ICT Policy for Active Directory (AD)

Implementation and Management

Table of Contents

ICT Policy for Active Directory (AD) Implementation and Management....................................1

1. Introduction..............................................................................................................................................2
1.1 Background..................................................................................................................................... 2
1.2 Purpose of the Policy...................................................................................................................4
1.3 Policy Objectives...........................................................................................................................4
1.4 Scope and Applicability...............................................................................................................5
2. Policy Framework..................................................................................................................................6
2.1 Legal and Regulatory Compliance........................................................................................... 6
2.2 Alignment with County ICT Strategy...................................................................................... 6
2.3 Governance Structure.................................................................................................................7
3. Active Directory (AD) Overview......................................................................................................... 9
3.1 What Active Directory Is.............................................................................................................. 9
3.2 Why Active Directory Is Important...........................................................................................9
3.3 Benefits of AD to the County ICT Environment..................................................................10
3.4 Risks of Not Implementing AD................................................................................................10
4. Policy Statements..................................................................................................................................11
4.1 AD Deployment Principles......................................................................................................... 11
4.2 AD Roles and Responsibilities................................................................................................. 11
4.3 User Account Management......................................................................................................11
4.4 Group Policy Management...................................................................................................... 12
4.5 Authentication and Access Control.......................................................................................12
4.6 Integration with Other Systems.............................................................................................. 12
4.7 Data Protection and Privacy.....................................................................................................13
4.8 Change and Configuration Management............................................................................ 13
4.9 Incident Response and Security.............................................................................................13
5. Implementation Guidelines............................................................................................................... 14
5.1 AD Architecture Design............................................................................................................. 14
5.2 Domain Structure and Naming Conventions...................................................................... 14
5.3 Organizational Unit (OU) Structure........................................................................................ 15
5.4 Role-Based Access Control (RBAC).......................................................................................15
5.5 Password and Authentication Policies................................................................................. 16
5.6 Backup and Disaster Recovery for AD................................................................................. 16
5.7 System Monitoring and Logging.............................................................................................16
6. ICT Policy Controls Beyond AD....................................................................................................... 18
6.1 Hardware and Software Management...................................................................................18
6.2 Network and Infrastructure Security..................................................................................... 18
6.3 Data Management and Storage Standards.........................................................................19
6.4 Email and Communication Policy...........................................................................................19
6.5 ICT Procurement Standards.................................................................................................... 19
 6.6 Acceptable Use of ICT Resources........................................................................................20
6.7 Mobile Device and Remote Access Policy......................................................................... 20
7. Capacity Building and Awareness................................................................................................... 21
7.1 ICT Staff Training.......................................................................................................................... 21
7.2 User Awareness Programs.......................................................................................................21
7.3 Continuous Improvement........................................................................................................ 22
8. Compliance and Audit....................................................................................................................... 23
8.1 Internal Compliance Monitoring............................................................................................. 23
8.2 External Compliance................................................................................................................ 23
8.3 Reporting and Accountability.................................................................................................24
9. Enforcement......................................................................................................................................... 25
9.1 General Enforcement Principles.............................................................................................25
9.2 Levels of Violations...................................................................................................................25
9.3 Enforcement Roles....................................................................................................................26
9.4 Appeals Mechanism................................................................................................................. 26
10. Review and Update...........................................................................................................................27
10.1 Review Cycle.............................................................................................................................. 27
10.2 Responsible Authority.............................................................................................................27
10.3 Policy Update Procedure....................................................................................................... 27
10.4 Version Control.........................................................................................................................28
1. Introduction

1.1 Background

The County Government of Nairobi recognizes the central role that Information and
Communication Technology (ICT) plays in enabling efficient service delivery, improving
transparency, and strengthening accountability in public administration. In the modern digital
era, government services must be delivered in a manner that is reliable, secure, and
accessible to citizens, businesses, and internal stakeholders.

The implementation of ICT systems across county departments has grown rapidly over the
last decade. However, without a centralized management framework, these systems risk
fragmentation, inefficiencies, and security vulnerabilities. To address this challenge, the
County Government has identified Microsoft Active Directory (AD) as the foundational
technology for centralized identity management, authentication, authorization, and policy
enforcement across ICT resources.

This ICT Policy provides a comprehensive framework to guide the implementation,

management, and governance of Active Directory services, while also setting out the broader
standards for ICT usage, data security, and infrastructure management across the Nairobi
County Government.

​
1.2 Purpose of the Policy

The purpose of this policy is to establish a structured, standardized, and secure approach to
ICT governance within the County Government. Specifically, the policy seeks to:

●​ Provide a formal foundation for the design, deployment, and management of Active
Directory (AD) services.​

●​ Ensure that all ICT resources are used in a manner that promotes efficiency, integrity,
confidentiality, and accountability.​

●​ Align county ICT practices with national legislation, international best practices, and
regulatory requirements.​

●​ Provide a reference document for ICT officers, system administrators,

departmental/sector heads, and end-users on the appropriate use of ICT resources.​

1.3 Policy Objectives

The objectives of this ICT policy are to:

1.​ Centralize Identity and Access Management – through the use of Active Directory to
authenticate and authorize all users and devices.​

2.​ Enhance ICT Security – by enforcing password policies, access controls, and audit
mechanisms.​

3.​ Improve Service Delivery – by ensuring ICT systems are standardized, reliable, and
user-friendly.​

4.​ Promote Accountability and Compliance – by aligning ICT practices with county
laws, national ICT standards, and international frameworks such as ISO/IEC 27001.​

5.​ Ensure Business Continuity – by implementing backup, recovery, and redundancy

measures for Active Directory and other critical ICT systems.​

6.​ Build ICT Capacity – by providing continuous training, awareness, and technical
support to ICT staff and system users.​
1.4 Scope and Applicability

This policy applies to:

●​ All county government sectors/departments, agencies, and offices utilizing ICT

systems.​

●​ All employees, interns, contractors, consultants, and third-party service providers

with access to county ICT resources.​

●​ All ICT systems, applications, devices, and networks managed or operated by the
Nairobi County Government.​

●​ The design, deployment, and management of Active Directory and any other
directory or identity management service implemented within the Nairobi County ICT
infrastructure.​

The policy is mandatory and shall be enforced across all departments and agencies of the
Nairobi City County Government. Exceptions shall only be granted upon written approval by
the Chief Officer, ICT, and must be documented with justification.
2. Policy Framework

2.1 Legal and Regulatory Compliance

The Nairobi City County Government’s ICT operations shall comply with all relevant laws,
regulations, and standards governing information security, data protection, and service
delivery. This includes, but is not limited to:

●​ The Constitution of Kenya, 2010 – particularly the provisions on access to

information, data protection, and public service delivery.​

●​ The Data Protection Act, 2019 – ensuring that personal data collected, stored, or
processed within County ICT systems is handled lawfully, securely, and with due
regard to the rights of data subjects.​

●​ The Public Finance Management Act, 2012 – ensuring prudent use of ICT resources
and accountability in ICT-related expenditures.​

●​ The Kenya Information and Communications Act (KICA), 1998 (Revised 2013) –
compliance with standards for ICT service provision and cybersecurity.​

●​ The Computer Misuse and Cybercrimes Act, 2018 – protecting county ICT systems
from unauthorized access, cybercrime, and misuse.​

●​ International Standards such as ISO/IEC 27001 (Information Security Management

Systems) and ITIL (ICT Service Management best practices).​

All ICT initiatives, including the implementation of Active Directory, must align with these laws
and standards. Non-compliance may expose the Nairobi City County Government to legal,
financial, and reputational risks.

2.2 Alignment with County ICT Strategy

The ICT Policy is anchored on the County’s overall ICT Strategy and supports the County’s
development agenda as outlined in the County Integrated Development Plan (CIDP) and
national digital transformation initiatives.

The implementation of Active Directory is aligned to:

●​ Enhancing Service Delivery – through reliable, secure, and centralized ICT systems.​
 ●​ Promoting Good Governance – by ensuring transparency, accountability, and
auditability of ICT processes.​

●​ Driving Efficiency and Cost Savings – by reducing duplication of systems,

consolidating infrastructure, and automating processes.​

●​ Supporting Innovation and Digital Transformation – by creating a secure foundation

for cloud services, e-government applications, and digital citizen services.​

2.3 Governance Structure

To ensure effective implementation and oversight of this policy, the following governance
framework shall apply:

1.​ County Executive Committee Member (CECM) for IDE​

○​ Provides policy direction and ensures alignment with the County’s

development agenda.​

○​ Approves major ICT projects and investments.​

2.​ Chief Officer, ICT​

○​ Acts as the Policy Custodian.​

○​ Responsible for overall ICT governance, enforcement of policy provisions, and

reporting to the CECM.​

○​ Authorizes exceptions to this policy where justified.​

3.​ ICT Directorate (ICT Infrastructure & Smart Nairobi)​

○​ Responsible for the day-to-day implementation and monitoring of ICT systems.​

○​ Oversees the deployment, administration, and maintenance of Active

Directory.​

○​ Develops standard operating procedures (SOPs) to operationalize this policy.​

4.​ Departmental ICT Champions​

 ○​ Serve as focal points in their respective departments for ICT-related matters.​

○​ Liaise with the ICT Directorate to ensure compliance with policy requirements.​

○​ Support user training and awareness initiatives.​

5.​ System Administrators (AD Administrators)​

○​ Manage Active Directory infrastructure and ensure its secure and efficient
operation.​

○​ Enforce user account policies, group policies, and access controls.​

○​ Maintain logs, monitor system health, and conduct regular audits.​

6.​ All ICT Users (Employees, Contractors, and Third Parties)​

○​ Expected to comply with this policy and follow ICT usage guidelines.​

○​ Responsible for safeguarding their login credentials and reporting suspicious

activity.​
3. Active Directory (AD) Overview

3.1 What Active Directory Is

Active Directory (AD) is Microsoft’s directory service that provides a centralized and secure
platform for managing users, computers, applications, and other ICT resources within an
organization. It acts as the backbone of identity management by storing information about
objects in a network and making this information available to administrators and authorized
users.

Key features of Active Directory include:

●​ Authentication and Authorization – validating user credentials and controlling access

to systems.​

●​ Group Policy Management – enforcing security settings, configurations, and user

permissions across devices.​

●​ Centralized Administration – enabling ICT administrators to manage users, devices,

and applications from a single point of control.​

●​ Scalability and Integration – supporting growth and integration with third-party

applications, cloud services, and enterprise systems.​

3.2 Why Active Directory Is Important

For the Nairobi City County Government, Active Directory is critical for the following reasons:

1.​ Security: Provides centralized control over user authentication, password policies, and
access permissions.​

2.​ Efficiency: Reduces ICT administration overhead by allowing automation of user and
device management.​

3.​ Standardization: Ensures consistent application of security and operational policies

across all departments.​

4.​ Transparency and Accountability: Facilitates logging and auditing of user activities,
supporting compliance with data protection and anti-corruption frameworks.​

5.​ Support for Digital Transformation: Provides the foundation for advanced systems
such as e-government portals, document management systems, and cloud-based
 services.​

3.3 Benefits of AD to the Nairobi City County ICT Environment

●​ Single Sign-On (SSO): Users log in once and access multiple systems without
repeatedly entering credentials.​

●​ Centralized User Management: Easy onboarding and offboarding of employees,

interns, or contractors.​

●​ Role-Based Access Control (RBAC): Ensures staff only access resources necessary
for their duties.​

●​ Policy Enforcement: Group Policies allow uniform application of security rules, such as
password complexity and device restrictions.​

●​ Scalability: Can grow with the County’s ICT needs without major reconfigurations.​

●​ Interoperability: Integrates with Microsoft 365, cloud services, ERP systems, HR

systems, and other enterprise applications.​

3.4 Risks of Not Implementing AD

Failure to implement and enforce Active Directory within the County ICT infrastructure
exposes the government to several risks, including:

●​ Fragmented ICT Environment: Each department may maintain its own systems
without central oversight, leading to inefficiency.​

●​ Weak Security: Lack of centralized authentication increases the risk of password

sharing, weak passwords, and unauthorized access.​

●​ Data Breaches: Sensitive information may be accessed, altered, or stolen due to

inconsistent security policies.​

●​ High Administrative Overhead: ICT staff may waste significant time manually
managing users and systems.​

●​ Compliance Failures: Inability to meet legal and audit requirements, potentially

leading to sanctions or reputational damage.​

●​ Service Disruptions: Lack of standardized ICT infrastructure can result in frequent

outages and longer recovery times.
4. Policy Statements
The following policy statements shall govern the deployment, management, and use of Active
Directory (AD) services in the Nairobi City County Government.

4.1 AD Deployment Principles

●​ Active Directory shall be implemented as the official identity and access

management system for the County Government.​

●​ Deployment shall follow international best practices (e.g., Microsoft AD design

standards, ISO/IEC 27001, ITIL).​

●​ AD infrastructure shall be redundant, scalable, and secure to support business

continuity.​

●​ All county ICT resources, including servers, workstations, mobile devices, and cloud
services, shall be progressively integrated into the AD environment.​

4.2 AD Roles and Responsibilities

●​ AD Administrators shall be appointed by the Chief Officer, ICT, and granted

administrative rights according to their job functions.​

●​ Role-Based Access Control (RBAC) shall be enforced, ensuring administrators have

the minimum level of access required.​

●​ Delegated administration (e.g., departmental ICT officers managing users within their
department) shall be controlled and regularly audited.​

4.3 User Account Management

●​ Each employee, intern, contractor, or third-party service provider shall be issued a

unique AD account.​

●​ Generic/shared accounts are strictly prohibited, except where approved in writing by

the Chief Officer, ICT (e.g., for system services).​

●​ User accounts shall be created and disabled based on HR workflows (appointment,

transfer, termination).​
 ●​ Inactive accounts shall be automatically disabled after 30 days and deleted after 90
days unless otherwise justified.​

4.4 Group Policy Management

●​ Group Policies shall be used to enforce security settings, application restrictions,

and device configurations across all AD-joined systems.​

●​ All Group Policies shall be tested in a staging environment before deployment to

production.​

●​ A standard baseline policy shall be applied to all systems to ensure consistent

security posture.​

4.5 Authentication and Access Control

●​ Strong password policies shall be enforced, including:​

○​ Minimum length: 12 characters​

○​ Complexity: Mix of upper/lower case letters, numbers, and symbols​

○​ Password expiry: 90 days​

○​ Account lockout after 5 failed attempts​

●​ Multi-Factor Authentication (MFA) shall be enabled for privileged accounts and

remote access.​

●​ Access to ICT resources shall be role-based and granted strictly on a need-to-use

basis.​

4.6 Integration with Other Systems

●​ AD shall serve as the primary authentication source for enterprise systems (e.g.,
email, ERP, HR, document management, cloud services).​

●​ System integrations shall use secure protocols such as LDAPS, SAML, or OAuth.​

●​ Third-party applications must be vetted for compatibility and security before

integration.​
4.7 Data Protection and Privacy

●​ AD user attributes containing personal data (e.g., name, email, job title) shall be
managed in compliance with the Data Protection Act, 2019.​

●​ Access to personally identifiable information (PII) shall be logged and monitored.​

●​ Data minimization principles shall apply — only relevant data shall be stored in AD.​

4.8 Change and Configuration Management

●​ Any changes to AD (e.g., schema extensions, domain controllers, group policies) shall
follow a formal Change Management Process.​

●​ All changes shall be logged, tested, and approved by the ICT Directorate before
implementation.​

●​ Unauthorized modifications to AD infrastructure are prohibited and will be subject to

disciplinary action.​

4.9 Incident Response and Security

●​ AD logs shall be collected, stored, and reviewed regularly for suspicious activities.​

●​ Any compromise of AD (e.g., suspected breach, privilege escalation) shall trigger the
County ICT Incident Response Plan.​

●​ Affected accounts shall be immediately disabled pending investigation.​

●​ System backups shall be maintained to ensure rapid restoration in the event of a

security incident.
5. Implementation Guidelines
The Nairobi City County Government shall adopt the following guidelines to ensure the
secure, reliable, and efficient implementation of Active Directory (AD). These guidelines shall
serve as standard operating procedures (SOPs) for system administrators and ICT officers.

5.1 AD Architecture Design

●​ AD shall be deployed in a multi-domain controller environment to ensure

redundancy and fault tolerance.​

●​ Domain Controllers (DCs) shall be hosted in physically secure server rooms with
access restricted to authorized ICT personnel.​

●​ DCs shall be configured with uninterruptible power supply (UPS), backup power, and
redundant networking.​

●​ Virtualized DCs shall be supported but must follow hypervisor hardening guidelines.​

●​ Forest and domain functional levels shall be set to the latest stable version supported
by the County’s ICT infrastructure.​

5.2 Domain Structure and Naming Conventions

●​ The AD forest shall be named using a standardized naming convention, e.g.:​

○​ Forest Root Domain: nairobi.go.ke​

○​ Child Domain (optional): subcounty.nairobi.go.ke​

●​ Domain names shall reflect the County’s official ICT identity and align with DNS
standards.​

●​ Service accounts, computers, and user accounts shall follow clear and consistent
naming conventions. Examples:​

○​ Users: firstnameletterlastname (e.g., jmwangi)​

○​ Service accounts: svc_[systemname] (e.g., svc_payroll)​

 ○​ Computers: dept-deviceID (e.g., finance-PC001)​

5.3 Organizational Unit (OU) Structure

●​ OUs shall be structured based on departmental/sectoral and functional needs.

Suggested hierarchy:​

○​ County Headquarters​

■​ Finance Department​

■​ Health Department​

■​ Education Department​

■​ ICT Department​

■​ Sub-County Offices​

●​ Group Policies shall be applied at the OU level to enforce departmental/sectoral

policies.​

●​ OU design must ensure separation of administrative duties to prevent excessive

privileges.​

5.4 Role-Based Access Control (RBAC)

●​ Permissions shall be granted based on job roles rather than individual users.​

●​ Privileged accounts (e.g., Domain Admins, Enterprise Admins) shall be strictly limited
and regularly audited.​

●​ A “least privilege” principle shall apply — users shall only have the minimum
permissions necessary.​

●​ Temporary elevated privileges shall be managed through a Just-In-Time (JIT) process

with automatic expiry.​
5.5 Password and Authentication Policies

●​ Enforce strong password complexity (see Section 4.5).​

●​ Administrative accounts shall have separate, stronger passwords than standard user
accounts.​

●​ Multi-Factor Authentication (MFA) shall be enabled for:​

○​ Domain administrators​

○​ Remote access users​

○​ Cloud-based applications integrated with AD​

●​ Service accounts shall use managed passwords or certificates where possible.​

5.6 Backup and Disaster Recovery for AD

●​ Full system state backups of Domain Controllers shall be taken daily.​

●​ Backups shall be stored in at least two secure locations (onsite and offsite/cloud).​

●​ Backup integrity shall be tested quarterly to ensure recoverability.​

●​ A documented Disaster Recovery (DR) Plan shall define recovery objectives (RPO,
RTO) for AD services.​

●​ In case of catastrophic failure, authoritative restore procedures shall be followed to

ensure data integrity.​

5.7 System Monitoring and Logging

●​ AD logs shall be collected centrally using a Security Information and Event

Management (SIEM) tool.​

●​ Logs shall include user logins, failed login attempts, privilege escalations, and policy
changes.​
●​ Automated alerts shall notify ICT administrators of unusual activity (e.g., multiple failed
logins, new administrator creation).​

●​ Regular audits and penetration testing shall be conducted to evaluate the resilience
of AD.​

●​ A monthly health check shall be performed to verify replication, DNS resolution, and
system performance.​
6. ICT Policy Controls Beyond AD
The Nairobi City County Government recognizes that Active Directory is only one component
of a wider ICT ecosystem. To ensure a secure, efficient, and sustainable ICT environment, the
following general ICT controls shall apply.

6.1 Hardware and Software Management

●​ All ICT hardware (servers, desktops, laptops, mobile devices, printers, networking
equipment) must be procured, configured, and maintained in line with ICT
Directorate standards.​

●​ Only licensed and approved software shall be installed on county devices. Use of
pirated, unlicensed, or unauthorized software is prohibited.​

●​ An ICT asset register shall be maintained to track ownership, location, and lifecycle of
all ICT equipment.​

●​ Hardware and software shall undergo regular maintenance, patching, and upgrades
to ensure reliability and security.​

6.2 Network and Infrastructure Security

●​ All County networks shall be secured using firewalls, intrusion detection/prevention

systems (IDS/IPS), and antivirus solutions.​

●​ County ICT systems shall be segmented into secure network zones (e.g., internal
network, DMZ, public services).​

●​ Wireless networks shall use WPA3 encryption or the strongest available standard.​

●​ Remote access to the County’s internal network shall only be allowed through VPN
with MFA.​

●​ Regular vulnerability assessments and penetration tests shall be conducted to

identify and remediate risks.​
6.3 Data Management and Storage Standards

●​ All county data shall be classified into categories (e.g., Public, Internal, Confidential,
Restricted).​

●​ Sensitive and confidential data must be encrypted at rest and in transit.​

●​ County information systems shall include backup and recovery procedures aligned
with business continuity requirements.​

●​ Cloud storage solutions must comply with Kenya Data Protection Act, 2019 and
county ICT security requirements.​

●​ Data retention schedules shall be defined in line with legal and operational needs.​

6.4 Email and Communication Policy

●​ The official county email system shall be used for all work-related communications.​

●​ Personal email accounts (e.g., Gmail, Yahoo) shall not be used for official government
business.​

●​ Email attachments and links shall be scanned for malware and phishing threats.​

●​ Use of offensive, discriminatory, or inappropriate language in official communications

is strictly prohibited.​

●​ All electronic communications are subject to monitoring and audit in accordance with
applicable laws.​

6.5 ICT Procurement Standards

●​ All ICT procurement shall follow the Public Procurement and Asset Disposal Act,
2015 and County procurement procedures.​

●​ ICT Directorate must be involved in all ICT-related purchases to ensure compatibility

and standardization.​
 ●​ Procurement decisions shall consider total cost of ownership (TCO), including
licensing, maintenance, training, and support.​

●​ Preference shall be given to solutions that comply with open standards and ensure
vendor neutrality.​

6.6 Acceptable Use of ICT Resources

●​ ICT resources shall only be used for official county government purposes.​

●​ Users are prohibited from:​

○​ Accessing unauthorized systems or data.​

○​ Installing unauthorized applications or devices.​

○​ Downloading or distributing pirated content.​

○​ Using ICT systems for personal gain, harassment, or illegal activities.​

●​ Limited personal use of ICT systems is permitted only if it does not interfere with
official duties, consume excessive resources, or violate security standards.​

6.7 Mobile Device and Remote Access Policy

●​ All mobile devices accessing County systems must be enrolled in a Mobile Device
Management (MDM) solution.​

●​ Devices shall have mandatory security controls including PIN/biometric lock,

encryption, and remote wipe capability.​

●​ Lost or stolen devices must be reported immediately to the ICT Directorate.​

●​ Remote access to county ICT systems shall require VPN + MFA and be limited to
authorized users.​

●​ Personal devices (BYOD – Bring Your Own Device) may only access county systems
with explicit approval and must comply with security standards.
7. Capacity Building and Awareness
The success of ICT systems, including Active Directory (AD), depends not only on the
technology itself but also on the skills, awareness, and behavior of the people who use and
manage it. The Nairobi City County Government shall invest in continuous training, awareness
programs, and capacity-building initiatives to strengthen ICT resilience.

7.1 ICT Staff Training

●​ ICT Directorate staff, including system administrators and support officers, shall
undergo regular technical training on:​

○​ Active Directory administration and security.​

○​ Network and server management.​

○​ Cybersecurity and incident response.​

○​ Cloud integration and emerging technologies.​

●​ Specialized training and certification (e.g., Microsoft Certified: Identity and Access
Administrator, CISSP, ITIL) shall be encouraged to build technical expertise.​

●​ Training budgets shall be allocated annually to ensure ICT staff remain up-to-date with
technological advances and industry best practices.​

7.2 User Awareness Programs

●​ All employees shall undergo mandatory ICT induction training upon joining the
County Government. This training will cover:​

○​ Proper use of AD accounts, passwords, and MFA.​

○​ Acceptable use of ICT resources.​

○​ Email and internet security (phishing, malware awareness).​

○​ Data protection and confidentiality obligations.​

 ●​ Regular awareness campaigns (e.g., quarterly newsletters, workshops, posters) shall
reinforce ICT security culture.​

●​ Simulation exercises (e.g., phishing attack drills) shall be conducted to test user
readiness and response.​

7.3 Continuous Improvement

●​ ICT Directorate shall establish a Knowledge Management System (KMS) to capture

lessons learned, standard operating procedures (SOPs), and best practices.​

●​ Periodic policy review workshops shall be conducted to gather feedback from users
and ICT champions in departments.​

●​ The County shall participate in national ICT forums, workshops, and benchmarking
programs to stay aligned with evolving trends.​

●​ Performance indicators (e.g., number of ICT incidents, average system uptime, training
participation rates) shall be tracked to measure the effectiveness of capacity-building
programs.
8. Compliance and Audit
Effective ICT governance requires strong compliance and audit mechanisms to ensure that
policies are followed, risks are identified, and corrective actions are taken promptly. The
Nairobi City County Government shall establish a compliance and audit framework covering
both technical systems (such as Active Directory) and user behavior.

8.1 Internal Compliance Monitoring

●​ The ICT Directorate shall conduct continuous monitoring of AD and other ICT
systems using:​

○​ Automated monitoring tools (e.g., SIEM solutions).​

○​ Periodic reviews of logs, system configurations, and user activities.​

●​ Compliance with ICT policies (e.g., password policy, acceptable use, access control)
shall be monitored regularly.​

●​ Quarterly internal compliance reviews shall be conducted, and reports submitted to

the Chief Officer, ICT.​

8.2 External Compliance

●​ The Nairobi City County Government shall comply with audits conducted by:​

○​ Auditor-General (financial and systems audits).​

○​ National Information Security bodies (e.g., Communications Authority of

Kenya, NIS, ICT Authority).​

○​ Other regulators as mandated by law (e.g., Data Commissioner).​

●​ Independent third-party security assessments and penetration tests shall be carried

out at least once every two years to validate system resilience.​
8.3 Reporting and Accountability

●​ A Compliance Register shall be maintained to track identified issues, corrective

actions, and timelines.​

●​ All policy violations, security incidents, or breaches shall be formally documented and
escalated according to the County’s Incident Response Plan.​

●​ Departmental heads shall be accountable for ensuring that their staff comply with ICT
policies.​

●​ Annual ICT compliance reports shall be presented to the County Executive Committee
and included in performance audits.
9. Enforcement
The effectiveness of this ICT Policy depends on consistent enforcement. Clear rules,
accountability, and consequences shall ensure that all users adhere to the policy and that
violations are dealt with fairly and decisively.

9.1 General Enforcement Principles

●​ All County employees, contractors, and third-party service providers are obligated to
comply with the ICT Policy and related procedures.​

●​ Enforcement shall be guided by the principles of:​

○​ Fairness: All users are treated equally.​

○​ Transparency: Disciplinary processes are documented and communicated.​

○​ Proportionality: Sanctions match the severity of the violation.​

○​ Accountability: Offenders are held responsible for their actions.​

9.2 Levels of Violations

Violations of the ICT Policy shall be categorized as follows:

1.​ Minor Violations​

○​ Examples: Forgetting to log off, weak password practices, unauthorized

software installation.​

○​ Action: User training, written warning, or temporary account restrictions.​

2.​ Moderate Violations​

○​ Examples: Sharing login credentials, repeated minor violations, accessing

unauthorized systems.​

○​ Action: Formal disciplinary action, suspension of ICT access, or reporting to

HR.​
 3.​ Severe Violations​

○​ Examples: Data theft, intentional system sabotage, cybercrime, gross

negligence leading to data breaches.​

○​ Action: Dismissal, legal prosecution, reporting to law enforcement and

regulators.​

9.3 Enforcement Roles

●​ ICT Directorate: Detects, investigates, and recommends disciplinary measures for ICT
violations.​

●​ Human Resource (HR): Ensures disciplinary processes are consistent with County HR
policies.​

●​ Departmental/Sectoral Heads: Responsible for first-level enforcement within their

departments.​

●​ Legal and Compliance Units: Provide guidance on regulatory compliance and

potential legal implications.​

9.4 Appeals Mechanism

●​ Users subjected to disciplinary measures shall have the right to appeal through HR
and the County Public Service Board.​

●​ Appeals shall be resolved within 30 days of filing.​

●​ The appeals process ensures fairness while maintaining ICT system security and
policy compliance.
10. Review and Update
The Nairobi City County Government recognizes that ICT systems and cybersecurity risks
evolve rapidly. Therefore, the ICT Policy shall not remain static but shall be regularly reviewed,
updated, and improved to ensure continuous alignment with best practices, laws, and County
needs.

10.1 Review Cycle

●​ The ICT Policy shall be formally reviewed every two (2) years.​

●​ Interim reviews may be conducted earlier in response to:​

○​ Changes in national ICT laws, regulations, or standards.​

○​ Significant technological developments (e.g., cloud adoption, AI, big data).​

○​ Major ICT incidents, breaches, or audit findings.​

10.2 Responsible Authority

●​ The ICT Directorate shall lead the review process in consultation with:​

○​ County Human Resource Directorate.​

○​ County Legal Department.​

○​ Departmental ICT Champions.​

○​ External regulators (e.g., ICT Authority, Office of the Data Commissioner).​

●​ The Chief Officer – ICT shall present proposed revisions to the County Executive
Committee (CEC) for approval.​
10.3 Policy Update Procedure

1.​ Assessment: ICT Directorate conducts gap analysis against current risks, technology,
and standards.​

2.​ Consultation: Feedback is collected from departments, staff, and stakeholders.​

3.​ Drafting: Updates are incorporated into the policy document.​

4.​ Validation: Draft is reviewed by legal, compliance, and audit teams.​

5.​ Approval: Revised policy is approved by the CEC.​

6.​ Communication: Updates are communicated to all staff through official circulars,
workshops, and awareness sessions.​

10.4 Version Control

●​ Each policy revision shall be clearly documented with:​

○​ Version number.​

○​ Date of approval.​

○​ Summary of changes made.​

○​ Approval authority.​

●​ Previous versions shall be archived for audit and reference purposes.