Acceptable Use Policy
January 3, 2022
INTRODUCTION
The Company provides a variety of technology resources to support its initiatives and daily operations. All Users
play an important role in maintaining the Confidentiality, Integrity, and Availability of RCG Information Assets
and Systems. Therefore, it is the responsibility of Users to exhibit and maintain appropriate use of RCG
Information Assets and Systems in accordance with this Acceptable Use Policy (“Policy”).
1. Policy Detail
1.1. Scope
This Policy applies to all Users who interact with RCG Information Assets and Systems. It is the responsibility of
every RCG Employee who engages Third Parties to perform services involving RCG Information Assets and
Systems to work with Information Security and Legal to ensure that such Third Parties are contractually
obligated to comply with this Policy and other applicable policies and standards.
1.2. Purpose
This Policy establishes the acceptable use of RCG Information Assets and Systems. Users must use RCG
Information Assets and Systems in a manner consistent with this Policy and are responsible for exercising good
judgement and exhibiting ethical and lawful behavior during the use of the provided technologies.
• exercise good judgement regarding reasonableness of their personal use of RCG Devices and Systems.
If there is any uncertainty, Users should consult RCG policies, their manager or Information Security.
• safeguard their credentials, including and not limited to username, passwords, pins, and tokens. Users
must not write down or share their passwords with anyone.
• immediately reset and change their password if it has been or they suspect it has been compromised.
• use a mixture of upper and lower alpha-numeric and special characters when creating their password.
The use of common passwords, such as “Password123” or ship and brand names, is prohibited.
• take care of all equipment provided by RCG. RCG reserves the right to reclaim any costs incurred for
damaged equipment, whether negligently or intentionally damaged; and
• work with IT to ensure RCG Information Assets on Mobile Devices are maintained in a secure manner to
protect from potential threats and vulnerabilities.
• Desktops and Laptops must be locked or logged off when left unattended.
• Laptops left at an RCG office overnight must be secured in a locked office, drawer, cabinet or docked
on a locked docking station. Keys to the locked area must not be left in the lock.
• Laptops taken off-site must not be left unattended in public places and not left in sight in a car.
• Laptops must be carried as hand luggage when travelling.
• If a laptop is lost or stolen, Users are required to report it to their manager and the RCG Support Desk
or Shipboard IT Manager as soon as possible.
• Mobile Devices must have the Company approved mobile device management application enabled on the
device, and Users are not to disable the application unless Authorized.
• Appropriate safeguard practices should be implemented on the company-owned Mobile Device to protect
RCG Information Assets and Systems, including and not limited to password/pin protection, multi-factor
authentication and encryption.
• Mobile Devices must be locked any time the device is unattended.
• Mobile Devices must not be left unattended in an unsecure location or left in sight in a car.
• If a Mobile Device is lost or stolen, Users are required to report it to their manager and the RCG Support
Desk or Shipboard IT Manager as soon as possible, so the appropriate precautions can be applied.
• The Company approved mobile device management application must be downloaded and enabled on
the Mobile Device, prior to using the device to access RCG Information Assets and Systems, including
and not limited to receiving/sending emails, utilizing calendars, tasks or accessing Systems. If the
mobile device management application is disabled or uninstalled from the device, then access to RCG
Information Assets and Systems via a personally owned Mobile Device shall be revoked.
• Mobile Devices used for Company business should have appropriate safeguard practices enabled on their
device to protect RCG Information Assets and Systems, including but not limited to password/pin
protection, multi-factor authentication.
• Mobile Devices used for RCG business purposes must be locked any time the device is unattended.
• Mobile Devices used for RCG business purposes must not be left unattended in an unsecure location.
• If a personally owned Mobile Device used for RCG business is lost or stolen, Users are required
to report it to their manager and the RCG Support Desk or Shipboard IT Manager as soon as possible, so
the appropriate precautions can be applied to protect the RCG Information Assets and Systems (i.e.,
remotely wiping the phone of RCG Information Assets and Systems, resetting passwords, etc.).
• Email and communication platforms provided by RCG are to be used for business purposes and should
follow company practices. RCG reserves the right to monitor these platforms and related
communications as it determines appropriate.
• Email and communication platforms should only be used by the registered User, or a delegate granted
access through the communication platform’s delegation process.
• If Users receive messages containing offensive or inappropriate material, they must immediately notify
their manager or HR business partner.
• Do not open email attachments or links from unknown sources. Attachments and links are the primary
source of malware and should be treated with utmost caution. Report suspicious emails using the
“Report Phishing” button or forward to abuse@rccl.com.
• Forwarding RCG email accounts to external accounts (e.g., Yahoo, Gmail, Outlook, etc.).
• Sharing email account passwords with another person or attempting to obtain another person’s email
account password.
• Intentionally spreading malicious software (i.e., viruses, worms, Trojans) or causing any Network
disruption (e.g., downtime or impact to business product or service).
• Transmitting obscene, profane, or offensive messages.
• Engaging in illegal activity or any activity that otherwise violates any RCG policy, standard or applicable
law or regulation.
• Users should take precautions to ensure that Restricted Information Assets cannot be retrieved or
viewed by an unintended recipient.
• Users should verify the information shared is being sent to the intended party.
RCG printer and multifunctional devices may not be used for the following:
Any monitoring information gathered may be disclosed to appropriate RCG management and, if required, to law
enforcement officials. This may involve transferring information outside the country of residence of the User
and RCG will always seek to ensure that such transfer is handled in accordance with applicable laws. Any
monitoring information gathered will be deleted by RCG in accordance with the applicable record retention
schedules of RCG’s Record Management Policy. RCG is not responsible for maintaining backup copies of any
personal materials Users create and/or save on RCG Systems (such as your laptop), and all such materials will
be destroyed upon termination of employment or contract with no further notice to the User.
3. Certification
The Company may require Users to certify that they have reviewed this Policy and are compliant with this
Policy.
4. Exceptions
Any request for an exception to this Policy must be submitted in writing to Information Security at
CyberRiskAssessments@rccl.com and approved in accordance with the Approval Matrix in the IT Risk and
Exception Management Standard Operating Procedure (“SOP”).
The Company does not tolerate any kind of retaliation for reports or complaints made in good faith.
6. Definitions
For purposes of this Policy, the following terms shall have the following meanings:
Availability: The need to ensure that the business purpose of the System can be met and that it is accessible
to those who need to use it.
Company or RCCL/RCL/RCG: Royal Caribbean Cruises Ltd. and its wholly owned subsidiaries.
Employee: means any employee or officer of the Company, whether shoreside or shipboard.
Information Asset(s): RCG data that are processed, interpreted, organized, structured, or presented to
make them meaningful or useful in both physical and electronic form.
Intellectual Property: Content or data Users create on RCG Systems or for Company purposes
notwithstanding location, including without limitation, content files, Internet, e-mail, and voice mail usage
records, as well as to their office space within any company-owned or leased facilities.
Integrity: Protecting Information Assets from being modified in any form or state by an unauthorized entity.
Network: A group of Systems linked by wired or wireless means to transmit Information Assets.
RCG Devices: Cellphone, Smartphone, Tablet device, or any other portable or non-portable electronic
product Authorized to access the Company’s Network.
System(s): A set of IT or Operational Technology (“OT”) hardware, software, or application used to store,
process, transfer, or maintain Company data for a specific purpose. (example: 3 servers that have software
installed to market information to guests is considered a System).
Spam: Irrelevant or inappropriate messages sent on the Internet to a large number of recipients.
Third Party(ies): A non-Employee, whether an individual or entity engaged by the Company to provide
goods or services to the Company.
User: An individual or entity, including and not limited to Employees and Third Parties, who has valid and
Authorized, limited or unlimited access to any RCG Information Asset or System.
Information Security
Information Security is responsible for administering this Policy and answering questions regarding this
Policy or its application. In addition, Information Security will review this Policy on an annual basis to
determine if any amendments are appropriate and propose such amendments to the Chief Information
Security Officer.
Department Heads
Each Department Head is responsible for ensuring that the Employees within his or her department or
Third Parties engaged by the department comply with this Policy.
This Policy must be reviewed by all the parties below and approved by the Chief Executive Officer and the
Chief Financial Officer of the Company no less than once a year or whenever there is a change in business
practices that affects the security of Information Assets or Systems.