Acceptable Use of Computer Resources Policy

1. Introduction

1.1 Background
At XYZ, all data acquired, processed and shared with customers and stakeholders must be
adequately protected against unauthorized access and or modification, accidental or willful.
This protection is ensured with adequate technical controls and defining an acceptable use of
resources framework, by all associates/ subjects who access such information/ data in
performing their job functions. The technical controls that are used within the company
provide an essential element of the required protection. However, these only deliver part of
the solution, the most effective defense being achieved through awareness and good working
practices. This document, which forms XYZ’s Acceptable Use of Computer Resources Policy
(including Internet, web and email usage) in support of XYZ’s Information Security Policy,
defines both acceptable and unacceptable usage of IT facilities, contributing to the overall goal
of systems and information security management.

1.2 Applicability
This Policy concerns:
• The use of company owned assets; and,
• Network facilities, regardless of whether these are used through the XYZ LAN or
through external connection as in the case of mobile devices such as Laptops (where
this has been authorized).

It applies to the following:

• All full-time, part-time and temporary staff employed by, or working for or on behalf
of the company;
• staff who are employed by XYZ Group companies / initiatives and located at the
company premises;
• contractors and consultants working for or on behalf of company;
• All other individuals and groups who have been granted access to the IT and network
facilities, including visitors.

It is the personal responsibility of every individual to whom this Policy applies to adhere fully
with its requirements. The department heads are responsible for implementing this Policy
within their respective department and for overseeing compliance by associates under their
direction and/or supervision.

1.3 Scope
This Policy concerns all computer systems and network facilities operated by XYZ, regardless of
location.
2. Use of XYZ Computer Resources

2.1 Privilege for use

XYZ’s IT and networking facilities shall be used after due authorization by the following
personnel:
• associates of the company;
• an outsourced or contract associates working for the company;
• an external consultant undertaking consultancy activities for company’s businesses;
• an individual or a member of a group who has been permitted such access by an
appropriate authority of the company;
• A visitor to the company.

Anyone else wishing to use company’s computer resources, or access to company’s premises, or
wishing to connect equipment to the company’s network, must contact the appropriate
authority. Company’s IT infrastructure and networking facilities may only be used with proper
authorization. Only the system administration team for the respective computer systems can
grant access to / deny, if found inappropriate. All Associates will be assigned a unique USERID
and default PASSWORD on joining the company. A USERID entitles an individual to use
computer systems for performing their job including personal work, if any for a limited
acceptable time without impacting business emergencies. USER IDs are strictly confidential,
and shall not be shared with anyone. USER IDs and Passwords are strictly confidential. Best
practices on the selection and management of PASSWORDS shall be done in accordance with
the Password Usage & Management Policy. When USER IDs lapse on a timed basis, the
individual’s access credentials become invalid and will no longer provide access to systems.
However, files associated with the user will be retained for a reasonable period of time and
can be retrieved if necessary. A lapsed USERID will be re-instated on request where such
applications are authorized by the appropriate authority.

2.2 Use of Personal Equipment

Personally equipment (eg Laptops) belonging to any users (including visitors), shall not be
connected to the XYZ network without prior authorization. Generally, privately owned
equipment belonging to customer’s / clients authorized representatives may only be connected
to the respective network which is isolated from XYZ network. Location N&S shall maintain the
log as well register the dates of such access of all privately owned equipment that has been
approved for network connection, upon prior approval. Even for such connectivity within the
company, all privately owned equipment shall be checked for virus. N&S, reserves the right to
apply service packs, fixes, work-a-rounds and patches, either physically or electronically to
such equipment, and reserve the right to install anti-virus software and other software (in
accordance with relevant license conditions to allow remote security maintenance. The
company accepts no responsibility for the effects that any such installation may have on the
operability of privately owned devices, consequently all risks, however small, reside with the
owner. When connected to the XYZ’s network, privately owned equipment may be monitored
in accordance with clause 3.7 as given below. Any such equipment that is connected to the XYZ
network and is attributed to security problems, or which causes security concerns may be
disconnected without prior notification, and in certain circumstances, the associate user may
be held accountable and responsible.
2.3 Laws, Regulation & Correct Practices
No associate/ subject shall try to gain unauthorized access to any computer system/ resource.
This is commonly known as hacking and constitutes a criminal offence under various local,
national and international regulations. As a user of XYZ’s Network, an associate/ subject shall
abide by the underlying Policy and all other relevant Policies, Standards and, Codes of Practice
for the use of computers, software and networks that are in force, including those that are
specifically applicable. An associate shall not do anything maliciously, negligently or recklessly
which might cause harm of any magnitude to any computer system, or to any of the programs
or data residing on computer systems. In this context, ‘harm’ implies any kind of damage,
unauthorized access or alteration. During the process of official audits or by an authorized
person, if requested, the associate/ subject shall justify the use of XYZ IT and/or networking
facilities being accessed. The associate/ subject shall explain (in confidence, if necessary)
what tasks are being performed, and how and why they are being done. In accordance with
applicable practices and policies in force, the associate/ subject shall make any reasonable
changes requested by N&S Representative to comply with any reasonable restrictions placed
upon the associate/ subject. An associate/ subject shall comply with applicable regulations
covering the use of software and datasets. The regulations could be applicable either by law,
by the producer or supplier or client of the software or datasets, by the company or by any
other legitimate authority. Where clarifications are required, the associate/ subject shall
contact the N&S Representative, before using the software or dataset. Without prior
permission from an appropriate person or the organization, an associate/ subject shall not copy
any software (even as a backup copy) or share it, or make it available in any way to anyone
else. Failure to comply with this requirement is a serious cause for concern at the company,
and shall lead to disciplinary action as stated in the Policy.

2.4 Liability, Warranty and Related Matters

Whilst every reasonable endeavor is made to ensure that the IT and networking facilities are
available as scheduled and function correctly, no liability whatsoever can be accepted by the
company for any direct or consequential losses or delays as a result of any system malfunction,
despite its best efforts. Responsibility for ensuring that software is suitable for the purpose for
which it is designed, or that any result obtained through IT or network facilities is correct,
always rest with the respective associate/ subject Whilst every reasonable endeavor is made to
ensure the integrity and security of information held on computer media, no consequent
liability can be accepted as a result of any such information being inadvertently lost, corrupted
or inappropriately accessed. This includes programs and data held on privately owned
equipment when connected to the XYZ’s networks in accordance with 2.2.

3. Internet, Web and Email Usage

3.1 Policy Requirements

Personnel who use email, or who create, manage, or use web sites are responsible for ensuring
that their usage complies with the requirements outlined below.

3.2 Connectivity
Users will be provided with Internet, web access and email facilities either by Local Area
Network (LAN) connectivity, Wireless LAN connectivity, via Virtual Private Network (VPN) or
through any other means based on their profile in the organization. In addition, some XYZ
computing resources are available through web services. Access to these facilities is granted
subject to compliance with the policy requirements, responsible conduct and requirements
concerning ‘mobile and remote accesses.

3.3 Acceptable Use Applicable to All Users

XYZ IT facilities must not be used, or in connection with, the following activities:
• Deliberately accessing, creating or transmitting any obscene or indecent images, data
or other material, or any data capable of being resolved into obscene or indecent
images or material. All email traffic on XYZ Network shall be official and professional in
nature.
• Creating or transmitting material which is designed or likely to cause offence,
annoyance, inconvenience or needless anxiety to another;
• Creating or transmitting defamatory material or material that is libelous of any other
person’s or company’s reputation, products or services;
• Viewing, transmitting, copying, downloading or producing material, including (but not
exhaustively) software, films, television programs, music, electronic documents and
books which infringes the copyright of another person, or organization;
• Making offensive or derogatory remarks about the company or its Associates on
interactive sessions and surveys ;
• Posting offensive, obscene or derogatory photographs, images, commentary or
soundtracks on interactive life-style websites;
• Transmitting or producing material which breaches confidentiality undertakings;
• Attempting to gain deliberate access to facilities or services which are not authorized
for access;
• Deliberately undertaking activities that corrupt or destroy other users' data; disrupt the
work of other users, or deny network resources to them; violate the privacy of other
users; waste staff effort or networked resources;
• Creating or transmitting unsolicited commercial or advertising material unless that
material is part of an authorized campaign with specific subscribers;
• Making commitments via email or the Internet on behalf of the company without full
authority;
• Undertaking any activities detrimental to the reputation or business interests of the
company;
• Deliberately contributing to News Groups or web sites that advocate illegal activity
(hate sites);
• Initiating or participating in the sending of chain letters, ‘junk mail’, ‘spamming’ or
other similar mails.

Any user who inadvertently accesses an inappropriate Internet site must immediately close the
session. Any associate who receives an inappropriate email message or email content that
appears to have been sent by another associate may wish to report the matter to their
reporting manager immediately.

3.4 Additional precautions while connecting from residence/ private networks

The following additional restrictions apply to Associates connecting to XYZ Net from their
residence/ other private networks, regardless of whether the network connection is through
privately owned equipment, company provided equipment, or via equipment owned by any
third party.
Every associate is responsible for maintaining effective security of the equipment attached to
the XYZ network, by ensuring with latest service packs, applying security patches and
maintaining up to date virus protection software, etc. The resale (or making available to others
without charge) of network and computing services (for example through hubs, proxy services
or wireless facilities) is strictly prohibited. The connection of games consoles to XYZ network
resources is strictly prohibited. All such activity may be monitored. Privately owned and third
party equipment connected to the XYZ network will be subject to the same monitoring
activities as company’s own equipment (Ref. 3.7). Logs of computer system usage are recorded
and may be scrutinized. Such records are retained for periods appropriate for operational
purposes.
Disclaimer: XYZ accepts no responsibility for the security of any privately owned or third party
owned computer system attached to its network, or any liability for any damage to any such
device however so caused. This also extends to any other network which XYZ does not provide
(including its components) to which private, third party or XYZ equipment may be attached by
a student. XYZ reserves the right to restrict or block any device or services which have an
adverse affect on its network including degradation of its network services.

3.5 Website Management

The hosting and designing team of all intranet, externally accessible websites and websites in
public domain (www.XYZ.com) are accountable for ensuring that the contents comply with the
requirements of The Policy. As such, except where anonymous input is allowed (for example
guest accounts), scripting which enables others to alter the content is not to be made available
to anyone who is not subject to this Policy. Where anonymous input is allowed this must be
policed at regular and frequent intervals by the owner of the site to remove any inappropriate
content and to prevent further site access by anyone posting such material. XYZ’s IT Policy, the
relevant guidelines and codes of practice applicable to web pages, are to be strictly adhered
to, by all those creating and managing websites for the company.

3.6 Monitoring the Use of Facilities

It is the responsibility of the organization to monitor all activities with regard to usage of
Computer resources. The company reserves the rights to monitor users’ activities to:
• record evidence of official transactions;
• ensure compliance with regulatory or self-regulatory guidelines;
• maintain effective operations of systems (e.g. preventing viruses);
• prevent or detect undesirable activity;
• Prevent unauthorized use of computer and telephone systems – i.e. ensuring that the
users do not breach XYZ policies.

The publishing of this Policy is one of the means of company informing associates about
standard monitoring practices at the company. XYZ reserves the right to deploy software and
systems that monitor, block or record all Internet access. These systems and utility tools are
capable of recording (for each and every user) exactly how much Internet usage is being
exercised for each World Wide Web site visit (the date and time visited and how long was spent
on the site), each email message, and each file transfer into and out of our internal networks.
This right is reserved at all times, although it is anticipated that instances of such monitoring
will be minimal and proportional to operational needs. Privately owned equipment connected
to XYZ networks in accordance with 2.2 will be subject to the same monitoring activities as XYZ
equipment to ensure the security of XYZ Network at all times. Logs of computer system usage
shall be taken and scrutinized. These will be retained for periods appropriate for operational
purposes and Data may be archived.

3.7 Personal Use of Internet and Email

Significant bandwidth and disk space overheads are incurred through Internet and email traffic
usage, and for email and attachment serving and storage. XYZ’s IT facilities are provided for
operational and business purposes only. However, non-excessive and reasonable personal use of
these facilities by associates may be permitted provided, that such use does not interfere with
the work performance of the employee or the activities of other associates, and such use is
compliant with the requirements and the terms of this Policy. Associates who use XYZ
computing resources to make purchases, pay bills or conduct on-line banking or similar
activities do so at their own risk. The company shall not be responsible for any direct or
indirect losses sustained by those using its computer resources for personal transactions.

3.8 Privacy and Third Party Access

A degree of privacy is ensured in the private use of the XYZ’s computing facilities. However, all
users shall be aware that owing to the company's obligations (statutory and otherwise) there
are limitations to the privacy that can be enjoyed. For operational purposes it may be
necessary for the company to access email folders and file stores occasionally during periods of
unexpected associates’ absence. This applies when no-one else can access the data required,
and arrangements for them to do so could not have been made in advance of their absence.
Likewise, when associates have ceased XYZ employment it may be necessary for N&S associates
to recover or copy archived data that needs to be subsequently accessed by another associate
or business, depending on the criticality and sensitivity of the data involved. With these points
in mind, associates shall not use XYZ systems for the transmission or storage of any material
that is strictly personal. Any associate of the company who is granted operational access to
another associate’s data may only view material that it is considered necessary to see for the
operational reason for which access was granted. They are required to treat all material as
confidential and not to act upon it or disclose it to any other person except those directly
associated with the operational requirement for which the access was granted, and they must
preserve the confidentiality of any private or personal data that they may view inadvertently
whilst undertaking operational matters. As an additional safeguard against inadvertent
disclosure, associate may wish to precede the subject title with 'PRIVATE' in the subject line of
any personal emails, or use the ‘personal’ or ‘private’ sensitivity settings available through
‘message options’ in Microsoft Outlook.

3.9 Mass Mailing Restrictions & Controls

The company encourages and promotes the use of electronic mail to further its business,
support and service missions for legitimate and administrative purposes. However, sending of
bulk XYZ-wide / inter-circle / unit emails has to be regulated to prevent misuse or abuse. This
Policy provides a framework for the authorization of bulk, unsolicited emailing by any delivery
means.

3.10 XYZ-Wide and Inter-Circle emails

The distribution of XYZ-wide emails by Associates using the ‘XYZ Associates Global’ address list
or by harvesting global address lists is prohibited unless the messages have been formally
approved by N&S Head, or are sent by or on behalf of a member of the Management Forum or
Board of Directors. Messages that are sent outside of the authorization process will not be
released by the N&S mailing list moderator. Messages those are likely to be approved for XYZ-
wide distribution generally will be restricted to urgent operational matters that need to be
brought to the attention of the company’s associates. However, this mechanism may also be
used for notifying associates of certain personnel issues and for the undertaking of official
company surveys and compliance issues.
Messages that may be approved as being appropriate for widespread distribution include, but
are not limited to, those concerning:
• Security issues, such as bomb or terrorist threats and computer system viruses and
other threats;
• health and safety matters such as hazard warnings and natural disaster alerts;
• urgent upgrades of the XYZ’s IT/IS services that may result in temporary disruption to
systems;
• the announcement of XYZ policies that are time critical or which associates have to be
made aware of for legal compliance reasons;
• informing associates of new accreditation or registration information;
• informing associates of new pay structures or industrial action;
• important announcements from the XYZ’s executives/governance groups
• Time critical financial and administrative deadlines.

Anyone wishing to send an inter-circle email must obtain authorization for sending it from the
head of the respective circle. All approved bulk email messages are to contain the following
information:
• Subject line: with clearly stated subject;
• From: line that contains the email address of sender;
• To: line that includes XYZ group/s to which the mass email will be sent;
• Signature information providing the name, business unit, and telephone number of the
sender.

The email body is to contain:

• plain text only - graphics are not permitted;
• no attachments - a link to an appropriate web page which includes the detailed
information is to be provided by the sender;
• Brief, and to the point messages only, although instructions on how additional
information can be obtained may be included.

Business Units wishing to announce organization level sponsored events should use the facilities
available, such as ‘Common Info’ etc. Alternatively, there is provision for associates to
subscribe to opt in mailing lists.

3.10.1 Mass Mailing within Circles

The department head of each department is authorized to send bulk emails to those associates
of their unit / circle using the respective address lists, and may provide authority for
respective unit heads of their department to do the same. However, the use of business unit
wide mailing must be restricted to important matters where this communication mechanism is
considered to be both appropriate and necessary to reach the required audience. Details of less
important matters such as conferences, events, etc. are to be published using other facilities.
3.10.2 Mass Mailing – Mailing Lists, Address Book and Database Held Addressees
Users who send emails to multiple recipients by compiling a list from a personal address book
or database are to enter the email addresses in the BCC field so that they cannot be seen and
harvested by others. With the exception of emails to mailing lists to which users have chosen to
subscribe, such mailings shall also include the following statement in the body of the mail: “If
you are not the intended recipient of this message, please delete the same. Or, if you no
longer wish to continue on this mailing list, please reply and your address will be removed from
the list”. Actions to be immediately initiated by the recipient on receipt of all removal
requests.

3.11 Computer Crime and Misuse

The company expects users to use IT facilities, and in particular email and the Internet,
responsibly at all times. Suspected computer crime and misuse of XYZ IT facilities, including
excessive personal use by associates, shall be investigated. Associates should check and agree
conditions of personal usage of computers with their Reporting Manager, if they are in any
doubt

XYZ Confidential