Acceptable Usage Policy

The document outlines the company's policies on handling sensitive and confidential information, emphasizing the importance of confidentiality, proper data storage, and restrictions on sharing information without proper agreements. It also details guidelines for responsible use of IT assets, including prohibited activities, email usage, and security measures to protect company information. Additionally, it includes physical security protocols and the company's rights regarding monitoring and compliance enforcement.

Uploaded by

Swetha S

Handling of Sensitive/Confidential Information of the Company

• Data and information relating to the Company is confidential and should be used only for official purposes. Employees shall not disclose it or use it for personal gain or for the advantage of any other person or purpose.
• Users shall not share any Company confidential/sensitive information with a third party without ensuring that a Non-Disclosure Agreement is signed with the respective third party.
• Users shall ensure that all the important and sensitive data related to the Company are stored on the central file storage drives in order to protect such information from unauthorised access and to prevent loss of information due to hard disk crashes.
• If any Company sensitive information is stored in the local hard disk / removable media, such information shall be stored in an encrypted form to safeguard sensitive information from unauthorized access.
• Users shall not forward e-mail to any address outside the Company’s network unless the information owner / originator agrees in advance or the information is clearly public in nature. This policy does not apply to personal e-mails.
• Automatic forwarding of e-mail messages to an external address could compromise the information confidentiality. To avoid risks associated with such compromise, automatic forwarding of e-mail messages of any user to an external address shall be allowed only for a specific period and shall require approval from the Divisional CEO and CIO for Division / CFO and CIO for Corporate.
• Users shall not forward e-mail containing Company Information to personal e-mail ids unless authorized by Line EC/DMC member/Corporate HoD.

Refraining from Computer related offences

• Users shall not store, process, or transmit material which is unlawful, defamatory, harassing, invasive of any individual’s privacy, abusive, harmful, threatening, vulgar, pornographic, obscene, or otherwise objectionable, offends religious sentiments, or promotes racism.
• Users shall not use or attempt to initiate activities using information processing resources or equipment leading to abusive, unethical or inappropriate use of the Internet facility provided by the Company. Examples of prohibited Internet use include, but are not limited to, the following:
  o Impersonate the identity of another user on the Internet or on any of the Company systems;
  o Conduct illegal activities, including gambling, access or download pornographic/illegal material;
  o Introduce material that is considered indecent or offensive, or is related to the production, use, storage, or transmission of sexually explicit or offensive items on the company’s network or systems, using Internet;
• To maintain harmony, e-mail users shall not create or forward e-mail messages that can cause harassment to a certain sex, race and religion.
• Users shall not delete / destroy / alter any computer source code or information residing in a computer resource with the intent to cause wrongful loss or damage to the Company or any person.
• Users shall not deny or cause the denial of access to any person authorized to access any information systems.

Pre-emption against adverse legal implications

• Only authorized software shall be installed on the desktop / laptop as per the licensing provisions.
• While using internet, users shall not:
  o Upload or download commercial software in violation of its copyright;
  o Reveal or publicize Company proprietary or sensitive information and represent personal opinions as those of the Company;
  o Enter into contractual agreements via the Internet unless authorized to do so, e.g. enter into binding contracts on behalf of Company over the Internet;
  o Solicit for any purpose which is not expressly approved by management;
  o Use Company logos or materials in any web page or Internet posting without seeking prior approval as per Corporate Governance;
• Users shall ensure that e-mails addressed to external parties are not addressed to or copied to internal recipients. If there is a need for this mail to be sent to internal recipients, such mail should be separately forwarded to internal users.
• When a communication containing any claims against the Company is received through e-mail, the user should immediately send out a responder message which shall read as follows: “Please note that claims of any nature whatsoever will not be accepted on email”.
• E-mail users shall not:
  o Acknowledge any incoming mail if such user is neither dealing with the subject nor authorized by the Company to do so and instead should forward it to the HoD / Unit Head / Functional Head.
  o Further, in the event that such an e-mail relates to any claims against the Company attached with significant financial implication or penal consequences, HoD / Unit Head / Functional Head shall forward the same to the Company Secretary.

Safe use of E-mail and Internet

• Originating / propagating a chain mail, which is not related to the business, is strictly prohibited. The only exception to this clause shall be the messages sent on humanitarian health grounds of Company employees/families.
• Users while using internet shall not:
  o Intentionally interfere with the normal operation of any corporate Internet gateway;
  o Attempt to gain unauthorized access to remote systems on the Internet;
  o Establish unauthorized Internet or other external network connections that could allow non-Company users to gain access into information processing resources and information assets;
  o Click on suspicious links or pop-up ads or respond to any prompts requesting for installation / upgrading of any software or device drivers from unknown sources.

Security of Company’s IT Assets

• Users shall pay attention to security warnings. When a system gives a security warning, users shall make sure to read the security warning and report to the IT team. In case of any evidence or suspicion of a security violation, users shall notify the respective Information Security Incident Manager (ISIM) immediately.
• Users shall make sure that Desktops / Laptops assigned to them are protected by power-on passwords.
• Users shall be responsible for the physical protection of Portable media and devices (such as laptops, external storage media etc.) containing company information and any loss of such media/device shall be reported as per the laid down process of the Division/Shared Services for handling such incidents.
• Password Management
  Users shall ensure that the passwords are:
  o Not shared for individual user-ids;
  o Changed at the first log-on;
  o Not easily guessed or obtained using person related information, e.g. names, telephone numbers, and dates of birth etc.;
  o Not written down or stored electronically without adequate protection;
  o Changed whenever there is any indication of possible system or password compromise;
  o Not stored in automated logon processes like browsers and forms that allow users to store their credentials for replaying later.

Responsible use of Company’s IT Assets & Facilities

• To ensure optimal utilisation of the Company’s data storage resources, every user should delete unwanted messages as a practice. Housekeeping of mailbox shall be the responsibility of individual user.
• Users shall ensure proper restart of laptops / desktops while connected to ITC LAN at least once in a day to update the security policies.
• User shall be responsible for the deletion of all the information stored on the local hard disk of a computer issued to him / her, before returning the same to the IT Team.
• User shall not store sensitive / confidential information on removable media unless absolutely necessary.
• User shall delete the information stored in the removable media after the purpose is over.
• Users shall not share the Information Assets and facilities provided to them or use Information Assets and facilities extended to other users unless authorized to do so.
• User shall not access company systems, applications, data and network through Mobile device that is not enrolled with the centralized Mobile Device Management (MDM) service.
• Users shall not try and test the weaknesses of the information systems unless authorized to do so.
• Users shall switch off the power source for individual workstations and other IT equipment before leaving for the day.

Company’s Rights

• Company respects the individual privacy. However, owing to legal and ethical reasons:
  o Privacy shall not extend to the use of the Company’s Information assets / services. Company reserves the right to log, monitor and inspect use of all Information assets / services provided to its employees. The user understands that such monitoring may involve access to any personal data or information that the user may store in such Information assets. The user by agreeing to accept and use such Information assets / services provides his / her consent and authority to the Company to that effect.
• In order to ensure privacy to e-mail users, the e-mail administrator shall not scrutinize the contents of the users’ mailbox. However, in exceptional circumstances, the Chairman - CITSC may grant the permission to scrutinize the e-mails of a specific user for a specific period.
• To protect the Company’s interests, it can initiate necessary action for:
  o Suspected misuse that may cause damage to Company’s interests and image
  o User’s non-compliance with regulations.
• To safeguard the Company’s interest, IT facilities provided to an employee can be withdrawn at any time at the discretion of the Company.

Physical Security

• Users shall abide by the following Do’s and Don’ts

I. Do’s:

a. Always keep documents containing confidential and sensitive information in lock and key when not in use.
b. Always store important documents in fireproof and waterproof cabinets.
c. Always lock the Desktop/Laptop if you leave your desk.
d. Users working out of cabins should lock their cabins before leaving the office / when they are away for a long time.
e. Users having workstations in open space should keep their desks clear and not leave any official documents unattended.
f. Keep a track of the duplicate keys available for your cabins/storage cabinets and persons having access to the same.
g. Removable media containing company information shall not be left unattended when not in use.
h. Make copies of sensitive/confidential documents only if required. All such copies should be controlled and traceable.
i. Print the documents only under supervision. Always ensure to collect the prints generated on the network printer. In case of failed print, ensure that the print is cancelled.
j. Always send sensitive/confidential documents (if necessary) in sealed envelopes and ensure they are hand delivered through trusted persons.
k. Ensure that the documents or electronic media containing company sensitive/confidential data are disposed in a secured manner.
l. Accompany visitors / vendors in case they need to enter Company premises.
m. Try to restrict meeting the visitors in the visitor’s areas/conference rooms rather than allowing them into your cabins/workstations.
n. Wipe out the information written on whiteboards in the conference rooms/workstations after the purpose is over.

II. Don’ts:

a. Tail gate / allow tail gating.
b. Share access cards.
c. Display sensitive / confidential company information at your workstations.
d. Store remote access tokens and Data cards with the mobile devices.
e. Leave your laptops/mobile devices unattended unless you trust the physical security in place.
f. Position screens where they can be read from outside the room.
g. Keep documents containing sensitive/confidential information unattended / place it in a manner that they are readable by others.
h. Discuss Company information over phone/with colleagues in public places audible to strangers/unintended recipients of the information.
i. Give access to duplicate keys to service staff unless necessary.
j. Tamper with Surveillance/Security equipment such as CCTV/Biometric card readers etc.

I confirm that I have read, understood and complied with the password security guidelines, specifically that:
  I have not shared the password of the named id assigned to me with any other person; and
  I have only used the user id assigned to me.

I have read and understood the above Acceptable Usage Policy and Password security guidelines.