
12 Compliance

12.1 Compliance with Legal Requirements

12.1.1 Identification of Applicable Legislation


The design, operation and use of Aventis information processing facilities, applications and systems must
comply with all relevant local/global statutory, regulatory and contractual requirements.
Business units in coordination with the Legal Department must ensure that Aventis complies with the laws
and regulations specific to the territories in which it operates. Managers must communicate to associates
and third party contract personnel, any individual responsibilities to ensure compliance.
Managers must provide Global I.S. Security sufficient information to ensure that controls and
countermeasures are designed and implemented to meet the statutory, regulatory and contractual
requirements of their businesses.
Additionally, business units must document all legal and regulatory restrictions/requirements for the
information systems and processes owned by the unit and ensure that those requirements have been met.
The Legal Department and Global I.S. Security must provide consultative input when required.

12.1.2 Copyright Compliance


Global I.S. Security must monitor adherence to security policies, standards and procedures, and must
ensure that intellectual property rights are complied with.
All software must be used in accordance with licensing agreements and copyright restrictions. Users will be
required to sign and acknowledge that they will use software accordingly and to comply with all policies
governing such use.

12.1.2.1 Software Copyright


The following defines Aventis policy concerning the use of third party software and copyright
restrictions:
1. The use of all third party software at Aventis must be in accordance with third party licensing
agreements. These agreements must specify the user restrictions, such as the number of copies
allowed to be installed, the number of machines the software can be installed on, or the
number of concurrent users of the software allowed at any one time. Customer support levels
(onsite or phone) must also be specified within the agreement;
2. All Aventis software licenses must be centrally managed and stored by I.S. I.S. must
maintain appropriate asset registers, proof/evidence of ownership of licenses, master disks,
manuals, etc., and expiration dates of licenses. I.S. will be responsible for establishing a
process to ensure that appropriate licenses are renewed pending contract addendum or
finalization;
3. I.S. must perform checks on all systems every 6 months to ensure that the maximum number
of users permitted is not exceeded and that only authorized software and licensed products are
installed on Aventis information assets;
4. Third party software must not be copied to a computer other than the computer for which it
was licensed. An exception to this is made in cases where software is required for contingency testing;
5. Software supplied to Associates and third party contract personnel is to be solely used on the
Aventis computer assigned to that individual, even though licensing agreements may permit
further installations;
6. Associates and third party contract personnel with Internet access must take particular care to
understand the copyright, trademark, libel, slander and public speech control laws of all
countries that might be enforceable against Aventis. Refer to “Policy on Internet Use”;

Aventis Use Only Compliance


Page 1
7. Unless specifically stipulated in the licensing or contractual agreements between Aventis and
the third party software vendor, disposal of software will be in accordance with the Aventis media
disposal policy;
8. Third party software must not be transmitted and/or transferred to other non-Aventis
operations without the written consent of the vendor.

12.1.3 Safeguarding of Organizational Records


Important organizational records must be protected from loss, falsification and unauthorised destruction.
These records may exist in electronic or paper form. The level of protection afforded each record must be
in line with its classification. Managers must ensure that all applicable policies and standards are adhered to
in the protection of the organization’s records.

12.1.4 Data Protection and Privacy of Personal Information


Several countries have introduced legislation placing controls on processing and transmitting of
personal data. To ensure that Aventis complies with applicable laws, Information Owners must
identify and document all legislation that may affect their information. Legal will provide
consultative input and will act as a resource to information owners. This policy will assist in
meeting the minimum requirements. However, based on the applicable regulations that
information owners identify and document, additional standards may be necessary.
1. A dedicated team shall provide advice and guidance to business units/information owners and
promote staff awareness regarding legislative restrictions;
2. The team must be involved from the onset of new system development, or system
enhancements, that involve personal data;
3. Notice must be given before personal information is collected from or about individuals.
Such a notice must include a statement describing all data collected and must additionally
include a statement describing what uses will be made of all data collected (i.e. Privacy
Statement). The team will work with the Legal Department to develop the statement and all
protocols must be adhered to in the publishing of such information;
4. Whenever information will be collected about an individual, that individual must be given the
chance to reject providing such information and must be notified that services might be
denied due to the lack of information provided;
5. To the extent possible, previously collected personally identifiable information must be made
available for the individual to update as needed. Individuals must be informed of their right to
view and access collected information;
6. Personal information must not be released to external entities without the expressed consent
of the individual (Legal must be consulted to determine what constitutes consent). Personal
information includes important data such as social security numbers and credit cards, as well
as any web access or preference information when such information is directly correlated with
name, or address of an individual; and
7. Personal information will be classified as “CONFIDENTIAL” or “RESTRICTED” depending
on the sensitivity of the information and must be afforded all the protection necessitated by its
classification level.

12.1.5 Prevention of Misuse of Information Processing Facilities


Associates and third party contract personnel must only use Aventis information assets for the purposes for
which they were authorized. Information assets usage will be subject to monitoring. Users must
acknowledge in writing that they understand the scope of their access and that they are aware that
actions/activities may be monitored.
The monitoring of information assets usage, however, must be performed in compliance with prevailing
laws and regulations. Unless restricted by prevailing laws, the use of Aventis information assets, at any
time, with or without notice may be monitored, searched, reviewed, disclosed or intercepted by
management for any legitimate purpose including:
1. Monitoring performance;
2. Ensuring compliance with Aventis policies;
3. Appropriate usage of the internet, e-mail and other system resources;
4. Troubleshooting hardware and software problems;
5. Complying with legal and regulatory requests for information;
6. Investigating disclosure of sensitive business or proprietary information; or
7. Investigating conduct that may be illegal or adversely affect Aventis or its employees.
Persons assigned to monitoring the use of information assets and who have administrative responsibilities
may not, under any circumstance other than the ones identified above, access, view or modify users'
accounts unless specific authority is given by management and the action is in compliance with all policies.
Inappropriate use by any user of Aventis information assets will be considered a violation of Aventis
Global Information Security Policy and violators will be subjected to disciplinary actions as outlined in
“Disciplinary Process”.
Global I.S. Security will be responsible for establishing the monitoring program and for collaborating
with the respective managers to ensure that mechanisms are in place to effectively monitor information
asset use. The monitoring program must at a minimum:
• Identify roles and define responsibilities for monitoring;
• Outline areas to be monitored and with what frequency;
• Identify tools or techniques that will be used to monitor activities. Any product used for
monitoring must be approved by management and must comply with all applicable standards
regarding such use (i.e. contractual agreements, copyrights, restricted access rights, etc.); and
• Outline steps to respond to incidents.

12.1.6 Regulation of Cryptographic Controls


Aventis must comply with international agreements, laws, regulations or other instruments that control the
access to or use of cryptographic solutions.

Cryptographic products may only be deployed for use overseas after approval by the Legal Department and
compliance with all applicable Aventis policies and standards.

12.1.7 Collection of Evidence


12.1.7.1 Rules for Evidence
Global I.S. Security must define guidelines and procedures which will govern the collection of
evidence for both internal incidents and incidents performed against Aventis by external entities.
These procedures must be part of the Incident Response Plan and where necessary may call for the
use of specialist advice, such as forensic experts. The use of specialists must be carried out in
accordance with all policies covering third parties.
Global I.S. Security must consult with the Legal Department to ensure that collection methods will
allow for the admissibility of evidence in court proceedings.
At a minimum, the evidence collection process must:
1. Comply with relevant laws governing evidence collection;
2. Provide a comprehensive account of events that initiated the investigation;
3. Provide detailed inventory (log) of all evidence collected;
4. Provide a detailed account of actions performed in collecting the evidence. For paper
documents, the original must be kept securely and at a minimum the following must be
recorded:
• Who found it;
• Where it was found;
• When it was found; and
• Who witnessed the discovery.
Any investigation must ensure that originals are not tampered with. Persons tasked with
evidence collection must therefore ensure that controls as defined in the Global Information
Security Policy (i.e. physical protection, access controls, etc.) are adhered to in protecting the
evidence. For information on computer media, copies of any removable media, information on
hard disks or in memory must be taken to ensure availability. A log of all actions during the
copying process must be kept and the process witnessed, to further allow for admissibility in the
event that the copy is used.
5. Ensure that only the applicable/pertinent parties are notified at the appropriate time
(i.e. Legal, management, law enforcement authorities);
6. Provide integrity of evidence for admissibility in court;
7. Ensure that evidence is stored in a secure location and restricted to only authorized
personnel; and
8. Be performed by individuals trained in evidence collection and forensic analysis.
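As an added illustration of requirements 3, 4 and 6 above (the evidence inventory, the witnessed log of copying actions, and integrity for admissibility), the following Python example is not part of the Aventis policy; it is an editor's sketch of a chain-of-custody log. It assumes a constructed byte string standing in for a seized medium, and it records who/where/when/witness for each action together with a hash of the evidence, chaining each entry to the previous one so that a later edit to the log or to the working copy is detectable.

```python
import hashlib
import json
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone

# Constructed sample: stands in for the bytes read from a seized removable medium.
SAMPLE_MEDIA = b"AVENTIS-TEST-IMAGE\x00" + bytes(range(256)) * 4


def sha256_hex(data: bytes) -> str:
    """Hash used to show that a working copy is identical to the original."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    action: str         # e.g. "found", "imaged", "transferred"
    who: str            # person finding / performing the action
    where: str          # physical location or system
    when: str           # ISO-8601 UTC timestamp
    witness: str        # second person present
    evidence_hash: str  # hash of the evidence at the time of the action
    prev_hash: str      # hash of the previous entry (empty for the first)


@dataclass
class CustodyLog:
    entries: list = field(default_factory=list)

    @staticmethod
    def _entry_hash(entry: CustodyEntry) -> str:
        # Canonical JSON so the hash does not depend on key ordering.
        return sha256_hex(json.dumps(asdict(entry), sort_keys=True).encode())

    def record(self, action, who, where, witness, evidence: bytes, when=None) -> CustodyEntry:
        when = when or datetime.now(timezone.utc).isoformat()
        prev = self._entry_hash(self.entries[-1]) if self.entries else ""
        entry = CustodyEntry(action, who, where, when, witness, sha256_hex(evidence), prev)
        self.entries.append(entry)
        return entry

    def is_intact(self) -> bool:
        """Each entry must carry the hash of its predecessor; an edited or removed entry breaks the chain."""
        prev = ""
        for e in self.entries:
            if e.prev_hash != prev:
                return False
            prev = self._entry_hash(e)
        return True


def acquire_copy(original: bytes) -> bytes:
    """Make the working copy; analysis is done on this copy, never on the original."""
    return bytes(original)


def copy_matches_original(original: bytes, copy: bytes) -> bool:
    return sha256_hex(original) == sha256_hex(copy)


def run_demo():
    """Record the discovery and the witnessed imaging of the constructed sample."""
    log = CustodyLog()
    log.record("found", "A. Analyst", "Server room B, rack 4 (constructed)", "B. Witness",
               SAMPLE_MEDIA, when="2024-01-01T09:00:00+00:00")
    working_copy = acquire_copy(SAMPLE_MEDIA)
    log.record("imaged", "A. Analyst", "Forensic workstation (constructed)", "B. Witness",
               working_copy, when="2024-01-01T09:30:00+00:00")
    return log, working_copy


if __name__ == "__main__":
    log, copy = run_demo()
    print("copy matches original:", copy_matches_original(SAMPLE_MEDIA, copy))
    print("log intact:", log.is_intact())
    for e in log.entries:
        print(json.dumps(asdict(e), indent=2))
```

The hash chain does not replace physical controls or a human witness; it gives reviewers and counsel a mechanical way to confirm that the inventory has not been altered since the witnessed actions were recorded, which is the property the admissibility requirement asks for.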

12.1.7.2 Admissibility of Evidence


System audit and logging capabilities must be enabled on all systems and Global I.S. Security
must ensure that additional controls as defined by the Global Information Security Policy are in
place to protect the systems and to allow the integrity and admissibility of evidence gathered from
these systems.

12.2 Reviews of Security Policy and Technical Compliance

12.2.1 Compliance with Security Policy


Compliance with Aventis security policies, standards, guidelines and procedures is mandatory. Managers
must ensure that users are aware of their responsibilities for compliance and that their respective unit is
compliant with security policies.
An annual review and where applicable testing of security controls must be performed by the Internal Audit
Department. The audit must provide reasonable assurance that policies have been developed and
implemented and that documented procedures are functioning as intended. The review at minimum must
cover the following security requirements:
1. Information systems (controls have been implemented in accordance with policies; controls are
effective and appropriate; and detailed procedures have been developed where necessary);
2. Services providers (controls are in place which will govern the relation and protect Aventis
information assets from misuse, destruction and disclosure);
3. Information and application owners (controls have been implemented in assigning
classification levels, access control requirements, etc. to information assets);
4. Users (controls have been implemented to provide users with only the access that is needed
for job performance; users are trained for the jobs to which they have been assigned, etc.); and
5. Management (controls have been implemented for the management of the security policies
and compliance programs).
Internal audit shall develop more detailed work plans in performing its review.

12.2.2 Technical Compliance Checking


Technical security control standards (i.e. minimum baseline security standards, vendor security
configuration standards) must be developed for and implemented on all information systems.
System security administrators will be responsible for the development of these standards. The
standards must be approved by Global I.S. Security before implementation into the Aventis
environment, and Global I.S. Security must develop a metric to:
1. Determine the systems to be checked (applications, network components, etc.);
2. Identify the types of checks to be performed (i.e. penetration, password strength, etc). In
instances where external parties are contracted to perform penetration testing, security
requirements must be included in the contract that stipulate that actions performed by the third
party must not create system unavailability, cause disruption in operations or create additional
security vulnerabilities on the systems. The scope of the testing must be clearly defined and
any potential risks involved in penetration testing must be identified and addressed
accordingly. All policies governing the use of third parties must be adhered to before services
are performed; and
3. Determine tools to be used to perform the compliance checking. Any products used for
compliance checking must be approved and used only for the intended purpose.
Periodic checks (at least twice yearly) must be performed to ensure that systems are in compliance with the
technical standards and that systems are updated with the latest patches in accordance with the change control
process. Where required, as determined by Global I.S. Security, penetration testing may be performed on
applications and networks.
12.3 System Audit Considerations

12.3.1 System Audit Controls


Although management realises the importance of audits within the Aventis environment, these must
be carried out in a manner that does not result in disruption of business processes. The following
applies to audit checks of operational systems:
• Access to software and data must be limited to read-only. Access other than read-only
must only be allowed for isolated copies of system files, which must be erased when the
audit is completed;
• Resources for performing the checks must be identified and made available;
• Requirements for special or additional processing must be defined;
• All access must be monitored and logged to produce an audit trail;
• Access to the audit log will be restricted to only authorized personnel (Internal/External
Auditors, Global I.S. Security, etc.); and
• System access must be revoked at the end of the audit.

12.3.2 Protection of System Audit Tools


Access to audit tools must be restricted to authorized personnel only. Access must be
documented and reviewed. Any inappropriate access rights to audit tools must be immediately
removed and Global I.S. Security must investigate any misuse of the tool.

Audit tools must be separated from development and operational systems and must not be held in tape
libraries or user areas unless given an appropriate level of additional security protection.