
Page: 1/12

Copy No.:
Policy Title: Information Security Policy

Issue No. : 2                 Code No. : UCL-75-1030
Issue Date :                  Effective date :                  Review date :

Prepared by : Amal Ibrahim Mostafa Hassan
Revised by  : Mohamed Abd El Rahman
Approved by : Ayten Saleh
Title : Oracle Apps Development Section Head / Oracle Application Manager / Corporate IT Director / Q.A Director
Sig./Date :

Distribution (one copy to each destination)
Copy No.   Destination
 1         EEPI Managing Director
 2         Quality Assurance Directorate
 3         Quality Control Directorate
 4         R&D Directorate
 5         Engineering Directorate
 6         Warehouse Directorate
 7         Finance Directorate
 8         Transportation Directorate
 9         OHS Directorate
10         Planning Directorate
11         Production Directorate
12         IT Directorate
13         Human Resource Directorate
14         Marketing Directorate
15         Scientific Office Directorate

1- Objective:
The Pharco Corporation Information Security Policy identifies how to protect Pharco
Corporation employees, partners, customers, suppliers and the organization from illegal use,
hacking, breaches of confidentiality or damaging actions by individuals, whether knowing or
unknowing. Internet/Intranet systems and the ERP application, including but not limited to
computer equipment, software, operating systems, storage media, and network accounts
providing electronic mail, WWW browsing and FTP, are the property of Pharco Corporation.
These systems are to be used for business purposes in serving the interests of the corporate
companies. Effective security is a team effort involving the participation and support of
everyone in the corporate group. It is the responsibility of every computer user to know these
guidelines and to conduct their activities accordingly.
2- Scope:
The purpose of this policy is to outline the required security controls for computer systems at
Pharco Corporation. These rules are in place to protect the information assets from
inappropriate use that would expose them to risks including virus attacks, damage to network
systems and services, and legal issues.
3- Responsibility:
This policy applies to employees, contractors, consultants, temporaries, and other workers at
Pharco Corporation companies, including all personnel affiliated with third parties. This policy
applies to all equipment that is owned or leased by corporate companies.
4- Definitions
Spam: Unauthorized and/or unsolicited electronic mass mailings.
Hacking: Breaking into computer systems.
5- Attachments : None
6- Forms used : None
7- Procedure
7-1- General Use and Ownership
7-1-1- While the network administration desires to provide a reasonable level of privacy,
users should be aware that the data they create on the corporate systems (ERP, Intranet, or any
other systems) remains the property of the respective companies.
7-1-2- Employees are responsible for keeping the information they access confidential.
7-1-3- For security and network maintenance purposes, authorized individuals within the
corporate group may monitor equipment, systems and network traffic at any time.
7-1-4- The corporate Information Sector reserves the right to audit networks and systems
on a periodic basis to ensure compliance with this policy.
7-2- User Rights and Responsibilities
7-2-1- Individual departments are responsible for identifying user rights according to
the business needs within the department, by sending a user-rights request to the
Information Technology Division detailing the rights required for each person in the
department according to their specialty.


7-2-2- Employees should take all necessary steps to prevent unauthorized access to this
information.
7-2-3- Employees should keep passwords secure and must not share accounts. Authorized
users are responsible for the security of their passwords and accounts.
7-2-4- System-level passwords should be changed quarterly; user-level passwords should
be changed periodically according to the local system policy, by expiring the user
password.
7-2-5- All PCs, laptops and workstations should be secured with a password-protected
screensaver with the automatic activation feature set to 10 minutes or less, or by
logging off when the host will be unattended.
7-2-6- Postings by employees from a Pharco email address to newsgroups should contain
a disclaimer stating that the opinions expressed are strictly their own and not
necessarily those of Pharco, unless the posting is in the course of business duties.
7-2-7- All computers used by employees that are connected to the company network,
whether owned by the employee or the company, shall continually run approved
virus-scanning software with a current virus database.
7-2-8- Employees must use extreme caution when opening e-mail attachments received
from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse
code.
7-2-9- Employees should not save passwords, whether for the operating system or for any
other application.
7-2-10- Employees should use the company's business mail (departmental mail), and should
not use public webmail services such as Yahoo, Gmail, Microsoft Outlook, etc.
7-2-11- Department operators should not be administrators on their devices; they should
have standard user privileges.
7-2-12- Changing the computer's date/time is forbidden for any user; only the system
administrator can change them.
7-2-13- Use of USB memory or any removable storage media must be blocked for all
employees, and any exception must be authorized with approval from the company's general
manager according to business needs.

7-3- Prohibited Activities

The following activities are, in general, prohibited. Employees may be exempted from these
restrictions during the course of their legitimate job responsibilities (e.g., systems
administration staff may have a need to disable the network access of a computer if that
computer is disrupting production services).
Under no circumstances is an employee to engage in any activity that is illegal under local or
international law while utilizing the company's owned resources.

The following activities are strictly prohibited, with no exceptions:

7-3-1- Violations of the rights of any person or company protected by copyright, trade
secret, patent or other intellectual property, or similar laws or regulations,
including, but not limited to, the installation or distribution of "pirated" or other
software products that are not appropriately licensed for use.

7-3-2- Unauthorized copying of copyrighted material including, but not limited to,
digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which the company or the end user does not have an active license
is strictly prohibited.

7-3-3- Introduction of malicious programs into the network or server (e.g., viruses, worms,
Trojan horses, e-mail bombs, etc.).
7-3-4- Revealing your account password to others or allowing use of your account by
others. This includes family and other household members when work is being done at home.
7-3-5- Using corporate devices to transmit material that is in violation of law or traditions.
7-3-6- Making fraudulent offers of products, items, or services originating from any
company account.
7-3-7- Accessing data of which the employee is not an intended recipient, or logging into
a server or account that the employee is not expressly authorized to access.
7-3-8- Executing any form of network monitoring which will intercept data not intended
for the employee's job, unless this activity is part of the employee's normal job/duty.
7-3-9- Breaking any other user's authentication or security controls.
7-3-10- Using any program/script/command, or sending messages of any kind, with the
intent to interfere with, or disable, a user's account, via any means, locally or via the
Internet/Intranet.
7-3-11- Providing information about corporate companies to outside parties.
7-3-12- Sending unsolicited or spam email messages.
7-3-13- Any employee found to have violated this policy may be subject to disciplinary
action, up to and including termination of employment.

7-4- Main Information Security Policies


7-4-1- Internet Usage Policy
Pharco Corporation companies may provide you with Internet access to help you do your job.
This policy explains our guidelines for using the Internet.
All Internet navigation is controlled and monitored through the firewall, which filters web
traffic according to company policy. Social media sites, YouTube, pornographic sites and news
sites are prohibited and are blocked by the firewall for all the companies' users.
Any special requirement to access the sites listed above requires a special authorization from
the company general manager or CEO.
All Internet data that is written, sent, or received through our computer systems is part of
official COMPANY records. That means that we can be legally required to show that
information to law enforcement or other parties.
Therefore, you should always make sure that the business information contained in Internet
email messages and other transmissions is accurate, appropriate, ethical, and legal.
The equipment, services, and technology that you use to access the Internet are the property of
the company.
Therefore, we reserve the right to monitor how you use the Internet. We also reserve the right to
find and read any data that you write, send, or receive through our online connections or that is
stored in our computer systems.

If you use the Internet in a way that violates the law or COMPANY policies, you will be
subject to disciplinary action, up to and including termination of employment. You may also be
held personally liable for violating this policy.

The following are some examples of prohibited activities that violate this Internet policy:

• Sending or posting discriminatory, harassing, or threatening messages or images
• Using the organization's time and resources for personal gain
• Stealing, using, or disclosing someone else's code or password without authorization
• Copying, pirating, or downloading software and electronic files without permission
• Sending or posting confidential material, trade secrets, or proprietary information outside
of the organization
• Violating copyright law
• Failing to observe licensing agreements
• Participating in the viewing or exchange of pornography or obscene materials
• Attempting to break into the computer system of another organization or person
• Sending or posting chain letters, solicitations, or advertisements not related to business
purposes or activities
• Using the Internet for political causes or activities, religious activities, or any sort of
gambling
• Sending anonymous email messages
• Engaging in any other illegal activities
7-4-2- Email Usage Policy
To help you do your job, the company may give you access to the email system. To make sure
that all employees follow this policy, we may monitor computer and email usage.
We try hard to have a workplace that is free of harassment and sensitive to the diversity of our
employees. Therefore, we do not allow employees to use computers and email in ways that are
disruptive or offensive to others.


Employees may not use email to solicit contributions to, or to inform others about, businesses
outside the company, religious or political causes, outside organizations, or any other
non-business matters.
Employees should use the company's business mail and should not use public webmail services
such as Gmail, Yahoo, Microsoft Outlook, etc. for business purposes.
Employees use the Outlook mail client to access their mail from their assigned computer device
to send and receive any business mail.
Using public webmail services requires a special approval from the employee's company general
manager.
If you know about any violations of this policy, notify your supervisor, the Human Resources
Department or any member of management. Employees who violate this policy are subject to
disciplinary action, up to and including termination of employment.

7-4-3- Password Protection Policy

Passwords are an integral aspect of our computer security program. Passwords are the front line
of protection for user accounts. A poorly chosen password may result in the compromise of
critical (organization) resources.

IT Support Professionals
• All system-level passwords (e.g., root, enable, admin, application administration
accounts, etc.) must be changed every 90 days.
• All system administrative-level passwords for production environments must be part of
an ITSS (Information Technology Security System) administered global password
management database (saved with the IT Manager as mentioned in the End User Security SOP).
• User accounts that have system-level privileges granted through group memberships or
programs must have a unique password, different from all other accounts held by that user.
• Passwords must not be saved at all.
• Passwords must not be included in email messages or other forms of electronic
communication. Passwords must be at least 8 characters in length.


General Users
• All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed
every 90 days.
• Passwords must not be included in email messages or other forms of electronic
communication. Passwords must be at least 8 characters in length.

Guidelines
Passwords are used for various purposes at (organization) (i.e. user-level accounts, web
accounts, email accounts, screen saver protection, voicemail passwords, and local router
logins), and the general password construction guidelines below apply to all of them. It is
important that everyone be aware of how to select strong passwords. Poor, weak passwords
have the following characteristics:
• The password can be found in a dictionary (English or foreign).
• The password is a common usage word such as: names of family, pets, friends,
co-workers or fantasy characters; computer terms and names, commands, sites, companies,
hardware or software; birthdays and other personal information such as addresses and
phone numbers.
• Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.; any of the above
spelled backwards; any of the above preceded or followed by a digit (e.g., secret1, 1secret).

Strong passwords have the following characteristics:

• Contain both upper and lower case characters (e.g., a-z, A-Z).
• Have digits and punctuation characters as well as letters (e.g., 0-9,
!@#$%^&*()_+|~-=\`{}[]:";'<>?,./).
• Are at least eight alphanumeric characters long.
• Are not a word in any language, slang, dialect, jargon, etc.
• Are not based on personal information, names of family, etc.
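As an added illustration (not part of the policy document), the following Python check encodes the weak- and strong-password characteristics listed above so that a candidate password can be tested against them before it is accepted; the dictionary, pattern and personal-information sets are constructed samples, and a deployed check would load a full wordlist and the user's own profile data.

```python
"""Check a candidate password against the construction guidelines in 7-4-3.

Added illustration, not part of the policy document. The dictionary, pattern
and personal-information sets are small constructed samples; a real check
would load a full wordlist and the user's own profile data.
"""
import re
import string

DICTIONARY = {"secret", "password", "welcome", "summer", "pharco"}        # constructed
PATTERNS = {"qwerty", "asdfgh", "zyxwvuts", "aaabbb", "123321", "123456"}  # constructed
PERSONAL_INFO = {"amal", "cairo", "1985"}                                  # constructed
PUNCT = set(string.punctuation)


def _variants(pw):
    """Forms the guideline treats as equivalent to the password: lower-cased,
    spelled backwards, and with one leading or trailing digit removed."""
    low = pw.lower()
    forms = {low, low[::-1]}
    for f in list(forms):
        if len(f) > 1 and f[0].isdigit():
            forms.add(f[1:])       # 1secret -> secret
        if len(f) > 1 and f[-1].isdigit():
            forms.add(f[:-1])      # secret1 -> secret
    return forms


def _is_sequence(s):
    """Every step is +1 or every step is -1 in character code (abcdef, zyxwvuts)."""
    steps = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return len(s) >= 4 and steps in ({1}, {-1})


def _is_repetition(s):
    """Blocks of one character repeated three or more times (aaabbb, 111222)."""
    return re.fullmatch(r"(?:(.)\1{2,})+", s) is not None


def check_password(pw):
    """Return the list of guideline violations; an empty list means compliant."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("missing upper or lower case letters")
    if not any(c.isdigit() or c in PUNCT for c in pw):
        problems.append("no digit or punctuation character")
    forms = _variants(pw)
    if forms & DICTIONARY:
        problems.append("dictionary word, possibly reversed or with a digit")
    if any(_is_sequence(f) or _is_repetition(f) or any(p in f for p in PATTERNS)
           for f in forms):
        problems.append("keyboard or number pattern")
    if any(info in pw.lower() for info in PERSONAL_INFO):
        problems.append("based on personal information")
    return problems
```

The function reports every rule a candidate breaks, so the same check can drive both a self-service strength meter and the periodic password audit described later in this section.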


Password Protection Standards

• Change passwords at least once every 90 days.
• Do not write down passwords.
• Do not store passwords on-line without encryption.
• Do not use the same password for (organization) accounts as for other non-(organization)
access (e.g., personal ISP account, on-line banking, email, benefits, etc.).
• Do not share (organization) passwords with anyone, including administrative assistants
or secretaries. All passwords are to be treated as sensitive, confidential (organization)
information.
• Don't reveal a password over the phone to ANYONE.
• Don't write a password in an email message.
• Don't give a password to the boss.
• Don't talk about a password in front of others.
• Don't hint at the format of a password (e.g., "my family name").
• Don't give a password to co-workers while on vacation.
Password cracking or guessing may be performed on a periodic or random basis by security
personnel. If a password is guessed or cracked during one of these scans, the incident will be
documented and the user will be required to change their password.

7-4-4- Remote Access Policy

• For each company, a single computer may be prepared for remote access by the IT technical
support supervisors for incident support outside working hours.
• This device must be secured with a strong password for each IT support team.
• Remote access is forbidden for any employee except the IT support staff mentioned above.

7-5- Data Integrity Policy

7-5-1- IT Infrastructure

• The server room must be secured.
• Only the IT team has access to the system administration functions.
• A system backup and disaster recovery plan must be in place and in use.
• Changing the date, time and time zone must be restricted to the IT system
administration staff.

7-5-2- System Administration

• Only IT system administrators are responsible for switching the audit trail
functionality on or off in any computer system.
• Assigning privileges to any user must be restricted to the IT system administrator.
• Users should not have access to the backup server data files (for overwriting or
deletion).

7-5-3- System Roles and Privileges

• Each user must have their own profile (roles and privileges) according to their duties.
• The user's duties on the information system must be determined and approved by the
sector head according to the employee's job description.
• System users must not have the ability to manipulate data.
• Define user roles according to the users' job descriptions.
• Restrict each user's privileges to the functions related to their duties.

7-5-4- Data Integrity Required SOPs

• An audit trail review SOP must exist.

• User training on the data integrity requirements must be conducted.
• An SOP for archiving, backing up and restoring system data must exist.
• IT policies.
• System administration (CDS access, roles and privileges).
• Data acquisition and processing.
• Data review and approval.

7-5-5- Data Integrity Prohibited Functions

• Sharing accounts or passwords.
• Providing a delete privilege to a user.
• Disabling the audit trail.
• Hiding or excluding data.
• Failing to back up system data.
• Providing a change date/time privilege to a user.

7-6- Updating
• This policy should be reviewed annually.

8- References
9- Related documents


History Page

Issue No.   Effective date   Review date   Page No.   Amendment Summary
1           1/5/2016         1/5/2019      11
2                                                     Adding 7.5 Data integrity policy
