Example of a Policy & Procedure document I wrote
COMPANY NAME
Information Security
Policy South Africa
Documentation
K. Irvine
The Information Security Policy is an overarching policy which incorporates a set of underpinning
specific policies, set out to cover all areas of security in order to meet the needs of the business.
This and any relevant documentation will be made readily available to all users and customers
requiring access to any Information and Communications Technology systems, so that they fully
understand their roles and responsibilities and to help ensure adherence to the policies set out in the
aforementioned documentation. These policies are backed by Management representing IT and
Management representing the business.
LOGO
Information Technology – South Africa
Issued by: K. Irvine
Subject:
Documentation
Title:
Information Security Policy South Africa
-
Approved: Company Management
Table of Contents
POLICY STATEMENT ..... 4
PURPOSE ..... 4
SCOPE ..... 4
RESPONSIBILITIES ..... 4
COMPANY RESPONSIBILITIES ..... 5
INFORMATION COMMUNICATIONS TECHNOLOGY ACCEPTABLE USE POLICY ..... 6
  OVERVIEW ..... 6
  MONITORING ..... 7
  RETRIEVAL ..... 7
  MESSAGING / INTERNET SYSTEM ..... 8
EQUIPMENT AND SOFTWARE POLICY ..... 9
  EQUIPMENT ..... 9
  PRINT / FAX / SCAN / COPY / PHOTO (CAMERA/VIDEO) – OUTPUT CONTROL ..... 10
  BACKUP PROCEDURES ..... 11
PASSWORD CONTROL POLICY ..... 12
  OVERVIEW ..... 12
  INFORMATION TECHNOLOGY GLOBAL ENTERPRISE ACTIVE DIRECTORY PASSWORD STANDARDIZATION POLICY ..... 13
    1. Password Policies ..... 13
    2. Account Lockout Policies ..... 15
  INFORMATION TECHNOLOGY SYSPRO (SOUTH AFRICAN ERP SYSTEM) PASSWORD STANDARDIZATION POLICY ..... 16
    1. Password Policies ..... 16
    2. Account Lockout Policies ..... 17
  HR ACCSYS PAYROLL SYSTEM PASSWORD STANDARDIZATION POLICY ..... 18
    1. Password Policies ..... 18
    2. Account Lockout Policies ..... 18
EMAIL POLICY ..... 19
  OVERVIEW ..... 19
  EMAIL USAGE ..... 19
INTERNET POLICY ..... 21
Revision: v1.1
Page 2 of 27
Revision Date: May 18, 2012
  OVERVIEW ..... 21
  INTERNET ACCESS POLICY ..... 21
  SECURITY ..... 23
ANTI-VIRUS POLICY
REMOTE ACCESS POLICY
SUPPLIER / EXTERNAL CONSULTANCY ACCESS TO IT SERVICES, INFORMATION AND COMPONENTS POLICY
ASSET DISPOSAL POLICY ..... 24
INFORMATION CLASSIFICATION POLICY ..... 24
DOCUMENTATION CLASSIFICATION POLICY ..... 24
RECORDS RETENTION POLICY ..... 24
SECURITY POLICY ..... 24
  PHYSICAL SECURITY ..... 25
  NETWORK SECURITY ..... 25
DOCUMENT REVIEW TABLE ..... 27
POLICY STATEMENT
This policy has been written to establish procedures to protect the validity and integrity of company
information / data and related assets against any actual or potential security threats, and to minimise
the impact of any such incidents that could disrupt business continuity.
This Information Security Policy has been approved and is supported by:
Management
PURPOSE
The purpose of this Policy is to protect all of the company's information assets from any and all threats,
whether deliberate or accidental, from internal or external sources.
SCOPE
The scope of this policy covers, but is not limited to:
- Data stored on computers, mobile storage devices and/or any other form of electronic media
- Data transmitted across networks, e-mail, the internet, instant messaging and social networking
- Data printed or written on paper
- Mobile phone conversations and any other form of mobile communication, text messages, etc.
- Land-line and teleconferencing communications in any form
- Access control
RESPONSIBILITIES
Managers are directly responsible for ensuring that all existing and/or new employees who fall within
their business areas are granted access to, understand and adhere to the Policy and any underpinning
policies and procedures pertaining to it.
Each Employee has the responsibility of making sure they have read and understood the contents set
out in these documents and of ensuring that, to the best of their abilities, they adhere to the policy and
any underpinning or additional documents pertaining to it.
It is also the sole responsibility of the Employee, should they not understand or be unsure of anything
set out in these aforementioned documents, to seek advice from either their Manager or the IT
Department.
Failure to adhere to the aforementioned policy and any documents and/or procedures pertaining
to the policy could result in disciplinary processes being carried out.
COMPANY RESPONSIBILITIES:
It is the responsibility of the Company to:
- Ensure that all company data/information and/or assets are protected against unauthorised access
- Ensure the confidentiality of company data/information
- Maintain the integrity and availability of company data/information
- Ensure that data protection, privacy of personal information and intellectual property rights are
  adhered to as set out by any legislative and regulatory rules / requirements
- Devise and test Business Continuity Plans, which are to be checked and updated on a regular basis
- Ensure that information and knowledge systems are set up and maintained so that ALL staff receive
  sufficient training
- Ensure that any breaches of Information Security, either suspected or actual, are reported,
  investigated and dealt with by an appointed IT Security / Management Team.
INFORMATION COMMUNICATIONS TECHNOLOGY
ACCEPTABLE USE POLICY
OVERVIEW
provides a variety of electronic communications systems for use in
carrying out its business. All communication and information transmitted by, received from
or stored in these systems is the property of and, as such, is intended to
be used for job-related purposes.
All use of information and communications facilities is governed by the
terms of this policy; failure to adhere to the terms and conditions laid out in this policy will be
regarded as a breach of these rules. Depending on the seriousness of the offence, these
facilities may be curtailed or withdrawn and disciplinary action may thereafter follow. If you
do not understand any part of the policy, it is your responsibility to obtain clarification from
your manager or the IT department.
The intention in publishing an Acceptable Use Policy is to establish a culture of openness,
trust and integrity within the company and to protect the company, its employees, partners,
affiliates, clients and customers from any illegal or damaging actions by individuals, whether
knowing or unknowing.
It is the responsibility of every authorized Information and
Communications user to know and understand this policy and to conduct their activities
accordingly.
It is the responsibility of local management to ensure that all current and future employees
granted access to any information and communication systems/equipment have been given a
copy of the Information Technology Acceptable Use Policy.
Employees are required to sign an acknowledgment form before receiving access to the
various systems in use at . The following summary guidelines regarding
access to and disclosure of data on any electronic communication system
will help you better determine how to use these systems in light of your own and the
company's privacy and security concerns. The following are only summary guidelines;
employees should contact the Information Technology (IT) department for more detailed
information.
The IT department maintains the Computer and Technology Resource Usage Policy on behalf
of . However, other departments may develop supplemental policies and
controls to accommodate specific requirements, so long as these policies do not compromise
corporate policies and controls.
MONITORING
provides the network, personal computers, electronic mail and other
communication devices for your use on company business.
may access and disclose all data or messages stored on its systems or sent
over its electronic mail system.
reserves the right to monitor communication and data at any time, with or
without notice, to ensure that company property is being used in the best interests of the
company and within, but not limited to, the IT Acceptable Use Policy and any other corporate
policies that may govern the use of Company Equipment.
The company also reserves the right to disclose the contents of messages for any purpose at
its sole discretion.
No monitoring or disclosure will occur without the direction of either the Human Resources
department or executive leadership, unless otherwise noted.
RETRIEVAL
Notwithstanding the right to retrieve and read any e-mail messages and/or
files, such data and/or messages should be treated as confidential by other employees and
accessed only by the intended recipient and/or authorised personnel.
Employees may not retrieve and/or read any data that they have not been granted permission to
access unless authorized to do so.
Employees may not retrieve and/or read e-mail messages that were not sent to or meant for them
unless authorized to do so.
Passwords may not be retrieved or changed by any Employee except those authorized to do so.
MESSAGING / INTERNET SYSTEM / DATA STORAGE
The company e-mail and internet system is not to be used to solicit or proselytize for
commercial ventures, religious or political causes, outside organizations or other non-job-related
solicitations.
The system is not to be used to create any offensive or disruptive messages. Among those
which are considered offensive are any messages / internet content which contain sexual
implications, racial slurs, gender-specific comments or any other comment that offensively
addresses someone's age, sexual orientation, religious or political beliefs, national origin or
disability. The organization's overall employee manual or code of conduct shall be considered
the prevailing authority in the event of possible misconduct.
Employees should note that any data and information on the system will not be deemed
personal or private. In addition, the company e-mail / internet system may not be used to send
(upload) or receive (download) copyrighted materials, trade secrets, proprietary financial
information, or similar materials without prior authorization.
Information sent by employees via the electronic mail system may be used in legal
proceedings. Electronic mail messages are considered written communications and are
potentially the subject of subpoena in litigation. may inspect the contents
of electronic mail messages in the course of an investigation, will respond to legal
process and will fulfil any legal obligations to third parties.
The Internet is to be used for business purposes only. Employees with Internet access are
expressly prohibited from accessing, viewing, downloading, or printing pornographic or other
sexually explicit materials. In addition, employees should be mindful that there is no
assurance that e-mail texts and attachments sent within the company and over the Internet will
not be seen, accessed or intercepted by unauthorized parties.
EQUIPMENT AND SOFTWARE POLICY
EQUIPMENT
IT will configure all workstations with virus protection software, which must not be
removed or disabled.
Each employee is responsible for protecting their computer against virus attack by following
IT guidelines for scanning all incoming communications and media, and by not disabling the
anti-virus application installed on their workstation.
All data disks and files entering or leaving should be scanned for viruses.
Any equipment related to IT and/or telecommunications or production systems that is to be
attached to the networking infrastructure must be authorized and assessed
by IT before any purchase, acquisition or installation can take place. Failure to have the
equipment authorized could result in it being taken off the network and may delay its being
utilized.
NO unauthorized persons are allowed to access any IT and/or related equipment without prior
and/or written consent! Failure to adhere to this is a criminal offence and will be dealt with
accordingly.
Any lost or stolen equipment must be reported immediately to your manager and/or the IT
department; in some cases a police report may be required.
SOFTWARE
Only legally licensed software will be installed on computers.
Users are expected to read, understand and conform to the license requirements of any
software product(s) they use or install.
Software may not be copied or installed without the express permission or involvement of the
IT department.
Employees are expected to use the standard software provided by IT, or to identify applications
they need in the course of their work. Staff members are not permitted to download
applications, demos or upgrades without the involvement of IT.
Employees will use the standard e-mail system provided by for official e-mail
communications, and should not install their own e-mail systems. Additionally, use of
instant messaging programs, such as ICQ, AOL Instant Messenger, Microsoft Messenger, and
all OTHERS that may fall into this category, is prohibited unless otherwise approved by
management or the IT department.
PRINT / FAX / SCAN / COPY / PHOTO (CAMERA/VIDEO) – OUTPUT
CONTROL
All multifunctional and single-function print devices, cameras and video devices must be
logged with IT, and any new purchase of such a device is to be authorized, approved and
installed by IT.
All multifunctional and single-function print devices that need to be shared must first
be approved by IT and can ONLY be configured and set up by IT.
No changes may be made to any multifunctional or single-function print device unless
authorized, overseen or initiated by IT.
All ink, toners, ribbons and services due or required for any such devices must be acquired
through the IT department unless authorized otherwise (please note that IT IS NOT
RESPONSIBLE for paper, paper clips, staples or any related products that may be a function
of these devices).
All memory cards / memory upgrades for either printing devices or camera and/or video
devices must be logged, approved, authorised, acquired and installed by the IT department.
All copies, printouts, faxes, scans, pictures and videos (in all formats) to and from these devices
are the property of and are therefore governed by the Acceptable Usage
Policy. Any misuse of this equipment could lead to disciplinary action, the confiscation of
the device where this applies, and/or withdrawal of permission to use the device.
All copies, printouts, faxes, scans, pictures and videos (in all formats) to and from these devices
may only be used by authorised personnel; any unauthorized use / access could lead to
prosecution.
Passwords and user accounts set up on these devices are created by IT, and it is the user's sole
responsibility to safeguard their own ID and passwords by keeping them confidential and
NOT disclosing them to anyone else unless with written authorised consent by both the user
and the IT Department. It is the user's sole responsibility to report any suspected or actual
breach of their password's confidentiality.
All toners, ink cartridges, ribbons and disposable printer waste must be disposed of in
accordance with the Environmental Management Systems standard ISO 14001:2004. Any
and ALL vendors supplying printing equipment / printing peripherals must comply
with this.
BACKUP PROCEDURES:
All file server services are backed up nightly.
All Friday, monthly and yearly tapes not required for the period of the backup are stored off-site at a
data storage facility.
It must be noted that networked PCs are NOT backed up unless there is a specific
requirement to do so that is authorised by the IT Department; as such, important data and
applications should not be stored on the local hard drives of these machines. Therefore
employees working on especially crucial information are encouraged to back up these projects
to the network.
Computer users will be responsible for ensuring that the data stored on their local machines is
backed up as required by the owner to their shared data server. Please ensure that IT is made
aware of the data being backed up and that there is an agreement as to the directories used for this
backup.
Please be aware of the data that is being backed up to the local network and ensure that local
PC data is being backed up. IT retains the right to check all such data on the network; once
again this falls within the Acceptable Usage Policy, and as such any misuse will be
penalised in accordance with this policy.
Please note that usage of certain external storage media is prohibited by ;
please always check with local IT before using any storage media / device.
PASSWORD CONTROL POLICY
OVERVIEW
Initial passwords are assigned by the IT department and should not be given to other staff or
persons outside the organization.
Employees should change any password provided or issued by IT as soon as possible using
the instructions provided by the IT staff.
reserves the right to override any employee-selected passwords and/or
codes. This includes the right to revoke access to any system.
Employees are required to provide the company with any such codes or passwords to
facilitate access as needed.
Periodically, staff may be required to change their passwords.
At no time should employees allow a temporary worker, contractor or another
employee the use of their login and/or password.
In the case where an employee does provide another person access to their account, they will
be responsible for the actions of the individual using their account.
Passwords should not be stored in computer data files or on the network, or be displayed openly
at any workstation.
Any required password changes or accounts to be unlocked must be requested through the
local helpdesk. Should the employee in question not be able to do so themselves, they must
have their immediate supervisor / manager authorise and send the helpdesk request on their
behalf. PLEASE NOTE THAT NO UNAUTHORISED changes or account unlocks will be
done by the IT Department without this authorisation.
INFORMATION TECHNOLOGY GLOBAL ENTERPRISE ACTIVE
DIRECTORY PASSWORD STANDARDIZATION POLICY
It is important that all passwords be safeguarded. User passwords are required to
be changed regularly. Certain passwords, such as Service Account passwords, should not be
changed so as not to cause an interruption in services.
The password policy will be applied via the Group Policy Object.
In the case of users moving from one region to another it is necessary to have the same policy
applied in all user domains so that users work in the same manner wherever they are
located.
The policy must conform to all regional and organizational constraints.
1. Password Policies
User Domains
- Enforce password history. Passwords may not be reused until after five (5) different
  passwords have been used.
- Minimum password age is zero (0) days. Passwords may be changed more than once on
  the same date.
- Maximum password age is ninety (90) days. Passwords are required to be changed at
  least every ninety (90) days.
- Minimum password length is six (6) characters.
- Passwords must contain characters from three (3) of the following four (4) categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters (e.g. !, $, #, %)
- Passwords must not be stored using reversible encryption.
- Passwords must be set to expire.
Resource & Root Domains
- Enforce password history. Passwords may not be reused until after five (5) different
  passwords have been used.
- Minimum password age is zero (0) days. Passwords may be changed more than once on
  the same date.
- Maximum password age is sixty (60) days. Passwords are required to be changed at least
  every sixty (60) days.
- Minimum password length is six (6) characters.
- Passwords must contain characters from three (3) of the following four (4) categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters (e.g. !, $, #, %)
- Passwords must not be stored using reversible encryption.
- Passwords must be set to expire.
Exceptions
- Domain Admin Accounts
  o Should only contain service and/or application accounts, if required.
  o Password never expires.
- Service Accounts
  o Password never expires.
- Shared Accounts
  o Password never expires.
2. Account Lockout Policies
User Domains
- Accounts will be locked out for a duration of sixty (60) minutes after the maximum number of
  attempts to log on.
- Accounts will be locked out after six (6) failed attempts.
- The account lockout counter will be reset after thirty (30) minutes.
Resource and Root Domains
- Accounts will be locked out for a duration of one hundred and twenty (120) minutes after the
  maximum number of attempts to log on.
- Accounts will be locked out after six (6) failed attempts.
- The account lockout counter will be reset after sixty (60) minutes.
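The following PowerShell script is an added example, not part of the original policy document: it reads the effective Default Domain Policy of the current domain with the ActiveDirectory module, compares each setting against the User Domain or Resource & Root Domain values stated in the password and lockout sections above, and lists enabled accounts flagged "password never expires" for review against the documented exceptions. The script name, the -DomainType parameter and the OU names in $exceptionOus are assumptions; the expected values come from the policy text.

```powershell
# Audit-DomainPasswordPolicy.ps1 (added example, not part of the original policy document)
# Assumes the ActiveDirectory RSAT module is installed and the caller can read the domain.
param(
    [ValidateSet('User', 'ResourceRoot')]
    [string]$DomainType = 'User'          # assumed parameter; selects which section applies
)

Import-Module ActiveDirectory -ErrorAction Stop

# Values from the "User Domains" section of the policy.
$expected = [ordered]@{
    PasswordHistoryCount        = 5                            # five different passwords before reuse
    MinPasswordAge              = [TimeSpan]::FromDays(0)      # may be changed more than once a day
    MaxPasswordAge              = [TimeSpan]::FromDays(90)     # change at least every 90 days
    MinPasswordLength           = 6
    ComplexityEnabled           = $true                        # three of the four character categories
    ReversibleEncryptionEnabled = $false                       # must not use reversible encryption
    LockoutThreshold            = 6                            # locked after six failed attempts
    LockoutDuration             = [TimeSpan]::FromMinutes(60)
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(30)  # failed-attempt counter reset
}
# "Resource & Root Domains" differ only in maximum age and the lockout timers.
if ($DomainType -eq 'ResourceRoot') {
    $expected['MaxPasswordAge']           = [TimeSpan]::FromDays(60)
    $expected['LockoutDuration']          = [TimeSpan]::FromMinutes(120)
    $expected['LockoutObservationWindow'] = [TimeSpan]::FromMinutes(60)
}

$actual = Get-ADDefaultDomainPasswordPolicy

# One row per setting; -eq works for both integers and TimeSpan values.
$report = foreach ($setting in $expected.Keys) {
    $want = $expected[$setting]
    $have = $actual.$setting
    [pscustomobject]@{
        Setting  = $setting
        Expected = $want
        Actual   = $have
        Status   = if ($have -eq $want) { 'OK' } else { 'DEVIATION' }
    }
}
$report | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the domain default for the users and
# groups they apply to, so they must be reviewed as well or the audit above is incomplete.
$psos = Get-ADFineGrainedPasswordPolicy -Filter *
if ($psos) {
    Write-Warning 'Fine-grained password policies are present and override the default for their subjects:'
    $psos | Select-Object Name, Precedence, AppliesTo | Format-Table -AutoSize
}

# "Password must be set to expire" applies to user accounts; only the documented exceptions
# (service, shared and domain-admin application accounts) may carry PasswordNeverExpires.
# The OU names below are placeholders for wherever those exception accounts are kept.
$exceptionOus = @('OU=Service Accounts', 'OU=Shared Accounts')
$pattern = ($exceptionOus | ForEach-Object { [regex]::Escape($_) }) -join '|'
$unexpected = Get-ADUser -Filter { PasswordNeverExpires -eq $true -and Enabled -eq $true } `
                         -Properties PasswordNeverExpires |
              Where-Object { $_.DistinguishedName -notmatch $pattern }
if ($unexpected) {
    Write-Warning 'Enabled accounts with PasswordNeverExpires outside the exception OUs:'
    $unexpected | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize
}

# Non-zero exit code when the domain deviates, so the script can run as a scheduled check.
$deviations = @($report | Where-Object Status -eq 'DEVIATION').Count
Write-Host "$deviations policy deviation(s) found against the $DomainType domain settings."
exit $deviations
```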
INFORMATION TECHNOLOGY SYSPRO (SOUTH AFRICAN ERP
SYSTEM) PASSWORD STANDARDIZATION POLICY
1. Password Policies
Syspro User Accounts
- Enforce password history. Passwords may not be reused until after ten (10) different
  passwords have been used.
- Minimum password age is zero (0) days. Passwords may be changed more than once on
  the same date; operators may change their own password.
- Maximum password age is thirty (30) days. Passwords are required to be changed at least
  every thirty (30) days. The warning period for expiration starts ten (10) days prior to
  expiry.
- Minimum password length is five (5) characters.
- Passwords must contain at least one (1) character from three (3) of the following four (4)
  categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters (e.g. !, $, #, %)
- Passwords must not be stored using reversible encryption.
- Passwords must be set to expire. Force New Password at Next Login must be set.
Exceptions
- Admin Account
  o Password never expires.
  o Allow unlimited login attempts.
2. Account Lockout Policies
Syspro User Accounts
- Accounts will be locked out for a duration of ten (10) minutes after the maximum number of
  attempts to log on.
- Accounts will be locked out after three (3) failed attempts.
- Account lockout will be reset only after helpdesk authorization and action.
- A timeout is required in Menu and Queries; this is set due to licence seat restrictions to:
  o Timeout period of one (1) hour
  o Timeout action set to ask the operator to re-enter their Syspro password to re-initiate
    the session
HR ACCSYS PAYROLL SYSTEM PASSWORD STANDARDIZATION
POLICY
1. Password Policies
Accsys User Account
- Enforce password history. Passwords may not be reused until after one hundred and
  twenty (120) different passwords have been used.
- Minimum password age is zero (0) days. Passwords may be changed more than once on
  the same date; operators may change their own password.
- Maximum password age is thirty (30) days. Passwords are required to be changed at least
  every thirty (30) days. The warning period for expiration starts ten (10) days prior to
  expiry.
- Minimum password length is five (5) characters.
- Passwords must contain at least one (1) character from three (3) of the following four (4)
  categories:
  o English uppercase characters (A through Z)
  o English lowercase characters (a through z)
  o Base 10 digits (0 through 9)
  o Non-alphanumeric characters (e.g. !, $, #, %)
- Passwords must not be stored using reversible encryption.
- The login name may not be used as part of the password.
- Passwords must be set to expire. Force New Password at Next Login must be set.
Exceptions
- No exceptions.
2. Account Lockout Policies
Accsys User Account
- The account is not set to lock out, as there is only one account per system licence.
- The session times out after approximately 20 minutes of idle time.
EMAIL POLICY
OVERVIEW
provides employees with the use of electronic mail in order to enable employees
to efficiently and effectively communicate for and on behalf of the Company with other employees / departments, vendors, clients and other such persons / companies.
Thus all usage of the Company's e-mail system is governed by the Acceptable Usage Policy and
failure to adhere to this policy will result in disciplinary action.
EMAIL USAGE
It is the responsibility of each employee assigned an email address to check their e-mail on a
regular basis.
Make sure that messages are addressed and sent to the intended recipients.
Subject lines / titles on a message encourage the recipient to attend to e-mails in a more timely and
efficient manner.
Adhere to any and all data and software legal protections such as copyright and licenses.
Do NOT send harassing or threatening messages as this may result in legal or disciplinary
action.
Do NOT express views which could be regarded as defamatory or libellous.
Restrict e-mail to business-related subjects. Profanity, sound files, screen savers, jokes, or
animated graphics are not only open to misinterpretation / misrepresentation but may also
cause delivery of legitimate business e-mails to be delayed.
Do not use the Company e-mail system for personal use; all e-mails sent or received through
the Company e-mail system are regarded as Company Records and are monitored.
Do not send mass / chain / pyramid or similar messages and do NOT participate in any of
these schemes through Company e-mail.
Keep printing of e-mail to a minimum and only if really necessary.
Do not forward e-mail that has been sent to you personally to others, especially newsgroups
or mailing lists, without the express permission of the originator.
Do not send large e-mail messages or attachments, especially to a large number of recipients.
Do not send unnecessary messages such as electronic greetings or other non-work items
through the Company e-mail system.
Do not misrepresent yourself.
Do not create any offensive or disruptive messages. Among those which are considered
offensive are any messages which contain sexual implications, racial slurs, gender-specific
comments or any other comment that offensively addresses someone's age, sexual orientation,
religious or political beliefs, national origin or disability. The organization's overall employee
manual or code of conduct shall be considered the prevailing authority in the event of possible
misconduct.
Do not open any e-mails that may appear suspicious in any way without first checking with
the IT Department.
It is the employee's responsibility to keep their mailbox within the acceptable mail usage limit
and to delete all e-mails no longer required.
Information sent by employees via the electronic mail system may be used in legal
proceedings. Electronic mail messages are considered written communications and are
potentially the subject of subpoena in litigation. may inspect the contents
of electronic mail messages in the course of an investigation and will respond to the legal
process and will fulfil any legal obligations to third parties.
Employees should note that any e-mail sent through the Company e-mail system will not be
deemed personal or private. In addition, the company e-mail system may not be used to send
(upload) or receive (download) copyrighted materials, trade secrets, proprietary financial
information, or similar materials without prior authorization.
The company e-mail system is not to be used to solicit or proselytize for commercial
ventures, religious or political causes, outside organizations or other non-job-related
solicitations.
E-mail coming into and / or leaving the Company is scanned for viruses.
It is the employee’s responsibility to ensure that they fully understand the E-mail policy and if
they have any doubts about an issue affecting the use of the e-mail system that they consult
their immediate supervisor / manager or the IT Department in order to gain clarification.
Failure to comply with or adhere to the rules and guidelines of the Company's E-mail policy will
be seen as a breach and may lead to disciplinary action.
INTERNET POLICY
OVERVIEW
It is the responsibility of local management to implement this policy for all their employees who are
granted access to the Internet.
Access to the Internet may be provided either via a network or through a standalone PC.
For sites on the Wide Area Network, access to the Internet requires:
Corporate virus detection software must be installed on all PCs and Servers.
All access to the Internet will be through an approved firewall managed by the global network
team.
For sites not on the Wide Area Network, access to the Internet requires:
Corporate virus detection software must be installed on all PCs and Servers.
All access to the Internet will be through a firewall approved by the global network team.
For access to the Internet via a standalone PC (on or off the WAN):
Virus detection software must be installed on the PC.
The PCs should be assigned solely for use to access the Internet.
No files will be transferred from the standalone PC to the network without IT approval.
INTERNET ACCESS POLICY
will limit Internet access to those employees who demonstrate a
legitimate business need.
Access to the Internet for personal use may be provided during non-business hours, provided
it complies with this policy, is with the permission of local management, and users adhere
to any and all policies governing the use of the Company's systems and facilities.
All users accessing the internet must sign the Access Policy, which is
issued by the HR team. The local policy will have to be amended to take into account local
legislation (equivalent of the Data Protection Act in the UK).
may use software and systems to monitor and record all Internet usage.
Employees should be aware that security systems are capable of recording (for each and
every user) each World Wide Web site visit, each chat, newsgroup or email message, and
each file transfer into and out of our internal networks, and we reserve the right to do so at
any time. No employee should have any expectation of privacy or confidentiality as to his or
her Internet usage.
The Company reserves the right to inspect any and all files stored in private areas of the TI
Automotive network in order to assure compliance with policy.
The display of any kind of sexually explicit or violent image or document on any company
system is a violation of policy. In addition, sexually explicit or violent
material may not be archived, stored, distributed, edited or recorded using the network or computing resources.
Internet facilities and computing resources must not be used knowingly
to violate the laws and regulations of the United States, UK, EU or any other nation, or the
laws and regulations of any state, city, province or other local jurisdiction in any material
way. Use of any company resources for illegal activity is grounds for disciplinary action;
will co-operate with any legitimate law enforcement activity.
Any software or files downloaded via the Internet onto networks or
computers become the property of . Any such files or software may be
used only in ways that are consistent with their licenses or copyrights. Use of shareware and
trial software downloaded should be consistent with the conditions of use and authorised by
the IT Department.
No employee may use company facilities knowingly to download or distribute pirated
software or data.
No employee may use the Group’s Internet facilities to deliberately propagate any virus,
worm, Trojan horse, trap-door program code or similar.
No employee may use the Company Internet facilities knowingly to disable or overload any
computer system or network, or to circumvent any system intended to protect the privacy or
security of another user.
Each employee using the Internet facilities of shall identify himself or
herself honestly, accurately and completely (including company affiliation and function
where requested) when participating in chats or newsgroups, or when setting up accounts on
outside computer systems. N.B. Caution should be exercised when providing E-mail
addresses to non-secure sites.
Only those employees or officials who are duly authorised to speak to the media, to analysts
or in public gatherings on behalf of may speak/write in the name of
to any newsgroup or chat room. Other employees may participate in
newsgroups or chats in the course of business when relevant to their duties, but they do so as
individuals speaking only for themselves.
Where an individual participant is identified as an employee or agent of ,
the employee must refrain from any unauthorised political advocacy and must refrain from
the unauthorised endorsement or appearance of endorsement by of any
commercial product or service not sold or serviced by , its subsidiaries or
its affiliates. Only those managers and company officials who are authorised to speak to the
media, to analysts or in public gatherings on behalf of may grant such
authority to newsgroup or chat room participants.
retains the copyright to any material posted to any forum, newsgroup,
chat or World Wide Web page by any employee in the course of his or her duties.
Employees are reminded that chats and newsgroups are public forums where it is
inappropriate to reveal confidential company information, customer data, trade secrets, and
any other material covered by existing Company secrecy policies and procedures. Employees
releasing protected information via a newsgroup or chat - whether or not the release is
inadvertent - will be subject to disciplinary action under existing data security policies and
procedures.
Use of Internet access facilities to commit infractions such as misuse of
company assets or resources, sexual harassment, unauthorised public speaking and
misappropriation or theft of intellectual property are also prohibited by general company
policy.
Employees with Internet access may not upload any software licensed to
or data owned or licensed by without explicit authorisation from the
manager responsible for the software or data.
Employees' attention is drawn to the requirements of the Data Protection Act. This Act covers
data stored in the UK. All employees are required to comply with the requirements of the
Data Protection Act (for the UK) or such other equivalent legislation applicable in the country
in which they are operating.
Data hosted on a non (third party) server must be covered by a
confidentiality agreement.
No Internet based commercial transactions should be undertaken by, or on behalf of, any
company unless they are supported over a verifiable secure link.
will not be responsible for any financial loss by an employee as a
consequence of that employee undertaking a commercial transaction on behalf of the
over a non-secure link.
SECURITY
User IDs and passwords help maintain individual accountability for Internet resource usage.
Any employee who obtains a password or ID for an Internet resource must keep that
password confidential. policy prohibits the sharing of user IDs or
passwords obtained for access to Internet sites.
Any file that is downloaded must be scanned for viruses using the latest anti-virus software
before it is run or accessed.
may install a variety of firewalls, proxies, Internet address screening
programs and other security systems to ensure the safety and security of
networks. Any employee who attempts to disable, defeat or circumvent any company security
facility will be subject to disciplinary action.
E-mails and/or files containing sensitive company data that are transferred in any way across
the Internet must be encrypted. If you are unsure as to whether or not your systems can
encrypt please contact your local IT department.
A networked PC must never be connected to the Internet via a Modem. Computers that use
their own modems to create independent data connections are not protected by company
network security mechanisms. An individual computer’s private connection to any outside
computer can be used by an attacker to compromise any company network to which that
computer is attached. That is why any computer used for independent dial-up or leased-line
connections to any outside computer or network must be physically isolated from company’s
internal networks.
A stand-alone PC used to connect to the Internet should not also contain company
confidential data or be used to provide or support business critical services.
ASSET DISPOSAL POLICY
As per policy held with Quality Department
INFORMATION CLASSIFICATION POLICY
As per policy held with Finance Department
DOCUMENTATION CLASSIFICATION POLICY
As per policy held with Finance Department
RECORDS RETENTION POLICY
As per policy held with Finance Department
SECURITY POLICY
PHYSICAL SECURITY
Access to computer rooms will be limited to staff who require access for the normal
performance of their jobs.
Computers with sensitive information installed on the local disk drive should be secured in a
locked room or office during non-business hours.
Equipment which is to be removed from property must be approved in
advance with the IT department and an inventory of this equipment maintained by IT.
All equipment removed from the premises by an individual must be documented, including
the makes, manufacturers and serial numbers, on an IT-supplied form, and a copy of this form
shall be filed in the employee's HR folder.
If the employee leaves the organization, he or she must return the equipment to prior to the last day of employment.
NETWORK SECURITY
IT will monitor network security on a regular basis.
Adequate information concerning network traffic and activity is monitored to ensure that
breaches in network security can be detected.
IT will also implement and maintain procedures to provide adequate protection from intrusion
into computer systems from external sources.
No computer that is connected to the network can have stored, on its disk(s) or in its memory,
information that would permit access to other parts of the network.
Staff should not store personal, business, member or other credit card / account information, or
passwords, within word processing or other data documents.
All staff will log out of the network and turn their computers off before leaving the office at
night.
Staff should log off the network when they will be away from their desk for an extended
period, or lock the computer using the standard Windows lock, which is set to activate after
5 to 10 minutes.
will provide computer accounts to all staff who have
been identified to use any IT or related equipment, whether stand-alone or attached to the
company network(s).
External people who are identified to be strategically important to , such
as temporary staff, volunteers, or contractors, will also be provided accounts as appropriate,
on a case-by-case basis. The employee managing the temporary or contract staff assumes
responsibility for the identification of access requirements and use of the account.
ALL USER Accounts will be revoked on request of the user or manager or when the
employee terminates employment at .
DOCUMENT REVIEW TABLE
DATE         COMMENTS     ACTION        REVISION   REVIEWED BY
17/05/2012   Documented   Creation                 Kim Irvine
17/05/2012   Emailed      For comment              Manager
18/05/2012   Updated      Updated                  Kim Irvine
18/05/2012   Emailed      For comment              Manager
Revision: v1.1
Page 27 of 27
Revision Date: May 18, 2012