
Page 1: IT Code of Conduct - v1

Global Procedure

Document no.: 127938 Edition no.: 2.0

Internal no.: - Page no.: 1 of 11

IT Code of Conduct

S3 IT > S3.03 Deliver and Support > S3.03.05 Ensure Systems Security (DS5)

Scope

This procedure describes the rules and guidelines for all end-users of Novo Nordisk IT equipment and mobile devices.

More information can be found on http://itsecurity.novonordisk.com [4].

Applies to

All Novo Nordisk employees who use Novo Nordisk IT equipment must comply with the IT Code of Conduct. This also applies to non-Novo Nordisk employees, such as consultants and technicians [4]. In countries where local legislation does not comply with the IT Code of Conduct, an adapted local procedure may be applied. The local procedure must be aligned with the IT Code of Conduct, and local users must be trained in this. Misuse of Novo Nordisk IT systems or violation of the IT Code of Conduct may result in a reprimand, warning and dismissal.


Table of contents

Scope (page 1)
Applies to (page 1)
Table of contents (page 2)
Novo Nordisk Security Principles (page 4)
1 (page 4)
1.1 Approved equipment (page 4)
1.2 Private use (page 4)
1.3 Monitoring (page 5)
1.4 Mobile devices (page 5)
1.5 Disposal of equipment (page 5)
2 (page 5)
2.1 Secure connection (page 5)
3 (page 6)
3.1 E-mails (page 6)
3.2 Web surfing (page 6)
4 (page 6)
4.1 Intellectual Property (page 6)
4.2 Work related use (page 6)
5 (page 7)
5.1 Social networks (page 7)
5.2 Cloud services (page 7)
6 (page 7)
6.1 Encryption (page 7)
6.2 External use (page 7)
7 (page 8)
7.1 Passwords (page 8)
7.2 Virus and Malware (page 8)
7.3 Updates (page 8)
7.4 Server equipment (page 8)
7.5 IT Security Incidents (page 8)
Definitions (page 9)
References (page 10)
Change log (page 11)


Novo Nordisk Security Principles

As an end-user of Novo Nordisk IT equipment and mobile devices you must comply with the following seven IT Security Practices:

1

1.1 Approved equipment

You are not allowed to connect any unapproved equipment to Novo Nordisk Corporate networks.

All Novo Nordisk approved IT equipment is published on the Global IT Standardisation Programme (GISP) list, which can be accessed by local IT departments. All other equipment must first be approved by Novo Nordisk IT Security and IT Infrastructure before being used [2]. A local Guest network and a "Bring Your Own Device" service have been established in some affiliates [1]. When working, do not store files on local drives or the computer desktop; all files must be stored on file servers (department/project shares or GlobeShare) to ensure they are backed up. You must only use approved USB sticks [2]. Do not share Novo Nordisk equipment with anyone who is not authorised to use Novo Nordisk equipment [2].

1.2 Private use

Private use is permitted to a limited extent, but must not include any professional activity outside Novo Nordisk. All data transmitted and stored on Novo Nordisk systems belong to Novo Nordisk. Novo Nordisk can, to the extent permitted by law, use data and e-mail correspondence in legal actions involving Novo Nordisk. If you write a private e-mail, the word ‘private’ must be inserted into the subject field.


1.3 Monitoring

To the extent permitted by law, Novo Nordisk reserves the right to continuously monitor the use of Novo Nordisk IT systems, computers and mobile devices. Novo Nordisk only has access to private correspondence as part of the general operational monitoring.

Novo Nordisk monitors activities on internal IT systems and the internet (IP-address, IT system accessed, location and date). This monitoring is used for security reasons and to safeguard Novo Nordisk assets.

1.4 Mobile devices

You are allowed to install personal applications on your mobile device and take personal pictures. However, you are responsible for your own data, including backing up such data. If required, Novo Nordisk can initiate deletion of all data on the device [1].

1.5 Disposal of equipment

All Novo Nordisk equipment that is no longer in use must be securely disposed of in an environmentally sound manner. Hard drives and other storage media must be erased with an approved tool or must be destroyed [2]. Equipment containing information under legal hold must follow the rules defined in Protecting and Handling Information [6].

The Line Manager is responsible for disposal of equipment belonging to direct reports and consultants. System Owner and System Manager are responsible for servers and services used [5].

2

2.1 Secure connection

When connecting Novo Nordisk equipment to external networks, make sure to always establish VPN or another approved connection to Novo Nordisk [4]. Home networks are considered external networks.


3

3.1 E-mails

Never open suspicious attachments or click on suspicious links in e-mails from unknown senders [8].

You must also immediately discard e-mails that ask you to share any sensitive information, such as credit card numbers or internal company information.

3.2 Web surfing

Visiting any illegal or objectionable sites containing e.g. pornographic or racist material is prohibited, as is storage of such material on Novo Nordisk IT equipment.

4

4.1 Intellectual Property

Always respect software licenses or information protected by copyright laws. This includes downloading and streaming of copyright protected music, radio- or TV-transmissions, and video files. Use of trial license software requires approval [2].

4.2 Work related use

In general, only download work-related files to your work devices. However, limited private use is allowed [2].


5

5.1 Social networks

When you use social media, do not discuss internal or confidential matters. Be aware that any content you share (text, pictures, video etc.) can have a long-lasting impact on Novo Nordisk's reputation. Novo Nordisk has a set of guidelines on how to behave and represent Novo Nordisk on social media [7]. Contact Corporate Communications if you want to know more about social media at Novo Nordisk.

5.2 Cloud services

You are not allowed to transfer or automatically forward Novo Nordisk information to web-based services (e.g. Gmail, Dropbox, etc.) that are not approved by Novo Nordisk [2]. Downloading material made public by other parties is allowed (see section 4). Be cautious when using online services e.g. translation services. Visit IT Security Central to learn more about approved cloud solutions [4].

6

6.1 Encryption

Confidential data should be encrypted according to the data classification rules [6]. Unencrypted storage of confidential information on USB memory sticks, DVDs or other removable media should only be used in special cases and must be kept physically secure. Learn more about this in the IT Security FAQ [2].

6.2 External use

When you take IT equipment outside Novo Nordisk, always consult the Document Catalogue [6] for specific requirements. If you print confidential information, do not leave the printed materials unattended.


7

7.1 Passwords

Passwords are personal and secret and must not be shared with anyone. Passwords should not be easy to guess, must be changed regularly, and should include:

• At least 8 characters
• Numbers (0-9)
• Small and capital letters (a-z, A-Z)
• Special characters (e.g. $#!")

If you suspect that any of your current passwords have been revealed, you must initiate actions to change the password, and report potential misuse immediately to the local IT department or Service Desk.

7.2 Virus and Malware

If you suspect that your equipment has been infected by malware, you must immediately disconnect from all networks, including wireless networks, and contact the local IT department or Service Desk.

7.3 Updates

Software installation and update instructions must be followed and security measures must not be challenged or changed. GISP Technology Manager and GISP dispensation owner are responsible for timely identification, decisions and availability of updates to GISP components. System Owner is responsible for timely installation [3].

7.4 Server equipment

Novo Nordisk servers must not be used for web surfing or e-mail access.

7.5 IT Security Incidents

An IT security incident is defined as a situation indicating attempted or actual harmful destruction, alteration or disclosure of Novo Nordisk information or IT systems, or a violation of IT security requirements. All actual or suspected IT security incidents or possible weaknesses must be reported to Novo Nordisk IT Security, your local IT department or the Service Desk [4].


Definitions

This list contains definitions of abbreviations and terms used in this document.

Business Critical Information: Information can be classified as business-critical as a result of ongoing business value or importance for Novo Nordisk, or requirements from external authorities. Business-critical information must be properly protected and handled throughout its whole life cycle.

BYOD: Bring Your Own Device.

GISP: Global IT Standardisation Programme.

IT equipment: Any IT hardware or IT software performing IT operations and tasks.

IT Security Incident: A situation indicating attempted or actual harmful destruction, alteration or disclosure of Novo Nordisk information or IT systems, or a violation of IT security requirements.

Malware: Short for "malicious software" (a computer virus is one example of malware).

Mobile Device: Any kind of smartphone or tablet that enables processing of Novo Nordisk information.

Personal Data: Information directly or indirectly relating to individuals.

Service Desk: Locally established support functions. Please consult the local intranet and IT function for more information.

Suspicious mail: Mails from unknown individuals or companies, mails with unexpected contents, and all links with underlying shortcuts should be treated as suspicious and clicked only with caution.

Third Party: Person or organisation outside the Novo Nordisk Group.

VPN: Virtual Private Network.


References

[1] AnyDevice Home, http://anydevicehome
[2] IT Security FAQ, http://globeshare.novonordisk.com/ITQCD/IT/ITOM/ITSecCentral/Pages/FAQ.aspx
[3] 127939 (QBIQ Document), IT Security Procedure
[4] Novo Nordisk IT Security website including FAQs on IT Security, http://itsecurity.novonordisk.com
[5] 129026 (QBIQ Document), Personal Data Protection
[6] 011863 (QBIQ Document), Protecting and handling information
[7] Social Media Guidelines, http://globeshare.novonordisk.com/CR/CC/CorpCom/online_social/Pages/GuidelinesStrategy.aspx
[8] Novo Nordisk IT Security FAQ (or see Definitions), http://itsecurity.novonordisk.com


Change log

Edition no.: 1.0
Effective date: 04-Apr-2011
CR number: 178676
Changes to document: New document. This document along with 127938 and 127939 replaces 044869.
Rationale for document change:
Replaced document(s):

Edition no.: 2.0
Effective date: See Signature Page
CR number: CR601125
Changes to document: Two new sections regarding "Social Media" and "Mobile devices" added. In general updated to reflect Best Practice as of today. All sections restructured to match awareness training material and text rewritten to ease understanding.
Rationale for document change: Updated
Replaced document(s): 1.0

Novo Nordisk A/S Electronic Signature Page

Object ID: 090239b780bdf427
Edition: 2.0
Document ID: 000698409
QBIQ Number: 127938
Effective Date: 22-Dec-2014

IT Code of Conduct

This is a representation of an electronic record that was signed electronically and this page is the manifestation of the electronic signature.

Document signed by:

Initials | Full Name | Meaning | Date and Time of Signature (Server Time)
tbah | TBAh - Thor Ahrends | Author Approval | 06-Oct-2014 09:53 GMT+0000
vtur | VTUR - Vincent Turgis | Owner Approval | 20-Oct-2014 09:30 GMT+0000
lpm | LPM - Lars Peter Mortensen | Quality Assurance Approval | 20-Oct-2014 13:58 GMT+0000
cidr | CIDR - Cecilie Damgaard Rasmussen | Document Release Approval | 21-Oct-2014 08:19 GMT+0000