
Page 1: IT Code of Conduct

Version: 4.0

Date of version: 20th of August, 2015

Updated by: Hassan Gulzar

Reviewed by: M. Atif Hussain

Approved by: Mudasser Farooq Mian

IT Code of Conduct

Responsible use of Technology is everyone’s responsibility


Change history

Version  Date               Remarks
1.0      Nov 2008           Developed by Shariq Saifuddin
2.0      Dec 2008           Reviewed by Feroz Rizvi
3.0      Jan 2013           Modified by Mohammad Ali Khawaja
4.0      August 2015        Updated by Hassan Gulzar to reflect major changes in the ICI IT Code of Conduct based on the new IT Security Policy as per ISO 27001:2013 standards
4.0      August 2015        Reviewed by Mudasser Farooq and Atif Hussain
4.0      20th August, 2015  Approved by Mudasser Farooq Mian


Table of Contents

1. Introduction (page 1)
2. General Principles and Guidelines (page 2)
3. Specific Requirements (page 3)
3.1. Clear Desk and Clear Screen Guidelines (page 3)
3.2. Unattended User Equipment (page 3)
3.3. Internet / Intranet Use (page 3)
3.4. Information Disclosure and Electronic Communication (page 4)
3.5. Wireless and Remote Access (page 6)
3.6. Access Rights (page 7)
3.7. Third Party Access Rights to Secure Areas (page 7)
3.8. Password Use (page 7)
3.9. Use of Cryptographic Controls (page 8)
3.10. Guidelines for Handling Removable Media (page 8)
3.11. Software Use (page 9)
3.12. Hardware Use (page 9)
3.13. Mobile Device (page 10)
3.13.1. General Guidelines on Usage of Mobile Devices (page 10)
3.13.2. Mobile Device Data Security Guidelines (page 10)
3.13.3. Guidelines for Mobile Device Physical Security (page 11)
3.13.4. Mobile Device Tampering (page 11)
3.14. Information Retention (page 11)
3.15. Intellectual Property Rights (page 12)
3.16. Responding to Security Incidents and Malfunctions (page 12)
3.17. Compliance Process (page 12)
3.18. Update Process (page 13)


ICI Pakistan Ltd. IT Code of Conduct Page 1 of 13

“Effective Information Technology behavior is a state of mind that is adopted and accepted at all levels of the organization”

1. Introduction

Undoubtedly, the use of Information Technology has grown extensively in every facet of business, and functioning without it is no longer an option. However, the emergence of new tools, information and communication systems, the internet and electronic means of communication poses a number of potential threats and concerns that must be dealt with.

If IT is not properly used, it can expose both ICI Pakistan and individual users to liability and antitrust and/or copyright violations for improper usage, receipt, downloading or dissemination of information.

The ICI IT Code of Conduct comprises requirements that are applicable to all users across ICI Pakistan making use of IT related resources. ICI Pakistan users include employees and non-employees such as temporary staff, consultants, contractors/vendors, support staff, clients and/or visitors.

All third parties must, where applicable, be aware of the IT Code of Conduct and the ICI Pakistan Information Security Policy and must commit to adhering to them, particularly when providing outsourcing services or facility management services to ICI Pakistan that may involve using ICI Pakistan information systems, databases, ICI networks, intranet and internet services.

Users having any concerns or doubts about this document are advised to contact either their respective Line Manager or the IT Head of Department.


2. General Principles and Guidelines

As a general rule, all IT related resources and facilities are provided only for internal use and/or business-related matters.

A limited amount of responsible personal use by users is also permitted, provided that such use is legal, is insignificant and does not interfere with the operation of information systems and technology, burden ICI Pakistan with incremental costs, or interfere with the user's employment or other obligations to ICI Pakistan. IT facilities should never be used for a user's personal gain or profit.

Disclosure or dissemination of confidential or proprietary information regarding ICI Pakistan or its associated or holding companies, its products or its customers outside the official communication structures is strictly prohibited.

IT related resources and facilities should not be used in any way that is unethical or illegal, or that could embarrass, defame, misrepresent or convey an unjust or unfavorable impression of ICI Pakistan or its business affairs, employees, suppliers, customers, competitors, or stakeholders.

Unauthorized access to information and information systems is prohibited; access must be authorized by the owners of the information and in line with the user’s job description.

Information systems can be secured by personal passwords and/or additional authentication means like hardware tokens; users must use these in a responsible way, keeping them personal and securing them against misuse.

Any installation, change, removal or personal use of software provided by ICI Pakistan or available on ICI Pakistan Information Systems must be authorized and managed by the Information Management organization or a delegated party.

In order to prevent theft, loss or unauthorized use of information and systems, users have to take care of the physical security of provided hardware such as laptops, phones, tokens, USB sticks, etc.

To protect the availability of company data, users have to secure relevant business information in a timely manner by making back-ups or storing data on network drives.

Information Security related incidents or violation of Information Security principles must be reported to the local IT Helpdesk or Head of IT.

Every employee of ICI Pakistan is required to be familiar with, and to comply with, the Information Security Policy, rules and procedures applicable to his or her specific department and site.

ICI Pakistan reserves the right to review the activities performed by the user using company-provided IT facilities. However, when doing so, responsible line management might be asked to authorize such activity and will be informed on the objectives and the results of the review. All applicable national laws will be followed.


3. Specific Requirements

3.1. Clear Desk and Clear Screen Guidelines

As set out in the ICI IT Security Policy, a clear desk and clear screen policy shall be followed by all users. This includes:

Hard copy classified information or removable media on which such information is stored (such as diskettes, compact discs) should be locked away when not required, especially when the office or workspace is vacated.

Classified information shall not be left displayed on unattended computer screens or screens that can be viewed by individuals not authorized to view such information.

Classified information, when printed, shall be cleared from printers immediately.

Consideration shall be given to protecting incoming and outgoing mail points, unattended fax machines and photocopiers.

3.2. Unattended User Equipment

Users shall not leave computers and related equipment (e.g. PCs, workstations, terminals, servers) unattended without taking one or more of the following precautions:

Lock the office (where this is feasible and allowed)

Secure the computer, or lock it away out of sight

Activate an approved password-protected Screen Saver/Lock or log-out of the system

Switch off the device and remove system-operating disks

Ensure security devices used for access are not left available

Ensure that ICI Pakistan classified information shall not be left displayed on unattended screens.

ICI Pakistan staff shall clear their personal work areas of all ICI Pakistan classified information at the end of each working day and ensure that it is securely stored.

3.3. Internet / Intranet Use

Users are expected to:

Use the Internet sensibly, being aware that whenever they visit an Internet site, information identifying the user's computer may be monitored or logged. Any activity a user engages in via the Internet may therefore reflect on ICI.

Access web sites by always complying with the terms and conditions governing the web site use.


Keep personal usage insignificant; it is only permitted subject to the same rules as are set out for personal e-mail usage in this document.

Avoid providing their ICI e-mail address when using public web sites for non-business purposes; this is strongly discouraged, must be kept to a minimum and done only where absolutely necessary, as it may result in the user and ICI receiving substantial amounts of unwanted e-mail.

Be aware that certain web sites are blocked, restricted or limited by ICI; a user who has a particular business need to access such sites should contact their local IT support staff.

Users must not:

use any images, text or material which are copyright protected, other than in accordance with the terms of the license under which they were permitted to download them;

introduce packet-sniffing or password-detecting software;

seek to gain access to restricted areas of ICI's network;

access or try to access data which they know or ought to know is confidential;

introduce any form of computer virus, or disable or modify any protection software;

carry out any hacking activities.

3.4. Information Disclosure and Electronic Communication

Employees may disclose or disseminate electronic communication or information contained in, and/or received by electronic communication, only to authorized and/or need-to-know personnel.

Electronic messages which may be intimidating, disparaging, discriminatory, harassing, hostile or offensive on the basis of, for example, gender, race, age, color, religion, national origin, sexual orientation or disability must not be communicated. Usage and storage of such messages is also prohibited. Such unsolicited messages, if received, should be deleted.

All electronic communication containing, for instance, technical or proprietary information must be marked according to ICI information classification rules, including an appropriate disclaimer message.

Every employee should be aware that electronic communication can be used as official documents in legal proceedings and can be placed in the possession of people outside the company.

In light of the security risks inherent in Internet-based e-mail accounts, such as Yahoo and Hotmail, users must not e-mail business documents to personal web-based accounts. A user may send documents to an external party's web-based account if he/she has the external party's express written permission to do so. However, under no circumstances should a user send price sensitive or highly confidential documents to an external party's personal web-based e-mail account, even if the external party asks them to do so. In exceptional cases where there is a specific requirement to send to a personal web-based account, permission must be requested from the CFO.

All personal e-mails sent must be marked PERSONAL in the subject heading, and all personal e-mails sent or received must be filed in a folder marked "Personal" in the user's mailbox. Contact IT Support if any guidance is required on how to set up and use a personal folder. All e-mails contained in other folders, including the in-box and sent items box, are deemed to be business communications for the purposes of monitoring.

Users must ensure that their personal e-mail use:

Is insignificant and does not interfere with the performance of their duties;

Does not take priority over their work responsibilities;

Does not cause unwarranted expense or liability to be incurred by ICI Pakistan;

Does not have a negative impact on ICI Pakistan in any way; and is lawful and complies with this standard.

All users should be well aware of:

Procedures designed to protect exchanged information from interception, copying, modification, misrouting, and destruction

Procedures for the detection of and protection against malicious code that may be transmitted through the use of electronic communications

Procedures for protecting communicated sensitive electronic information that is in the form of an attachment

Policy or guidelines outlining acceptable use of electronic communication facilities

Use of cryptographic techniques to protect the confidentiality, integrity and authenticity of information

Retention and disposal guidelines for all business correspondence, including messages, in accordance with relevant national and local legislation and regulations

Advising personnel to take appropriate precautions not to reveal confidential information

Not having confidential conversations in public places, over insecure communication channels, or in open offices and meeting places


By making personal use of ICI Pakistan's facilities for sending and receiving e-mail, the user signifies his/her agreement to abide by the conditions imposed for their use, and signifies consent to ICI Pakistan monitoring his/her personal e-mail.

Sometimes it is necessary for ICI Pakistan to access a user's business communications during his/her absence, such as when the user is away because of illness or on holiday. Unless the user's mailbox settings are such that the individuals who need to do this already have permission to view their in-box, access will be granted only with the written permission of the Chief Executive.

Any e-mails which are not stored in the user's "Personal" folder in their mailbox and which are not marked PERSONAL in the subject heading will be treated, for the purpose of availability for monitoring, as business communications, since there is no way of knowing that they were intended to be personal. It is up to the user to prevent the inadvertent disclosure of the content of personal e-mail by filing their personal e-mail in accordance with this standard. In particular, the user is responsible to anybody outside ICI Pakistan who sends to the user, or receives from the user, a personal e-mail, for the consequences of any breach of their privacy which may be caused by the user's failure to file his/her personal e-mail.

In certain very limited circumstances it may be necessary, subject to compliance with any legal requirements, to access e-mail marked PERSONAL. Examples are when there is reasonable suspicion that these may reveal evidence of unlawful activity, including instances where there may be a breach of the ICI Pakistan Code of Conduct. Permission to access a user's personal e-mail will be given only with the written permission of the Chief Executive.

Auto-forwarding of e-mails is only allowed within the ICI Pakistan infrastructure.

Every employee must comply with the governing legal and company rules regarding personal privacy and personnel data.

Every employee should be aware that he/she can be held liable for infringing company copyright and trademarks.

All actions where it can be foreseen that these may lead to information system malfunctioning are prohibited.

3.5. Wireless and Remote Access

All the policies applicable to Internet and Intranet use are also applicable to wireless and remote networks.

Employees can also get access to the ICI network through wireless access points in some locations, e.g. conference rooms.

Visitors to ICI premises will also be able to get wireless access to the internet for a limited time. However, this must be approved by the user who is accompanying those visitors and by the respective department's HOD.

Employees working remotely can get access to the company network through VPN, or to e-mail through the internet. This also needs to be approved by the user's department HOD.

Employees working remotely need to make sure their surroundings and equipment are secure for working on company data.

3.6. Access Rights

Users must be aware of the User Access management policies section detailed in ICI Pakistan IT Security Policy and must comply accordingly.

Mechanisms to identify oneself (e.g., User ID and password) are strictly personal. Users are responsible for keeping these mechanisms confidential and for selecting passwords that follow the rules for the information system being accessed.

Users are responsible for ensuring that the access authorization granted is understood and no attempt is made to exceed it.

Every employee must be aware that unauthorized access to and modification of company data is prohibited.

For any required authorization for an application, ERP system and/or database, the user must comply with the procedures set out in the ICI Pakistan IT Security Policy. Generally this constitutes submission of a formal request, using the correct authorization forms from the existing OneWindow Solution application and stating the required authorization, followed by approval from the applicant's line management or from an employee authorized by this management. The request must state the user ID of the applicant (known), name and organization unit.

3.7. Third Party Access Rights to Secure Areas

Third party or own personnel who do not usually have access to secure areas shall be under surveillance when working in such areas. This should be done either by the presence of authorized own personnel or by camera surveillance.

All visitors and third party personnel must wear badges stating the level of access to secure areas.

Access rights to secure areas shall only be granted on a need for access basis.

External personnel, such as contractors, consultants or outsourcing partners shall sign a non-disclosure agreement. A copy of all such agreements shall be kept with the Local Information Security Officer and/or respective Help Desk Staff.

3.8. Password use

Users shall follow good security practices in the selection and use of passwords. All users must:

keep passwords confidential;

avoid keeping a paper record of passwords, unless this can be stored securely;

select passwords that follow the rules for the information system being accessed;

not include passwords in any automated log-on process, e.g. stored in a macro, function key or the operating system;

not share individual user passwords.

Even where a system permits passwords shorter than 8 characters, a password of at least 8 characters shall be used.

3.9. Use of Cryptographic Controls

In circumstances where users need to apply cryptographic controls to safeguard sensitive information or electronic media, users must only utilize approved encryption products in accordance with:

The ICI Pakistan Security policy on encryption; and

The laws of the country they are operating within and the laws of the country to/from which encrypted information or software is being sent / received.

Users must also ensure that:

No encrypted data/information shall be sent into countries where the use of encryption is illegal or restricted (unless ICI Pakistan has dispensation to use encryption), or to countries where the law of the sending country prohibits the use of encryption. This does not, therefore, permit the transfer of unencrypted data to/from such countries.

Where approved encryption processes involve the allocation of encryption keys, ICI Pakistan's users are responsible for safeguarding their encryption key(s), passwords and/or digital certificates, and for making them available to ICI Pakistan management when there is a business need and on leaving the company.

3.10. Guidelines for Handling Removable Media

Removable computer media shall be physically secured in line with its level of classification as defined in the ICI IT Security Policy. Examples of removable computer media include tapes, disks, cassettes and printed reports.

Data media, such as hard drives, diskettes and tape, shall be disposed of securely and safely when no longer required.

Users must comply with their business-defined procedures, in coordination with IT, whenever transportation of computer media from one location to another is required, to ensure that the physical media is safeguarded. In particular, the following controls shall be considered:


The couriers to be used and the procedures by which they are identified.

Packaging standards to protect media.

3.11. Software Use

Users should only use authorized copies of software and should never remove any ICI Pakistan standard software installed on PCs.

The terms and conditions of software licenses are embedded in the software description, and the agreements between ICI Pakistan and software suppliers should be followed.

Users may not download, use or distribute software or executable programs from computer networks without proper:

authorization from the IT function,

payment of fees (where applicable),

prior verification of the operational integrity.

All data and software received on any medium from internal and external sources, as well as data and software to be run on ICI Pakistan IT facilities, must be scanned for viruses prior to use. The most up-to-date version of the virus check program, disseminated by ICI Pakistan, is to be used.

Users should be aware of the corporate anti-virus software policy and must comply with the procedures for informing their local Help Desk Support about any malicious software, e-mail attachment, download or malware.

Use of Peer-to-Peer applications and other file sharing applications is prohibited.

Use of streaming media is not allowed (streaming audio, radio and video, etc.).

Users may not install any software or code on computer equipment.

3.12. Hardware Use

Users shall ensure that unattended equipment has appropriate protection by:

logging off computers when the session is finished (i.e. not just switching off the workstation)

securing workstations from unauthorized use by screensavers with passwords, keyboard locks or equivalent controls

only using portable PCs outside the office location when approved by line management

ensuring that portable PCs are subjected to proper measures (e.g. not left unattended, encryption with power-on passwords, screen savers with passwords, locked in a cabinet when there is no proper supervision) to prevent theft, loss, and unauthorized use of data, programs and network/hardware

following good security practices when using smart cards/tokens

All users shall:

keep smart cards/tokens safely to prevent theft

not keep a paper record of their PIN

not share smart cards/tokens or PIN numbers

3.13. Mobile Device

The use of a Smartphone in connection with ICI Pakistan business is a privilege granted to employees through approval of their management. ICI Pakistan reserves the right to revoke these privileges in the event that users do not abide by the policies and procedures set out below. These policies are aimed to protect the integrity of company data and ensure the safety of sensitive business information. It should also be noted that there may be certain exceptions to these policies owing to device limitations between vendors.

3.13.1. General Guidelines on usage of Mobile Devices

Users of personal smart phones are not permitted to connect to ICI Pakistan infrastructure without documented consent from IT support and their respective Business Heads and/or Line Managers.

For purchase of additional devices such as iPad or tablet devices approval from respective HODs will be required.

Employees that purchase a device on their own that is not in line with our standard approved device lists may not be able to or allowed to have their devices added to company servers. It is highly recommended that the employee refer to ICI Pakistan IT support to review approved devices.

In the context of mobile device security, users must comply with the ICI Pakistan IT Security Policy best practices specifically laid out for usage of portable/mobile devices.

Users are expected to make use of the device belonging to them in an ethical manner and in accordance with ICI Pakistan IT policies.

Users can connect their Android, BlackBerry, iOS, Symbian and Windows Mobile devices after approval; however, IT is not bound to support users in the use of their personal mobile devices.

3.13.2. Mobile Device Data Security Guidelines

User device should automatically be locked with a PIN Code (personal identification number set by the current owner of the device).


If left idle, the device must automatically activate its PIN lock after a maximum time-out period of 5 minutes.

In general the use of browser add-ons is not recommended; however, such tools may be installed if they enhance the productivity of the device, and the IT Help Desk may be able to provide assistance in such cases.

Users have the responsibility to keep company data safe and to inform the IT Help Desk of any potential threat.

IT has the right, under certain conditions, to remotely wipe a mobile device. Such circumstances may include:

The device is lost.

User terminates employment with the company.

The IT Help Desk detects a virus.

Data and/or policy breach is detected or reported.

An incorrect password is entered 4 consecutive times.

Antivirus software should be installed wherever possible. IT may assist the Help Desk in areas such as selecting and recommending antivirus software and providing technical support where necessary.

3.13.3. Guidelines for Mobile Device Physical Security

In the event of loss or theft of device, user must inform ICI Pakistan IT Helpdesk within 24 hours of incident.

All employees shall assist in protecting devices issued by ICI Pakistan or storing ICI Pakistan data. Mobile devices are defined to include laptops, PDAs, Tablet PCs and cell phones.

Mobile devices are attractive targets for theft; therefore they need to be physically protected in accordance with company health and safety requirements.

3.13.4. Mobile Device Tampering

Using the device in ways not designed or intended by the manufacturer is not allowed. This includes, but is not limited to, 'jail breaking' or 'rooting' the Smartphone.

3.14. Information Retention

Data which is not stored on network file servers must be regularly backed up. This is the responsibility of the user of the data. All data storage media must be physically secured when not in use.

Storing music or video files that are not directly work related is not allowed. The same applies to pictures in any format.

Secret data should not be kept on portable media unless adequate measures have been taken (e.g., encryption or password protection) and approved by the Business / Function Head.

The receiver of electronic messages should preserve those items that are important for business operations, accountability, and/or documentary evidence on behalf of ICI in accordance with legal requirements.

3.15. Intellectual Property Rights

Unauthorized copying and use of copyright material is illegal and can expose the employee to civil and criminal liability under the copyright law. This applies to all types of copyright work, including music, films, software and other literary and artistic works.

Employees must not put unauthorized copies of copyright material on computers, networks or media owned by ICI Pakistan nor should employees put unauthorized copyright material on the internet or engage in activities such as peer-to-peer file indexing or transmissions that are likely to promote or lead to copyright infringements.

Proprietary software products are usually supplied under a license agreement that limits the use of the products to specified machines and may limit copying to the creation of backup copies only. Proprietary software that is not licensed must not be used on any of the company's computers, servers and/or workstations.

3.16. Responding to security incidents and malfunctions

Users are responsible for reporting security incidents, security weaknesses and software malfunctions to their local IT Helpdesk or IT Management through appropriate management channels as quickly as possible. Examples of incidents that are to be reported:

The antivirus software has detected a virus.

The server/workstation is rebooted without any interaction from the user.

Unexplainable loss of files.

Programs that the user has not started are running on the workstation/server.

Login attempts that are not accounted for or unexplainable blocking or disabling of user accounts on workstations/servers.

Loss of IT equipment.

3.17. Compliance Process

Any employee discovering use of IT related resources or IT facilities inconsistent with this IT Code of Conduct should immediately notify their departmental manager.

Failure to comply with this guideline or any of its provisions may result in disciplinary action and will be reported to the HR department. In the case of contract or agency staff, failure to comply will be considered a serious breach of the contract under which their services are provided to ICI Pakistan.

3.18. Update Process

The IT function is responsible for initiating employee education and training programs regarding IT for all users so that each user will be able to perform his or her job in an effective and reliable manner. Every user has the obligation to participate in such education and training programs.

Any implemented means of security (technical and organizational) must be subject to regular reviews (at least yearly) and updates (if technical, at least monthly).