Acceptable Use Policy (AUP)

Content

1. Introduction

2. Scope and AUP Statement

3. Compliance

4. Rights to Audit and Monitor

5. MOHT-Owned ICT Assets and MOHT-Issued Accounts

6. Handling of MOHT Data

7. Sensitive Document Handling

8. Use of MOHT Emails

9. Using the Internet (including MOHT Internal Networks)

10. Incident Reporting

11. Cessation or Termination of Employment/ Change of Role

12. Disclaimer

13. Changes to AUP and MOHT COPs

14. APPENDIX A: Document Version History

15. APPENDIX B: Authorised Cloud IT Services Utilised For MOHT Work

1. Introduction 

1.1 The objective of this Acceptable Use Policy (AUP) is to govern the appropriate usage of MOHT’s Information and Communication Technology (ICT) systems, devices, or technologies. Users of MOHT’s IT resources have a responsibility to ensure the appropriate use of these IT resources and the safe protection of MOHT’s data.

1.2 This AUP takes reference from and is to be read with all other prevailing MOHT Corporate Operating Policies (MOHT COPs) including but not limited to:

  • IT Systems and Cybersecurity Manual (For User)
  • MOHT-ADM-002-Computer Issuance and Maintenance
  • MOHT-ADM-003-Information Security
  • ICT Security Policy (HIM-ISP)
  • Code of Conduct Handbook

Please refer to References for details.

2. Scope and AUP Statement

2.1 This AUP sets forth the general parameters for the appropriate use of MOHT’s IT resources. Users should consult the respective MOHT COPs for detailed policies on permitted use and the extent of use MOHT considers appropriate.

2.2 This AUP applies to all staff who are:
     a. users of MOHT-owned ICT assets (for the avoidance of doubt, including but not limited to MOHT’s internet computers, smartphones or other mobile devices, VPN tokens, and portable storage media),
     b. users of MOHT-issued accounts (including but not limited to logins to the MOHT Corporate Network, Microsoft Outlook, and technology resources administered by individual departments as well as centrally, such as Apple Developer, Google Developer, Zoom),
     c. provided with or have access to MOHT Data.

2.3 All capitalised terms used in this AUP shall have the meanings ascribed to them in the respective MOHT COPs. The definitions used in this AUP are set out below for ease of reference.

– “ED”, as defined in Clause 1.2.1 of Systems and Cybersecurity Manual for User, means MOHT’s Executive Director.
– “COO”, as defined in Clause 1.2.2 of Systems and Cybersecurity Manual for User, means MOHT’s Chief Operating Officer.
– “CTS”, as defined in Clause 1.2.2 of Systems and Cybersecurity Manual for User, means MOHT’s Chief Technology Strategist.
– “SA”, as defined in Clause 1.2.5 of Systems and Cybersecurity Manual for User, means MOHT Corporate IT’s System Administration unit.
– “staff”, as defined in Clause 1.2.11 of IT Systems and Cybersecurity Manual (for User), means every individual conducting or engaged in MOHT business, including but not limited to employees, fellows, seconded staff, agency-employed staff, volunteers, interns, agency workers and anyone who has access to MOHT’s IT and communication systems.
– “ICT assets”, as defined in Clause M10.1.1-R of HIM-ISP Ver 1.1, includes “hardware, software (including operating system), storage equipment, network equipment and network-attached equipment such as printers.”
– “Internet Computers”, as defined in Clause 3.1(i) of MOHT-ADM-002 – Computer Issuance and Maintenance, means computers with internet access.
– MOHT Data referred to in this AUP means all work-related information, including but not limited to the following:
– “MOHT Data”, as defined in Clause 1.2.6 of IT Systems and Cybersecurity Manual (for User), means Sensitive Information and/or Personal Identifiable Information and/or Sensitive Health Information.
– “Sensitive Information”, as defined in Clause 1.2.8 of IT Systems and Cybersecurity Manual (for User), means any privileged or proprietary information which, if compromised through alteration, corruption, loss, misuse, or unauthorised disclosure, could risk financial or reputational damage to MOHT, Ministry of Health (MOH) and/or MOHT’s partners. Note: Sensitive Information includes non-public information, matters and materials of MOHT (including its subsidiaries or affiliates), including but not limited to all trade secrets, data, applications for trademarks and/or patents where such application(s) are not yet public information, copyrighted materials, discoveries, concepts, ideas, prototypes, software, systems in various stages of development, designs, drawings, specifications, techniques, methodologies, algorithms, inventions, research, schematics, procedures, know-how, plans, strategies, forecasts, price lists, pricing policies, budgets, business and financial plans/information, technology and processes, product development, product specifications and formulations, operational methods, business and marketing plans and policy or strategy, and other proprietary information of MOHT, and includes all information relating to transactions and proposed transactions, the business and affairs, customers, staff, patients and suppliers of MOHT, which are made available or provided to or are accessible by staff in the course of performing staff’s duties. It does not include information which, at the time of such acquisition by staff, is in or which subsequently comes into the public domain otherwise than as a consequence of any default, breach of duty or wrongdoing by staff.
– “Personal Identifiable Information”, as defined in Clause 1.2.9 of IT Systems and Cybersecurity Manual (for User), means information, whether true or not, that can be used on its own or with other information to identify, distinguish or trace an individual’s identity, such as full name, NRIC/FIN/Passport number, mobile telephone number, personal email address, and demographic information. Personal information also includes data collected on patients (e.g. medical history, test and laboratory results), customers, and employees.
– “Sensitive Health Information”, as defined in Clause 1.2.10 of IT Systems and Cybersecurity Manual (for User), refers to information that is associated with disclosure risks such as the possibility of discrimination or social stigma. Examples of SHI are medical records, discharge summaries, diagnoses, and lab test results that contain the following information:
    a. HIV infection, sexually transmitted disease, sexual assault, homosexuality, sterilisation, etc.;
    b. Termination of pregnancy;
    c. Mental disorders;
    d. Abuse of drugs and alcoholism;
    e. Child abuse.
– “Confidential information”, as defined in Clause 5.2 of MOHT-ADM-003 – Information Security, means any information that, if shared with unauthorised entities, can risk financial or reputational damage to MOHT, Ministry of Health (MOH) and/or MOHT’s partners.
– “Personal information”, as defined in Clause 5.3 of MOHT-ADM-003 – Information Security, means information wherein the identity of an individual is apparent, or can be reasonably ascertained.

3. Compliance

3.1 All staff are to ensure that the use of MOHT-owned ICT assets, MOHT-issued accounts, and/or MOHT Data does not violate:
     a. the laws of the Republic of Singapore (including but not limited to the Computer Misuse Act, Cybersecurity Act and Personal Data Protection Act), and
     b. prevailing MOHT COPs or any other relevant policies, standards, and procedures.

3.2 In the event of any breach of this AUP, the staff concerned will be subject to potential liability and disciplinary action in accordance with MOHT disciplinary policy(s).

3.3 Apart from taking action under MOHT disciplinary policy(s), MOHT also reserves the right to:
     a. report such breach to the relevant authorities; and/or
     b. file civil suits against the staff concerned to seek compensation for any damage or loss suffered by MOHT arising from the staff’s breach of this AUP.

4. Rights to Audit and Monitor

4.1 MOHT reserves the right to audit and actively monitor all activities related to the use of MOHT’s IT resources and MOHT Data, to ensure the proper and secure use of MOHT’s IT resources and MOHT Data. Staff will be asked to account for any unauthorised activity.

5. MOHT-Owned ICT Assets and MOHT-Issued Accounts

5.1 Staff must only use MOHT-issued accounts in work-related communications and purposes by default. Where allowable, MOHT-owned ICT assets should be used. Staff should also avoid utilising assets or accounts that are not MOHT-issued for work related communications and purposes, unless necessary given the circumstances (e.g. communicating passwords out of band). Clause 5.1 of this AUP is to be read in concurrence with Clause 6.2 of this AUP.

5.2 All MOHT-owned ICT assets and MOHT-issued accounts (including all contents therein) shall at all times remain the property of MOHT.

5.3 Staff is responsible for the security of all MOHT-owned ICT assets and MOHT-issued accounts, allocated to or used by staff, and must not allow it to be used by anyone other than in accordance with the MOHT COPs.

5.4 Staff is responsible for the security of any MOHT-issued accounts. Staff should log off the MOHT-issued account when leaving it unattended or on leaving the office, to prevent unauthorised users accessing the system in staff’s absence.

5.5 For staff assigned privileged access rights to MOHT-owned ICT assets or MOHT-issued accounts, the privileged access right must be assigned to a user ID different from those used for regular business activities (e.g. email correspondence, document development). Regular business activities must not be carried out using the privileged account, so as to protect the privileged account from unauthorised access.

5.6 Staff must use passwords on all MOHT-owned ICT assets and MOHT-issued accounts, particularly for assets or accounts that staff takes out of or uses outside of the office. Staff must not use another person’s username and password or make available or allow anyone else to log on using staff’s username and password unless authorised in writing by COO. On the termination of a staff’s service at MOHT, staff must provide details of staff’s passwords for MOHT-owned assets and MOHT-issued accounts to SA and return any MOHT-owned assets, key fobs, cards or accounts.

5.7 Staff must ensure that all MOHT-owned ICT assets are kept secure at all times, especially when travelling. Password must be used to secure access to MOHT Data kept on such ICT assets to ensure that MOHT Data is protected in the event of loss or theft. Staff should also be aware that when using MOHT-owned assets away from the workplace, document may be read by third parties, for example, passengers on public transport.

5.8 Staff must not leave MOHT-owned ICT assets unattended (including any devices issued by MOHT and its related entities for work-related purposes), especially in public places. Staff may be liable to pay for lost or stolen ICT assets.

5.9 Staff must use non-obvious and strong passwords (including personal identification numbers – PINs) and keep them confidential. All passwords shall comply with the following:
a. be at least 15 characters long for privileged accounts, and at least 12 characters for non-privileged accounts (except for portable storage devices), and contain characters from at least 2 of the following 4 categories:
    i. Upper Case: A through Z;
    ii. Lower Case: a through z;
    iii. Digits (0-9);
    iv. Special Characters (!,$,#,%, etc.).
b. For ICT systems that cannot support a password length of at least 12 characters, staff shall ensure passwords:
    i. are made up of at least 8 characters;
    ii. contain characters from at least 2 of the following 4 categories:
        a) upper case: A through Z;
        b) lower case: a through z;
        c) digits (0-9);
        d) special characters (!,$,#,%, etc.); and
    iii. are changed once every 90 days.
c. not match any of your past 6 passwords;
d. not contain characters which match your username;
e. be changed once every 12 months;
f. PIN or passcode accounts:
    i. must be at least 4 characters long;
    ii. should contain one character from each of the following groups of characters (if the system supports this):
        – Number (0-9)
        – Symbols (!,@,#,$,%,^,&,*…)
    iii. cannot match any of your past 6 PINs or passcodes;
    iv. must be changed once every 12 months.
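The Clause 5.9 rules above are the kind of requirement an identity team typically enforces at the point where a password is set. The following Python checker is an added illustration written for this page; it is not MOHT code and does not reflect how any MOHT system enforces the policy. It assumes (as an interpretation of 5.9(d)) that "contain characters which match your username" means the username must not appear inside the password, and it keeps password history as SHA-256 digests purely as a stand-in for whatever password hash the real system stores. All sample usernames and passwords below are constructed for the example.

```python
"""Checker for the Clause 5.9 password and PIN rules (added illustration, not MOHT code)."""
import hashlib
import re
from datetime import date

# The four character categories named in Clause 5.9(a) and 5.9(b)(ii).
CATEGORIES = {
    "upper case": re.compile(r"[A-Z]"),
    "lower case": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "special character": re.compile(r"[^A-Za-z0-9]"),
}
HISTORY_DEPTH = 6          # 5.9(c) and 5.9(f)(iii): the past 6 passwords / PINs
MAX_AGE_DAYS = 365         # 5.9(e) and 5.9(f)(iv): changed once every 12 months
LEGACY_MAX_AGE_DAYS = 90   # 5.9(b)(iii): systems limited to short passwords, every 90 days


def fingerprint(secret: str) -> str:
    """Digest used to compare against history without keeping old secrets in the clear.

    Assumption: a stand-in for the system's own password hash, not a recommendation
    to store passwords as plain SHA-256.
    """
    return hashlib.sha256(secret.encode("utf-8")).hexdigest()


def categories_present(secret: str) -> int:
    """Number of the four Clause 5.9 character categories found in the secret."""
    return sum(1 for rx in CATEGORIES.values() if rx.search(secret))


def minimum_length(privileged: bool, legacy_system: bool) -> int:
    """Clause 5.9(a) lengths, or the 5.9(b) fallback for systems that cannot take 12."""
    if legacy_system:
        return 8
    return 15 if privileged else 12


def check_password(password, username, history=(), privileged=False, legacy_system=False):
    """Return the Clause 5.9 rules the candidate password breaks (empty list = compliant).

    `history` holds fingerprints of earlier passwords, oldest first.
    """
    problems = []
    need = minimum_length(privileged, legacy_system)
    if len(password) < need:
        problems.append(f"shorter than {need} characters")
    if categories_present(password) < 2:
        problems.append("fewer than 2 of the 4 character categories")
    # Interpretation of 5.9(d): the username must not appear inside the password.
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    if fingerprint(password) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the past {HISTORY_DEPTH} passwords")
    return problems


def check_pin(pin, history=(), supports_symbols=True):
    """Return the Clause 5.9(f) rules the candidate PIN or passcode breaks."""
    problems = []
    if len(pin) < 4:
        problems.append("shorter than 4 characters")
    if not re.search(r"[0-9]", pin):
        problems.append("contains no number")
    # The symbol requirement applies only where the system supports symbols.
    if supports_symbols and not re.search(r"[^A-Za-z0-9]", pin):
        problems.append("contains no symbol")
    if fingerprint(pin) in list(history)[-HISTORY_DEPTH:]:
        problems.append(f"matches one of the past {HISTORY_DEPTH} PINs")
    return problems


def rotation_overdue(last_changed: date, today: date, legacy_system=False) -> bool:
    """True when the secret is older than the rotation period Clause 5.9 allows."""
    limit = LEGACY_MAX_AGE_DAYS if legacy_system else MAX_AGE_DAYS
    return (today - last_changed).days > limit


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    previous = [fingerprint("OldPassw0rd!!")]
    print(check_password("Tr0ub4dor&3xample", "alice"))                    # []
    print(check_password("alice2024", "alice"))                            # too short, contains username
    print(check_password("OldPassw0rd!!", "carol", history=previous))      # reused
    print(check_pin("12", supports_symbols=True))                          # too short, no symbol
    print(rotation_overdue(date(2022, 1, 1), date(2022, 12, 31), legacy_system=True))  # True
```

The separate `legacy_system` flag keeps the 5.9(b) relaxation explicit: a system that is allowed an 8-character minimum also inherits the 90-day rotation, so the two settings should never be configured independently.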

5.10 Staff must change passwords regularly and comply with the password complexity requirements in accordance with the prevailing requirements outlined in Clause 5.8 of this AUP, and not share the passwords with anyone, including other staff and family members. 

5.11 Staff must not delete, destroy or modify existing systems, programs, information or data (except as authorised in the proper performance of staff’s duties). 

5.12 Staff must ensure that all MOHT-owned ICT assets such as removable media (thumb drives, CDs, DVDs, backup tapes) containing MOHT Data are encrypted and password protected. Encrypted thumb drives and external hard disks are non-transferable between staff. Where no longer required, staff are to return them to SA.

6.    Handling of MOHT Data

6.1 Staff must not store or copy onto any personal devices or removable media any MOHT Data that staff comes into contact with or deals with in the course of performing their duties. Any MOHT Data that staff comes into contact with or deals with in the course of performing their duties must only be stored or kept on MOHT-owned ICT assets or MOHT-issued accounts.

6.2 Staff must comply with this AUP and/or MOHT COPs when accessing MOHT IT services or Data on a personal device. Other than the aforesaid, staff must not access any MOHT Data on their personal devices and accounts and/or via a personal or external network.

6.3  Unless authorised in writing by the staff’s Team lead, staff must not store or copy onto any storage and collaboration applications aside from “APPENDIX B: Authorised Cloud IT Services For MOHT Usage”. Under no circumstances shall any staff store any Personal Identifiable Information or Sensitive Health Information on unauthorised storage and collaboration applications.

6.4  Staff must take appropriate actions to protect the confidentiality, integrity and availability of MOHT-owned ICT assets, MOHT-issued accounts, and MOHT Data.

7. Sensitive Document Handling

7.1  Staff must not view or handle sensitive (or classified) information unless there is an authorised purpose for the activity.

7.2  Scanning/copying/printing of documents with sensitive information are allowed only if necessary, with production and distribution of all copies tracked and controlled. Where printed information is sensitive, staff shall use physical measures to ensure access is secure, for example, locked cabinets, bags.

7.3 Staff shall ensure that all sensitive documents are shredded and disposed appropriately when no longer required, with consideration of data preservation requirements as needed.

8.  Use of MOHT Emails

8.1  Only MOHT emails shall be used for electronic correspondence for work-related communications and purposes. Personal or commercial email accounts shall not be used.

8.2  MOHT Data must not be forwarded to personal email accounts or unauthorised email accounts.

8.3  Staff must not misuse MOHT emails for personal matters.

8.4 In the use of MOHT-issued accounts (including emails), staff:
a. must not send abusive, obscene, discriminatory, racist, harassing, derogatory, defamatory, pornographic, or otherwise inappropriate content (including but not limited to emails);
b. must not send offensive or seditious information that will impinge on another’s culture, ethics, morality, or religion;
c. must take care with the content of all email messages, as incorrect or improper statements can give rise to claims for discrimination, harassment, defamation, breach of confidentiality or breach of contract. Remember that staff has no control over where emails may be forwarded by the recipient. Avoid saying or writing anything which may cause offence or embarrassment if it were to be forwarded to colleagues or third parties, or found its way into the public domain;
d. must not send, forward or read private emails at work which staff would not want a third party to read;
e. must not contribute to system congestion by sending trivial messages, copying or forwarding emails to those who do not have a real need to receive them, or using “reply all” unnecessarily on an email with a large distribution list;
f. must not agree to terms, enter into contractual commitments or make representations by email unless appropriate authority has been obtained. A name typed at the end of an email is a signature in the same way as a name written at the end of a letter;
g. must not download or email text, music or any other content on the internet which is subject to copyright protection, unless it is clear that the owner of such works allows this;
h. must not send messages from another person’s email address (unless authorised by COO or ED) or under an assumed name;
i. must not send confidential messages via email or the internet, or by other means of external communication which are known not to be secure;
j. must not send advertisements, chain letters, and other unsolicited types of messages;
k. must not send messages for personal gain or profit;
l. must not send commercial solicitations, including tontines and pyramid schemes, for themselves or for others; and
m. must not knowingly send malicious software or code.

9.  Using the Internet (including MOHT Internal Networks)

9.1  Internet access using the MOHT Corporate Network is provided solely for MOHT work-related purposes.

9.2 When a website is visited on a MOHT-issued device, or on a MOHT network (including MOHT-issued Virtual Private Network accounts), devices such as cookies, tags or web beacons may be employed to enable the site owner to identify and monitor visitors. If the website is of a kind described in Clause 10.1 of IT Systems and Cybersecurity Manual (for User), such a marker could be a source of embarrassment to the visitor and MOHT, especially if inappropriate material has been accessed, downloaded, stored or forwarded from the website. Such actions may also, in certain circumstances, amount to a criminal offence if, for example, the material involves overseas gambling or money lending. This is further considered under Clause 10 of IT Systems and Cybersecurity Manual (for User).

9.3 Staff must not circulate, access, render or download on a MOHT-issued device, MOHT-issued account or MOHT network any resource (e.g. any web page, image, document or other file) which could be regarded as illegal, offensive, discriminatory, in bad taste or immoral. As a general rule, if any person (whether intended to view the said resource or not) might be offended by the contents of the said resource, or if the fact that MOHT’s software or device or staff has accessed the page or file might be a source of embarrassment if made public, then such viewing will be a breach of MOHT COPs.

10.  Incident Reporting

10.1 Staff is obliged to report to COO immediately in the event of any actual, potential, or suspected breach of MOHT COPs or any other relevant policies.

10.2 Staff is also obliged to report to COO, CTS and ED immediately in the event:
 a. that MOHT-issued ICT assets are lost, stolen or intentionally damaged. A police report must be made immediately and a copy of the police report submitted to COO’s office (as Corporate IT System Administrator); or
 b. that the MOHT-issued ICT assets and/or MOHT-issued accounts have been compromised (e.g. unauthorised access, cyberattacks, tampering, or infection with malicious software); or
 c. of any actual, potential, or suspected Data Breach, as further considered at Clause 15 of IT Systems and Cybersecurity Manual (for Users).

11.  Cessation or Termination of Employment/ Change of Role

11.1 Upon the cessation or termination of employment or any change of role, staff shall cooperate with the Team Lead and comply with the relevant MOHT COPs for:
 a. the return of MOHT-issued ICT assets;
 b. the handing over, suspension, cancellation or termination of MOHT-issued accounts; and/or
 c. the removal of MOHT Data in the possession or under the control of the staff.

11.2 Staff shall at all times (during his/her employment, and on and after the termination date) keep and maintain the integrity of all MOHT Data and must not at any time (during his/her employment and after discharging his/her obligations to MOHT and/or its partners):
 a. directly or indirectly, in any manner whatsoever, use, divulge or disclose or permit the disclosure of any or all MOHT Data to any entity;
 b. copy, extract or translate in any form or manner any document, paper or other medium which may contain or in which may be stored or recorded in any form whatsoever any MOHT Data, or permit or allow any entity to do so; or
 c. knowingly alter or erase (either directly or by instruction to others) any recording, discussion or activity log of activities related to Clause 10 of this AUP, except in accordance with the directions of MOHT.

Staff shall immediately, at the request or direction of MOHT (whether made or given before, on or after the termination date), return or destroy all documents, papers and other media in his/her possession or control which may contain or in which may be recorded or stored (in any form whatsoever) any MOHT Data, in accordance with the direction of MOHT.

12.   Disclaimer

MOHT accepts no responsibility for any damage to or loss of data, hardware, or software arising directly or indirectly from the use of MOHT’s IT resources, or for any consequential loss or damage. MOHT makes no warranty, express or implied, regarding the facilities offered, or their fitness for any particular purpose.

13.   Changes to AUP and MOHT COPs

MOHT may amend this AUP and MOHT COPs or implement additional policies periodically. Although MOHT will inform staff of policy changes, staff must share the responsibility of staying informed about the use of MOHT’s IT resources and complying with all other applicable policies. The current version of all policies can be found on MOHT’s shared drive.

14.   APPENDIX A: Document Version History

Version    Date
1.02       1 Mar 2021
1.03       25 Jul 2022

15. APPENDIX B: Authorised Cloud IT Services Utilised For MOHT Work
    LAST REVIEWED IN AUG 2022
    EFFECTIVE FROM 1 SEP 2022
    NEXT REVIEW ON 30 AUG 2023

ICT System (or server) Name    Team
(Not Exhaustive)
For details, kindly refer to the AUP document stored in the MOHT Intranet.

Teams and Users agree that the authorised Cloud IT services listed in Appendix B are not intended to and are not able to process information classified above Restricted, Sensitive (Normal).

Teams and Users agree to promptly inform MOHT Corporate IT in writing if there is intent for or awareness of any MOHT Data that is collected, used or disclosed via any of the authorised Cloud IT services listed in Appendix B that meets any of the following criteria:
a. MOHT Data that is known to be at RCST classification above Restricted, i.e. Confidential, Secret, Top-Secret; or
b. MOHT Data that is known to be at ISF classification above Sensitive (Normal), i.e. Sensitive (High).

For details on Data Classifications, kindly refer to the AUP document stored in MOHT Intranet.

References

This document takes reference from and is to be read with all other prevailing MOHT Corporate Operating Policies (MOHT COPs) including but not limited to:
  • IT Systems and Cybersecurity Manual (For User)
  • MOHT-ADM-002-Computer Issuance and Maintenance
  • MOHT-ADM-003-Information Security
  • ICT Security Policy (HIM-ISP)
  • Code of Conduct Handbook

Outlined below are the chapters and sections relevant to this AUP.

MOHT-ADM-002- Computer Issuance and Maintenance
  • Chapter 3 [Issuance of Computers]
  • Chapter 4 [Maintenance of Computers]
  • Chapter 5 [Return of Computers]

MOHT-ADM-003- Information Security
  • Chapter 6 [Baseline Requirements]
  • Chapter 7 [Breach of Information Security]

IT Systems and Cybersecurity Manual
  • Chapter 4 [Equipment Security and Password]
  • Chapter 5 [Systems and Data Security]
  • Chapter 6 [Email]
  • Chapter 7 [Using the Internet]
  • Chapter 8 [Personal Use of MOHT’s Systems]
  • Chapter 9 [Monitoring]
  • Chapter 10 [Prohibited Use of MOHT’s Systems]
  • Chapter 11 [Measures Taken to Protect MOHT’s Data]
  • Chapter 12 [Staff Responsibility To Protect MOHT’s Data]
  • Chapter 13 [Confidentiality and Proprietary Rights]
  • Chapter 14 [Cybersecurity Obligations]
  • Chapter 15 [Data Breach]

Code of Conduct Handbook
  • Clause 2 [General Conduct and Discipline]