1. Background

The use of E-mail, the Internet and laptops, has during the recent years dramatically increased. E-mails, including Microsoft Outlook and the Internet, have become an important business tools for the Company, but also constitute risks.

These instruction sets out the rules, regulations and guidelines for the employees to use IS facilities so as make optimum use of the resources; and to control the risks and exposures and to avoid misuse.

2. E-mail

Microsoft Outlook is the standard IS Facility to be used for internal E-mail. and for E-mail with third parties not belonging to Kent Introl.

E-mail sent to third parties is transferred through the Internet mail service which has to be accessed through Microsoft Outlook.

3. The Internet

The Internet, when used in a correct way, can give substantial customer value both in marketing as well as in after-market activities but may, if not correctly used, also expose Kent Introl to large risks such as:

(i) Illegal access of third parties to the Company’s facilities
(ii) Issue of faulty information in connection with business transactions
(iii) Publishing, intentionally or unintentionally, wrong information about Kent Introl or other companies/persons.
3.1 Illegal Access
At access points to the Internet firewalls protect the Company’s facilities against illegal access.  Whenever a computer is connected to the Company network, access to the Internet must be through a firewall.
3.2 Confidentiality
Information published via the Internet shall be correct and not be confidential or otherwise of sensitive nature.  Written permission must be obtained from the General Manager, before publishing any information on the Internet.
3.3 Typography, Layout and Copyright
Typography, layout and copyright of publications shall comply with applicable instructions.
3.4 Financial Transactions over the Internet
Financial transactions made over the Internet shall only be made with prior authorisation of the head of Finance, and with appropriate security measures in place such as encryption and message authentication in accordance with applicable Group Instructions.
3.5 E-Commerce
E-Commerce may be handled only by authorised employees in accordance with applicable rules and regulations, and as prescribed by the responsible manager.

4. Responsibility of the User

4.1 Responsibility for Proper Use of Kent Introl IS Facilities
The use of the facilities is governed by the same principles, rules and regulations as valid for the use of any other facilities, as laid down in applicable labour legislation, employment contracts and employment conditions.
The facilities are provided for carrying out and advancing the business of the Company and are the property and important assets of KIPL as per the lease agreement
The easy access to E-mail and Internet through the Company’s IS Facilities, their effectiveness and speed requires all employee with access, to uses the IS Facilities in an efficient and professional manner in accordance with the applicable rules, regulations and guidelines.
The Company IS facilities largely extend the resources and competences of the Kent Introl employees, which implies an increased degree of responsibility of Company employees using the IS Facilities; and they must ensure they do not violate the rights or interests of the Company and associated Group.
4.2 No Misuse
Under no circumstances must the Company’s. IS Facilities be used for vindictive, harassing, aggravating, discriminatory or abusive comment or criticism of anyone, whether a colleague or Group employee or a third party; whether sent internally or externally.

5. Supervision of the Use of E-mail and the Internet

The Company will decide which of their employees shall be connected to the Lotus Notes E-mail facility and which of their employees shall have access to the Internet.
The Company is authorised to supervise the use of E-mail and the Internet with respect to compliance with this Instruction and other applicable rules and regulations.  All E-mail and Internet communications made through Company IS facilities are treated as Company business information, which may be accessed, retrieved, or monitored by the Company.
The Company remains owner of all personal access codes and passwords which employees use for IS facilities. 
Employees shall keep secret at all times any access code and password placed at their disposal by the Company. If asked, employees shall provide their departmental manager, or senior manager with access codes and passwords generated by themselves.
Kent Introl Pvt employees cannot claim any privacy privilege with respect to communications transacted through the Company’s IS facilities.

6. Retention of Records

E-mail and Internet publications are subject to the same legal prescriptions as valid for retention of hard copies of documents.  Unless otherwise prescribed by local legislation, electronic information may be archived on appropriate electronic storage media.  The Company shall ensure that employees are informed on applicable legal requirements with respect to archiving documents.

7. Implementation, Local Legislation

The Company shall ensure that their employees are informed through distribution of this Instruction, of other appropriate rules, regulations and guidelines for the use of E-mail and the Internet as contained herein.
Possible restrictions imposed by local law in the field of personal data protections are to be observed.

Rules for the Use of the KENT INTROL PVT. LTD. IS Facilities

Things you should DO:

1. Be aware that by communicating through Company IS Facilities you will be regarded by recipients as a representative of Kent Introl Pvt.  Care should be taken to communicate at all times in a professional and courteous manner.

2. Be aware that it is easy to misaddress messages - always check recipient names before sending a message out.

3. Always provide a meaningful subject line to outgoing communication.

4. Check communication for clarity and professionalism.

5. Use carbon copies ("cc:") sparingly. Inform only those who need to know otherwise you consume valuable resources needed by others.

6. Avoid trivial responses.

7. Refrain from adding too many attachments to your communication.  Compression tools such as Winzip must be used whenever possible.

8. Delete outdated messages from live mailboxes and folders but make sure that relevant documents are properly saved and archived, either as hard copy or electronically, in accordance with applicable legislation.

9. Remember that messages you send out can be forwarded without your knowledge - don't assume the recipient keeps your message confidential.

10. Remember that all laws governing copyright, defamation, discrimination and other forms of written communication also apply to communication through Company IS facilities.

11. Remember that communication through Company IS facilities may generate legal obligations for the Company and that in this respect all internal rules of competence and form must be observed.

Things you should NOT DO

1. Don't use Company IS facilities for the release of information that is commercially sensitive or contentious; or may have contractual or other legal implications for the Company, unless encrypted and or authorised.

2. Don't issue information that infringes copyright or other intellectual property rights.

3. Don't issue emotional, hasty, angry or otherwise heated communications.

4. Don't store personal messages in the Company IS facilities, especially any that may be classified as obtained through misuse of the IS facilities.  Delete these messages immediately and inform the sender to refrain from sending similar messages in the future.

6. Don't load any unauthorised or unlicensed software onto Company IS facilities.  The Company provides you with fully licenced software that you need to conduct Company business.

7. Don't download or receive music / video (or similar) online as this consumes Company resources. The only exception is where this is needed to conduct Company business.

 Misuse of Company IS facilities includes, but is not limited to the following matters.

Engaging in any communication, (including but not limited to logging into sites, saving, down loading and distribution) that causes harm the Company’s reputation or its relationship with its business partners; or which may embarrass business partners of the Company.

Engaging in any communication that intimidates, embarrasses or injures the dignity of another person or company, or that is perceived as hostile on the basis of nationality, gender, sexual orientation, religious believe or disability (physical or mental), including specifically, without limitation, pornography, racism and Nazism.

- Hate or vulgar communication.

- Religious or political communication.

- Engaging in communication of indecent material.

- Originating or forwarding chain letters.

Using the Company IS facilities for jeopardizing or attacking the integrity of the Company, or third party's networks or data

End User Security      
Responding to Incidents

Objective: To minimise the damage from security incidents and malfunctions, and to monitor and learn from such incidents.
Incidents affecting security must be reported through the correct channels as quickly as possible
All employees and contractors must be made aware of the procedure for reporting different types of incidents - security breaches, threat, weakness or malfunction (viruses) - that might have an impact on the security of Company IT-related assets.  Furthermore, they shall be required to report any observed or suspected incidents as quickly as possible to the correct focal point (Help Desk)

          
Security incidents must be reported through the correct channels as quickly as possible
All employees and contractors must be made aware of the procedure for reporting security incidents.  Such incidents shall be reported as quickly as possible to Head of Finance
Network security incidents (incl. virus attacks) shall be escalated to the responsible IBM IS employee on site.
The IBM IS employee must maintain written records of security incidents
Severe incidents (theft of strictly confidential information, etc.) shall be immediately reported
Furthermore, employees shall be required to note and report any observed or suspected security weaknesses in systems or services.
           
Software malfunctions must be reported.
Users of IT services shall be required to note and report any software that appear not be functioning correctly (i.e. according to specification). The matter shall be reported to the local IBM IS employee.
If it is suspected that the malfunction is due to a malicious piece of software (e.g. a computer virus) the user shall:
1. Note the symptoms and any messages appearing on the screen.
2. Stop using the computer and inform the IT IBM support person immediately.  Diskettes shall not be transferred to other machines.
3. Ensure that the matter is reported to the IT IBM support employee.
Users shall be informed that they shall not, in any circumstances, attempt to remove the suspected software. Recovery shall be carried out by appropriately trained staff.

 To prevent unauthorised user access. 
Users should  be aware of their responsibilities regarding virus protection and access control, particularly regarding the use of passwords and the security of equipment used off-premises.

 Users shall follow good security practices in the selection and use of passwords.
Passwords are used for restricting the access to IT services.  The users shall:
1. Keep passwords confidential.
2. Avoid keeping a paper record of passwords, unless this can be stored securely.
3. Change passwords whenever there is any indication of possible password compromise.
4. Select passwords with a minimum length of eight characters for unprivileged user-ids and a minimum length of 15 characters for privileged user-ids wherever possible.
5. Select passphrases (e.g. Jack went up the hill) instead of passwords in systems allowing for long passwords consisting of upper and lower case letters as well as spaces. For passphrases the minimum length is 15 characters
6. Change passwords at regular intervals and avoid reusing or "cycling" old passwords.
7. Change passwords for privileged user-ids (e.g. those which access certain system utilities) more frequently.
8. Change temporary passwords at first logon.
9. Do not include passwords in any automated logon process (e.g. stored in macro or function key).
If users need to access multiple services or platforms and are required to maintain multiple passwords, they may use a single, quality password for all services that provide a minimum level of security protection for password storage.  (The recommended level of protection is the use of a one-way encryption algorithm to encipher user passwords.)
Each user must ensure that all his/her business-critical data and software are regularly backed up.
Every user is responsible for that back-ups are taken of all his/her business-critical data and software (e.g. to a file server, to diskettes or to a streamer) on a regular basis.  To ensure users can recreate all necessary data quickly and to minimise the negative impact on the business, back-ups must be taken frequently.
Please contact your IBM HelpDesk to know how to back up data. 

Users must ensure viruses do not enter or leave their system via electronic mail, boot-diskettes or by similar means
Users must ensure all information received from other systems is controlled with anti-virus software.  In particular the user shall note the following:
1. All files received by e-mail or by file transfer as well as all diskettes must be checked for viruses before use
2. PCs must not be booted from diskette unless it is with a clean, write-protected system boot diskette
3. Before distributing files on diskettes (or other media), files must be checked for viruses.
Users should ensure that unattended equipment has appropriate security protection.
Equipment installed in user areas (such as terminals and personal computers) may require specific protection from unauthorised access when left unattended for an extended period.

Users should:
1. Terminate active sessions when finished (unless they can be secured by an appropriate software lock).
2. Log off LAN and mainframe computers when the session is finished - and not just switch off the computer or terminal.
3. Secure personal computers (or terminals) by a password or an equivalent control when not in use.

IT equipment used outside the Company must be subject to security protection

IT equipment (regardless of ownership) used outside Company premises to support business activities should be subject to an equivalent degree of security protection, as office equipment. The following guidelines shall be applied:
1. Personal computers shall not be used at home for business activities if virus controls are not installed
2. Portable computers shall not be left in public places.  Portable computers shall be carried as hand-baggage.
3. Portable computers shall be provided with an appropriate form of access protection (e.g. passwords and encryption) to prevent unauthorised access to their contents.
4. Manufacturer's instructions regarding the protection of equipment shall be observed at all times, e.g. to protect against exposure to strong electromagnetic fields.
Security risks (e.g. of damage, theft, eavesdropping) may vary considerably between locations, and shall be taken into account in determining the most appropriate security measures.

DATA EXCHANGE
Objective: To prevent loss, modification or misuse of data.
Exchanges of data shall be controlled.
Business communication is increasingly done by electronic means. Hence to secure the data of these communications adequate care is to be taken for its security.  Users can use the Encryption function, which is available in Lotus Notes to secure confidential information.  Please note misuse or Loss of data may lead to disruption or loss of Company business.
Data in transit shall be protected from loss or misuse.
Data, regardless of whether transferred on computer media (e.g. on diskettes or tapes) or over computer networks in electronic form (EDI, e-mail), can be vulnerable to unauthorised access, misuse or corruption during transfer. 
The following techniques can be applied to ensure the confidentiality and integrity of the information:

• Encryption
• Message authentication
• Digital signatures

Business and security risks associated with the use of Lotus Notes shall be reduced through the utilisation of built-in security features in Notes.
Lotus Notes contains a number of security features that shall be used in order to reduce the risks associated with the local storage and the transfer of business-related information.
Application-related security functions (Access Control Lists, encryption, etc.), must either be implemented at application design or when the database is set up by the administrator
Encryption of outgoing mail can be initiated by the local user when a mail is dispatched.  Notes also supports encryption of locally stored mail.
Notes mails can be protected against unauthorised modification by providing the messages with a digital signature when dispatched.  The option to sign outgoing messages should be set as default in "Users Preferences..."
The Notes ID-file together with the Notes passphrase identifies the user to the Lotus Notes system. The ID-file shall be protected at all times with appropriate care.

1.         POLICY

Kent Introl will maintain a Laptop Computer Policy in order to prevent risk to our business and our customers from the impact of Laptop Computer related incidents.

2.         SCOPE

The Laptop Computer Policy will apply to Kent Introl personnel.

3.         PURPOSE

To allow the employees of Kent Introl to do their jobs effectively, some employees provided with a laptop computer for business purposes. This policy outlines the laptop computer options supported by Kent Introl, guidelines for appropriate use, and other administrative issues relating to laptop acquisition and reimbursement. This policy was created in order to enhance employee safety, limit corporate liability, and help manage IT costs.

4.         RESPONSIBILITIES

Kent Introl Senior Management Team

Responsible for Company policy and compliance to this policy.

Kent Introl IT Manager

Responsible for maintaining the Laptop Computer Policy.

Kent Introl Human Resources Manager

Responsible for personnel issues relating to the Laptop Computer Policy and for ensuring that the Laptop Computer Policy is passed on, to all new starts.

Kent Introl Users

All employees requiring the use of a Company-owned laptop computer for business purposes must fill out an appropriation request that clearly outlines why the laptop is required and what level of service the employee needs should his/her application be accepted. Appropriation Request forms must be approved and signed by the employee’s unit or department head, then the Senior Manager before final submission to the IT department.    

Basic features included with every company-owned and supported laptop include:

• Email
• Microsoft Office
• Internet Access
• Global Roaming(on request, if required)

• APPROPRIATE USE

It is imperative that laptop computers owned by Kent Introl or any laptop computer used to conduct Kent Introl’s business be used appropriately, responsibly, and ethically. The following rules must be observed:

In the office:

• Ensure that the laptop is in a secure place at all times.
• If left unattended ensure that it is secured and hidden from sight.
• Be aware of any strangers or contractors around premises. Alert the relevant people if there is cause for concern.
• On leaving laptop, formally close files down and log off the network to prevent unauthorised access to data.
• When leaving the office, lock the laptop away or remove it from the premises.

Travelling with your laptop:

• When in transit consider how laptops are carried, ideally a standard briefcase or sports bag should be used rather than the manufacturer’s carry case.
• If laptops are taken on flights they should be carried as hand luggage to prevent damage and loss.
• During car journeys and when parked, laptops should be left in the boot out of sight to prevent opportunistic theft.
• When travelling on public transport, laptops should be kept in sight and control at all times.
• Enough time should be left when alighting from public transport to reduce the risk of leaving equipment behind.
• Due to the vulnerability of laptops sensitive data should not be kept on the hard drive.  Such data should be kept separately on a floppy disk.

Using Company laptop outside the office:

• If staying in a hotel the laptop should not be left unattended or in an obvious place in your room. Consider leaving it in the hotels secure place.
• At home laptops should be afforded the same protection as your other household items, and not for example left in the garden or conservatory or in view from a window.
• Always Scan for viruses when using memory sticks, diskettes or CD’s before use.

These guidelines can deliver you a number of benefits if they are followed:

• Employee personal safety may be protected if the laptop is disguised reducing the risk of theft by force.
• Prevent the loss of confidential and commercially sensitive information.
• Reduce the probability of disruption from losing the laptop and any data.

If a Company-owned laptop computer is damaged, lost, or stolen, it must be reported immediately to the IT department.

Policy Non-Compliance:

If any individual fails to comply with any section of this policy, Kent Introl may take whatever action it determines to be necessary to avoid or prevent further violations or harm to employees, third parties or Company Property. Such action may include suspension of laptop user privileges, disciplinary action, up to and including termination of employment, as well as civil lawsuits or criminal prosecution.

6.         ADMINISTRATION

Kent Introl retains the absolute right, in its sole discretion, to change this policy and to determine whether an individual’s action(s) are covered by this policy.

Questions about this policy should be directed to the Kent Introl IT department.

All decisions regarding the administration of this policy will be made in conjunction with the Kent Introl HR department.