UCL-75-1030 - Issue No.2 - Information Security Policy (Extended)
Copy No.:
Policy
Title:
Information Security Policy
1- Objective:
Pharco Corporation's Information Security Policy identifies how to protect Pharco
Corporation employees, partners, customers, suppliers and the organization from illegal use,
hacking, unconfident or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet systems and the ERP application, including but not limited to computer
equipment, software, operating systems, storage media, and network accounts providing electronic
mail, WWW browsing, and FTP, are the property of Pharco Corporation. These systems are to be
used for business purposes in serving the interests of the corporate companies. Effective
security is a team effort involving the participation and support of everyone in the corporation. It
is the responsibility of every computer user to know these guidelines, and to conduct their
activities accordingly.
Code No.:UCL-75-1030 Issue No.: 2 Page: 2/12
2- Scope :
The purpose of this policy is to outline the required security issues of computer systems at
Pharco Corporation. These rules are in place to protect the information asset from
inappropriate use, which exposes it to risks including virus attacks, damage to network systems
and services, and legal issues.
3- Responsibility:
This policy applies to employees, contractors, consultants, temporaries, and other workers at
Pharco Corporation companies, including all personnel affiliated with third parties. This policy
applies to all equipment that is owned or leased by corporate companies.
4- Definitions
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Hacking: Breaking computer systems
5- Attachments : None
6- Forms used : None
7- Procedure
7-1- General Use and Ownership
7-1-1- While the network administration desires to provide a reasonable level of privacy,
users should be aware that the data they create on the corporate systems (ERP, Intranet, or any
other systems) remains the property of their own companies.
7-1-2- Employees are responsible for keeping the confidentiality of the information they access.
7-1-3- For security and network maintenance purposes, authorized individuals within
corporate may monitor equipment, systems and network traffic at any time.
7-1-4- The corporate Information Sector reserves the right to audit networks and systems
on a periodic basis to ensure compliance with this policy.
7-2- User Rights and Responsibilities
7-2-1- Individual departments are responsible for identifying user rights according to
the business needs of the department by sending a user rights request to the
information technology division, detailing the required user rights for each
person in the department according to his specialty.
7-2-2- Employees should take all necessary steps to prevent unauthorized access to this
information.
7-2-3- Employees should keep passwords secure and should not share accounts. Authorized
users are responsible for the security of their passwords and accounts.
7-2-4- System level passwords should be changed quarterly; user level passwords should
be changed periodically according to the system local policy by expiring the user
password.
7-2-5- All PCs, laptops and workstations should be secured with a password-protected
screensaver with the automatic activation feature set at 10 minutes or less, or by
logging-off when the host will be unattended.
7-2-6- Postings by employees from a Pharco email address to newsgroups should contain
a disclaimer stating that the opinions expressed are strictly their own and not
necessarily those of Pharco, unless posting is in the course of business duties.
7-2-7- All computers used by the employee that are connected to the company network
whether owned by the employee or the company shall be continually executing
approved virus-scanning software with a current virus database.
7-2-8- Employees must use extreme caution when opening e-mail attachments received
from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse
code.
7-2-9- Employees should not save passwords, whether for the operating system or for any
other application.
7-2-10- Employees should use the company’s business mail (departmental mail), and should
not use generic mail services like Yahoo, Gmail, Microsoft Outlook, etc.
7-2-11- Department operators should not be administrators on their devices; they should
have standard user privileges.
7-2-12- Changing the computer’s date/time is forbidden for any user; only the system
administrator can change them.
7-2-13- Using USB memory or any removable storage media must be blocked for any
employee, and any exception must be authorized with approval from the company’s general
manager according to the business needs.
Prepared by Revised by Approved by
Name : Amal Ibrahim Mostafa Hassan Mohamed Abd El Rahman Ayten Saleh
Sig./Date :
7-3-2- Unauthorized copying of copyrighted material including, but not limited to,
digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which the company or the end user does not have an active license
is strictly prohibited.
7-3-3- Introduction of malicious programs into the network or server (e.g., viruses, worms,
Trojan horses, e-mail bombs, etc.).
7-3-4- Revealing your account password to others or allowing use of your account by
others. This includes family and other household members when work is being done at home.
7-3-5- Using corporate devices to transmit material that is in violation of law or traditions.
7-3-6- Making fraudulent offers of products, items, or services originating from any
company account.
7-3-7- Accessing data of which the employee is not an intended recipient or logging into
a server or account that the employee is not expressly authorized to access.
7-3-8- Executing any form of network monitoring which will intercept data not intended
for the employee's job, unless this activity is a part of the employee's normal job/duty.
7-3-9- Hacking any other user authentication or security.
7-3-10- Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's account, via any means, locally or via the
Internet/Intranet.
7-3-11-Providing information about corporate companies to outside parties.
7-3-12-Sending unsolicited or spam email messages.
7-3-13-Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.
The following are some examples of prohibited activities that violate this Internet policy:
Employees may not use email to ask other people to contribute to, or to tell them about,
businesses outside of the company, religious or political causes, outside organizations, or any
other non-business matters.
Employees may use the company’s business mail and should not use generic mail services like
Gmail, Yahoo, Microsoft Outlook, etc. for business purposes.
Employees use the Outlook mail client to access their mail from their assigned computer device to send
and receive any business mail.
Using generic mail services requires special approval from the employee’s company’s general manager.
If you know about any violations to this policy, notify your supervisor, the Human Resources
Department or any member of management. Employees who violate this policy are subject to
disciplinary action, up to and including termination of employment.
IT Support Professionals
All system-level passwords (e.g., root, enable, admin, application administration
accounts, etc.) must be changed every 90 days.
All systems administrative-level passwords for production environments must be part of
an ITSS (Information Technology Security System) administered global password
management database (Saved with IT Manager as mentioned in End User Security SOP).
User accounts that have system-level privileges granted through group memberships or
programs must have a unique password from all other accounts held by that user.
Passwords should not be saved at all.
Passwords must not be included in email messages or other forms of electronic
communication. Passwords must be at least 8 characters in length.
General Users
All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed
every 90 days.
Passwords must not be included in email messages or other forms of electronic
communication. Passwords must be at least 8 characters in length.
Guidelines
General password construction guidelines are used for various purposes at (organization) (i.e.
user level accounts, web accounts, email accounts, screen saver protection, voicemail password,
and local router logins). It is important that everyone be aware of how to select strong
passwords. Poor, weak passwords have the following characteristics:
The password can be found in a dictionary (English or foreign)
The password is a common usage word such as: Names of family, pets, friends, co-
workers, fantasy characters, computer terms and names, commands, sites, companies,
hardware, software, birthdays and other personal information such as addresses and
phone numbers.
Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc. Any of the above
spelled backwards. Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
7.5.1 IT Infrastructure
o System backup and disaster recovery plan must be in-place and in-use
o Changing the date and time and time zone must be restricted to the IT system
Administration staff
o Users should not have access to overwrite or delete the backup server data files
Each user must have his own profile (roles and privileges) according to his duties
The user duties on the information system must be determined and approved by the
sector head according to the employee job description
The system users must not have the ability for data MANIPULATION
An Archive, Backup and Restore SOP for the systems data must exist
IT policies.
7-6- Updating
This Policy should be reviewed annually.
8- References
9- Related documents
History Page
Issue No. | Effective date | Review date | Amendment Summary | Page No.
1 | 1/5/2016 | 1/5/2019 | | 11
2 | | | Adding 7.5 Data integrity policy |