Policy 0047 - Acceptable Use of Information, Devices, and Technology

PURPOSE OF THIS POLICY

The purpose of this Policy is to set forth the requirements for the protection and use of Company, client, and other
third-party Information, Devices, and Technology.

POLICY

Table of Contents

1. SCOPE, EXCEPTIONS AND SANCTIONS
1.1 Scope
1.2 Exception Process
1.3 Sanctions
2. EXPECTATIONS FOR PERSONNEL
3. DEVICES AND TECHNOLOGY
4. INFORMATION

1. SCOPE, EXCEPTIONS AND SANCTIONS

1.1 Scope

This Policy applies to all Personnel.

This Policy sets forth the minimum Company requirements when accessing any Company, client, or other
third-party Information or Technology, and when Personnel use any Device, while performing Company
work. Further requirements may be issued locally due to specific client requirements or to comply with local
law or security standards adopted by specific Company locations or businesses. Personnel must comply
with whichever applicable requirements are most stringent.

This Policy does not override any applicable data privacy and data protection laws and regulations in
countries where the Company operates and to which the Company is subject.

This Policy refers to various categories of sensitivity of Company Information. In order of increasing
sensitivity, the classification levels are defined as follows:

• Unrestricted (Company data that is intended for public, non-company consumption, such as
Polestarllp.com);
• Confidential (Company data that can be shared across the Company but not made publicly
available, such as delivery processes and knowledge capital);
• Highly Confidential (Company data intended for business use only by specific groups of employees
on a need-to-know basis, such as network designs or personal data); and
• Restricted Information (highly sensitive, strategic Company Information that is material and
non-public, such as financial statements).

The term “Sensitive Information” means Company Information classified as Confidential, Highly Confidential
or Restricted.

1.2 Exception Process

On rare occasions and where not contrary to any legal requirement, it may be appropriate to grant an
exception to certain requirements in this Policy.

1.3 Sanctions

Any Personnel who violate this Policy may, as circumstances merit, be referred to HR and/or Legal and may
face disciplinary measures, including but not limited to:

• a note placed in the personnel file;
• consideration in the performance review process;
• specific adjustment of performance evaluation or project ratings;
• removal from an engagement; and/or
• other sanctions not listed, up to and including termination.

2. EXPECTATIONS FOR PERSONNEL

Personnel are required to act lawfully at all times and exercise sound judgment in their use of
Information, Devices and Technology. In particular, they must (i) comply with the Company’s Code of
Business Ethics and security behaviors described within this Policy and (ii) act promptly on security
communications from Polestar, including “Protecting Polestar”.

Specifically prohibited behaviors are:

1. Any conduct that violates the Company’s policies, Code of Business Ethics or law.
2. Accessing the internet or Technology for unlawful purposes, such as violating copyright laws.
3. Accessing, downloading, or distributing pornographic, obscene, defamatory, discriminatory,
harassing, or other inappropriate materials of any kind.
4. Installing and using peer-to-peer file sharing software that has not been approved for use by
the Information Security organization.
5. Uninstalling, disabling or circumventing Company workstation security software.
6. Gaining unauthorized access to Company, client or other third party Devices or Technology.
7. Jeopardizing the reputation of the Company or harassing individuals by transmitting messages
that could be construed as libelous, slanderous, defamatory, threatening, abusive or otherwise
inappropriate.
8. Violating the identified and communicated acceptable use policies of a client or other third
party (e.g. service provider) when using their resources.

3. DEVICES AND TECHNOLOGY

3.1 Provision and Use of Devices and Technology

Only Company-provided Devices and Technology may be used to fulfill business responsibilities for, or on
behalf of, the Company, except that the Devices and Technology described below may be used for Company
business in the manner described, provided that the accompanying requirements are adhered to.

3.1.1 Using Devices and Technology for Company Business

A. Smartphones and Tablets

Smartphones and tablets, whether Company-provided or personally owned (when used for Company
business), must be configured and used as follows:

1. Create passwords / pass codes that are difficult to guess (e.g. not “1234”).
2. Install the latest operating system and application updates that the smartphone or tablet will accept,
unless Protecting Polestar advises otherwise.
3. Limit the business use of smartphones and tablets to email, Polestar and client applications, and
browser based access.
4. Do not save Company or client Information outside of the email application, web browser or any
other applications used to connect to Company systems. If you edit Company or client documents
on the smartphone or tablet, delete them immediately after emailing.
5. Third party storage systems such as iCloud and DropBox, and related tools such as GoodReader,
must not be used to transmit, store or backup Company or client Information. Smartphone and
tablet backups to personally owned Devices are permitted, but must be encrypted (e.g. using the
encryption option in iTunes). Backups of device configuration and non-Company data to encrypted
third party services (e.g. iCloud) are permitted but must be configured to exclude data in Company
and client applications.
6. Do not compromise the Device’s operating system (e.g. Jailbreaking Apple iOS devices or rooting
Android devices), or circumvent Microsoft Active Sync technical policies.
7. Report lost Devices to Polestar’s HR first.
8. Unless the Device is returned to Local Technical Support, erase Company data and access
configuration prior to departing the Company, transferring ownership of the Device or disposing of
the Device.
9. Do not download any unauthorized software or application.
10. If a Company-provided Device is lost, stolen or damaged, the value of the asset will be borne by
the employee and recovered from the employee’s salary, incentive or any other amount payable to
the employee.

B. Personally Owned Computers


1. Only browser-based access to Company internet facing applications (e.g. webmail) is
permitted from a personally owned computer. Private Browsing should be used, or
temporary browser internet storage must be securely erased by clearing the browser
cache after each use (refer to the Help section of the internet browser for instructions on
how to do this). If documents are opened or edited then browser temporary files must be
manually deleted after each use (refer to the Help section of the internet browser to
determine the location of temporary files). Information saved elsewhere on a personally
owned computer (i.e. using the Save As function) must also be manually deleted after
each use.

C. Client Provided Computers


1. If a client provides Devices or Technology for use on an engagement, Personnel must
adhere to the client’s relevant policies and use those Devices or Technology only for that
client’s engagement. The Engagement Lead is responsible for ensuring that Personnel
understand and follow the relevant client policy, and that any use of the Devices or
Technology other than for the client engagement, even sporadic personal use, is in
accordance with that client policy.
2. Only browser-based access to Company internet facing applications (e.g. webmail) is
permitted from client Devices or over client networks if not prohibited by the client. Private
Browsing should be used, or temporary browser internet storage must be securely erased
by clearing the browser cache after each use (refer to the Help section of the internet
browser for instructions on how to do this). No other access to Company Information from
a client-provided computer is permitted. If documents are opened or edited then browser
temporary files must be manually deleted after each use (refer to the Help section of the
internet browser to determine the location of temporary files). Information must not be
saved elsewhere on the client Device (i.e. using the Save As function).
3. Information relating to internal Company business must not be communicated via client
email systems or stored on client workstations or servers. If Personnel do not have a
Company provided computer but have a need to use a client provided computer for
internal Company business, then the Engagement Information Security Lead should be
contacted for guidance.

Internal Company business consists of:

• business operations (e.g. relating to internal communications, financial information, engagement
delivery performance, operating model changes, or other Company business that would not be
known to the outside public),
• management of Company Personnel (e.g. relating to performance management, hiring, discipline,
compensation and benefits, working conditions or attrition), and
• any other activities that would be considered Confidential to the Company by a reasonable person
(e.g. activities related to sales preparation, contract negotiations, management reviews and policy
decisions).

D. Public Computers
Use of Public Computers to access Company or client Information is acceptable only in an emergency (as
described below) and where no practical alternatives are available, under the following conditions:

1. Personnel must use good judgment in determining whether an emergency exists, but it should
involve a critical service need or another circumstance requiring action which, if not addressed
immediately, could result in severe adverse consequences to the Company or a client.
2. Only browser-based access to Company internet facing applications (e.g. webmail) is permitted
from a Public Computer. Private Browsing should be used, or temporary browser internet storage
must be securely erased by clearing the browser cache after each use (refer to the Help section of
the internet browser for instructions on how to do this). If documents are opened or edited then
browser temporary files must be manually deleted after each use (refer to the Help section of the
internet browser to determine the location of temporary files). Information must not be saved
elsewhere on the Public Computer (i.e. using the Save As function).

Internal hardware modifications to Company-provided Devices can only be made via Company support
services.

3.1.2 Personal Use of Company Provided Devices and Technology

1. Subject to the restrictions set out in this Policy, Personnel are permitted to use Devices and
Technology (including email, internet and telephones) for limited personal use, provided such use
is in compliance with all Company policies, applicable laws and regulations, and does not:
◦ interfere with on-going work;
◦ adversely affect the proper handling or security of Information; or
◦ create a significant overload on Company Technology.

In some instances, the Company may have stricter rules regarding personal use of Devices and Technology
or may prohibit personal use altogether.

1. Personnel who wish to protect the privacy of their personal communications or files when using the
Company’s Technology or Devices should mark such items clearly as “private” or “personal”. This
can be done for example, by including “private” in the subject line of an email or in the name of a
file or by marking the email as “private” using the sensitivity properties settings within the email
application.
2. Personally owned data on Company owned Devices and Technology should be segregated from
Company or client data and contained within a single folder location for personal files and within a
separate folder for emails.
3. Notwithstanding the above, the Company maintains the right, subject to all applicable laws,
regulations, agreements and local policies, including local data privacy, telecommunications and
labor law, and local collective bargaining (or similar) agreements, to open items that are marked as
“private” or “personal” in some circumstances including but not limited to:
◦ if there is a reasonable suspicion that it is, in fact, Company business-related;
◦ if there is a reasonable suspicion that a criminal offence, breach of common, statutory or
other law or significant breach of Company policy may occur or has occurred;
◦ if in connection with potential Company related litigation or an internal or external
investigation; or
◦ if it is accessed inadvertently in the course of activities aimed at protecting the Company
or client Information. If this happens, the Company will delete its copy of the
communication or Information as soon as practicable after determining that the
communication or Information was private and unrelated to Company business.

3.2 Use of Passwords and Company Provided Credentials

Personnel must observe the following with respect to passwords and Company provided credentials:

1. Personnel must use unique, individual IDs (and secure tokens if applicable) as provided by the
Company or client. Such credentials, along with Personnel created passwords and PINs, must not
be shared with anyone, except as follows:
◦ individual Polestar Employee IDs that are part of an individual’s Polestar email address (e.g.
ajay.gupta), but without the accompanying password;
◦ when a user’s ID, password, and/or PIN must be provided for the resolution of a
maintenance or support request. In this scenario the credentials must only be shared via
secure online support tooling or through another means provided by CIO. It is not
permissible to share credentials via telephone, email or instant message. At the completion
of the technical support process, the user must change their password.
2. Passwords must meet Company password protocols.
3. Passwords must not be written down by Personnel.
4. Passwords must be changed if there are any indications of System or password compromise.
5. Passwords used for Company systems must be materially different from passwords used for
non-Company systems.

3.3 Physical Protection of Devices


Personnel must comply with the following requirements for the physical protection of Devices, whether at a
Company office, a Client location, at home, or in public:

1. Outside of the home, unattended portable Devices including laptops, portable storage and media
must be physically secured (e.g. with a cable) or securely stored out of sight (e.g. locked drawer). In
the home, Personnel are encouraged to follow the same rules.
2. Activate the screen lock on unattended computers, laptops, smartphones and tablets.
3. Do not leave Devices unattended when in public, and do not put Devices in checked-in baggage
unless required by airport or similar policy.
4. For those traveling regularly and working in public places, the use of a privacy screen is strongly
recommended to reduce the risk of others viewing confidential Information. Personnel should speak
with their project leadership or contact Technology Support to discuss options for obtaining a privacy
screen.

4. INFORMATION

4.1 Use of Company, Client and Other Third Party Information


Personnel must act as stewards of Information entrusted to them, by observing the following:

1. Information use and dissemination must be limited to the extent necessary to fulfill job
responsibilities, and be in compliance with applicable policies such as Policy 0069
(Confidentiality). Before sharing Information, Personnel must verify that they have the right to
share it and that there is a legitimate business need to do so.
2. In accordance with this Policy:
◦ Company Information must be protected based on its classification; and
◦ Client Information must be protected in accordance with client contractual
requirements and the requirements of the Client Data Protection (CDP) program.
3. Personnel are strongly encouraged to use Company provided network storage as a safe
repository for their work. Personnel are not required to backup their laptops, but if an individual
wishes to backup a Company laptop, then a Company provided solution must be used in order
to ensure appropriate encryption. Backup of laptops to personal storage devices is not
permitted.
4. The following rules must be followed for use of media or portable storage devices (e.g. CDs,
DVDs and USB storage devices):
◦ As a general rule, media and portable storage devices, even those provided by
Polestar or a client, should only be used when it is absolutely necessary and there is
no practical Company provided safer alternative.
◦ Media and portable storage devices containing Company, client or other third party
information must be:
▪ physically controlled when being transported and protected when stored at
the Company or an off-site location, preferably in a fire resistant container;
▪ transported by Company-approved bonded carriers from lists maintained by
each office location; and
▪ inventoried prior to transporting the media or portable storage device and
then reconciled against the delivered goods once it reaches its destination.
◦ When Information is no longer needed on the media or portable storage device, it
must be securely deleted from the media or portable storage device, or the media or
portable storage device must be physically destroyed.

4.2 Use and Communication of Information using Email, Collaboration Tools, Social Media, and Cloud Services

The use of Company email, collaboration tools, social media, and cloud services by Personnel is
subject to the following requirements:

1. Open attachments or URL links in e-mails or instant messages only if they are from trusted
sources (e.g. people that you know) and look legitimate. If in doubt, verify authenticity by
telephoning or emailing the sender separately.
2. Do not communicate confidential Company or client Information over unencrypted messaging
systems (e.g. to Yahoo or MSN users).
3. Do not disclose Sensitive Company Information or client confidential Information when using
public social media for either business or personal purposes.
◦ Although Company provided social networks are more secure than public social
media, do not share Restricted Company Information or the equivalent sensitivity
level of client confidential Information even over Company provided social networks
(e.g. Twitter).
◦ When using a client provided social network and the client provides its own social
media guidelines, Personnel must comply with whichever guidelines are more
stringent and the requirements set out in this Policy.
4. Restrict use of Company email addresses and systems as follows:
◦ Emails containing Restricted Information or Highly Confidential Personal Information
or the equivalent sensitivity level of client data must be protected.
◦ The use of Company email addresses for registration on non-business related
websites and mailing lists is strongly discouraged.
◦ Company email must not be automatically forwarded outside of the Company’s
control, such as to personal addresses or client email systems.
◦ It is prohibited to use email manipulation techniques to disguise identities or to
generate unsolicited email (e.g. spam or chain mails).
5. Do not use client email to conduct internal Company business.
6. Personnel are encouraged, where practical, to use a personal email account for personal
communications. However, do not use personal email accounts to conduct Company business.
7. Do not use third-party Technology or services (e.g. Dropbox, Google Drive/Docs/Translate,
Evernote) that have not been provided by the Company to store or process Sensitive
Company Information or the equivalent sensitivity level of client Information. If unsure whether
certain services or Technology are provided by the Company for use on an engagement or for
internal Company use, contact your Engagement Lead or your manager.

4.3 Physical Protection of Paper Documents


Whether at a Company office, a client location, home, or in a public place, paper documents containing
Sensitive Company Information or client confidential Information must be protected as follows:

1. Desks must be kept clear and paper documents must be securely stored when not in use.
2. Paper documents must not be left unattended on printers, facsimile equipment, copiers, etc.
3. Paper documents that are no longer required or that have met or exceeded their retention
period must be securely disposed of by cross-cut shredding or placing them in the locked
containers provided for that purpose.
4. Paper documents must not be left unattended or easily visible to others in public locations.
