YEE LEE ORGANIZATION BERHAD AND ITS SUBSIDIARIES

Computer Usage & Security Policy (Revision 2018)

(For Employee)

TABLE OF CONTENTS
Corporate Information Technology Security Policy
1 Policy
2 Purpose
3 Scope
4 Internet Access and Administration
5 Personal Use
6 Internet Messaging Rules and Regulation
7 Computer Users Responsibilities in General
8 Notebook Security Tips
9 Computer Orientation
10 Acceptance Terms

(Appendix 1) Yee Lee Group Acceptable Use Policy
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Policy
4.1 General Use and Ownership
4.2 Security and Proprietary Information
4.3 Unacceptable Use
4.4 E-mail and Communication Activities
5.0 Enforcement

(Appendix 2) Yee Lee Group Password Policy
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Policy
4.1 General
4.2 Guidelines
4.2.1. General Password Construction Guidelines
4.2.2. Password Protection Standards
4.2.3. Application Development Standards
4.2.4. Use of Passwords and Pass phrases for Remote Access Users
4.2.5. Pass Phrases
4.2.6 System Usage
5.0 Enforcement

(Appendix 3) Yee Lee Group E-mail Use Policy
1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Prohibited Use
3.2 Personal Use
3.3 Monitoring
4.0 E-mail Etiquette
5.0 Supported E-Mail Software
6.0 Disclaimer
7.0 Enforcement

(Appendix 4) Yee Lee Group Remote Access Policy
1.0 Purpose
2.0 Scope
3.0 Policy
3.1 General
3.2 Requirements
4.0 Enforcement

(Appendix 5) Yee Lee Group Wireless Communication Policy
1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Register Access Points and Cards
3.2 Approved Technology
3.3 Setting the SSID
4.0 Enforcement

(Appendix 6) Yee Lee Group Virtual Private Network (VPN) Policy
1.0 Purpose
2.0 Scope
3.0 Policy
4.0 Enforcement

(Appendix 7) Yee Lee Group Risk Assessment Policy
1.0 Purpose
2.0 Scope
3.0 Policy
4.0 Enforcement

(Appendix 8) Yee Lee Group SPAM Handling Policy
1.0 What Is SPAM?
2.0 Policy Statement
3.0 Preventing SPAM
4.0 Law Restricting SPAM
5.0 Reporting SPAM

(Appendix 9) Yee Lee Group Bluetooth Security Policy
1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Version level
3.2 Pins and Pairing
3.3 Device Security Settings
3.4 Security Audits
3.5 Unauthorized Use
3.6 User Responsibilities
4.0 Enforcement

(Appendix 10) Yee Lee Group Software Installation Policy
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Policy
5.0 Enforcement

(Appendix 11) Yee Lee Group Workstation Security Policy
1.0 Purpose
2.0 Scope
3.0 Policy
4.0 Enforcement

(Appendix 12) Approved Application Policy
1.0 Overview
2.0 Purpose
3.0 Approved Application
4.0 Exceptions
5.0 Enforcement
6.0 List of Approved Application

(Appendix 13) Asset Control Policy
1.0 Overview
2.0 Purpose
3.0 Assets Tracking
3.1 IT Asset Types
3.2 Assets Tracked
3.3 Small Memory Devices
4.0 Asset Tracking Requirement
5.0 Transfer Procedure
6.0 Assets Transfers
7.0 Asset Disposal
8.0 Media Use
9.0 Enforcement

(Appendix 14) Information Sensitivity Policy
1.0 Purpose
2.0 Scope
3.0 Policy
3.1 Minimal Sensitivity
3.2 More Sensitivity
3.3 Most Sensitivity
4.0 Enforcement
5.0 Terms and Definitions

(Appendix 15) Mobile Computer Policy
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Responsibility
5.0 Connection Terms
6.0 Mobile Computer Protection
7.0 Protecting the Network
8.0 Enforcement

(Appendix 16) Removable Media Policy
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Policy
5.0 Enforcement
6.0 Definitions

(Appendix 17) Vendor / Third-Party Access Policy
1.0 Purpose
2.0 Audience
3.0 Policy
4.0 Enforcement

(Appendix 18) Anti Virus Policy
1.0 Overview
2.0 Purpose
3.0 Scope
4.0 Anti Virus Policy
5.0 Email Policy - Blocked Attachment Type
6.0 File Exchange Policy
7.0 Definition
8.0 Enforcement

(Appendix 19) Data Protection Policy

(Appendix 20) Enforcement

1.0 Policy
It is the intent of this policy to establish guidelines for the employees using
the Yee Lee Corporate computing facilities, including computer hardware,
printers, fax machines, voice-mail, software, e-mail, mobile devices, and
Internet and intranet access, collectively called “Information Technology”.

All employees that are authorized to access computing resources shall be
expected to treat it as a privilege. This policy is designed to define
expectations for what is acceptable and what is not when it comes to using
these resources wisely. The employees are expected to be familiar with
and to comply with this policy, and are also required to use their common
sense and exercise their good judgment while using the computer services.

These facilities are provided to employees for the purpose of conducting
Company business. The Company does permit a limited amount of
personal use of these facilities, including computers, printers, e-mail and
Internet access. However, these facilities must be used responsibly by
everyone, since misuse by even a few individuals has the potential to
negatively impact productivity, disrupt company business and interfere
with the work or rights of others. Therefore, all employees are expected to
exercise responsible and ethical behavior when using the Company’s
Information Technology facilities. Any action that may expose the
Company to risks of unauthorized access to data, disclosure of information,
legal liability, or potential system failure is prohibited and may result in
disciplinary action up to and including termination of employment and/or
criminal prosecution.

All employees are responsible for complying fully with the following
policies.

• Yee Lee Group Acceptable Use Policy (Refer to Appendix 1)
• Yee Lee Group Password Policy (Refer to Appendix 2)
• Yee Lee Group E-mail Use Policy (Refer to Appendix 3)
• Yee Lee Group Remote Access Policy (Refer to Appendix 4), only for
users that access organization resources via remote access
• Yee Lee Group Wireless Communication Policy (Refer to Appendix 5)
• Yee Lee Group Virtual Private Network (VPN) Policy (Refer to Appendix 6)
• Yee Lee Group Risk Assessment Policy (Refer to Appendix 7)
• Yee Lee Group SPAM Handling Policy (Refer to Appendix 8)
• Yee Lee Group Bluetooth Security Policy (Refer to Appendix 9)
• Yee Lee Group Software Installation Policy (Refer to Appendix 10)
• Yee Lee Group Workstation Security Policy (Refer to Appendix 11)
• Yee Lee Group Approved Application Policy (Refer to Appendix 12)
• Yee Lee Group Assets Control Policy (Refer to Appendix 13)
• Yee Lee Group Information Sensitivity Policy (Refer to Appendix 14)
• Yee Lee Group Mobile Device Policy (Refer to Appendix 15)
• Yee Lee Group Removable Media Policy (Refer to Appendix 16)
• Yee Lee Group Third-Party Access Policy (Refer to Appendix 17)
• Yee Lee Group Antivirus Policy (Refer to Appendix 18)
• Yee Lee Group Data Protection Policy (Refer to Appendix 19)
• Enforcement (Refer to Appendix 20)

2.0 Purpose
The use of the Company's information technology facilities in connection
with company business and limited personal use is a privilege but not a
right, extended to various Company employees. Users of Yee Lee
Corporate computing facilities are required to comply with all policies
referred to in this document.
Users also agree to comply with applicable country, state, and local laws
and to refrain from engaging in any activity that would subject the
company to any liability. Yee Lee Corporate reserves the right to amend
these policies and practices at any time without prior notice and to take
such further actions as may be necessary or appropriate to comply with
applicable country, federal, state/province, and local laws.
To protect the integrity of Yee Lee Corporate computing facilities and its
users against unauthorized or improper use of those facilities, and to
investigate possible use of those facilities in violation of Company rules
and policies, Yee Lee Corporate reserves the right, without notice, to limit
or restrict any individual's use, and to inspect, copy, remove, or otherwise
alter any data, file, or system resource which may undermine the
authorized use of any computing facility or which is used in violation of
Company rules or policies. Yee Lee Corporate also reserves the right
periodically to examine any system and other usage and authorization
history as necessary to protect its computing facilities.
Yee Lee Corporate disclaims any responsibility for loss of data or
interference with files resulting from its efforts to maintain the privacy and
security of those computing facilities or from system malfunction or any
other cause.
The purpose of this policy is:

2.1 To ensure all computer equipment, hardware, software and its
related facilities are in good working order and secured.
2.2 To ensure all computer equipment and its related facilities are used
for business related purposes only.
2.3 To ensure all communications are conducted in a professional
manner and also to ensure that the business affairs of this Company
are conducted orderly, efficiently and professionally.

3.0 Scope

This policy applies to all Yee Lee Corporate employees worldwide and to
all employees of Yee Lee Corporate subsidiaries and affiliated companies.
It is the responsibility of all operating units to ensure that these policies are
clearly communicated, understood and followed.
These policies also apply to software contractors, and vendors/suppliers
providing services to Yee Lee Corporate that bring them into contact with
Yee Lee Corporate Information Technology infrastructure. The Yee Lee
Corporate employee who contracts for these services is responsible to
provide the contractor/vendor/supplier with a copy of these policies before
any access is given.
These policies cover the usage of all of the Company’s Information
Technology and communication resources, including, but not limited to:
• All computer-related equipment, including personal desktop computers
(PCs), mobile devices, terminals, workstations, PDAs, wireless
computing devices, telecomm equipment, networks, databases,
printers, servers and shared computers, and all networks and hardware
to which this equipment is connected
• All electronic communications equipment, including telephones, pagers,
radio communicators, voice-mail, e-mail, fax machines, PDAs, wired or
wireless communications devices and services, Internet and intranet
and other on-line services
• All software including purchased or licensed business software
applications, company-written applications, employee or
vendor/supplier-written applications, computer operating systems,
firmware, and any other software residing on company-owned
equipment
• All intellectual property and other data stored on company equipment
• All of the above are included whether they are owned or leased by the
company or are under the company's possession, custody, or control
• These policies also apply to all users, whether on company property,
connected remotely via any network connection, or using
company equipment

4.0 Internet Access and Administration

4.1 The company has made substantial investments to make it possible
for employees to communicate electronically with fellow
employees, customers, and suppliers as well as to seek information
from the World Wide Web. The purpose of these investments is to help
employees perform their jobs in a more efficient manner.
The appropriate use of the Internet is as follows:
• Communicating with fellow employees, customers, prospects and
suppliers regarding company related business matters.
• Researching topics that are relevant to the specific job
requirements.
• Conducting other business activities such as posting job
opportunities, describing company products, etc.

4.2 The company reserves the right to monitor the usage of the internet.
This includes the following:
• The blocking of certain sites that have been deemed offensive.
Trying to subvert this blocking will be grounds for termination.
• Monitoring the usage rates of the Internet by all employees and
individual usage. The company reserves the right to publish this
information on an internal basis.
• Monitoring the specific sites that each employee visits, and the
length of each visit.
• All file transfers and e-mail deliveries will also be monitored.

5.0 Personal Use

The company allows employees to use the computer for personal purposes,
subject to certain restrictions.

5.1. Personal use of Internet and e-mail services cannot interfere with
business operations and normally should be limited to non-working
hours (e.g., lunch and after office hours).

5.2. Personal use should not consume any office stationery such as A4
paper, printer ink/toner, diskettes, etc.

5.3. Personal use should not involve any unlawful activities or any
other activities which would in any way bring discredit to the Company.

5.4. All of your accessed communications sites and Internet visits are not
considered to be private. Therefore, treat all your activities as such.
The company reserves the right to inspect all files and
communications sites accessed to ensure that you comply with the
stated company policies and guidelines.

6.0 Internet Messaging Rules and Regulation

6.1. Employees are prohibited from downloading and using personal,
consumer-grade IM software (AOL Instant Messenger, Yahoo, etc.)
to transmit IM via the public Internet. Employees who violate this
rule are subject to termination.

6.2. All IM communications and information transmitted, received, or
archived in the company's IM system belong to the company.

6.3. Employees have no reasonable expectation of privacy when using
the company’s IM system. The company reserves the right to monitor,
access, and disclose all employee IM messages.

6.4. Treat IM messages as business records that may be retained and
used as evidence in litigation, audits, and investigations.

6.5. Employees are required to retain business record IM and delete
nonessential IM in accordance with the company’s written IM
retention and deletion schedule. See the Compliance Officer if you
need a copy or have questions about IM retention/deletion policies,
practices, and procedures.

6.6. Use professional, appropriate language in IM messages. Employees
are prohibited from sending abusive, harassing, threatening,
menacing, discriminatory, pornographic, off-color, or otherwise
offensive IM messages.

6.7. Employees are prohibited from sending jokes, rumors, gossip, or
unsubstantiated opinions via IM. These communications, which often
contain objectionable material, are easily misconstrued when
communicated electronically.

6.8. Employees may not use IM to transmit confidential, proprietary,
personal, or potentially embarrassing information about the company,
employees, clients, business associates, or other third parties.

6.9. Employees may not share confidential, proprietary, or potentially
embarrassing business related and/or personal IM with the media,
competitors, prospective employers, and/or other third parties.

6.10. The IM system is intended for business use only. Employees are
prohibited from wasting computer resources, colleagues’ time, and/or
their own time sending personal IM and/or engaging in unnecessary
chat not related to business.

6.11. Employees are to share their IM user names with colleagues strictly
on a need-to-know basis.

7.0 Computer Users Responsibilities in General

All computer users shall be responsible for:

7.1. The proper use of the office computer equipment. Physical
vandalism such as taking the tracking ball out of the mouse,
disconnecting wires on the back of the computers, tearing off labels
and other attachments, carving or marking anything onto the computer
is prohibited.

7.2. Notifying the IT Department if you identify any suspected security
problem and any changes in user account information.

7.3. Respecting the privacy of others. Do not seek information about, obtain
copies of, or modify electronic information belonging to other users
unless authorized to do so by those users.

7.4. Ensuring that internal messages meant only for company employees
are not sent to outsiders.

7.5. Ensuring all communication through company e-mail or messaging
services is conducted in a professional manner. The use of vulgar or
obscene language is strictly prohibited.

7.6. Confidential material. Users must be present when printing
confidential material. No document of a confidential nature may be
printed or left in an area accessible by other users.

7.7. Destroying confidential information. Confidential information must be
destroyed in a manner which prevents it from being reviewed by
others.

7.8. Keeping all pornographic material, inappropriate text files, or files
dangerous to the integrity of the network from entering the networks.

7.9. Logging off, shutting down or turning off their respective computers
daily before retiring for the day.

8.0 Notebook Security Tips

8.1. The notebook is not to be loaned to anyone.

8.2. Lock the notebook or logout from the system while you are away.

8.3. Keep the notebook in a secured environment when not being used.

8.4. No software is to be loaded onto the notebook other than software
approved by the management.

8.5. Proper care is to be given to the laptop at all times, including but not
limited to the following:
• Do not leave the notebook exposed to direct sunlight;
• Do not drop your notebook or allow it to fall;
• Do not attempt to repair a damaged or malfunctioning notebook;
• Do not leave the A/C adapter behind when moving the notebook;
• Do not allow children to play with the notebook;
• Unplug the notebook during electrical storms;
• Give care appropriate for any electrical device;
• Perform regular preventative virus scans on all disks placed in the
computer;
• The notebook should be stored in its zipped case when not in use;
• Put a label on the top of the notebook. This is to avoid picking up
someone else’s notebook by mistake (same brand and model of
notebook).

9.0 Computer Orientation

9.1. All computer users in the company shall undergo a brief computer
orientation given by the IT Department.

9.2. All Department Heads are responsible for ensuring that their
employees understand this policy and for monitoring usage within
their department.

10.0 Acceptance Terms

Yee Lee Organization Berhad reserves the right to update the Yee Lee
Organization Berhad Corporate Information Technology Security Policy
and other policies under the said policy at any time without notice. Users
shall be updated on the amendments via HR Dept.

APPENDIX 1
Yee Lee Group Acceptable Use Policy
1.0 Overview
Yee Lee Group’s intentions for publishing an Acceptable Use Policy are
not to impose restrictions that are contrary to Yee Lee Group’s established
culture of openness, trust and integrity. Yee Lee Group is committed
to protecting Yee Lee Group’s employees, subsidiaries and the company
from illegal or damaging actions by individuals, either knowingly or
unknowingly.

Internet / Intranet / Extranet-related systems, including but not limited to
computer equipment, mobile devices, software, operating systems,
storage media, network accounts providing electronic mail, WWW
browsing, SharePoint Services and FTP, are the property of Yee Lee
Group. These systems are to be used for business purposes in serving the
interests of the company and its subsidiaries in the course of normal
operations.

Effective security is a team effort involving the participation and support of
every Yee Lee Group employee and affiliate who deals with information
and/or information systems. It is the responsibility of every computer user
to know these guidelines, and to conduct his / her activities accordingly.

2.0 Purpose
The purpose of this policy is to outline the acceptable use of computer
equipment at Yee Lee Group. These rules are in place to protect the
employees and Yee Lee Group. Inappropriate use exposes Yee Lee
Group to risks including virus attacks, compromise of network systems and
services, and legal issues.

3.0 Scope
This policy applies to employees, contractors, consultants, temporaries,
and other workers at Yee Lee Group, including all personnel affiliated with
third parties. This policy applies to all equipment that is owned or leased
by Yee Lee Group.

4.0 Policy
4.1. General Use and Ownership

• While Yee Lee Group’s network administration intends to provide a
reasonable level of privacy and security, users should be aware that
the data they create on the corporate systems remains the property of
Yee Lee Group.

• Employees are responsible for exercising good judgment regarding
the reasonableness of personal computer use. If there is any
uncertainty, employees should consult their supervisor or manager or
the IT Department.

• Yee Lee Group recommends that any information that users consider
sensitive or vulnerable be encrypted.

• For security and network maintenance purposes, authorized
individuals within Yee Lee Group may monitor equipment, systems
and network traffic at any time, per Yee Lee Group’s Audit Policy.

• Yee Lee Group reserves the right to audit network and systems on a
periodic basis to ensure compliance with this policy.

4.2. Security and Proprietary Information

• The user interface for information contained on Internet / Intranet /
Extranet-related systems should be classified as either confidential or
not confidential. Examples of confidential information include but are
not limited to: Company private, corporate strategies, competitor
sensitive, trade secrets, specifications, customer lists, and research
data. Employees should take all necessary steps to prevent
unauthorized access to this information.

• Keep passwords secure and do not share accounts. Authorized users
are responsible for the security of their passwords and accounts.
System level passwords should be changed half yearly; user level
passwords should be changed every quarter.

• All PCs, notebooks and workstations should be secured with a
password-protected screensaver with the automatic activation feature
set at 10 minutes or less, or by logging off when the computer will be
unattended.

• Use encryption of information where appropriate.

• Because information contained on portable computers and mobile
devices is especially vulnerable, special care should be exercised.
Protect notebooks in accordance with the “Mobile Device Policy”.

• Postings by employees from a Yee Lee Group email address to
newsgroups should contain a disclaimer stating that the opinions
expressed are strictly their own and not necessarily those of Yee Lee
Group, unless posting is in the course of business duties.

• All computers used by the employee that are connected to the Yee Lee
Group Internet / Intranet / Extranet, whether owned by the employee or
Yee Lee Group, shall be continually executing approved virus-scanning
software with a current virus database, unless overridden by
department or group policy.

• Employees must exercise extreme caution when opening e-mail
attachments received from unknown senders, which may contain
viruses, e-mail bombs, or Trojan horse code.

4.3. Unacceptable Use

• The following activities are, in general, prohibited. Employees may be
exempted from these restrictions during the course of their legitimate
job responsibilities (e.g., systems administration staff may have a need
to disable the network access of a computer if that computer is
disrupting production services).

• Under no circumstances is an employee of Yee Lee Group authorized
to engage in any activity that is illegal under local, state, federal or
international law while utilizing Yee Lee Group-owned resources.

• The lists below are by no means exhaustive, but attempt to provide a
framework for activities which fall into the category of unacceptable use.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

i. Violations of the rights of any person or company protected by
copyright, trade secret, patent or other intellectual property, or similar
laws or regulations, including, but not limited to, the installation or
distribution of “pirated” or other software products that are not
appropriately licensed for use by Yee Lee Group or its subsidiaries.

ii. Unauthorized copying of copyrighted material including, but not
limited to, digitization and distribution of photographs from magazines,
books or other copyrighted sources, copyrighted music, and the
installation of any copyrighted software for which Yee Lee Group or
the end user does not have an active license is strictly prohibited.

iii. Exporting software, technical information, encryption software or
technology, in violation of international or regional export control laws,
is illegal. The appropriate management should be consulted prior to
export of any material that is in question.

iv. Introduction of malicious programs into the networks or server (e.g.,
viruses, worms, Trojan Horses, e-mail bombs, etc.).

v. Revealing your account password to others or allowing the use of
your account by others. This includes family and other household
members when work is being done at home.

vi. Using a Yee Lee Group computing asset to actively engage in
procuring or transmitting material that is in violation of sexual
harassment or hostile workplace laws in the user’s local jurisdiction.

vii. Making fraudulent offers of products, items, or services originating
from any Yee Lee Group account.

viii. Making statements about warranty, expressly or implied, unless it is a
part of normal job duties.

ix. Port scanning or security scanning is expressly prohibited unless
prior notification to Yee Lee Group IT Department is made.

x. Effecting security breaches or disruption of network communication.
Security breaches include, but are not limited to, accessing data of
which the employee is not an intended recipient or logging into a
server or account that the employee is not expressly authorized to
access, unless these duties are within the scope of regular duties.
For purposes of this section, “disruption” includes, but is not limited to,
capturing network information like e-mail or document files for
malicious purposes.

xi. Executing any form of network monitoring which will intercept data
not intended for the employee’s computer, unless this activity is a part
of the employee’s normal job/duty.

xii. Circumventing user authentication or security of any computer,
network or account.

xiii. Interfering with or denying service to any user other than the
employee’s computer (for example, denial of service attack).

xiv. Using any program/script/command, or sending messages of any
kind, with the intent to interfere with, or disable, a user’s terminal
session, via any means, locally or via the Internet/Intranet/Extranet.

xv. Providing information about, or lists of, Yee Lee Group employees to
parties outside Yee Lee Group.

xvi. Introduction of unauthorized programs into the client computers,
network or server without prior approval from a superior (e.g., games,
third party interface drivers, shareware, freeware, peer to peer,
third party screen savers, etc.).

xvii. Downloading unnecessary software, MP3s and information not
related to the company is prohibited.

xviii. USB pen drives may not be used unless prior notification to Yee
Lee Group is made. This is to prevent unauthorized copying of data out
of the premises.

4.4. E-mail and Communications Activities

i. Sending unsolicited email messages, including the sending of “junk
mail” or other advertising material to individuals who did not
specifically request such material (email spam).

ii. Any form of harassment via email, telephone or paging, whether
through language, frequency, or size of messages.

iii. Unauthorized use, or forging, of email header information.

iv. Solicitation of email for any other email address, other than that of the
poster’s account, with the intent to harass or to collect replies.

v. Creating or forwarding “chain letter”, “Ponzi” or other “pyramid”
schemes of any type.

vi. Use of unsolicited email originating from within Yee Lee Group’s
networks of other Internet/Intranet/Extranet service providers on
behalf of, or to advertise, any service hosted by Yee Lee Group or
connected via Yee Lee Group’s network.

vii. Posting the same or similar non-business-related messages to large
numbers of Usenet newsgroups (newsgroup spam).

5.0 Enforcement

Any employee found to have violated the aforementioned policy may be
subject to disciplinary action, up to and including termination of
employment.

(Please refer to Appendix 20)

APPENDIX 2
Yee Lee Group Password Policy
1.0 Overview
Passwords are an important aspect of computer security. They are the
front line of protection for user accounts. A poorly chosen password may
result in the compromise of Yee Lee Group’s entire organization network.
As such, all Yee Lee Group employees (including contractors and vendors
with access to Yee Lee Group systems) are responsible for taking the
appropriate steps, as outlined below, to select and secure their passwords.

2.0 Purpose
The purpose of this policy is to establish a standard for creation of strong
passwords, the protection of those passwords, and the frequency of
change.

3.0 Scope
The scope of this policy includes all personnel who have or are
responsible for an account (or any form of access that supports or requires
a password) on any system that resides at any Yee Lee Group facility, has
access to the Yee Lee Group network, or stores any non-public Yee Lee
Group information.

4.0 Policy
4.1. General
• All system-level passwords (e.g., root, administrator, NT admin,
application administration accounts, etc.) must be changed at least
once every half year.
• All production system-level passwords must be part of the Yee Lee
Group administered global password management database.
• All user-level passwords (e.g., email, web, desktop/mobile computer,
etc.) must be changed at least once every half year. The recommended
change interval is every three months.


• Passwords must not be inserted into email messages or other forms of
electronic communication.
• All user-level and system-level passwords must conform to the
guidelines described below.

4.2. Guidelines
4.2.1. General Password Construction Guidelines
Passwords are used for various purposes at Yee Lee Group. Some
of the more common uses include: user level accounts, web
accounts, e-mail accounts, screen saver protection, voicemail
passwords, and local router logins. Since very few systems have
support for one-time tokens (i.e., dynamic passwords which are
only used once), everyone should be aware of how to select strong
passwords.

Poor, weak passwords have the following characteristics:


1) The password contains fewer than six characters.
2) The password is a word found in a dictionary (English or foreign).
3) The password is a common usage word such as:
(i) Names of family, pets, friends, co-workers, fantasy
characters, etc.
(ii) Computer terms and names, commands, sites, companies,
hardware, software.
(iii) The words “Yee Lee Group”, “YLEO”, “YLT” or any
derivation.
(iv) Birthdays and other personal information such as address
and phone numbers.
(v) Words or number patterns like aaabbb, qwerty, zyxwvuts,
123321, etc.
(vi) Any of the above spelled backwards.
(vii) Any of the above preceded or followed by a digit (e.g.,
secret1, 1secret).


Strong passwords have the following characteristics:


4) Contain both upper- and lower-case characters
E.g. a-z, A-Z
5) Have digit and punctuation characters as well as letters.
E.g. 0-9, ! @ # $ % ^ & * ( ) _ + | ~ - = \ ; ’ : ” , . < > / ? ` [ ] { }
6) Are at least eight alphanumeric characters long.
7) Are not words in any language, slang, dialect, jargon, etc.
8) Are not based on personal information, names of family, etc.
9) Passwords should never be written down or stored on-line. Try to
create passwords that can be easily remembered. One way to
do this is to create a password based on a song title, affirmation,
or other phrase. For example, the phrase might be: “This May
Be One Way To Remember” and the password could be:
“TmB1w2R” or “Tmb1W>r~” or some other variation.

NOTE : Do not use either of the above examples as passwords!!

4.2.2. Password Protection Standards


Do not use the same passwords for Yee Lee Group accounts as for
other non-Yee Lee Group access (e.g. Personal ISP account,
option trading, benefits, etc.). Where possible, don’t use the same
password for various Yee Lee Group access needs. For example,
select one password for the Engineering systems and a separate
password for IT systems. Also, select a separate password to be
used for a Windows Server account and an ERP account.

Do not share Yee Lee Group passwords with anyone, including
administrative assistants or secretaries. All passwords are to be
treated as sensitive, Confidential Yee Lee Group information.

Here is a list of “Don’ts” :


a. Don’t reveal a password over the phone to ANYONE.
b. Don’t reveal a password in an email message.
c. Don’t reveal a password to the boss.


d. Don’t reveal a password on questionnaires or security forms.
e. Don’t reveal a password to co-workers while on vacation.
f. Don’t talk about a password in front of others.
g. Don’t hint at the format of a password (e.g. My family name).
h. Don’t share a password with family members.

However, if the password is to be revealed to co-workers so that
work could be conducted on behalf of the user during his absence,
the password should be changed when the user reports back for
duty.

If someone demands a password, refer them to this document or
have them call someone in the IT Department.

Do not use the “Remember Password” feature of applications (e.g.
IncrediMail, Outlook, Netscape Messenger).

Again, do not write passwords down and store them anywhere in
your office. Do not store passwords in a file on ANY computer
system (including Palm Pilots or similar devices) without encryption.

Change passwords at least once every half year (except system-
level passwords, which must be changed quarterly).

If an account or password is suspected to have been compromised,
report the incident to I.T. Department of Yee Lee Group and change
all passwords.

Password checking or guessing may be performed on a periodic or
random basis by Yee Lee Group or its delegates. If a password is
guessed or cracked during one of these scans, the user will be
required to change it.

4.2.3. Application Development Standards
Application developers must ensure their programs contain the
following security precautions.
Application:


(a) Should support authentication of individual users, not groups.
(b) Should not store passwords in clear text or in any easily
reversible form.
(c) Should provide for some sort of role management, such that one
user can take over the functions of another without having to
know the other’s password.

4.2.4. Use of Passwords and Passphrases for Remote Access Users


Access to the Yee Lee Group Networks via remote access is to be
controlled using either a one-time authentication or a public/private key
system with a strong passphrase.

4.2.5. Passphrases

Passphrases are generally used for public/private key
authentication. A public/private key system defines a mathematical
relationship between the public key that is known by all, and the
private key, that is known only to the user. Without the passphrase
to “unlock” the private key, the user cannot gain access.

Passphrases are not the same as passwords. A passphrase is a
longer version of a password and is, therefore, more secure. A
passphrase is typically composed of multiple words. Because of this,
a passphrase is more secure against “dictionary attacks”.

A good passphrase is relatively long and contains a combination of
upper and lowercase letters and numeric and punctuation
characters. An example of a good passphrase:

The *?#>&@TrafficOnThe101Was*&#!#ThisMorning

All of the rules above that apply to passwords also apply to
passphrases.


4.2.6 System Usage


1. Users should ensure their computers are fully shut down and turned
off at end of day.
2. Computers should be locked or shut down when left unattended for
any significant period of time.
3. With regards to file management, Department Managers will
determine the top-level folders/directories and associated
permissions for their department and inform the IT Department. The
IT Department will create or modify the folders accordingly.
4. Within their respective top-level folders, staff should create sub-
folders in accordance with their own departmental guidelines but
cannot create new top-level folders.

5.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)


APPENDIX 3
Yee Lee Group E-mail Use Policy
1.0 Purpose

To prevent tarnishing the public image of Yee Lee Group. When email goes
out from Yee Lee Group, the general public will tend to view that message
as an official statement from the Yee Lee Group.

2.0 Scope

This policy covers appropriate use of any email sent from a Yee Lee
Group email address and applies to all employees of the group operating
on behalf of Yee Lee Group.

3.0 Policy

3.1. Prohibited Use


The Yee Lee Group email system shall not be used for the creation
or distribution of any disruptive or offensive messages, including
offensive comments about race, gender, hair color, disabilities, age,
sexual orientation, pornography, religious beliefs and practice,
political beliefs, or national origin. Employees who receive any
emails with this content from any Yee Lee Group employee should
report the matter to their supervisor and IT Department immediately.

3.2. Personal Use


Using a reasonable amount of Yee Lee Group resources for
personal emails is acceptable, but non-work related email shall be
saved in a separate folder from work related email. Sending chain
letters or joke emails from a Yee Lee Group email account is
prohibited. Virus or other malware warnings from Yee Lee Group
shall be administered by Yee Lee Group IT Department before
sending.


3.3. Monitoring
Yee Lee Group employees shall have no expectation of privacy in
anything they store, send or receive on the company’s email
system. Yee Lee Group may monitor messages in/out without prior
notice.

4.0 Electronic Mail (E-Mail) Etiquette


Yee Lee Group employees are expected to conduct themselves in
accordance with the following guidelines when using e-mail as a
communication mechanism.
▪ Users should ensure that e-mail messages are sent to only those users
with a specific need to know.
▪ Check e-mail frequently.
▪ Do not publicly criticize others.
▪ Respond to messages requiring a response as quickly as possible.
▪ All communication through company e-mail must be conducted in a
professional manner. The use of vulgar or obscene language is strictly
prohibited.
▪ Identify yourself honestly, accurately and completely when sending e-
mail.
▪ Messages written in all caps are difficult to read and are considered
shouting.
▪ When sending e-mail, make your “subject” line as descriptive as
possible, so that the readers of your message will be able to judge the
content of the message.
▪ When replying to a message, include enough of the original message
so that the receiver of the message can easily recall the discussion.

5.0 Supported E-Mail Software


Yee Lee Group will only observe and support the following email
software; users are not permitted to use any email software other than
those listed.


1. Microsoft Outlook
2. Microsoft Outlook Express
3. Microsoft Windows Mail
4. Yee Lee Webmail Portal

6.0 Disclaimer
The following legal disclaimer text shall be added to every email being
sent by Yee Lee Group employees.

/-------------------------------------------------------------------------------------------------\

Confidential and/or privileged information may be contained in this e-mail
and any attachments transmitted with it ('Message'). If you are not the
addressee indicated in this Message (or responsible for delivery of this
Message to such person), you are hereby notified that any dissemination,
distribution, printing or copying of this Message or any part thereof is
prohibited. Please delete this Message if received in error and advice the
sender by return e-mails. Opinions, conclusions and other information in
this Message that do not relate to the official business of this company
shall be understood as neither given nor endorsed by this company.

\-------------------------------------------------------------------------------------------------/

7.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)


APPENDIX 4
Yee Lee Group Remote Access Policy
1.0 Purpose
The purpose of this policy is to define standards for connecting to Yee Lee
Group’s network from any computer remotely. These standards are
designed to minimize the potential exposure to Yee Lee Group from
damages which may result from unauthorized use of Yee Lee Group
resources. Damages include the loss of sensitive or company confidential
data, intellectual property, damage to public image, damage to critical Yee
Lee Group internal systems, etc.

2.0 Scope

This policy applies to all Yee Lee Group employees, contractors, vendors
and agents with a Yee Lee Group-owned or personally-owned computer
and workstation used to connect to the Yee Lee Group network. This
policy applies to remote access connections used to do work on behalf of
Yee Lee Group, including ERP System, reading or sending email and
viewing intranet web resources.

Remote access implementations that are covered by this policy include,
but are not limited to, dial-in modems, frame relay, Unifi, ISDN, DSL, VPN,
SSH, and cable modems, etc.

3.0 Policy
3.1. General

A. It is the responsibility of Yee Lee Group employees, contractors,
vendors and agents with remote access privileges to Yee Lee Group
organization network to ensure that their remote access connection is
given the same consideration as the user’s on-site connection to Yee
Lee Group.

B. General access to the Internet for recreational use by immediate
household members through the Yee Lee Group Network on personal
computers is permitted for employees that have flat-rate services. The
Yee Lee Group employee is responsible to ensure the family member
does not violate any Yee Lee Group policies, does not perform illegal
activities, and does not use the access for outside business interests.
The Yee Lee Group employee bears responsibility for the
consequences should the access be misused.

C. Please review the following policies for details of protecting information
when accessing the corporate network via remote access methods,
and acceptable use of Yee Lee Group network.
(1) Acceptable Use Policy – (Appendix 1)
(2) Password Policy – (Appendix 2)
(3) E-mail Policy – (Appendix 3)
(4) Wireless Communications Policy – (Appendix 5)

3.2. Requirements
Secure remote access must be strictly controlled. Control will be
enforced via one-time password authentication or public/private keys
with strong passphrases. For information on creating a strong
passphrase, please read the Password Policy in Appendix 2.

A. At no time should any Yee Lee Group employee provide their login
or email password to anyone, not even family members.

B. Yee Lee Group employees and contractors with remote access
privileges must ensure that their Yee Lee Group-owned or personal
computer or workstation, which is remotely connected to Yee Lee
Group organization network, is not connected to any other network
at the same time, with the exception of personal networks that are
under the complete control of the user.


C. Yee Lee Group employees and contractors with remote access
privileges to Yee Lee Group organization network must not use
non-Yee Lee Group email accounts (i.e. Hotmail, Yahoo, AOL,
Gmail), or other external resources to conduct Yee Lee Group
business, thereby ensuring that official business is never confused
with personal business.

D. Non-standard hardware configuration must be approved by IT
Department, and Yee Lee Group must approve security
configurations for access to hardware.

E. All computers that are connected to Yee Lee Group internal
networks via remote access technologies must use the most up-to-
date anti-virus; this includes personal computers. Third party
connections must comply with requirements as stated in the Third-
Party Access Policy.

F. Personal equipment that is used to connect to Yee Lee Group’s
network must meet the requirements of Yee Lee Group-owned
equipment for remote access.

G. Organizations or individuals who wish to implement non-standard
Remote Access solutions to the Yee Lee Group production network
must obtain prior approval from IT Department and Yee Lee Group.

4.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)


APPENDIX 5
Yee Lee Group Wireless Communication Policy

1.0 Purpose
This policy prohibits access to Yee Lee Group networks via unsecured
wireless communication mechanisms. Only wireless systems that meet the
criteria of this policy or have been granted an exclusive waiver by Yee Lee
Group are approved for connectivity to Yee Lee Group.

2.0 Scope
This policy covers all wireless data communication devices (e.g. Personal
computers, Mobile phones, PDAs, etc.) connected to any of Yee Lee
Group’s internal networks. This includes any form of wireless
communication device capable of transmitting packet data. Wireless
devices and/or networks without any connectivity to Yee Lee Group’s
network do not fall under the purview of this policy.

3.0 Policy
3.1. Register Access Points and cards
All Wireless Access Points / Base Stations connected to the organization
network must be registered and approved by Yee Lee Group. These
Access Points / Base Stations are subject to periodic penetration tests
and audits. All wireless Network Interface Cards (i.e. PC cards) used in
organization notebook or desktop computers must be registered with
Yee Lee Group.

3.2. Approved Technology


All wireless LAN access must use organization-approved vendor
products and security configurations.


3.3. Setting the SSID


The SSID shall be configured so that it does not contain any identifying
information about the organization, such as the company name,
division title, employee name, or product identifier.

4.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)


APPENDIX 6
Virtual Private Network (IPVPN) Policy

1.0 Purpose
The purpose of this policy is to provide guidelines for Remote Access
IPSec or L2TP Internet Protocol Virtual Private Network (IPVPN)
connections to the Yee Lee Group corporate network.

2.0 Scope
This policy applies to all Yee Lee Group employees, contractors,
consultants, temporaries, and other workers including all personnel
affiliated with third parties utilizing IPVPNs to access the Yee Lee Group
network. This policy applies to implementations of IPVPN that are directed
through an IPSec Concentrator.

3.0 Policy
Approved Yee Lee Group employees and authorized third parties
(customers, vendors, etc.) may utilize the benefits of IPVPNs, which are a
"user managed" service. This means that the user is responsible for
selecting an Internet Service Provider (ISP), coordinating installation,
installing any required software, and paying associated fees. Further
details may be found in the Remote Access Policy.

Additionally,
1. It is the responsibility of employees with IPVPN privileges to ensure that
unauthorized users are not allowed access to Yee Lee Group internal
networks.
2. IPVPN use is to be controlled using either a one-time password
authentication such as a token device or a public/private key system
with a strong passphrase.
3. When actively connected to the corporate network, IPVPNs will force all
traffic to and from the PC over the IPVPN tunnel: all other traffic will be
dropped.


4. Dual (split) tunneling is NOT permitted; only one network connection is
allowed.
5. IPVPN gateways will be set up and managed by Yee Lee Group IT
Department.
6. All computers connected to Yee Lee Group internal networks via IPVPN
or any other technology must use the most up-to-date anti-virus
software that is the corporate standard; this includes personal
computers.
7. IPVPN users will be automatically disconnected from Yee Lee Group's
network after thirty minutes of inactivity. The user must then log on
again to reconnect to the network. Pings or other artificial network
processes are not to be used to keep the connection open.
8. The IPVPN concentrator is limited to an absolute connection time of 24
hours.
9. Users of computers that are not Yee Lee Group-owned equipment must
configure the equipment to comply with Yee Lee Group's IPVPN and
Network policies.
10. By using IPVPN technology with personal equipment, users must
understand that their machines are a de facto extension of Yee Lee
Group's network, and as such are subject to the same rules and
regulations that apply to Yee Lee Group-owned equipment, i.e., their
machines must be configured to comply with Yee Lee Corporate
Information Technology Security Policies.

4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

(Please refer to Appendix 20)


APPENDIX 7
Risk Assessment Policy

1.0 Purpose
To empower IT Department to perform periodic information security risk
assessments (RAs) for the purpose of determining areas of vulnerability,
and to initiate appropriate remediation.

2.0 Scope
Risk assessments can be conducted on any entity within Yee Lee Group
or any outside entity that has signed a Third-Party Agreement with Yee
Lee Group. RAs can be conducted on any information system, including
applications, servers, and networks, and any process or procedure by
which these systems are administered and/or maintained.

3.0 Policy
The execution, development and implementation of remediation programs
are the joint responsibility of IT Department and the department
responsible for the systems area being assessed. Employees are
expected to cooperate fully with any RA being conducted on systems for
which they are held accountable. Employees are further expected to work
with the IT Department Risk Assessment Team in the development of a
remediation plan.

4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)


APPENDIX 8
SPAM Handling Policy

1.0 WHAT IS SPAM?


Spam is commercial email or unsolicited bulk email, including “junk mail”,
which has not been requested by the recipient. It is intrusive and often
irrelevant or offensive, and it wastes valuable resources. Spam messages
are the opposite of permission-based email, which are normally
anticipated, personal, relevant and/or associated with a pre-existing
business or personal relationship. Inappropriate newsgroup activities,
consisting of excessive posting of the same materials to several
newsgroups, are also deemed to be spam.

Unsolicited commercial email, or spam, is a problem facing all
organizations that make use of internet-enabled email. The risks and
problems arising from reception of spam range from lost productivity,
failure in communications when real emails are missed in a flood of spam,
to legal liability when employees are exposed to offensive or pornographic
messages.

Spam is an increasing problem at YEE LEE GROUP. In August 2004, anti-
spam software was implemented at the central level. This software tags
any email displaying recognized spam characteristics but does not delete
it. The decision not to automatically delete was made because of the fear
of deleting legitimate mail that had been incorrectly marked as spam, so-
called “false positives”. Tagged spam is passed to the relevant business
unit email server along with the untagged email. Some business units filter
off the tagged spam before delivering email to the users’ inboxes; others
leave it up to the user to delete any tagged spam.

The current devolved arrangement for handling of tagged spam email at
the business units has resulted in a variety of implementations ranging
from doing nothing, to deleting all tagged spam on receipt.


This policy has become necessary to ensure a minimum standard and
associated practices for handling spam are in place across YEE LEE
GROUP to protect employees.

2.0 POLICY STATEMENT


Any business unit that is running a mail server must take proactive
measures to protect employees from offensive spam and the time-
consuming task of deleting tagged spam. The minimum measures that
must be put in place are:

• Any tagged spam should be archived into a separate area so that it is
not delivered to the user’s inbox.
• A mechanism should be provided to allow the user to review and
retrieve archived spam emails if the user fears that there may be false
positives.
• Archived spam emails should be automatically deleted after a
reasonable period of time, not less than 14 days.
• An opt-out option may be provided for those staff or students who do
not wish to have any spam email archived and are willing to manage
tagged spam themselves.
• Tagged spam will not be forwarded to an external email address, such
as a personal hotmail address. This is to prevent YEE LEE GROUP
from being blacklisted as a sender of spam.
• Business units should provide support and guidance to all staff and
students to enable them to manage spam, including the reporting of
false positives.

3.0 PREVENTING SPAM

Employees of YEE LEE GROUP have agreed during their employment
process, upon accepting the Terms of Use, to comply with this Anti-Spam
Policy. Specifically, each employee agrees not to use YEE LEE GROUP
services to send unsolicited email or bulk email, whether or not for
commercial purposes. YEE LEE GROUP reserves the right to determine
in its sole discretion what constitutes actionable spam, as well as what
measures are necessary in response to such spam activities.

4.0 LAWS RESTRICTING SPAM

Spam laws vary from state to state, and from country to country. This YEE
LEE GROUP Anti-Spam Policy has been developed to conform to the
highest commercially reasonable standards. As a result, and without
limiting the general prohibitions against all spam activities, the following
are expressly prohibited:

(a) Use of false headers, or other false information, to identify the point of
origin or the transmission path of the email, or to hide the true origin of
the email sender,
(b) Unauthorized use of a third party’s internet domain name without the
permission of such third party, to make it appear that the third party
was the point of origin of the email,
(c) Use of any false or misleading information in the subject line of the
email, and
(d) Assisting any person in using the services of YEE LEE GROUP for any
of these previously mentioned activities.

5.0 REPORTING SPAM

If you believe that you have received spam from or through YEE LEE
GROUP’s facilities, please send a complaint from your email account
along with the unsolicited email, with its complete header, to IT Department
(it@yeelee.com.my). Please provide any other information that you
believe may help us in our investigation. IT Department does not
investigate or take any action based on “anonymous” spam complaints.


APPENDIX 9
Bluetooth Security Policy
1.0 Purpose

This policy provides for more secure Bluetooth Device operations. It
protects the company from loss of Personally Identifiable Information (PII)
and proprietary company data.

2.0 Scope

This policy covers all Yee Lee Group Bluetooth Devices.

3.0 Policy

3.1 Version level

No Bluetooth Device shall be deployed on Yee Lee Group
equipment that does not meet Bluetooth v2.1 specification without
written authorization from the IT Manager. Any Bluetooth equipment
purchased prior to this policy must comply with all parts of this
policy except the Bluetooth version specifications.

3.2 Pins and Pairing

When pairing your Bluetooth unit to your Bluetooth enabled
equipment (i.e. phone, laptop, etc.), ensure that you are not in a
public area. If your Bluetooth enabled equipment asks for you to
enter your pin after you have initially paired it, you must refuse the
pairing request and report it to IT Department immediately. Unless
your Bluetooth device itself has malfunctioned and lost its pin, this
is a sign of a hack attempt.


3.3 Device Security Settings

All Bluetooth devices shall employ ‘security mode 3’ which encrypts
traffic in both directions, between your Bluetooth Device and its
paired equipment.

If your device allows the usage of long PINs, you must use either a
13-character alphabetic PIN or a 19-digit PIN (or longer).

Switch the Bluetooth device to use the hidden mode, and activate
Bluetooth only when it is needed.

Update the device’s firmware when a new version is available.

3.4 Security Audits

IT Department shall perform audits to ensure compliance with this
policy. In the process of performing such audits, IT Department
shall not eavesdrop on any phone conversation.

3.5 Unauthorized Use

The following is a list of unauthorized uses of Yee Lee Group-
owned Bluetooth devices:

• Eavesdropping, device ID spoofing, DoS attacks, or any form of
attacking other Bluetooth enabled devices.

• Using Yee Lee Group-owned Bluetooth equipment on non-Yee
Lee Group-owned Bluetooth enabled devices.

• Unauthorized modification of Bluetooth devices for any purpose.


3.6 User Responsibilities

• It is the Bluetooth user's responsibility to comply with this policy.

• Bluetooth users must only access Yee Lee Group information
systems using approved Bluetooth device hardware, software,
solutions, and connections.

• Bluetooth device hardware, software, solutions, and connections
that do not meet the standards of this policy shall not be
authorized for deployment.

• Bluetooth users must act appropriately to protect information,
network access, passwords, cryptographic keys, and Bluetooth
equipment.

• Bluetooth users are required to report any misuse, loss, or theft
of Bluetooth devices or systems immediately to IT Department.

4.0 Enforcement

Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

(Please refer to Appendix 20)

APPENDIX 10
Software Installation Policy

1.0 Overview
Allowing employees to install software on company computing devices
opens the organization up to unnecessary exposure. Conflicting file
versions or DLLs which can prevent programs from running, the
introduction of Malware from infected installation software, unlicensed
software which could be discovered in an audit and programs which can
be used to hack the organization’s network are examples of the problems
that can be introduced when employees install software on company
equipment.

2.0 Purpose
To minimize the risk of loss of program functionality, the exposure of
sensitive information contained within Yee Lee Group computing network,
the risk of introducing Malware, and the legal exposure of running
unlicensed software.

3.0 Scope
This policy covers all computers, servers, PDAs, smartphones, and other
computing devices operating within Yee Lee Group.

4.0 Policy
Employees may not install software on Yee Lee Group computing devices
operated within the Yee Lee Group network. Software requests must first
be approved by the requester’s manager and then be made to the IT
department or Help Desk in writing or via email. Software must be selected
from an approved software list, maintained by the Information Technology
Department, unless no selection on the list meets the requester’s need.
The IT Department will obtain and track the licenses, test new software for
conflict and compatibility, and perform the installation.

5.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)

APPENDIX 11
Workstation Security Policy

1.0 Purpose
The purpose of this policy is to provide guidance on workstation security
for Yee Lee Group workstations in order to ensure the security of
information on the workstation and information the workstation may have
access to.

2.0 Scope
This policy applies to all Yee Lee Group employees, contractors,
workforce members, vendors and agents with a Yee Lee Group-owned or
personal-workstation connected to the Yee Lee Group network.

3.0 Policy
Appropriate measures must be taken when using workstations to ensure
the confidentiality, integrity and availability of sensitive information and
that access to sensitive information is restricted to authorized users.

3.1 Employees using workstations shall consider the sensitivity of the
information that may be accessed and minimize the possibility of
unauthorized access.

3.2 Yee Lee Group will implement physical and technical safeguards for
all workstations that access electronic protected information to restrict
access to authorized users.

3.3 Appropriate measures include:

• Restricting physical access to workstations to only authorized
personnel.
• Securing workstations (screen lock or logout) prior to leaving area
to prevent unauthorized access.

• Enabling a password-protected screen saver with a short timeout
period to ensure that workstations that were left unsecured will be
protected.
• Complying with all applicable password policies and procedures.
• Ensuring workstations are used for authorized business purposes
only.
• Never installing unauthorized software on workstations.
• Storing all sensitive information on network servers.
• Keeping food and drink away from workstations in order to avoid
accidental spills.
• Securing laptops that contain sensitive information by using cable
locks or locking laptops up in drawers or cabinets.
• Complying with the Mobile Device Encryption policy.
• Complying with the Anti-Virus policy.
• Ensuring that monitors are positioned away from public view. If
necessary, install privacy screen filters or other physical barriers to
public viewing.
• Ensuring workstations are left on but logged off in order to facilitate
after-hours updates. Exit running applications and close open
documents.
• Ensuring that all workstations use a surge protector (not just a
power strip) or a UPS (battery backup).
• If wireless network access is used, ensure access is secure by
following the Wireless Communication policy.

4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)

APPENDIX 12
Approved Application Policy

1.0 Overview

All employees and personnel that have access to organizational computer
systems must adhere to the approved application policy in order to protect
the security of the network, protect data integrity, and protect computer
systems.

2.0 Purpose

This policy is designed to protect the organizational resources on the
network by requiring all network users to only run or install application
programs deemed safe by the IT department.

3.0 Approved Applications

All employees may operate programs on the IT approved application list. If
an employee wants to use an application not on the list, they should
submit the application program to IT department for approval prior to using
the program on a system connected to the organizational network.

If the employee causes a security problem on the network by installing and
running an unapproved program, they risk disciplinary action.

4.0 Exceptions

Special exception may be made to this policy for specific employees
depending on the required job function and the skills of the employee.
Some reasons for exception include:

1. The employee may be the person who needs to test new applications
on a test network, then on the main network.
2. The employee may be a developer that must run applications
developed by themselves in order to test their own work.

3. Network administrators may be allowed the ability to operate and test
new software.

5.0 Enforcement

Since running safe programs is critical to the security of the organization,
employees that do not adhere to this policy may be subject to disciplinary
action up to and including dismissal.

(Please refer to Appendix 20)

6.0 List of Approved Applications

IT department approved applications are listed below.

• Microsoft Office Suite
• Mozilla Firefox
• Adobe Acrobat
• Microsoft Visio
• Bitdefender Endpoint Security Tools
• 7Zip

APPENDIX 13
Asset Control Policy

1.0 Overview

All employees and personnel that have access to organizational computer
systems must adhere to the IT asset control policy defined below in order
to protect the security of the network, protect data integrity, and protect
and control computer systems and organizational assets. The asset
control policy will not only enable organizational assets to be tracked
concerning their location and who is using them but it will also protect any
data being stored on those assets. This asset policy also covers disposal
of assets.

IT assets should not be confused with nor tracked with other
organizational assets such as furniture. One of the main reasons to track
IT assets other than for property control and tracking is for computer
security reasons. A special IT asset tracking policy will enable the
organization to take measures to protect data and networking resources.

This policy will define what must be done when a piece of property is
moved from one building to another or one location to another. This policy
will provide for an asset tracking database to be updated so the location of
all computer equipment is known. This policy will help network
administrators protect the network since they will know what user and
computer is at what station in the case of a worm infecting the network.
This policy also covers the possibility that data on a computer being
moved between secure facilities may be sensitive and must be encrypted
during the move.

2.0 Purpose

This policy is designed to protect the organizational resources on the
network by establishing a policy and procedure for asset control. These
policies will help prevent the loss of data or organizational assets and will
reduce risk of losing data due to poor planning.

3.0 Assets Tracking

This section defines what IT assets should be tracked and to what extent
they should be tracked.

3.1 IT Asset Types

This section categorizes the types of assets subject to tracking.

1. Desktop workstations
2. Laptop / mobile devices
3. Printers, Copiers, FAX machines, multifunction machines
4. Handheld devices
5. Scanners
6. Servers
7. Firewalls
8. Routers
9. Switches
10. Memory devices

3.2 Assets Tracked

Assets which cost less than RM100 shall not be tracked, specifically
including computer components such as video cards or sound
cards. However, assets which store data regardless of cost shall be
tracked. These assets include:

1. Hard Drives
2. Temporary storage drives
3. Tapes with data stored on them including system backup data.
4. Although not specifically tracked, other storage devices
including CD ROM disks and floppy disks are covered by this
policy for disposal and secure storage purposes.

3.3 Small Memory Devices

Small memory storage assets will not be tracked by location but by
trustee. These assets include:

1. Floppy disks
2. CD ROM disks
3. Memory sticks

If these types of devices are permitted for some employees, the
trustee of the device must sign for receipt of these devices in their
possession. All employees must also agree to handle memory
sticks, floppy disks, and CD ROM disks in a responsible manner
and follow these guidelines:

1. Never place sensitive data on them without authorization. If
sensitive data is placed on them, special permission must be
obtained and the memory device must be kept in a secure area.
2. Never use these devices to bring executable programs from
outside the network without authorization and without first
scanning the program with an approved and updated anti-virus
and malware scanner. Any program brought into the network
should be on the IT department list of approved programs.

The Memory Device Trustee agreement allows employees to sign
for receipt of these devices and agree to handle these devices in
accordance with the terms of this policy. This form must be
submitted by all employees that will work with any organizational
data when the employee begins working for the organization. It will
also be submitted when an employee receives one or more memory
sticks, temporary storage drives, or data backup drives.

4.0 Asset Tracking Requirements

1. All assets must have an ID number. Either an internal tracking number
will be assigned when the asset is acquired or the use of Manufacturer
ID numbers must be specified in this policy.
2. An asset tracking database shall be created to track assets. It will
include all information on the Asset Transfer Checklist table and the
date of the asset change.
3. When an asset is acquired, an ID will be assigned for the asset and its
information shall be entered in the asset tracking database.

5.0 Transfer Procedure:

1. Asset Transfer Checklist - When an asset type listed on the Asset
Types list is transferred to a new location or trustee, the IT Asset
Transfer Checklist must be filled out by the trustee of the item and
approved by an authorized representative of the organization. The
trustee is the person whose care the item is in. If the item is a
workstation, then the trustee is the most common user of the
workstation. For other equipment, the trustee is the primary person
responsible for maintenance or supervision of the equipment.

The trustee must fill out the Asset Transfer Checklist form and indicate
whether the asset is a new asset, moving to a new location, being
transferred to a new trustee, or being disposed of. The following
information must be filled in:

1. Asset Type
2. ID number
3. Asset Name
4. Current Location
5. Designated Trustee
6. New Location
7. New Trustee
8. Locations of Sensitive Data

Once the trustee fills out and signs the Asset Transfer Checklist form
an authorized representative must sign it.

2. Data entry - After the Asset Transfer Checklist is completed, it will be
given to the asset tracking database manager. The asset tracking
database manager will ensure that the information from the forms is
entered into the asset tracking database within one week.
3. Checking the database - Managers who manage projects that
affect equipment location should check periodically to see if the
assets that recently were moved were added to the database. The
database should provide a recent move list which can be easily
checked. Managers should check the database weekly to be sure
assets moved within the last 2 or 3 weeks are included in the database.

6.0 Asset Transfers

This policy applies to any asset transfers including the following:

1. Asset purchase
2. Asset relocation
3. Change of asset trustee including when an employee leaves or is
replaced.
4. Asset disposal

In all these cases the asset transfer checklist must be completed.

7.0 Asset Disposal

Asset disposal is a special case since the asset must have any sensitive
data removed prior to disposal. For any data storage devices, the manager
of the user of the asset must determine what the level of maximum
sensitivity of data stored on the device is. Below is listed the action for the
device based on data sensitivity according to the data assessment
process.

1. None (Unclassified) - No requirement to erase data but in the interest
of prudence normally erase the data using any means such as
reformatting or degaussing.
2. Low (Sensitive) - Erase the data using any means such as
reformatting or degaussing.
3. Medium (Confidential) - The data must be erased using an approved
technology to make sure it is not readable using special high-technology
techniques.
4. High (Secret) - The data must be erased using an approved
technology to make sure it is not readable using special high-technology
techniques. Approved technologies are to be specified in a Media Data
Removal Procedure document by asset type including:
1. Floppy disk
2. Memory stick
3. CD ROM disk
4. Storage tape
5. Hard drive.
6. RAM memory
7. ROM memory or ROM memory devices.

8.0 Media Use

This policy defines the types of data that may be stored on removable
media and whether that media may be removed from a physically secure
facility and under what conditions it would be permitted. Removable media
includes:

1. Floppy disk
2. Memory stick
3. CD ROM disk
4. Storage tape

Below is listed the policy for the device based on the rated data sensitivity
of data stored on the device according to the data assessment process.

1. Unclassified - Data may be removed with approval of the first level
manager and the permission is perpetual for the duration of the
employee's employment unless revoked. The device may be sent to other
offices using any public or private mail carrier.
2. Sensitive - Data may only be removed from secure areas with the
permission of a director level or higher level of management and
approvals are good for one time only.
3. Confidential - The data may only be removed from secure areas with
permission of a Vice-president or higher level of management. There
must be some security precautions documented for both the transport
method and at the destination.
4. Secret - The data may only be removed from secure areas with the
permission of the President or higher level of management. There must
be some security precautions documented for both the transport
method and at the destination.
5. Top secret - The data may never be removed from secure areas.

9.0 Enforcement

Since data security and integrity along with resource protection is critical to
the operation of the organization, employees that do not adhere to this
policy may be subject to disciplinary action up to and including dismissal.
Any employee aware of any violation of this policy is required to report it to
their supervisor or other authorized representative.

(Please refer to Appendix 20)

APPENDIX 14
Information Sensitivity Policy

1.0 Purpose
The Information Sensitivity Policy is intended to help employees determine
what information can be disclosed to non-employees, as well as the
relative sensitivity of information that should not be disclosed outside of
Yee Lee Corporation without proper authorization.

The information covered in these guidelines includes, but is not limited to,
information that is either stored or shared via any means. This includes:
electronic information, information on paper, and information shared orally
or visually (such as telephone and video conferencing).

All employees should familiarize themselves with the information labeling
and handling guidelines that follow this introduction. It should be noted that
the sensitivity level definitions were created as guidelines and to
emphasize common sense steps that you can take to protect Yee Lee
Corporation Confidential information (e.g., Yee Lee Corporation
Confidential information should not be left unattended in conference
rooms).

Please Note: The impact of these guidelines on daily activity should be
minimal.

Questions about the proper classification of a specific piece of information
should be addressed to your manager.

2.0 Scope
All Yee Lee Corporation information is categorized into two main
classifications:
• Yee Lee Corporation Public
• Yee Lee Corporation Confidential

Yee Lee Corporation Public information is information that has been
declared public knowledge by someone with the authority to do so, and
can freely be given to anyone without any possible damage to Yee Lee
Corporation.

Yee Lee Corporation Confidential contains all other information. It is a
continuum, in that it is understood that some information is more sensitive
than other information, and should be protected in a more secure manner.
Included is information that should be protected very closely, such as trade
secrets, development programs, potential acquisition targets, and other
information integral to the success of our company. Also included in Yee
Lee Corporation Confidential is information that is less critical, such as
telephone directories, general corporate information, personnel
information, etc., which does not require as stringent a degree of
protection.

A subset of Yee Lee Corporation Confidential information is "Yee Lee
Corporation Third Party Confidential" information. This is confidential
information belonging or pertaining to another corporation which has been
entrusted to Yee Lee Corporation by that company under non-disclosure
agreements and other contracts. Examples of this type of information
include everything from joint development efforts to vendor lists, customer
orders, and supplier information. Information in this category ranges from
extremely sensitive to information about the fact that we've connected a
supplier / vendor into Yee Lee Corporation's network to support our
operations.

Yee Lee Corporation employees are encouraged to use common sense
judgment in securing Yee Lee Corporation Confidential information to the
proper extent. If an employee is uncertain of the sensitivity of a particular
piece of information, he/she should contact their manager.

3.0 Policy
The Sensitivity Guidelines below provide details on how to protect
information at varying sensitivity levels. Use these guidelines as a
reference only, as Yee Lee Corporation Confidential information in each
column may necessitate more or less stringent measures of protection
depending upon the circumstances and the nature of the Yee Lee
Corporation Confidential information in question.

3.1 Minimal Sensitivity: General corporate information; some
personnel and technical information.

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of
"3rd Party Confidential".

Marking is at the discretion of the owner or custodian of the information. If
marking is desired, the words "Yee Lee Corporation Confidential" may be
written or designated in a conspicuous place on or in the information in
question. Other labels that may be used include "Yee Lee Corporation
Proprietary" or similar labels at the discretion of your individual business
unit or department. Even if no marking is present, Yee Lee Corporation
information is presumed to be "Yee Lee Corporation Confidential" unless
expressly determined to be Yee Lee Corporation Public information by a
Yee Lee Corporation employee with authority to do so.

Access: Yee Lee Corporation employees, contractors, people with a
business need to know.

Distribution within Yee Lee Corporation: Standard interoffice mail,
approved electronic mail and electronic file transmission methods.

Distribution outside of Yee Lee Corporation internal mail: Normal mail
and other public or private carriers, approved electronic mail and electronic
file transmission methods.

Electronic distribution: No restrictions except that it is being sent to only
approved recipients.

Storage: Keep from view of unauthorized people; erase whiteboards, do
not leave in view on tabletop. Machines should be administered with
security in mind. Protect from loss; electronic information should have
individual access controls where possible and appropriate.

Disposal/Destruction: Deposit outdated paper information in specially
marked disposal bins on Yee Lee Corporation premises; electronic data
should be expunged / cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including
termination, possible civil and/or criminal prosecution to the full extent of
the law.

3.2 More Sensitive: Business, financial, technical, and most personnel
information

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of
"3rd Party Confidential". As the sensitivity level of the information
increases, you may, in addition or instead of marking the
information "Yee Lee Corporation Confidential" or "Yee Lee
Corporation Proprietary", wish to label the information "Yee Lee
Corporation Internal Use Only" or other similar labels at the
discretion of your individual business unit or department to denote a
more sensitive level of information. However, marking is
discretionary at all times.

Access: Yee Lee Corporation employees and non-employees with signed
non-disclosure agreements who have a business need to know.

Distribution within Yee Lee Corporation: Standard interoffice mail,
approved electronic mail and electronic file transmission methods.

Distribution outside of Yee Lee Corporation internal mail: Sent via
normal mail or approved private carriers.

Electronic distribution: No restrictions to approved recipients within Yee
Lee Corporation, but should be encrypted or sent via a private link to
approved recipients outside of Yee Lee Corporation premises.

Storage: Individual access controls are highly recommended for electronic
information.

Disposal/Destruction: In specially marked disposal bins on Yee Lee
Corporation premises; electronic data should be expunged / cleared.
Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including
termination, possible civil and/or criminal prosecution to the full extent of
the law.

3.3 Most Sensitive: Trade secrets & marketing, operational, personnel,
financial, source code, & technical information integral to the
success of our company

Marking guidelines for information in hardcopy or electronic form.

Note: any of these markings may be used with the additional annotation of
"3rd Party Confidential". To indicate that Yee Lee Corporation
Confidential information is very sensitive, you may label the
information "Yee Lee Corporation Internal: Registered and
Restricted", "Yee Lee Corporation Eyes Only", "Yee Lee
Corporation Confidential" or similar labels at the discretion of your
individual business unit or department. Once again, this type of Yee
Lee Corporation Confidential information need not be marked, but
users should be aware that this information is very sensitive and should be
protected as such.

Access: Only those individuals (Yee Lee Corporation employees and
non-employees) designated with approved access and signed
non-disclosure agreements.

Distribution within Yee Lee Corporation: Delivered direct - signature
required, envelopes stamped confidential, or approved electronic file
transmission methods.

Distribution outside of Yee Lee Corporation internal mail: Delivered
direct; signature required; approved private carriers.

Electronic distribution: No restriction to approved recipients within Yee
Lee Corporation, but it is highly recommended that all information be
strongly encrypted.

Storage: Individual access controls are very highly recommended for
electronic information. Physical security is generally used, and information
should be stored in a physically secured computer.

Disposal/Destruction: Strongly Encouraged: In specially marked
disposal bins on Yee Lee Corporation premises; electronic data should be
expunged/cleared. Reliably erase or physically destroy media.

Penalty for deliberate or inadvertent disclosure: Up to and including
termination, possible civil and/or criminal prosecution to the full extent of
the law.

4.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)

5.0 Terms and Definitions

Appropriate measures

To minimize risk to Yee Lee Corporation from an outside business
connection. Yee Lee Corporation computer use by competitors and
unauthorized personnel must be restricted so that, in the event of an
attempt to access Yee Lee Corporation corporate information, the amount
of information at risk is minimized.

Configuration of Yee Lee Corporation-to-other business connections

Connections shall be set up to allow other businesses to see only what
they need to see. This involves setting up both applications and network
configurations to allow access to only what is necessary.

Delivered Direct; Signature Required

Do not leave in interoffice mail slot; call the mail room for special pick-up of
mail.

Approved Electronic File Transmission Methods

Includes supported FTP clients and Web browsers.

Envelopes Stamped Confidential

You are not required to use a special envelope. Put your document(s) into
an interoffice envelope, seal it, address it, and stamp it confidential.

Approved Electronic Mail

Includes all mail systems supported by the IT Support Team. These
include, but are not necessarily limited to, [insert corporate supported
mailers here…]. If you have a business need to use other mailers, contact
the appropriate support organization.

Approved Encrypted email and files

Techniques include the use of DES and PGP. DES encryption is available
via many different public domain packages on all platforms. PGP use
within Yee Lee Corporation is done via a license. Please contact the
appropriate support organization if you require a license.

Company Information System Resources

Company Information System Resources include, but are not limited to, all
computers, their data and programs, as well as all paper information and
any information at the Internal Use Only level and above.

Expunge

To reliably erase or expunge data on a PC or Mac you must use a
separate program to overwrite data, supplied as a part of Norton Utilities,
etc. Otherwise, the PC or Mac's normal erasure routine keeps the data
intact until overwritten. The same thing happens on UNIX machines, but
data is much more difficult to retrieve on UNIX systems.

Individual Access Controls

Individual Access Controls are methods of electronically protecting files
from being accessed by people other than those specifically designated by
the owner.

Insecure Internet Links

Insecure Internet Links are all network links that originate from a locale or
travel over lines that are not totally under the control of Yee Lee
Corporation.

Encryption

Secure Yee Lee Corporation Sensitive information in accordance with the
Acceptable Encryption Policy. International issues regarding encryption
are complex. Follow corporate guidelines on export controls on
cryptography, and consult your manager and/or corporate legal services
for further guidance.

One Time Password Authentication

One Time Password Authentication on Internet connections is
accomplished by using a one time password token to connect to Yee Lee
Corporation's internal network over the Internet. Contact IT Department for
more information on how to set this up.

Physical Security

Physical security means either having actual possession of a computer at
all times, or locking the computer in an unusable state to an object that is
immovable. Methods of accomplishing this include having a special key to
unlock the computer so it can be used, thereby ensuring that the computer
cannot be simply rebooted to get around the protection. If it is a laptop or
other portable devices, never leave it alone in a conference room, hotel
room or on an airplane seat, etc. Make arrangements to lock the device in
a hotel safe, or take it with you. In the office, always use a lockdown cable.
When leaving the office for the day, secure the laptop and any other
sensitive material in a locked drawer or cabinet.


Private Link

A Private Link is an electronic communications path that Yee Lee
Corporation has control over its entire distance. For example, all Yee Lee
Corporation networks are connected via Private Link. Computers with
modem connected via a standard land line (not cell phone) to another
computer have established a private link. An ISDN line to employee’s
homes is a private link. Yee Lee Corporation also has established private
links to other companies, so that all email correspondence can be sent in a
more secure manner. Companies which Yee Lee Corporation has
established private links include all announced acquisitions and some
short-term temporary links.


APPENDIX 15
Mobile Computer Policy

1.0 Overview

Portable computing devices, including but not limited to Personal Data
Assistants (PDA), Blackberry devices, iPhones, laptop/tablet computers,
Smartphone, Android Phone, etc., are becoming increasingly powerful and
affordable. Their small size and functionality are making these devices
ever more desirable to replace traditional desktop computers in a wide
number of applications. However, the portability offered by these devices
increases the risk that information stored or transmitted on them will be
exposed.

This policy defines the use of Mobile Devices in the organization. It defines:
1. The process that mobile devices must meet to leave the corporate
network. Both the devices and any sensitive data should be password
protected.
2. How mobile devices will be protected while outside the organizational
network.
3. The process that mobile devices must meet to enter the corporate
network when being brought into a building owned by the organization.

2.0 Purpose

This policy is designed both to protect the confidentiality of any data that
may be stored on the mobile devices and to protect the organizational
network from being infected by any hostile software when the mobile
devices return. This policy also considers wireless access.

3.0 Scope

This policy covers any mobile devices brought into the organization or
connected to the organizational network using any connection method.
This includes but is not limited to tablet computers, laptops/notebooks,
Personal Data Assistants (PDA) and Smartphones (like Samsung Tab,
iPhone, iPad, Android Phone, etc).

It also considers the sensitivity of the data stored and viewed on
the mobile computer, including:

1. Email
2. Data the user is working on that is stored locally.
3. Cached data that is stored locally such as cached data from the user's
browser. Windows OS/Smartphone OS allows for cached files to be
encrypted using the encrypting file system (EFS).
4. Data from the internal network that the user may access while the
mobile device is outside the network.
5. Locally stored user names and passwords.

Consider loss due to:

6. Theft - should locally stored data be encrypted?
7. Hard drive / Storage device failure
8. Hardware failure

4.0 Responsibility

The user of the mobile devices will accept responsibility for taking
reasonable safety precautions with the mobile devices and agrees to
adhere to this policy. The mobile device user will not be allowed to have
administrative rights unless granted special exception by the network
administrator. The user of the mobile device agrees not to use the mobile
devices for personal business and agrees to abide by the organizational
computer usage policy.

5.0 Connection Terms

1. Mobile devices connected to the organizational network must be
determined to be a benefit to the organization rather than convenience by
the designated IT manager.
2. All mobile devices owned by the organization or allowed on the
organization network must be identified by their MAC address to the IT
department before being connected. (Possibly require static IP address)
3. The device must meet the mobile device connection standards described
in the following section.
4. The mobile device operator must be identified by name and contact
information to the IT department.
5. The mobile device operator must be familiar with the organization's
acceptable use policy.
6. Employees are not allowed to bring in and use any mobile devices of
their own in the organization unless approved by the management.
This is to prevent the following:
a. Pirated software from entering the organization.
b. Viruses from affecting the organization network.
c. Important information from leaking out of the organization.

Access rights to the organizational network cannot be transferred to
another person even if that person is using an allowed mobile device.

6.0 Mobile Devices Protection

1. Any mobile device owned by the organization shall at all times operate
the following for its own protection:
a. Antivirus program named Kaspersky with the latest possible virus
updates. The program shall be configured for real time protection,
to retrieve updates daily, and to perform an anti-virus or malware
scan at least once per week.
b. A firewall program (for Notebook/Laptop) with the latest possible
updates. The program shall be operational any time the mobile
device is connected to any un-trusted network including the internet
to protect the device from worms and other malware.
c. Additional malware protection software shall be active on the device
in accordance with the anti-virus and malware policy.
d. The operating system and application patch levels must be
consistent with the current patch levels of our organization for
similar devices and operating systems. All mobile devices in the
organization shall have wireless access disabled. If wireless access
is used, a specific protocol for wireless encryption shall be
designated and configured. Also the maximum data sensitivity
category shall be noted for the device depending on the security of
the wireless access and other features of the mobile device.
2. Policy for mobile devices owned by the organization and removed
nightly by employees with permission to work from home.
a. These mobile devices shall always meet requirement 6.0.1 above.
b. If at any time the mobile device shall fail to meet the requirement
6.0.1 above, the employee shall report the condition to the IT
Department and a check of the mobile device equivalent to any
check of an unsecure mobile device entering the building shall be
performed.
c. It shall be ensured that unauthorized persons cannot gain access to
the mobile device without a proper user identification and password.
Operating systems that do not safely support this process shall not
be used in mobile devices. The IT Department will determine and
specify the proper tools to be used for authentication and access
controls.
d. Data to be stored on the mobile device will be evaluated and rated
to consider the sensitivity of the data according to the Data
Assessment Process document. Any data stored on the mobile
device that is considered to be sensitive will be stored only in an
encrypted format, possibly using an Encrypting File System (EFS).
e. The mobile device shall be checked weekly by IT Department
personnel at designated times when the mobile device will be
entering a secure building area. The check will include a scan for
malware and a test to determine whether the mobile device has a
worm. The state of stored sensitive data shall also be checked to
determine whether it is encrypted and whether data of too high a
level of security is being stored on the mobile device. Remove any
malware on the mobile device if any was detected. Log information
about any malware found. Log any information about data that was
not stored properly.
3. Policy for mobile devices being used for travel - Protection of these
mobile devices shall be the encryption of all sensitive data and a
requirement for a valid user ID to operate the mobile device.
4. These mobile devices shall always meet requirement 6.0.1 above. If
any additional software installation is required, it must be done and
configured before the mobile device leaves the building by IT
Department.
5. It shall be ensured that unauthorized persons cannot gain access to
the mobile device without a proper user identification and password.
Operating systems that do not safely support this process shall not be
used in mobile devices. The IT Department will determine and specify
the proper tools to be used for authentication and access controls.
6. Data to be stored on the mobile devices during the time the mobile
device is not in a security facility will be evaluated and rated to consider
the sensitivity of the data according to the Data Assessment Process
document. Any data stored on the mobile device that is considered to
be sensitive will be stored only in an encrypted format, possibly using
an Encrypting File System (EFS). Any data not considered to be safe
to be stored on the mobile device will be removed using a designated
program to be sure it has been removed so it cannot be read using
special technology later. There will be a list of documented sensitive
data including storage locations for all sensitive data stored on the
mobile device. This list will be created before the mobile device leaves
the facility.
7. If there is a chance that the user will view any sensitive data using their
web browser or other program, cached data will need to be encrypted.
Cached data that is stored locally such as cached data from the user's
browser will be set to be encrypted using the encrypting file system
(EFS). This may require Windows OS or some third party software. In
Windows OS (for Notebook/Laptop only), this may be enabled using
the following procedure:
a. Open "My Computer".
b. Click on "Tools" and select "Folder Options".
c. Select the "Offline files" tab.
d. Check the box next to "Encrypt offline files to secure data".
e. Click "OK" to exit.
8. If the mobile device will acquire irreplaceable and valuable data while
on the road, the mobile device user must notify the IT department so
arrangements can be made for a method to back the data up.

9. Policy for mobile devices being used by contractors / vendors
a. The mobile device will first be checked for compliance with section
6.0.1 above.
b. The mobile device will be scanned for malware and tested to
determine whether the mobile device has a worm. Any malware on
the mobile device shall be removed if any was detected. Log
information about any malware found.
c. If the mobile device is in compliance with section 6.0.1 and contains
no malware, the contractor shall report any sensitive data related to
the organization that is expected to be stored on the mobile device.
d. Data to be stored on the mobile device will be evaluated and rated
to consider the sensitivity of the data according to the Data
Assessment Process document. Any data stored on the mobile
device that is considered to be sensitive will be stored only in an
encrypted format, possibly using an Encrypting File System (EFS).
e. The ID of the mobile device shall be recorded and it shall be
certified for use on the organizational network.
f. The mobile device shall be checked weekly by IT Department
personnel at designated times when the mobile device will be
entering a secure building area. The check will include a scan for
malware and a test to determine whether the mobile device has a
worm. The state of stored sensitive data shall also be checked to
determine whether it is encrypted and whether data of too high a
level of security is being stored on the mobile device. Remove any
malware on the mobile device if any was detected. Log information
about any malware found. Log any information about data that was
not stored properly. If the mobile device is storing data improperly,
the certification of the mobile device shall be reviewed.

7.0 Protecting the Network

Mobile devices entering the network shall meet the following requirements.

1. If the mobile device is owned by the organization and used regularly by
employees according to 4.0.2 above, then the mobile device shall be
checked according to that part of the policy.
2. If the mobile device is owned by the organization and is returning from
a period when an employee used it for travel, the following check shall
be performed.
a. Determine whether the anti-virus program is up to date, has the
latest virus definitions, is configured properly, and is running
properly. If it fails one of these conditions or has not been scanned
for a virus within the last week, a full virus scan must be done
before the mobile device can be used in the building.
b. Scan the mobile device for additional malware such as adware or
spyware, and test to determine whether the mobile device has a
worm.
c. Test the state of stored sensitive data to be sure it is encrypted.
d. Remove any malware on the mobile device if any was detected.
Log information about any malware found. Log any information
about data that was not stored properly.
3. If the mobile device is owned by an outside organization the following
must be done.
a. The outside organization must agree in writing to allow a malware
scan of their mobile device and agree to pay any costs if malware is
found on their mobile device.
b. A full virus scan must be done.
c. Scan the mobile device for additional malware such as adware or
spyware, and test to determine whether the mobile device has a
worm.
d. Remove any malware on the mobile device if any was detected.
Log information about any malware found. The outside organization
may be billed for services depending on organizational policy.

8.0 Enforcement

Since improper use of mobile devices can bring in hostile software which
may destroy the integrity of network resources and systems and the
prevention of these events is critical to the security of the organization and
all individuals, employees that do not adhere to this policy may be subject
to disciplinary action up to and including dismissal.

(Please refer to Appendix 20)


APPENDIX 16
Removable Media

1.0 Overview

Removable media is a well-known source of malware infections and has
been directly tied to the loss of sensitive information in many organizations.

2.0 Purpose

To minimize the risk of loss or exposure of sensitive information
maintained by Yee Lee Group and to reduce the risk of acquiring malware
infections on computers operated by Yee Lee Group.

3.0 Scope
This policy covers all computers, mobile devices and servers operating in
Yee Lee Group.

4.0 Policy

Yee Lee Group staff may only use Yee Lee Group removable media in
their work computers. Yee Lee Group removable media may not be
connected to or used in computers that are not owned or leased by the
Yee Lee Group without explicit permission of the Yee Lee Group IT
Department. Sensitive information should be stored on removable media
only when required in the performance of your assigned duties or when
providing information required by other state or federal agencies. When
sensitive information is stored on removable media, it must be encrypted
in accordance with the Yee Lee Group Acceptable Encryption Policy:

Exceptions to this policy may be requested on a case-by-case basis by
Yee Lee Group-exception procedures.


5.0 Enforcement

Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)

6.0 Definitions
Removable Media: Device or media that is readable and/or writeable by
the end user and is able to be moved from computer to computer without
modification to the computer. This includes flash memory devices such as
thumb drives, cameras, MP3 players and PDAs; removable hard drives
(including hard drive-based MP3 players); optical disks such as CD and
DVD disks; floppy disks and any commercial music and software disks not
provided by Yee Lee Group.

Encryption: A procedure used to convert data from its original form to a
format that is unreadable and/or unusable to anyone without the
tools/information needed to reverse the encryption process.

Sensitive Information: Information which, if made available to
unauthorized persons, may adversely affect Yee Lee Group, its programs,
or participants served by its programs. Examples include, but are not
limited to, personal identifiers and financial information.

Malware: Software of malicious intent/impact such as viruses, worms,
and Spyware.


APPENDIX 17
Vendor/Third-Party Access Policy

1.0 Purpose

The purpose of the Yee Lee Group Third-Party Access Policy is to
establish the rules for vendor access to Yee Lee Group Information
Resources and support services (A/C, UPS, PDU, fire suppression, etc.),
vendor responsibilities, and protection of Yee Lee Group information.
Vendor access to Yee Lee Group Information Resources is granted solely
for the work contracted and for no other purposes.

2.0 Audience

The Yee Lee Group Third-Party Access Policy applies to all individuals
that are responsible for the installation of new Yee Lee Group Information
Resource assets, and the operations and maintenance of existing Yee Lee
Group Information Resources, and who do or may allow vendor access for
support, maintenance, and monitoring and/or troubleshooting purposes.

3.0 Policy

- Vendors must comply with all applicable Yee Lee Group policies,
practice standards and agreements, including, but not limited to:
• Remote Access Policies
• Wireless Communication Policies
• Security Policies
• Information Sensitivity Policies
• Software Licensing Policies
• Acceptable Use Policies
- Vendor agreements and contracts must specify:
• The Yee Lee Group information the vendor should have access to
• How Yee Lee Group information is to be protected by the vendor
• Acceptable methods for the return, destruction or disposal of Yee
Lee Group information in the vendor’s possession at the end of the
contract
• The Vendor must only use Yee Lee Group information and
Information Resources for the purpose of the business agreement
• Any other Yee Lee Group information acquired by the vendor in the
course of the contract cannot be used for the vendor’s own
purposes or divulged to others
- Yee Lee Group IT Department will provide a technical point of contact
for the vendor. The point of contact will work with the vendor to make
certain the vendor is in compliance with these policies.
- Each vendor must provide Yee Lee Group with a list of all employees
working on the contract. The list must be updated and provided to Yee
Lee Group within 24 hours of staff changes, wherever possible.
- Each vendor employee with access to Yee Lee Group Confidential
Data must be approved to handle that information at a level
commensurate with its classification level.
- Vendor personnel must report all security incidents directly to the
appropriate Yee Lee Group IT personnel.
- If vendor management is involved in Yee Lee Group security incident
management, the responsibilities and details must be specified in the
contract.
- Vendor must follow all applicable Yee Lee Group change control
processes and procedures.
- If appropriate, regular work hours and duties will be defined in the
contract. Work outside of defined parameters must be approved in
writing by appropriate Yee Lee Group IT management.
- All vendor maintenance equipment on the Yee Lee Group network that
connects to the outside world via the network, telephone line, or leased
line, and all Yee Lee Group Information Resource vendor accounts will
remain disabled except when in use for authorized maintenance.
- Vendor access must be uniquely identifiable and password
management must comply with the Yee Lee Group Password Policy.
- Vendor’s major work activities must be entered into a log and available
to Yee Lee Group IT management upon request. Logs must include,
but are not limited to, such events as personnel changes, password
changes, project milestones, deliverables, and arrival and departure
times, wherever possible.
- Upon departure of a vendor employee from the contract for any reason,
the vendor will ensure that all sensitive information is collected and
returned to Yee Lee Group or destroyed within 24 hours.
- Upon termination of contract or at the request of Yee Lee Group, the
vendor will return or destroy all Yee Lee Group information and provide
written certification of that return or destruction within 24 hours.
- Upon termination of contract or at the request of Yee Lee Group, the
vendor must surrender all Yee Lee Group badges, access cards,
equipment and supplies immediately. Equipment and/or supplies to be
retained by the vendor must be documented by authorized Yee Lee
Group IT management.
- Vendors are required to comply with all regulatory and Yee Lee Group
auditing requirements, including the auditing of the vendor’s work. All
software used by the vendor in providing service to Yee Lee Group
must be properly inventoried and licensed.
- Each vendor granted access to any Yee Lee Group Information
Resource must sign the Yee Lee Group Information Security Policy
Acknowledgement Form which stipulates that he/she:
• Has read and understands the security policies
• Understands his/her responsibilities to comply
• Understands the consequences of an infraction.

4.0 Enforcement

Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.
(Please refer to Appendix 20)


APPENDIX 18
Anti-Virus Policy
1.0 Overview

This policy defines anti-virus policy on every computer including how often
a virus scan is done, how often updates are done, what programs will be
used to detect, prevent, and remove malware programs. It defines what
types of file attachments are blocked at the mail server and what anti-
virus program will be running on the mail server and all Yee Lee Group
Computers. It may specify whether an anti-spam firewall will be used to
provide additional protection to the mail server. It may also specify how
files can enter the trusted network and how these files will be checked for
hostile or unwanted content. For example, it may specify that files sent to
the enterprise from outside the trusted network be scanned for viruses by
a specific program.

2.0 Purpose

This policy is designed to help prevent infection of Yee Lee Group
computers and computer systems by computer viruses and other
malicious code. This policy is intended to help prevent damage to user
applications, data, files, and hardware.

3.0 Scope

This policy applies to all employees of Yee Lee Group. Vendors,
contractors, partners, visitors, collaborators and any others doing business
with Yee Lee Group will be subject to the provisions of this policy. Any
other parties who use, work on, or provide services involving Yee Lee
Group computers and technology systems will also be subject to the
provisions of this policy. Every user of Yee Lee Group computer resources
is expected to know and follow this policy.


4.0 Anti-Virus Policy

Yee Lee Group will use a single anti-virus product for anti-virus protection
and that product is Bitdefender Endpoint Security Tools. The following
minimum requirements shall remain in force.

1. The anti-virus product shall be operated in real time on all servers and
client computers. The product shall be configured for real time
protection.
2. The anti-virus library definitions shall be updated at least once per day.
3. Anti-virus scans shall be done a minimum of once per week on all user-
controlled workstations and servers.

No one should be able to stop anti-virus definition updates and anti-virus
scans except for domain administrators.

1. All Yee Lee Group computer devices connected to the Yee Lee
Corporate network (herein referred to as "the network") or networked
resources shall have anti-virus software installed, configured so that
the virus definition files are current, routinely and automatically updated,
and the anti-virus software must be actively running on these devices.
2. All files on computer devices will be scanned periodically for
viruses. All departments will have to establish a schedule for
automatically scanning the devices within their control.
3. If deemed necessary to prevent propagation to other networked
devices or detrimental effects to the network or data, an infected
computer device may be disconnected from the network until the
infection has been removed. This will be done under the direction of
the IT Department in conjunction with the affected department and the
IT Manager.
4. Exceptions to this policy may be allowed if a department computer
device cannot have anti-virus software installed. Possible examples of
this would be vendor-controlled systems, FDA validated systems, or
devices where anti-virus software has not yet been developed. In
these cases, the department must develop a plan to protect the device
from infection.
5. An exception may be granted if an infected computer device is
discovered that performs a critical function and may not be immediately
taken "off-line" without seriously impairing some business function or
affecting patient care. Under those circumstances, a plan will be
developed to allow the computer device to be taken off-line and the
infection purged while protecting the function of the device.

5.0 Email Policy - Blocked Attachment Types

The email server or proxy server will block all emails with
attachment types listed below. This is because these attachment
types are dangerous: they contain active content which may be used
to infect a computer with hostile software, or they are commonly
and successfully used by virus programs or malware to spread.

1. ade - Microsoft Access project extension can contain executable
code.
2. adp - Microsoft Access project can contain executable code.
3. app - Microsoft FoxPro application is executable code.
4. asp - Active server pages
5. asx -
6. bas - Basic program source code is executable code.
7. bat - Batch file which can call executable code.
8. chm - Compiled HTML help file can contain executable code.
9. cmd - Windows NT command script file is executable code.
10. com - Command file program is executable code.
11. cpl - Control panel extension
12. crt
13. csh
14. dll - Dynamic link library is executable code. Could be placed on
your system then run by the system later.
15. exe - Binary executable program is executable code.
16. fxp - Microsoft FoxPro is executable code.
17. hlp - Help file
18. hta - HTML program
19. inf - Setup information
20. ins - Internet naming service
21. isp - Internet communication settings
22. js - JavaScript file
23. jse - JavaScript encoded file
24. ksh - Unix shell file
25. lnk - Link file
26. mda - Microsoft Access add-in program
27. mdb - Microsoft Access program
28. mde - Microsoft Access MDE database
29. mdt - Microsoft Access file
30. mdw - Microsoft Access file
31. mdz - Microsoft Access wizard program
32. msc - Microsoft Common Console document
33. msi - Microsoft windows installer package
34. msp - Windows Installer patch
35. mst - Visual Test source files
36. ops - FoxPro file
37. pcd - "Photo CD image or Microsoft Visual Test compiled script"
38. pif - "Shortcut to MS-DOS program"
39. prf - "Microsoft Outlook Profile Settings"
40. prg - "FoxPro program source file"
41. reg - Registry files
42. scf - "Windows Explorer Command file"
43. scr - Screen saver
44. sct - Windows® script component
45. shb - Document shortcut
46. shs - Shell scrap object
47. url - Internet address
48. vb - Visual Basic file
49. vbe - Visual Basic encoded script file
50. vbs - Visual Basic file
51. vsd
52. vss
53. vst
54. vsw
55. wsc - Windows script component
56. wsf - Windows script file
57. wsh - Windows script host settings file
58. xsl - XML file may contain executable code

zip - Many viruses zip files to keep them from being scanned and
provide instructions to users about how to run the attachment.
Many users still do this, so to secure the network it has become
necessary to block this attachment type.

Do not depend fully on the anti-virus software on each computer to
prevent these viruses. Viruses have a period of time when they
spread unrecognized by anti-virus software. Blocking these file
attachments will prevent many trouble calls.

When an email breaks the rules and contains an illegal file
attachment we should define one of the following to be done:

1. Delete the email and notify neither the sender nor the recipient.
The problem with doing this is in the fact that people may be
trying to send legitimate files to each other and have no way of
knowing their communication attempts are failing.
2. Delete the email and notify the sender - This will notify senders
when their emails do not go through, but it will also notify
senders who really did not send an email (when a virus spoofed
them as the sender) that they sent an email with an illegal
attachment. This can cause additional help desk requests
and questions for the administrator on the spoofed sender's side.
3. Delete the email and notify the sender and recipient. - This
would have all the drawbacks of the above policy but would also
increase help desk calls in our organization.
4. Remove the attachment and let the email go through. - This
would let the receiver know that someone tried to send them an
illegal attachment. If the attempt was a legitimate one, they
could contact the sender and tell them what to do to get the
attachment sent.
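
Option 4 above (remove the attachment and let the email go through) can be sketched with Python's standard `email` package. This is an added example, not part of the policy or of any mail gateway Yee Lee Group runs; the function names, the notice text and the sample message are constructed for illustration. It goes slightly beyond the list by also handling double extensions, trailing dots and attachments nested inside a forwarded message.

```python
import email
from email import policy
from email.message import EmailMessage, MIMEPart

# Extensions listed in section 5.0 of this policy, plus zip.
BLOCKED_EXTENSIONS = frozenset("""
ade adp app asp asx bas bat chm cmd com cpl crt csh dll exe fxp hlp hta inf
ins isp js jse ksh lnk mda mdb mde mdt mdw mdz msc msi msp mst ops pcd pif
prf prg reg scf scr sct shb shs url vb vbe vbs vsd vss vst vsw wsc wsf wsh
xsl zip
""".split())

# Constructed wording for the placeholder left where an attachment was removed.
NOTICE = "The attachment {!r} was removed by the mail gateway: blocked file type."


def blocked_extension(filename):
    """Return the blocked extension carried by filename, or None."""
    # Windows ignores trailing dots and spaces, so "run.bat." still opens
    # as a batch file; normalise before looking at the last extension.
    name = filename.strip().rstrip(". ").lower()
    if "." not in name:
        return None
    ext = name.rsplit(".", 1)[1]
    return ext if ext in BLOCKED_EXTENSIONS else None


def _prune(part, removed):
    """Replace blocked attachments below a multipart node with a text notice."""
    if not part.is_multipart():
        return
    kept = []
    for child in part.get_payload():
        name = child.get_filename()
        if name and blocked_extension(name):
            removed.append(name)
            notice = MIMEPart()
            notice.set_content(NOTICE.format(name))
            kept.append(notice)
        else:
            _prune(child, removed)  # nested multipart or forwarded message
            kept.append(child)
    part.set_payload(kept)


def strip_blocked_attachments(raw_bytes):
    """Option 4: drop blocked attachments and deliver the rest.

    Returns (cleaned_message, removed_filenames).
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    name = msg.get_filename()
    if not msg.is_multipart() and name and blocked_extension(name):
        # The whole message body is the attachment: swap it for the notice.
        removed.append(name)
        msg.clear_content()
        msg.set_content(NOTICE.format(name))
    else:
        _prune(msg, removed)
    return msg, removed


def attachment_names(msg):
    """Filenames of every part that still carries one."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def build_sample():
    """Constructed test message: one allowed and three blocked attachments."""
    inner = EmailMessage()
    inner["Subject"] = "Fwd: holiday pictures"
    inner.set_content("See attached.")
    inner.add_attachment(b"MZ", maintype="application",
                         subtype="octet-stream", filename="holiday.scr")

    outer = EmailMessage()
    outer["From"] = "sender@example.com"
    outer["To"] = "staff@example.com"
    outer["Subject"] = "Quarterly figures"
    outer.set_content("Figures attached.")
    for data, fname in ((b"1,2\n", "figures.csv"),
                        (b"MZ", "Invoice.PDF.exe"),
                        (b"PK", "photos.zip")):
        outer.add_attachment(data, maintype="application",
                             subtype="octet-stream", filename=fname)
    outer.add_attachment(inner)  # attached as message/rfc822
    return outer.as_bytes()


if __name__ == "__main__":
    cleaned, removed = strip_blocked_attachments(build_sample())
    print("removed:", removed)
    print("still attached:", attachment_names(cleaned))
```

The check looks only at the declared filename, so it implements the extension list as written; it does not inspect file content.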

6.0 File Exchange Policy

This part of the policy specifies methods that are allowed to be used when
files are sent into the network by members of the public or employees of
the organization. It specifies:

1. All legitimate methods used to include:
   i) FTP transfer to an FTP server.
   ii) File transfer to a Web server with a legitimate file upload
   program.
   iii) Any other method.
2. The method and type of software to be used to scan the files for hostile
content before they are completely transferred into the network. It will
also specify the update frequency for the scanning software.
3. The point in time when the files will be scanned.

7.0 Definition

Computer devices are any type of device connected to a network that
could become infected with a computer virus. Examples of computer
devices include, but are not limited to, workstations, servers, laptops,
mobile devices, PDAs, etc.

Malicious software is any type of computer code that infects a machine
and performs a malicious action. This is sometimes perpetrated by
computer viruses, worms, trojans, etc.

Anti-Virus software runs on either a server or workstation and monitors
network connections looking for malicious software. Anti-virus software is
generally reactive, meaning a signature file must be developed for each
new virus discovered and these virus definition files must be sent to the
software in order for the software to find the malicious code.

Virus definition files are periodic files provided by vendors to update the
anti-virus software to recognize and deal with newly discovered malicious
software.

8.0 Enforcement
Any employee found to have violated this policy may be subjected to
disciplinary action, up to and including termination of employment.

(Please refer to Appendix 20)

APPENDIX 19
Data Protection
Information Security Policy

1.0 Purpose

The purpose of this policy is to set the framework by which Yee Lee Corporation
achieves compliance with the Personal Data Protection Act 2010 (PDPA).

2.0 Scope

The PDPA lays down regulations and safeguards for the collection, recording and
use of personal information whether on paper, in a computer or recorded on other
material. Yee Lee Corporation needs to collect and use certain types of
information about people with whom it deals in order to operate. These include
employees, employment applicants, tenants, customers, board members,
suppliers and others with whom it communicates. Certain information may be
required for regulatory or monitoring purposes as laid down by statute. Other
information may be required for the purpose of establishing a business contract.
In any case Yee Lee Corporation recognises that the information must be dealt
with lawfully and correctly under the principles laid down within the PDPA.

This policy does not form part of any employee's contract of employment and it
may be amended at any time. However, any breach of this policy will be taken
seriously and may result in disciplinary action.

3.0 Responsibilities
It is the responsibility of Yee Lee Corporation to provide advice on compliance
and training in data protection. It is the responsibility of the HR Manager to
ensure that training opportunities are provided. It is the responsibility of the
Head of Department to ensure that the staff they manage have received
appropriate training in data protection; this includes temporary and casual
staff. It is the responsibility of every member of staff to act in compliance
with the PDPA and with Yee Lee Corporation policies and procedures.

Yee Lee Corporation will have a set of systems and procedures in place to
ensure that the requirements of the Personal Data Protection Act 2010 are
delivered. These will involve ensuring that:

• Everyone who manages or handles personal information understands that
they are contractually responsible for following good data protection
practice outlined in this policy;
• Everyone who manages or handles personal information is appropriately
trained to do so and is adequately supervised;
• Anyone wanting to make enquiries about handling personal information
knows what to do;
• Queries about handling personal information are promptly and courteously
dealt with;
• Methods of handling personal information are regularly assessed and
evaluated as a performance area.

4.0 The Personal Data Protection Act 2010


The purpose of the PDPA is to ensure that personal data is used in a way that is
fair to the individual and protects their rights, whilst ensuring that organisations
are able to process personal data in pursuit of their legitimate aims. In order to do
this, the PDPA lays down principles of good information handling, with which data
controllers must comply. The Data Protection Principles require that personal
data shall:

a) be obtained and processed fairly and lawfully, and shall not be processed
unless certain conditions, as defined in the PDPA, are met;
b) be obtained for a specified and lawful purpose and not be further
processed in a manner incompatible with that purpose;
c) be adequate, relevant and not excessive for the purpose for which they
are being processed;
d) be accurate and, where necessary, kept up to date;
e) not be kept for longer than is necessary for the purpose for which they are
being processed;

f) be processed in accordance with the data subject's rights under the PDPA,
including the right of subject access;
g) be kept secure from loss, damage and unauthorised disclosure.

5.0 Sensitive Personal Data

The PDPA identifies certain types of personal data as sensitive personal data.
Sensitive personal data comprise data about:
(a) ethnic and racial origin;
(b) political opinions;
(c) religious belief;
(d) trade union membership;
(e) sexual life;
(f) physical and mental health or condition;
(g) criminal offences.

6.0 The Right of Subject Access

The PDPA provides individuals with the right to see, and if they wish, to have a
copy of, all the information held about them by an organisation.

7.0 Outsourcing Processing of Personal Data

When processing of personal data is outsourced to an external third party, it is
a legal requirement that there is a contract in place which requires the data
processor to take appropriate security measures with regard to the processing of
personal data, and to only process personal data in accordance with Yee Lee
Corporation instructions.

8.0 Security of Personal Data

The PDPA requires that appropriate organizational and technological measures
be used to protect personal data from loss, damage and unauthorized disclosure.
Further advice on the security of electronic systems can be obtained from Yee
Lee Corporation Head of IT, and on manual filing systems from Yee Lee
Corporation Departmental Head, who is responsible for physical security.

All staff are responsible for ensuring that any personal data which they hold are
kept securely and are not disclosed to unauthorised third parties. All personal
data should be accessible only to those who need to use it and consideration
should be given to keeping such data:
• in a lockable room with controlled access, or
• in a lockable drawer or filing cabinet, or
• if computerised, password protected, or
• kept on disks which are themselves kept securely.

9.0 Disclosure of Data

Yee Lee Corporation must ensure that personal data are not disclosed to
unauthorised third parties, which includes statutory bodies, non-statutory bodies
and individuals. All staff should exercise caution when asked to disclose personal
data held on another individual to a third party.

9.1 Disclosing personal data to statutory bodies


Statutory organisations include:
• local authorities
• social services departments
• health authorities
• the police

Yee Lee Corporation may be able to disclose personal data to third parties where
an employee has given their consent. In addition, Yee Lee Corporation may
disclose personal data without consent to third parties:
• to protect the vital interests of an employee/tenant, i.e. in a life or death
situation;
• to comply with the law;
• to assist in the prevention or detection of crime;

• in connection with legal proceedings.


Yee Lee Corporation needs to be satisfied that the request:
• is actually from a statutory body;
• is within the powers of the statutory body;
• is relevant;
• complies with the Personal Data Protection Act 2010.

9.2 Disclosing personal data to non-statutory bodies

Personal data may be disclosed to other third parties, such as a non-statutory
organisation or an individual, only with the consent of the data subject. It is the
responsibility of the third party to obtain the data subject’s consent. Where
consent is not obtained, Yee Lee Corporation should NOT release personal data.
All third-party requests for access to personal data should be made in writing.

Where third parties request either personal or sensitive employee data, such as
payroll details for mortgage purposes, written signed authorisation of the
employee should be obtained before information is shared with the third party.
The authorisation should contain the employee’s name and address together with
a description of what is required and any other details.

10.0 Enforcement
Any employee found to have violated this policy may be subject to
disciplinary action, up to and including termination of employment.

(Please refer to Appendix 20)

APPENDIX 20
ENFORCEMENT

The following disciplinary action will be taken if any employee is found to be
violating any part of this Yee Lee Group Corporate Information Technology
Security Policy.

Step     Type of Action                       Who Initiates Action

Step 1   Verbal Warning and Oral Counseling   Immediate Superior & H.R Department (Documented)
Step 2   1st Written Warning                  Immediate Superior & H.R Department
Step 3   2nd Written Warning                  Immediate Superior & H.R Department
Step 4   3rd Written Warning                  Immediate Superior & H.R Department
Step 5   Show Cause Letter                    H.R. Department
Step 6   Domestic Inquiry                     H.R. Department

MAJOR INFRACTIONS

In case of serious infractions, the Company may suspend you for a period not
exceeding fourteen (14) days to enable the company to carry out investigations.
During the period of suspension, you will be paid not less than half of your basic
wages.

You will be notified of the offences you have allegedly committed and no
disciplinary action will be taken until you have been given an opportunity to be
heard through a show-cause letter and/or a domestic inquiry.

In the event the actions initiated by the Company reveal that no misconduct has
been committed by you, the Company will restore your full salary / wages during
your period of suspension.

If you are found guilty of any misconduct under this classification, disciplinary
action may take one of the following forms based on the gravity of the act
committed by you.

i. Suspension from work without pay for a period not exceeding seven (7)
days.

ii. Deferment of salary increment for a period to be determined by the
management.

iii. Withholding of payment of bonus, if such bonus is declared.

iv. Reduction of salary where the amount of such reduction will be determined
by the management.

v. Termination
