7.14 Form: Employee Policy for Information Security
[COMPANY]
EMPLOYEE POLICY FOR INFORMATION SECURITY
1. Introduction.
1.1. Why Does [COMPANY] Need an Employee Policy for Information Security?
[COMPANY] relies on its information assets and computer resources to conduct and
support its business operations with its customers, employees and suppliers.
[COMPANY] has developed these information security policies to promote the
security, integrity and reliability of its information assets. Adherence to this
Employee Policy for Information Security will help ensure proper and consistent
controls and procedures, overcome ambiguity in decision-making, and communicate
security objectives to employees, suppliers and current and potential customers.
This policy has been prepared to ensure that [COMPANY] is able to support future
growth, as well as ensure a consistently high level of customer, supplier,
employee, business-partner and shareholder service.
1.2. Scope of Employee Policy for Information Security. This Employee
Policy for Information Security pertains to all [COMPANY] employees, regardless
of location or position and to all of [COMPANY]'s information assets. All
employees are responsible for adhering to these policies.
1.3. [COMPANY] Employee Policy for Information Security is a Living
Document. The policies contained within this document are designed to be mutable
and evolve to meet [COMPANY]'s inevitably changing needs in the future. Any
deviations required for business purposes must be approved through the
Information Security Deviation Process (see Section 1.5 below for more details).
This document is subject to modifications, additions, deletions and revisions,
in part or in its entirety, as [COMPANY] deems appropriate or necessary to
reflect business needs or changing conditions.
1.4. What Types of Information Do We Want to Protect? Here are some
examples:
• Business development information, e.g., sales leads, customer information, quotes, NPI
information, product forecasts
• Manufacturing and operations information, e.g., quality/defect rates, inventory pricing, test
information
• Employee information, e.g., salary, medical, benefits, personal contact
information
• Financial and accounting information, e.g., fiscal budgets, profit/loss information, human
resource plans
• Software and product development information, e.g., board designs, software source code, patent
information
• Data security information, e.g., security logs, encryption keys, passwords
• Network, communication and system infrastructure information, e.g., networking topologies, IP addresses, user names and
passwords, server administration information, system configurations
1.5. Employee Policy for Information Security Deviation Process. The
Information Security Deviation Process has been developed for you to request a
deviation to a specific policy statement based on business requirements. All
[COMPANY] employees must follow these Information Security policies to protect
[COMPANY]'s information assets while fulfilling business requirements. This
process is designed to provide a mechanism for you to document your
requirements, request the deviation, and receive permission to go forward with a
specific solution. The purpose of this request process is to ensure that the
solution designed and approved meets business requirements, as well as security
requirements. You must fill out the [COMPANY] Information Security Deviation
Form and forward it to [E-MAIL ADDRESS].
1.6. Why Do I Need to Sign the [COMPANY] Employee Policy for Information
Security Acceptance Agreement? [COMPANY] employees will be expected to sign the
[COMPANY] Information Security Policy Acceptance Form acknowledging that you
were trained on the policy, you understand the policy and its contents, and you
will abide by the policy requirements.
1.7. Adherence to Employee Policy for Information Security. Violations of
this policy may result in the loss of the violator's user privileges and/or
disciplinary action up to and including termination. At [COMPANY]'s sole option,
additional civil, criminal and equitable remedies and recourse may be pursued.
2. Definitions. Specific terminology is used throughout the Employee Policy for
Information Security to help guide employees when adhering to the policy. This
section provides for general definitions of particular terms used throughout the
policy since these terms may have highly subjective meanings and vary from
employee to employee. Please refer to the Glossary for additional definitions of
unfamiliar technology terms.
2.1. "Authorized business use," "business use," or "business purposes"
refers to the use of [COMPANY] property or information that is related to the
employee's specific job function and duties. All other use, while not
necessarily forbidden, is to be considered non-business use.
2.2. "Computing devices" or "computers" refers to any device used to
process information. Common examples include: laptop or notebook computers,
desktop PCs, workstations, servers and handheld devices such as integrated cell
phones, personal digital assistants (PDAs), BlackBerry(tm) wireless devices, and pagers.
2.3. "Information assets" refers to the hardware and software constituting
[COMPANY]'s entire network, computing and telecommunications systems, as well as
any data or information used by the organization to make business decisions.
Examples of information assets include, but are not limited to: various servers,
telecommunications devices, host computers, standalone computers, desktop
workstations, laptops, messaging devices, databases, applications and
intellectual property (see also Section 1.4 above for additional examples).
2.4. "Sensitive information" is any data or information whose stakeholders
(employees, data owners, customers, vendors, shareholders, etc.) would expect is
protected against inappropriate disclosure, unauthorized or inaccurate
modification, unauthorized access, or unavailability. Common examples include,
but are not limited to: financial and accounting information, employee personal
and performance information, passwords, business plans and initiatives, and
Information Technology Department administration information. Employees are encouraged to treat all information as sensitive unless they
can clearly determine that the information is not sensitive.
3. Computer, Password and Account Policies.
3.1. Personal use of [COMPANY] Equipment. [COMPANY] computer and
communication systems are provided to conduct [COMPANY] business. Incidental
personal use is permissible providing it does not interfere with worker
productivity and does not preempt any business activity.
3.2. Locking Computing Devices. All computing devices must be locked when
left unattended for 60 minutes or more and a password-protected screensaver must
activate at 60 minutes or less of inactivity. Employees who have access to
sensitive data should use extra caution. This policy statement excludes
computing devices on the production line.
3.3. Locking Computing Devices in Common Areas. Employees who log in to
common area computing devices (e.g.: hallways, cafeterias, conference rooms,
lobbies, etc.) with unique log-in names (personal network account) must
completely log off after each use.
3.4. Software Installation. Only approved software may be installed on
[COMPANY]'s systems and must be installed according to [COMPANY]'s license
agreement. Employees may not install any [COMPANY] software onto a Non-[COMPANY]
computer without the department manager's approval. Please direct questions and
concerns to your local Information Technology Department.
3.5. Anti-virus Software. All [COMPANY] systems (PCs, servers, wireless
devices, etc.) must have anti-virus software updated and enabled. Virus
protection software that has been installed on employees' computing devices must
not be circumvented, altered or disabled without written permission from
[COMPANY]'s Information Technology Department.
3.6. Security Related Service Patches and Hot Fixes. All systems,
computing devices, software, etc. must have appropriate security service patches
and hot fixes applied within the designated timeframe as approved by the Global
Information Security Team.
3.7. Portable Devices. When leaving a [COMPANY] facility, all portable-
computing devices must be securely stored and protected from possible theft.
Data stored on [COMPANY]'s equipment such as laptops, PDA devices and
BlackBerrys are the property of [COMPANY]. Employees are required to enable the
password protection or lock code functions available on the equipment in order
to prevent unauthorized access to the data.
3.8. Computing Device Repair. Sensitive information must be removed from
hard drives prior to shipping for external repair. For internal repair,
employees must not attempt to perform repairs on computer hardware without
permission from [COMPANY] Information Technology Department personnel.
3.9. Hacking and Snooping. Employees must not test or attempt to
compromise internal controls of information access. Employees must not exploit
vulnerabilities or deficiencies in information systems security to damage
systems or information, to obtain resources beyond those they have been
authorized to obtain, to take resources away from other employees, or to gain
access to other systems for which proper authorization has not yet been granted.
Observed security vulnerabilities and deficiencies should be promptly reported
to [COMPANY] Information Technology Department Management personnel. Do not
download or bring any hacking tools into [COMPANY]. They are strictly
prohibited.
3.10. Passwords.
3.10.1. Creation. Employees are required to create passwords that
are difficult to guess. The password must not be easily deducible words or
characters such as the employee's first or last name, spouse's name, name of
pet, a sequence of numerals, symbols or letters, or any word found in a standard
English dictionary. Passwords must be 8-14 characters long, must contain at
least 1 alphabetic character and at least 1 number, and must contain no spaces.
The first three characters must not be the same.
3.10.2. Forced Password Change at Initial Log In. Employees must
change each password upon first log in. This applies both to passwords that are
assigned to a new user account and passwords that have been reset by an
administrator for access into applications and networks.
3.10.3. Password Expiration. Employees will be forced to change
their password every 90 days and may not use a password that has been used in
the last 12 months.
3.10.4. Storage. A Password must not be written down and left in a
place where others might discover the password. A written password must be kept
in a secure place and away from the system to which it pertains and separate
from the user ID (see Section 3.11 below).
3.10.5. Sharing Passwords (Accounts). NEVER share your password with
anyone outside of [COMPANY] or within [COMPANY], including your management
chain, except with someone in the Information Technology Department for support
purposes only, after which you must change your password immediately.
3.11. User Identity (ID). Misrepresenting, obscuring, suppressing or
replacing another employee's identity on any system is forbidden. All employees
are responsible for any activity performed with their assigned user ID. User IDs
must never be shared with anyone (friends, family members or associates) other
than members of the Information Technology Department or helpdesk for support services.
3.12. Employee Termination and Department or Site Transfer. Each site,
regional group or corporate group must have an employee termination process and
an employee transfer process (transferring to other sites or departments) to
remove or restrict system access appropriately for each network, system and
application. Each manager must follow this process consistently to ensure that
each employee has access based on current business requirements. The helpdesk
must be notified within 24 hours of each employee termination or site transfer
to ensure that employee job changes are properly administered.
4. Electronic Mail (E-mail).
4.1. E-mail Usage. E-mail systems are provided to conduct [COMPANY]
business. Any personal use must not interfere with normal business activity.
4.2. E-mail Content Restrictions. Employees who use [COMPANY] Information
Systems are prohibited from storing and sending E-mail messages that contain or
could be construed as sexually explicit, racist, obscene, threatening, libelous
or otherwise potentially offensive material. Users of [COMPANY] information
systems who discover they have received an electronic message that contains
sexually explicit, racist, obscene, threatening, libelous or otherwise
potentially offensive material must immediately contact Human Resources or
Information Technology Department Management.
4.3. E-mail Forwarding-Externally. Employees must use caution when
forwarding E-mail outside of [COMPANY]'s network. Forwarded information should
either be public in nature or the message owner/originator should have agreed to
the message being forwarded in advance. Automatic forwarding of E-mail messages
to any outside address is prohibited.
4.4. E-mail Forwarding-Internally. Unless the information is clearly not
sensitive, employees must not forward electronic mail to any address inside of
[COMPANY]'s network without ensuring that the information is intended for each
recipient. Employees must use caution when sending sensitive information using
E-mail distribution lists. Do not forward chain or pyramid messages or similar
schemes internally on the network.
4.5. E-mail Accounts for Non-[COMPANY] Individuals. E-mail accounts for
Non-[COMPANY] individuals will only be created after Operations Manager or
Director approval. All Non-[COMPANY] E-mail accounts will be labeled with (Non-
[COMPANY]) in the E-mail account's name and will be set to expire in 90 days.
4.6. E-mail Distribution Lists for Non-[COMPANY] Accounts. External (Non-
[COMPANY] individual) E-mail addresses may be placed on an E-mail distribution
list only after functional manager approval. Non-[COMPANY] accounts must not be
added to department, site or worldwide distribution lists. Distribution lists
containing Non-[COMPANY] accounts must not be added to other distribution lists.
4.7. Sensitive E-mail Distribution. If sensitive information must be sent
by electronic communication systems, employees must ensure that only intended
recipients are listed. Employees must consider encrypting E-mail, password
protecting file attachments, or using other means of distributing the
information.
4.8. E-mail Attachments. Employees must never open an E-mail attachment
from an unknown or distrusted source. Employees must also exercise a reasonable
level of caution when opening any attachments from known or trusted sources.
Contact your help desk for procedures on scanning your attachment for viruses.
4.9. Sharing File Passwords (Protected Files via E-mail). In the event
that passwords must be shared for file-sharing purposes, employees are
responsible for ensuring that only the intended parties receive the password and
the protected file. Employees must never simultaneously share the password and
the file to be protected (i.e., do not E-mail the file and the password in the
same E-mail). Sharing file passwords using E-mail distribution lists is
prohibited.
5. Internet.
5.1. Internet Usage. Internet access is provided to employees to help
conduct [COMPANY] business. Any personal use must not interfere with normal
business activities, must not involve solicitation, and must not be associated
with any for-profit business activity.
5.2. Internet Content Restrictions. Employees using [COMPANY] information
systems are prohibited from viewing or visiting Internet sites that contain
material that is or could be construed as sexually explicit, racist, obscene,
threatening, offensive, libelous or otherwise potentially offensive.
5.3. Internet E-mail. Use of Internet E-mail systems such as Yahoo(tm),
Hotmail(tm), AOL(tm), Juno(tm), etc., must not interfere with normal business
activities. Internet electronic mail systems cannot be used to store or
communicate business data. Attachments from Internet mail accounts must never be
transferred to any [COMPANY] owned computing device.
5.4. Internet Software Downloading. Downloading software from Internet
sources is required to conduct [COMPANY] business. Incidental downloading of
software from Internet sources is permitted provided it does not interfere with
normal business activities or violate any other policy (e.g., content, virus,
licensing, hacking, etc.). Downloading any software or files from the Internet
carries potential hazards: downloads may contain viruses, data-collecting programs
(spyware), or other malicious or unwanted software.
5.5. Interactive (Instant) Messaging. All interactive messaging software
used must provide secure connections. Some individuals or departments use
interactive messaging to conduct [COMPANY] business. Any personal use must not
interfere with normal business activities, must not involve solicitation, and
must not be associated with any for-profit business activity.
5.6. Chat Room and Message Board Participation. Employees must use caution
when participating in Internet forums. The following must be used for
legitimate business purposes only: chat rooms, Internet discussion groups,
message threads, and other public electronic forums.
6. [COMPANY] Information Disclosure. Maintaining the confidentiality of
[COMPANY] sensitive information is essential for competitive, security and other
business reasons, as well as to comply with securities laws. Also, the timing
and nature of [COMPANY]'s disclosure of material information to outsiders is
subject to legal rules, the breach of which could result in substantial
liability to the employee, [COMPANY] and its management. Accordingly, it is
important that only specifically designated representatives of [COMPANY] discuss
[COMPANY] and its affiliates and subsidiaries with persons not subject to
agreements to maintain the confidentiality of such information, including,
without limitation, the news media, securities analysts and investors.
Accordingly, no [COMPANY] employee may disclose sensitive information in
[COMPANY]'s possession to anyone other than authorized [COMPANY] employees and
third parties either during or subsequent to the employee's employment. Such
sensitive information includes, without limitation, sensitive information
provided to [COMPANY] by other employees or persons or organizations doing
business or in discussions with [COMPANY]. Failure to abide by this policy can
result in reprimand and/or termination of employment.
7. Travel.
7.1. Possession of [COMPANY] Equipment. Employees in possession of
portable computing devices (i.e., laptop computers, notebook computers, palmtop
computers, handheld devices, smart phones, personal digital assistants, or other
transportable computers) containing [COMPANY] information must not check these
computers in airline luggage systems. These portable-computing devices must
remain in the possession of the traveler as hand luggage to avoid damage and theft.
7.2. Working Away from the Office. Employees are required to ensure that
their surroundings are reasonably secure when working with sensitive information
during travel. Displaying sensitive information in crowded airplanes,
restaurants, etc. should be done with caution.
7.3. Internet Cafes or Wireless Kiosks. Employees must use caution when
accessing or exchanging [COMPANY] information from Internet cafes and kiosks.
Downloading or opening attachments is prohibited. Upon completion of activity,
employees must log off immediately and close the Internet browser.
8. Information Handling.
8.1. Information Storage. Employees must ensure that any sensitive
information stored on PC or workstation hard-drive disks is adequately protected
from unauthorized access and is backed up regularly.
8.2. Information Transfer and Copying. Any sensitive information stored or
transferred to floppy disks, CD-ROMs, Zip(tm) Drives or other external storage
media must be locked in a secure container when not in use.
8.3. File Backup. All sensitive information and software resident on
[COMPANY] information systems must be backed-up regularly. Backing up [COMPANY]
information to Non-[COMPANY] systems (home PCs, external networks, etc.) is
strictly prohibited and will be considered theft.
8.4. [COMPANY] Files Stored on Personal PCs. Accessing and storing
sensitive [COMPANY] information on personal PCs (Non-[COMPANY] PCs) is
prohibited.
8.5. Information Protection. All drives and storage media must be
formatted by Information Technology Department support personnel prior to
redistributing, exchanging, selling or disposing of computing devices or hard drives.
9. Networking, Telecommunications and Faxing.
9.1. Connecting [COMPANY] Networks to Non-[COMPANY] Networks. [COMPANY]
will not connect its network to another network (customer, vendor or supplier
networks) without prior approval through the Information Security Deviation
Process. All Internet connections to and from the [COMPANY] network must also
receive prior approval through the Information Security Deviation Process.
9.2. Connecting Devices to [COMPANY] Networks. While in a [COMPANY]
facility, employees must not directly connect any unapproved device to a
[COMPANY] network. All devices must meet the minimum network device security
requirements prior to connecting to a [COMPANY] network. See your local
Information Technology Department for device approval.
9.3. Connecting [COMPANY] Computers to Home Networks. Employees must
ensure that all other home PCs connected to the home network are adequately
protected (secured) from viruses and other vulnerabilities whenever employees
connect [COMPANY] equipment to home networks.
9.4. Connecting Wireless Devices to [COMPANY] Networks. Employees must not
connect any wireless devices to a [COMPANY] network without permission from
Information Technology Department Management. Wireless devices include but are
not limited to: laptops, notebooks, personal digital assistants (PDAs), smart
phones and wireless access points.
9.5. Installing Wireless Access Points and Wireless Transmitters. Only
authorized individuals may possess approved wireless access points/transmitters
on [COMPANY] premises. Only authorized individuals may install approved wireless
access points/transmitters on a [COMPANY] network. All new wireless
implementations must receive prior approval through the Information Security
Deviation Process.
9.6. Employee Usage Policy for Non-[COMPANY] Systems and Networks.
[COMPANY] employees are not to connect their computers to a Non-[COMPANY]
network unless approved by the network owner. [COMPANY] employees must never try
to access or find information that they were not intended to see; employees
should only access those resources granted even if they find they have access to
other areas of the network or system.
9.7. Lobby Connections. All lobby network ports and access points must be
disabled. This includes conference rooms in the lobby.
9.8. FTP Sites. All FTP files will be deleted every 30 days. FTP account
log-in passwords will be changed every 180 days and accounts will expire after
30 days of inactivity. Each user, not company, will have an individual FTP
account and password.
9.9. Modem Usage. No modems may be set up without prior local
Information Technology Department permission. [COMPANY] employees are prohibited
from simultaneously connecting a dial-up modem and a network connection on the
same computing device. Modems must never be set up to receive incoming calls;
they must only dial out.
9.10. Eavesdropping or Network Sniffing. Employees are prohibited from
eavesdropping on any [COMPANY] network or telecommunication system. Only
authorized Information Technology Department personnel will perform any type of
network monitoring.
9.11. Voice Mail Passwords. Passwords for entrance into the voice
messaging system are required to be: (1) changed every six months; (2) different
from the preceding two passwords; (3) non-sequential; and (4) at least four
characters long.
9.12. Faxing. Prior to faxing or receiving sensitive information the
following must occur: the recipient must first have been notified of the time
when the information will be transmitted; the recipient should have agreed
either that an authorized person will be present at the destination machine when
the material is sent or received or that a password-protected fax mailbox is
used to restrict the unauthorized release of the materials. Sensitive [COMPANY]
information must not be sent or received via distrusted intermediaries (hotel
staff, rented mailbox store staff, etc.).
10. Glossary.
10.1. "Business use" means the use of electronic mail, Internet and
telecommunications systems that are related to the user's specific job functions
and duties. All other use, while not necessarily forbidden, is to be considered
Non-business use.
10.2. "Common area" means any physical area easily accessible to general
employees or external parties. These areas can include hallways, cafeterias,
conference rooms, lobbies, etc.
10.3. "Communication systems" means any electronic device or group of
devices used primarily to send or receive data. This includes telephones,
networked computers, fax machines, pagers, etc.
10.4. "FTP" means file transfer protocol, a means for transferring
computer information files from one computer to another using network, Internet
or modem connections.
10.5. "PDA" means a "personal digital assistant" device, such as a
PalmPilot(tm) or Ipaq(tm).
10.6. "Storage Media" means resources used to store data. Common examples
include floppy disks, hard disk drives, magnetic tapes, CD-ROMs and USB-
connected removable drives.
10.7. "User" means any employee, independent contractor, consultant,
temporary worker and any other person or entity that uses [COMPANY]'s computer
resources.
10.8. "Virus" means any malicious software that has the ability to copy
itself and spread to parts of the operating system, application or programs,
which can cause damage to or loss of data. Examples include: Trojan horses,
worms and other damaging code that propagates in a similar way.
10.9. "Workstation" means any computer (laptop or desktop) used during the
course of business, typically used as an interface.