Administrative Instruction ICC/AI/2006/001 COMPUTER AND NETWORK SERVICES POLICY The Registrar, for the purpose of delineating the acceptable use of the Information and Communication Technologies of the Court promulgates the following: Section 1 Definition of Terms a. ICT: Information and Communication Technologies b. ICT Resources: all hardware and software issued by the Court related to information and communications technology c. Mobile Devices: Laptops, Personal Desktop tools, mobile telephones, remote access cards and all future mobile devices introduced in the ICC. d. Internet: a public and open network connecting many thousands of computer networks. Internet utilizes multiple communication protocols to create a world wide communication medium. e. Intranet: a private network based on the communication standard of the Internet. Only the staff members of the ICC and authorized users can access this network. f. Authorized Users: All staff members, elected officials of the Court, Visiting Professionals and Interns/Clerks, Consultants, Contractors and other persons granted access to use the ICT Resources. g. Account: The Unique Log on Identification that is allocated to each user by the ICT Section and which is used to access the ICC network or applications. Page 1 of 9 Maanweg 174, 2516 AB The Hague, The Netherlands Maanweg 174, 2516 AB La Haye, Pays-Bas Telephone Téléphone +31(0)70 515 85 15 / Facsimile Télécopie +31(0)70 515 85 55 www.icc-cpi.int
h. Virus: a piece of programming code usually disguised as something else that causes some unexpected and, for the victim, usually undesirable events and which is often designed so that it is automatically spread to other computer users Section 2 Objectives of the Administrative Instruction 2.1. This Administrative Instruction aims to: (a) Ensure that staff members and other authorized users are informed of the rules regarding the use of ICT Resources. (b) Make certain that these resources and services are used in an ethical manner consistent with the nature of the work of the Court. (c) To ensure that the availability, functionality, integrity and security of ICT Resources is maintained. Section 3 Proper usage 3.1. All staff members, elected officials of the Court, Visiting Professionals and Interns/Clerks shall be assigned an account for the duration of their employment or mandate within the ICC. The supervisor of the staff member, Visiting Professional and Intern/Clerk shall be responsible to make the appropriate request to add, modify, or delete an account. 3.2. Contractors or consultants who have signed the Oath of Office and/or the Confidentiality Undertaking may request to be assigned an account if this is necessary to fulfil the terms of their contract. The ICC representative who is responsible for overseeing the work of the contractor or consultant shall make the request on behalf of the contractor or consultant to the ICT Section and shall be responsible for management of the account. Access shall be withdrawn automatically when the contractor or consultant no longer works for the Court or upon the completion or termination of the contract, whichever comes first. 3.3. Any account shall be the responsibility of a specific person assigned to a specific function. Except in the instances of email, accounts that allow many people access to information through a single account name are not allowed unless no other technical solution exists. 3.4. All users shall be provided with password protected systems. Users are responsible for the security of their passwords, tokens that store or generate their passwords and their accounts using the guidelines outlined below: (a) Under no circumstances may passwords be shared between users; (b) Passwords must not be written down; (c) Passwords must contain at least six characters containing a number and a symbol. An example would be @2morrow or _doit4me; 2 / 9
(d) The password administration system forces a password change every three (3) months. 3.5. With the exception of material owned by third parties, the Court is the legal owner of all information stored on or passing through its systems. Section 4 Prohibited Use 4.1. Certain materials are incompatible with the ethical standards of the Court. The ICT Resources must not be used to view, store or disseminate such materials. These include, but are not limited to: a) Pornographic texts or images; b) Material promoting sexual exploitation or discrimination, racism and violence; c) Messages that are derogatory, inflammatory or discriminatory regarding race, age, disability, religion, national origin and sexual preference; d) Destructive codes (e.g. viruses, self replicating programs) and material concerning ʹhackingʹ mass mail or chain letters; e) Personal solicitations, promotions, and commercial advertisements; 4.2. In general, the Court shall not allow its ICT Resources to be used to display, store or send (by email or any other form of electronic communication such as external bulletin boards, chat rooms, Usenet groups) material that is: fraudulent, harassing, embarrassing, sexually explicit, profane, obscene, intimidating, defamatory or otherwise inappropriate or illegal. 4.3. In cases where there is a professional need to use the ICT Resources and Internet services to consult material prohibited above; authorization from the appropriate supervisor should be obtained. 4.4. Users must not post Court related information to public forums on the Internet (such as public discussion or chat groups), unless this refers to materials that have been appropriately authorized and express permissions have been granted. 4.5. Use and treatment of the ICT Resources and Internet services that may limit computer resources availability or unfairly monopolize these resources are not allowed. This includes, but is not limited to: a) Downloading games or entertainment software for playing on line games; b) Copying of private audio CDs onto the network; c) Engaging in on line chat groups, uploading or downloading large files for other purposes than discharging duties as established by the Rome Statute, the Rules of Procedure and Evidence or any other applicable rules or regulations governing the procedures and work at the ICC; 3 / 9
d) Subscription to real time automatic information distribution services the Internet (socalled ʹpush servicesʹ) unless related to work activities e) Peer to peer networking, file sharing services; f) Instant messaging or similar; g) Any services which can disrupt, disable or otherwise affect the proper functioning of the Court or its ICT Resources. 4.6. In principle, the ICC does not allow the personal use of its ICT Resources. However, authorized users may exceptionally use their account for urgent personal matters if this does not affect their work or the integrity and security of the system and does not unduly consume ICT Resources. Users must be aware that the ICC will not guarantee any privacy of personal usage of its ICT Resources. 4.7. Personal use of the ICT Resources, including network, internet and the e mail system, must satisfy the following provisions: (a) The ICT Resources should not be used in a manner that has a negative impact on the availability of the resources; (b) No personal use may be made by, or on behalf of, any organization or third party; (c) No personal soliciting is allowed. Resources may not be used to lobby, solicit, recruit, sell, or persuade for or against commercial ventures, products, religious or political causes, outside organizations, or the like; (d) Other than minor transactions like Internet banking and online purchases, the resources may not be used for any activity that would result in a commercial gain for an employee; (e) Resources must not be used to engage in or support offensive activities. Section 5 Copyright Compliance 5.1. The ICT Section shall be the sole distributor of licensed software in the organization. 5.2. Users are responsible for complying with copyright law and licenses that apply to software, files, graphic, documents, messages or other material that can be downloaded or copied. Users must neither use nor make copies of software unless they have verified that the copies comply with the license agreement signed between the vendor and the Court. 5.3. Users may not use the Court s ICT Resources to copy material protected under copyright law or make such material available to others for copying. 5.4. The ICT Section reserves the right to remove unauthorized or improperly licensed software from its ICT Resources. 4 / 9
Section 6 Use of email 6.1. There is no guarantee of privacy or confidentiality for e mail; therefore, users of the e mail system should carefully consider the nature of information sent via e mail. 6.2. Mailbox messages must be archived regularly by the authorized user to ensure the proper functioning of the mail servers and the roaming profiles of the users. Mailbox messages shall be automatically archived by the e mail system 30 days after reading; sent mail shall be automatically archived by the e mail system 30 days after sending. Trash shall be deleted automatically 7 days after deletion from the mailbox. Manually deleted trash is not retained in any way. 6.3. Incoming email is checked by a virus checker. In some cases email may be blocked if it is flagged as suspicious. The ICT Section shall release blocked email only after the email has been declared virus free. 6.4. There is a limit of 2MB file size on incoming and outgoing mail for personal use. 6.5. Functional accounts (like Personnel, Public Information, Investigation Teams, etc) shall be allowed broader access on request. 6.6. Email used for business purposes (attachment sizes of functional accounts) shall be dealt with on a case by case basis, depending on the services required. Alternative methods for the electronic transfer of large amounts of data will be available. 6.7. The following official email disclaimer (both the English and French version) shall be added automatically at the foot of every outgoing email message. This message contains information that may be privileged or confidential and is the property of the International Criminal Court. It is intended only for the person to whom it is addressed. If you are not the intended recipient, you are not authorized by the owner of the information to read, print, retain copy, disseminate, distribute, or use this message or any part hereof. If you receive this message in error, please notify the sender immediately and delete this message all copies hereof «Les informations contenues dans ce message peuvent être confidentielles ou soumises au secret professionnel et elles sont la propriété de la Cour pénale internationale. Ce message n est destiné qu à la personne à laquelle il est adressé. Si vous n êtes pas le destinataire voulu, le propriétaire des informations ne vous autorise pas à lire, imprimer, copier, diffuser, distribuer ou utiliser ce message, pas même en partie. Si vous avez reçu ce message par erreur, veuillez prévenir l expéditeur immédiatement et effacer ce message et toutes les copies qui en auraient été faites.» 6.8. When an account holder leaves the employ of the Court, the corresponding e mail account shall be suspended for 30 days. After that it shall be deleted. During the 30 days period and upon request (with authorization) it may be possible to add an out of office message that tells the recipient who to contact within the Court or to retrieve information from the email account. 5 / 9
6.9. E mail shall not be automatically forwarded to external accounts. All requests for automatic e mail forwarding shall not be granted. Users are not permitted to configure their email account to automatically forward their e mail to an external account. 6.10. Individuals are not permitted to send (personal or business) messages to all ICC. The ICT Section provides functional e mail accounts for this purpose. Requests for functional accounts of this nature must be made through ICT Service Desk. This measure does not apply to the Heads of Organ. 6.11. The ICT Section may block inappropriately addressed email and inappropriately named email addresses. 6.12. Users may request secure remote access to Court email by contacting the ICT Service Desk, using the appropriate procedures as advertised on the Court s Intranet. Section 7 Internet Access 7.1. The Internet is not to be regarded as a safe medium and should not be used to transmit confidential or sensitive information without encryption. 7.2. The domain ICC CPI.INT is the unique official registration for the International Criminal Court. Internet registration is effected through the ICT Section. 7.3. Court computers or networks may only be connected to the public Internet through approved access control systems. 7.4. Users must be aware that Internet usage is not anonymous; Internet usage leaves traces on the ICT Resources of the Court and external parties. Users must therefore not misrepresent, obscure, suppress or replace their own or another userʹs identity on the Internet or on any Court information system. 6 / 9
Section 8 Monitoring and logging 8.1 Under the guidance of the Chief of Section, the ICT Section monitors all ICT Resources for business continuity purposes, proactive support and integrity checking. This routine monitoring shall not extend to the content of the information communicated or stored by such resources, which shall be monitored only in accordance with sections 8.2 and 8.3 below. 8.2. The Court reserves the principled right under conditions laid in item 8.3, to monitor and log any and all aspects of its ICT Resources, for the purpose of verifying compliance with this Administrative Instruction and guaranteeing the integrity and security of the ICT Resources. Such monitoring and logging may include but is not limited to: (a) The content inventory of its personal computers; (b) Chat groups, news groups; (c) Internet sites visited; (d) Files downloaded; (e) Communications sent and received electronically. 8.3. The Court may monitor and log the use of its ICT Resources by authorised users whenever there is a well founded suspicion that illegal or otherwise prohibited or wrongful conduct is taking place. Supervisors shall submit requests to monitor application and system usage, including but not limited to e mail use and messages for cause to the relevant authorizing executive: The President (for Presidency and Chambers staff), The Prosecutor (for staff of the Office of The Prosecutor), the Registrar (for Registry staff), and the Director of the Secretariat of the Assembly of States Parties (for staff of the Secretariat of the Assembly of States Parties). 8.4. Users can request or consent to monitoring for the purposes of identifying and/or neutralizing threatening, offensive or otherwise inappropriate emails addressed to them. 8.5. The monitoring activity shall be executed by the staff of the ICT Section under the guidance of the Information Security Officer and will be logged. The log files shall be made available to the appropriate relevant authorizing executive on request. 8.6. Any personal data that is collected by the ICT Section shall, as a minimum, be treated in conformity with the International Labour Organisation s Code of practice on the protection of workers personal data. All authorised users shall be informed about any data collection process, the rules that govern that process and their rights in this respect. 7 / 9
Section 9 Conditions of use of telephones and Mobile Devices (PDA s, laptops, mobile telephones) 9.1. Identified Court Sections (i.e. Finance and ICTS) shall have access to detailed mobile and landline phone call records for the sole purpose of invoicing staff members for those calls where appropriate. 9.2. Unless noted in the contract of employment, or authorized in writing by the Division Head or Senior Manager, staff members and other registered users shall be responsible for the cost of all personal telephone calls and other communications (both outgoing and incoming, if roaming charges apply). These costs will be automatically deducted from the salary. 9.3. For property control and audit purposes, the loss or theft of a Mobile Device must be reported immediately to the local police, ICT Service Desk, the Court Security Section, Property Control and Inventory Unit and followed up with a written report. Liability for loss of such device shall be ascertained and dealt with in accordance with Administrative Instruction ICC/AI/2005/04. Section 10 Viruses 10.1. The Court has strict zero tolerance for viruses. A file identified as infected by a virus shall not be allowed on the Court network. The sender shall receive an email notification indicating the action taken. 10.2. All files coming through the central e mail service shall be scanned for viruses. All files that are considered to be suspicious shall be moved to a safe area and the user shall receive a message that a suspicious e mail has been received. 10.3. In order to avoid infection of files, the ICT Section may shut down ICT services as necessary for a limited time in case of threats to its proper functionality. The ICT Section shall inform the Heads of Organ and users as appropriate. Section 11 Responsibility 11.1. The Chief of the ICT Section shall be responsible for the day to day implementation of this Administrative Instruction, under the supervision and delegated authority of the Registrar, and in consultation with the Prosecutor, the President and the Information Systems Technology Board. 11.2. In addition, the Chief of the ICT Section is responsible for; (a) Security of communications and protection of electronic data; 8 / 9
(b) Providing a standard desktop configuration that complies with the security standards of the Court; (c) Administering the Court network, network servers and client configurations, including provision of access rights that may affect configuration changes; (d) Provision of secure services for data exchange of large data transfers (like secure FTP). Section 12 Final Provisions 12.1. Violations of this Administrative Instruction or other Court policies governing the use of the ICT Resources may result in disciplinary action in accordance with the Staff Rules and Regulations, as applicable. 12.2. Users wishing to request exceptions to any section of this policy should do so by written communication to the ICT Section. 12.3. This policy applies to all users based in the Headquarters and in Field Offices of the Court. 12.4. This policy shall be reviewed at least annually. 12.5. This Administrative Instruction takes effect on 7 th August 2006 Bruno Cathala Registrar 9 / 9