that disrupts the normal functioning of any
university computing device or network
i) Violations of the rights of any person or company protected by
Uganda’s copyright, trade mark, patent, or other intellectual
property (IP) law and the University’s Intellectual Property Policy,
other relevant policies, or the University’s code of conduct.
j) Any password cracking, software spying, privilege escalation,
unauthorized network port scanning and network reconnaissance,
network and/or software penetration
k) Usage of university computing devices and/or network to disrupt an
external system or network
l) Usage of university computing devices and/or network to send out
any spam
m) Usage of university computing devices and/or network for any
gambling activity

8.7. Suspension or Termination of Access

The following constitute grounds for terminating user access to university
computing resources:
a) End of student or staff employment tenure
b) Request from University Council, University Management, Heads of
Department and/or University Human Resource Department
c) Violation of any of the unacceptable usage restrictions

8.8. Password Policy

UIS shall define the password length and strength for all user categories from
time to time.
All users shall ensure the privacy of their passwords.
All default system or hardware passwords shall be changed.
The UIS directorate shall implement and maintain a centralized authentication,
authorization, and accounting service mechanism for all network core
equipment to all ICT resources.
All software and applications used by the UIS directorate shall support
password encryption and user role segregation.

9. Policy Enforcement Compliance

9.1. Compliance Measurement


The UIS directorate will verify compliance to all ICT policies through
various methods, including but not limited to, periodic walk-throughs,
video monitoring, business tool reports, internal and external audits,
and feedback to the policy owner.

9.2. Exceptions
Any exception to any ICT policy must be approved by the Director UIS
through a formal request.

9.3. Non-Compliance
Any user found to have violated any ICT policy shall be subject to
disciplinary action as defined in the staff and student codes of conduct

9.4. Statement of Enforcement of Policy

UIS shall in partnership with the Central ICT Committee be responsible
for monitoring the implementation and compliance of these policies
and where necessary shall take appropriate remedial measures.

UIS will ensure the policies’ enforcement and university wide
dissemination as well as awareness sensitization of this policy.

Violations of any policy areas listed herein or what is stipulated in the
staff and student Code of Conduct shall be addressed by the
appropriate University disciplinary mechanism as guided by the Central
ICT Committee.

APPENDIX 1
Terms of Reference for the Central ICT Committee
The UCU Central ICT Committee (CIC) was instituted by the Vice Chancellor and
his Cabinet, and the terms of reference as extracted from cabinet communication
are as specified below.
Guide and oversee the following:
1. ICT Policy Development.
2. ICT Strategy Preparation.
3. Data Systems Acquisition and Integration.
4. Assessment of User needs and guide how they can be addressed to ensure
cohesion.
5. Integration of ICT into teaching, study and administration support.
The committee will be chaired by the DVC for Development and External
Relations and will have the following as members.
1. Director University ICT Services
2. A Representative of the DVC Academics
3. A Representative of The Dean, Faculty of Science and Technology
4. A Representative of The Dean, Faculty of Business and Management
5. Assistant Librarian in charge of ICT
6. Representative of the Academics Central Office
7. Representative of the Director Finance
8. Representative of the SRPGS
9. The University ICT Technical Manager
10. The Head of Department, IT & Computer Science
11. Representative of the Head of Department, Mass Communications
12. Student Guild Representative
13. Representative of Communication & Marketing
14. e-Learning Manager

The directorate of University ICT Services will be the secretariat for CIC.
