Acceptable Use of Information Systems Standard
Guidance for all staff
Equipment security and passwords

You are responsible for the security of the equipment allocated to, or used by you, and must not allow it to be used by anyone, other than in accordance with the guidance provided in this booklet.

Passwords must be kept confidential and must not be made available to anyone else unless authorised by your local IT contact or your line manager. Passwords should be changed regularly.

If you need to gain access to a colleague's mailbox or documents for a legitimate business reason, please contact your local IT contact, who will then follow the required approvals routine. Normally permission from the owner of the mailbox or document will be required in order for access to be granted.

If you have been issued with a laptop, PDA (personal digital assistant) or any other mobile computing device, you must ensure that it is kept secure at all times by use of a password, especially when travelling. Loss of these devices should be reported to the relevant local law enforcement authority and to your local IT contact to allow appropriate security measures to be taken against potential misuse.

Your computer terminal or workstation will automatically lock if it has remained inactive for 15 minutes or more and it is good practice to lock it manually by holding down the Ctrl, Alt and Delete keys when you leave it unattended for any reason. You should shut down your personal workstations when you leave the office each day.

If your employment is terminated, you must provide details of your passwords to your local IT contact and return any equipment, key fobs or cards. Please also refer to the section "Leaving Petrofac" on page 14.
Removable storage devices

If you need to store/read business related information on/from a removable storage device, such as a USB (universal serial bus) stick, SD (secure digital) card, CD (compact disc) or DVD (digital versatile disc), you must take care to ensure that the media is kept secure and files picked up outside of Petrofac systems are cleaned of viruses.

To safeguard Petrofac systems and maintain confidentiality of data, Petrofac has implemented data leak prevention solutions, controlling and monitoring access to USB ports.
Systems and data security

You should not alter the state of the computing systems by adding or removing programmes or hardware. All requests relating to such changes should be forwarded to your local IT contact or service desk.

You should not download or install software from external sources without authorisation from the relevant IT department. No device or equipment should be attached to Petrofac's systems without the prior approval of the IT department.

All emails which pass through Petrofac systems are scanned for viruses. Your IT department should be informed immediately if a suspected virus is received, and in such circumstances, you should not open the email unless requested to do so by a member of the IT department.

Petrofac reserves the right to block access to email attachments and block the transmission of any email messages, in order to maintain the effectiveness of systems, in accordance with the guidance provided in this booklet.

You should not attempt to gain access to restricted areas of the network, access information which is not addressed to, or intended for you, or attempt to gain access to passwords, unless specifically authorised.
Email etiquette

All business related emails should be sent using the Petrofac network to ensure a complete record is retained and that the appropriate disclaimer is included. You should not use personal email accounts for business, unless unavoidable (for example network failure). In such circumstances, a copy of any emails sent or received in relation to Petrofac business should be forwarded to your Petrofac email account.

You should not send abusive, obscene, discriminatory, racist, harassing, derogatory or defamatory emails. Anyone who feels that they have been harassed or bullied, or is offended by material received from a colleague via email should inform their line manager.

You should assume that email messages may be read by individuals other than the intended recipient and therefore should not include anything which would offend or embarrass any reader, our organisation or yourself, if it found its way into the public domain.

Email messages may be required to be disclosed in legal proceedings in the same way as paper documents and you should comply with any instructions or guidance issued by Group Head of Legal in relation to any pending proceedings or investigations. Deletion from an inbox or archives does not mean that an email cannot be recovered for the purposes of disclosure. All email messages should be treated as potentially retrievable, either from the main server or using specialist software.

If you receive a wrongly delivered email, this should be returned or notified to the sender.

Auto-forwarding of Petrofac emails to non-Petrofac email accounts is prohibited.
Use of the internet

When a website is visited, devices such as cookies, tags or web beacons may be employed to enable the site owner to identify and monitor visitors. You should not therefore access any web page or download any files (whether documents, images or other) from the internet which could, in any way, be regarded as illegal, immoral or likely to cause offence.

You should not use our systems to participate on our behalf in any internet chat room, post messages on any social media portals, or set up and log text or information on a blog or wiki, unless specifically authorised. Please also refer to the section "Use of social media" on page 10.

As a general rule, if any person (whether intended to view the page or not) might be offended by the contents of a page, or if the fact that our software has accessed the page or file might be a source of embarrassment if made public, then viewing it will be a breach of the guidance provided in this booklet.
Personal use of systems

We permit the incidental personal use of our internet, email and telephone systems but it must be neither abused nor overused and should not:
- interfere with your work commitments or colleague's work commitments
- have any negative impact on Petrofac
- commit us to any marginal costs
- breach our policies including our Code of Conduct

Petrofac reserves the right to remove any material considered to be offensive or damaging from our systems, without warning.

Petrofac's local offices may have individual requirements which supplement these provisions on personal use of systems. These additional or supplementary requirements will be explained and provided by the local IT contacts where necessary.

Use of these systems may be monitored and if evidence is found that policies have been breached disciplinary action may be taken. Petrofac reserves the right to restrict or prevent access to certain telephone numbers or internet sites if personal use is considered to be excessive or otherwise inappropriate.
Fair processing of personal information

Petrofac will retain custody of your routine personal data during the course of your employment within its designated enterprise resource planning (ERP) systems. This information is used for visa processing, salary disbursement, end of service benefits etc. Your personal data will therefore cover details such as name, address, bank details, telephone number, date of birth, religious affinity and certain medical records.

We are committed to ensuring that the information we collect and use is appropriate for this purpose and does not constitute an invasion of your privacy.

We may pass your personal data on to our ERP systems located in Petrofac's data centre in Chennai, India. The data centre is obliged to keep all information secure and use it only to fulfil the designated purpose. We will dispose of your personal data in line with applicable legislation and Petrofac's procedures.

If we pass your personal data on to a third party, we will only do so once we have obtained your consent, unless we are legally required to do so.

Petrofac is not responsible for maintaining security or safety of any other information that is personal to you and which is placed on our systems by you, for example personal pictures, letters, videos.
Monitoring use of systems

For business reasons, and in order to carry out legal obligations in our role as an employer, use of our computer and communication systems is continuously monitored by the IT department. We may retrieve the content of messages sent or received, or check searches which have been made on the internet:
- to monitor whether the use of the email system or the internet is legitimate and in accordance with the guidance provided in this booklet
- to find lost messages or to retrieve messages lost due to computer failure
- to assist in the investigation of wrongful acts
- to comply with any legal/audit obligations

Use of social media

Petrofac identity and social media

Any social media account, blog, web page or related content with the Petrofac brand identity should only be created and updated by our Corporate Communications team. Only approved spokespeople may communicate on our behalf.

Use of Petrofac's logo and/or related intellectual property requires prior written consent from our Corporate Communications department and is not to be used on personal web pages or any type of social media sites. Unofficial pages, created without prior authorisation of the Corporate Communications team, may be shut down.

If you do come across positive or negative remarks about Petrofac that you believe are important, you should refrain from responding directly and instead forward the comments to our Corporate Communications department (communications@petrofac.com).
Personal use of social media

Petrofac encourages all employees to use social media responsibly. Social media is any tool or service that facilitates conversations over the internet, including applications such as Facebook, Twitter and other platforms such as YouTube, LinkedIn, blogs and wikis. Access to social media sites from the Group's systems is subject to local management approval.

Petrofac has adopted five social media principles you should adhere to before engaging in any type of social media activity. Whilst using social media:
- take care when sharing personal details and avoid sharing personal information, especially about any travel plans
- make it clear in any social media postings that you are speaking on your own behalf (i.e. write in the first person and use personal email addresses when communicating via social media) and if you do own a personal web page or any type of social media site which in any way makes reference to your employment with us, display the following notice on that site: "the views expressed on this website/blog are those of the author and do not necessarily reflect the views of their employer"
- never reveal contact details or photographs of other employees, suppliers, or other stakeholders without their permission
- never report details of your work or business travel plans, discuss any details of current or past projects or performance, or speculate on future activity of Petrofac (as Petrofac is listed on the London Stock Exchange, disclosure of forward looking information is highly regulated and any disclosure of sensitive or forward looking information online will be treated extremely seriously by management)
- you should not do anything to jeopardise our valuable trade secrets and other confidential information and intellectual property

You are personally responsible for what you communicate in social media so bear this in mind before posting content and be sure it complies with any restrictions under local state/country laws.
Reporting of information security weaknesses

All suspected information security weaknesses, incidents or violations must be reported as quickly as possible to your local IT service desk.

Security weaknesses or incidents might include, but are not limited to, unusual virus alerts, abnormal drive space changes, spam emails, official website defacement, suspected reconnaissance activities, suspected intrusions, physical security lapses, theft or loss of computing devices, lost or stolen ID cards, witnessing of illegal/inappropriate online activity by others, suspected user account break-in or compromised credentials.
Copyright

Material obtained from third parties (including customers, law firms, information services or via the internet) is likely to be protected by copyright and unauthorised storage or reproduction is unlawful. It is our policy to comply with all applicable requirements and, where necessary, to have in place appropriate licences.

Ownership

All of the computer equipment used, and any documents or other information created using our computer systems, remain the property of Petrofac. This extends to any documents or email messages you may have created or communicated for personal reasons. Be aware when creating anything of a personal nature that all files and emails can be retained indefinitely.

Similarly, Petrofac's own material is subject to copyright and should only be provided to third parties where there is a valid business reason. In appropriate circumstances, you may wish to place a notice "© Petrofac [year]" on any material that is distributed to third parties to indicate this.
Leaving Petrofac

It is the responsibility of the individual leaving to ensure that all moveable IT equipment is returned to the office or local IT contact prior to leaving employment with Petrofac and its affiliates. Such equipment includes, but is not limited to:
- laptop computers and any associated equipment
- modems/routers and any other networking equipment
- BlackBerry/PDA/mobile phone(s) and any associated equipment
- any software licensed to Petrofac
- all diskettes/CDs/USB pens
- any Petrofac data/information stored on any other computer/data storage devices

This includes any IT equipment provided to you for use outside the office. Desktop hardware, printers, license dongles, telephones and associated cabling should be left on your desk.

If you wish to take an electronic copy of any personal emails or documents, you must first obtain the written authorisation of your supervisor/manager. Once this authorisation has been received by your local IT contact, they will provide an electronic copy. This is however dependent on the quantity of the data. Further restrictions may apply. Please provide at least one week's notice.

At close of business on your final day with Petrofac your access to the systems will be disabled and calendar, contacts and emails will be archived. Documents will remain on the system and will be available according to their security settings.
If you have questions about our Acceptable Use of Information Systems Standard, email it.security@petrofac.com.

Published July 2013