it-01 company electronic data policy


Upload: krlekonj

Post on 19-Apr-2017


DOCUMENT NO: IT-01
REVISION NO: 0
EFFECTIVE DATE: 1-August-2009
PAGE NO: 1 of 6
PREPARED BY: Hong Chan Chuen
APPROVED BY: Lim Hock Chee

COMPANY ELECTRONIC DATA POLICY

1.0 PURPOSE:

1.1 To establish and maintain a policy on use of company information systems.

2.0 SCOPE:

2.1 This policy applies to all CMM employees and all CMM information systems.

3.0 REFERENCES:

3.1 IT-02 (IT Password Standards)

3.2 IT-05 (Physical Security of IT Equipment)

3.3 IT-09 (Third Party and Contractor Access Policy)

4.0 DEFINITIONS:

4.1 IT – Information Technology

5.0 EXHIBITS:

5.1 None

6.0 RESPONSIBILITIES:

6.1 All Employees

- Accountable for the use of company electronic data systems in accordance with the following policies and in a professional manner.

6.2 All Managers / Head of Department

- Responsible for ensuring appropriate usage of company resources.

- Ensuring that all staff in their area of responsibility including temporary and contractor staff are familiar with and comply with this policy.

6.3 IT Management / IT Support Leader

- Ensuring that the information security policies, practices and procedures are implemented and adhered to within the organization. This includes securing information systems and networks, and monitoring system usage for possible abuse.

- Ensuring that procedures in support of the policy are maintained.

2-MAY-23

7.0 PROCEDURE:

7.1 CMM provides computer equipment and access to e-mail and other electronic data systems solely for the purpose related to the business of CMM and the associated duties of the employee. It is important that employees exercise good judgment in ensuring that use of this technology does not interfere with Company business, negatively impact employee productivity or result in inappropriate Company expense. All CMM computers, network, email, voicemail, Internet access equipment, and access routes are solely the property of CMM as is the electronic data created by such access. The IT department may periodically monitor these systems to correct problems and to ensure proper use and security. Employees cannot expect any personal privacy for communications or data that is sent, received or stored on these systems.

7.2 Access to any CMM electronic data services is dependent on your acceptance of this policy.

7.3 Violation of any provisions of this policy as described will result in disciplinary action up to and including termination.

8.0 PRACTICE:

8.1 Acceptable Usage and Privacy

8.1.1 Personal computers and all associated electronic resources (including internet access and email) are provided to meet the legitimate business needs of CMM. Personal files and emails are not to be stored on company assets or on shared network drives. IT Department personnel are authorized to immediately delete any unauthorized files or software found on workstations.

8.1.2 Information system activities (e.g. email and Internet usage) are logged and monitored for inappropriate use. The Company reserves the right to monitor, access or disclose electronic messages or files. This action will be taken when there is a need, perceived or implied, to protect system security, fulfill company obligations, detect employee wrongdoing, comply with legal process or protect the rights or property of the company.

8.1.3 Employees may not use company systems, including email or Internet access to infringe the copyright or other intellectual property rights of third parties, to view, initiate or distribute defamatory, pornographic, fraudulent or harassing messages, or otherwise to engage in any illegal or wrongful conduct.

8.1.4 Although receipt of unauthorized non-company related messages is not under an employee’s direct control, it is each employee’s responsibility to delete such information and notify the originator that it is against company policy for a CMM employee to receive non-company related information without prior management authorization. In the event of misuse of this system, access to these resources will be denied.

8.2 System Authentication and Password

8.2.1 System authentication is the process of reliably and correctly identifying an individual by providing appropriate credentials. The current method of authentication at CMM is the use of a unique username and password. This method provides an appropriate level of security for most CMM electronic data (information) systems.

8.2.2 Every employee must protect the confidentiality of their password and all information entrusted to them. Employees will be held responsible for all activity originating from their account.

8.2.3 Passwords should not be written down and must not be shared with anyone.

8.2.4 Shared accounts, also known as ‘generic accounts’ or ‘group logons’, are typically not permitted. The only instance in which a shared account is allowed is to provide ‘inquiry’ only access to non-confidential information. In such cases, the need for the shared account must be documented and approved by the CIO.

8.2.5 Third party accounts (Consultants/Vendors/etc) must only be assigned for a defined period of time (start date/end date) and accounts must be automatically reviewed following the end of this period, and either be revoked or renegotiated for another defined period.

8.2.6 Employees will only be provided with system access rights or capabilities required to perform the normal duties of their job. The access rights will be defined in such a way to prevent incompatible duties. For example, an employee should not have the access rights to both create a purchase order and pay for the goods or service received against the order.

8.2.7 Standard password rules have been defined and are required for key information systems. The password rules must be automatically configured into the information systems wherever possible. Specific details about the standard password rules can be found in the Corporate IT policies library. Generally accepted password requirements can include, but are not limited to:

- Minimum password length of 8 characters

- Complex passwords (e.g. 1 numeric character, 1 upper case letter)

- Difficult to guess passwords (e.g. avoid family names)

- Password expiry that requires the password to be changed every 45 days

- Accounts to be ‘locked’ after 3 invalid password entries.

8.2.8 Employees are responsible for the reasonable protection of data and applications stored on portable computing devices (e.g. PCs, handheld devices such as BlackBerrys and removable disks) by ensuring that there is appropriate password protection. (Refer to IT-02 IT Password Standards)

8.2.9 Employees are not allowed to access the accounts of other employees either by guessing their password or by the use of automated means such as password ‘cracking’ or monitoring software.

8.2.10 A password protected screensaver is installed on all computers and will be activated after 30 minutes of system inactivity. The employee’s network password is required to login to the system again.

8.3 Hardware and Software

8.3.1 All computers attached to the CMM network must have CMM standard anti-virus software installed. This software will automatically check, in real-time, for a variety of virus types and modes of infection (i.e. email virus, boot sector virus, internet virus, etc.). The ‘signature’ files for the anti-virus software are updated regularly.

8.3.2 All files received from outside sources must be checked for computer viruses.

8.3.3 Employees must not modify, disable, tamper with or remove the standard system configuration settings unless performed or approved by authorized IT department personnel. This includes anti-virus software and screen saver passwords.

8.3.4 All computer hardware and software must be in compliance with the standard hardware and software product list maintained by the IT department. The acquisition and installation of any non-business-related or unauthorized software or hardware, including software from the internet, is prohibited without explicit permission from both the employee’s head of department and IT Management. IT personnel can detect and remove unauthorized hardware and software.

8.3.5 Employees must ensure that all programs and data loaded on CMM owned computing devices are legal and appropriately licensed. All software must be authorized by the Corporate IT department and its use must comply with the manufacturer’s license agreement.

8.3.6 Access to the CMM network must originate from assets that are owned by CMM and supported by the IT department or by systems duly approved by the IT department.

8.4 Backup and Recovery

8.4.1 Employees are responsible for ensuring that backup files are created for important files or that their data files are stored on a shared network drive that is backed up by the IT department.

8.5 Email and Internet Usage

8.5.1 Company email is only to be accessed remotely through channels approved by the IT department (e.g. SSL VPN connection or Outlook Web Access (OWA) connection). Requests for remote access must be approved by the employee’s head of department and submitted to the IT department for approval and set-up.

8.6 Physical Security and Theft

8.6.1 Employees are responsible for the physical protection of portable computing devices assigned to them. This includes Palm Pilots, BlackBerrys, USB storage devices and laptop computers.

- In the office, employees must ensure all portable devices (laptops, PDAs, etc.) are locked away in a desk or cabinet, or secured using a locking cable after hours.

- Outside the office, employees must take prudent care to avoid the theft or loss of assigned computing devices. This includes the use of a hotel safe while traveling and not leaving devices unattended in public or left in plain sight in a vehicle.

8.6.2 If a personal computing device is lost or stolen, it must be immediately reported to your head of department, the IT department and local police, when appropriate. A description of the device and the data and applications stored on the device will be required.

8.7 Audit and Enforcement

8.7.1 Any significant incidents of non-compliance, or suspected non-compliance, must be reported to your head of department and the CIO, who will investigate as appropriate.

8.7.2 The IT department will monitor CMM systems for appropriate usage. In the event an employee is found to be misusing the Company’s electronic data systems, the IT department will document the issue found and the name of the employee misusing the system. The IT department will notify the employee’s head of department and the Human Resources Department, describing the issue found.

9.0 REVISION HISTORY:

Rev #   Sec./Page No   Name              Change Date   Changes
0       -              Hong Chan Chuen   6-Jul-09      New
