Olam Information Security Policy

Document Properties

A. Document Control

| S. No. | Type of Information | Description |
|---|---|---|
| 1 | Document Title | Olam Information Security Policy |
| 2 | Document Version Number | 1.3 |
| 3 | Date of Release | 19-Nov-2019 |
| 4 | Nature of Change | Added few Policies |
| 5 | Document Author | Suresh T |

B. Document Change Approvals

| Approver | Name | Contact |
|---|---|---|
| Chief Information Security Officer | Venkatesh Subramaniam | s.venkatesh@olamnet.com |

C. Version History

| Version no and date | Description of Change | Reason for Change | Change done by | Reviewed By | Approved By |
|---|---|---|---|---|---|
| 1.05, 28-04-2014 | Initial version | Initial version | SenthilKumar D | Indranuj Choudhury | Indranuj Choudhury |
| 1.06, 04-11-2015 | Changed the document template, added document history, made changes in the Introduction section and the definition of disaster | Review of document | Suresh T | Indranuj Choudhury | Indranuj Choudhury |
| 1.07, 10-02-2016 | Necessary changes made to the Olam logo | Change in the Olam logo | Suresh T | Indranuj Choudhury | Indranuj Choudhury |
| 1.1, 15-09-2017 | Incorporated additional policies around mobile security, cloud security, data security etc. | Introducing new policies | Suresh T | Sudeep Saxena | Indranuj Choudhury |
| 1.2, 26-09-2018 | Modified few policies | Review of document | Suresh T | Venkatesh Subramaniam | Venkatesh Subramaniam |
| 1.3, 19-11-2019 | Added sections on Contact with Authorities and Special Interest Groups and Third Party Management Policy; modified few policies | Review of document | Suresh T | Venkatesh Subramaniam | Venkatesh Subramaniam |

Version 1.3 Confidential Page 2 of 34

TABLE OF CONTENTS

SECURITY OBJECTIVES ..... 6
SCOPE AND APPLICABILITY ..... 6
POLICY STATEMENT AND OBJECTIVE ..... 6
POLICY COMPLIANCE ..... 7
EXCEPTIONS ..... 8
INFORMATION SECURITY RESPONSIBILITY ..... 8
CONTACT WITH AUTHORITIES AND SPECIAL INTEREST GROUPS ..... 8
POLICY LIFE CYCLE ..... 9
MANAGEMENT DIRECTION ..... 9
INFORMATION SECURITY ORGANIZATION ..... 9
ASSET MANAGEMENT ..... 10
HUMAN RESOURCES SECURITY POLICY ..... 12
USER ACCESS MANAGEMENT POLICY ..... 13
PHYSICAL & ENVIRONMENTAL SECURITY POLICY ..... 14
PASSWORD POLICY ..... 15
DESKTOP SECURITY POLICY ..... 16
EMAIL SECURITY POLICY ..... 18
INTERNET USAGE POLICY ..... 19
ANTI-VIRUS POLICY ..... 20
FIREWALL POLICY ..... 21
SECURITY INCIDENT MANAGEMENT POLICY ..... 22
BUSINESS CONTINUITY MANAGEMENT POLICY ..... 23
ACCEPTABLE USE POLICY ..... 24
COMPLIANCE ..... 27
VULNERABILITY MANAGEMENT POLICY ..... 29
END USER SECURITY AWARENESS POLICY ..... 29
INTELLECTUAL PROPERTY POLICY ..... 30
DATA PROTECTION POLICY ..... 30
PRIVACY POLICY ..... 31
THIRD PARTY MANAGEMENT POLICY ..... 31
MOBILE SECURITY POLICY ..... 32
USER SOCIAL MEDIA POLICY ..... 33
LICENSE MANAGEMENT POLICY ..... 33
CLOUD SECURITY POLICY ..... 33
WIRELESS SECURITY POLICY ..... 34


Security Objectives
Olam security objectives are aligned with business objectives and priorities; the top organization priorities have
been kept in mind while shaping the security objectives. They are as follows:
• Protect sensitive information from disclosure and unauthorized use that can lead to a competitive
disadvantage.
• Deliver cost-effective security for the business.
• Enable the business by ensuring necessary and sufficient security is in place.
• Ensure Security by Design in the implementation of initiatives.
• Ensure availability of critical systems and applications by protecting against cyber-attacks and
planning for resiliency.
• Ensure compliance with applicable security regulations.
• Create a “culture of security” that goes beyond awareness and becomes second nature while
performing any company-related activity.

Scope and Applicability


This policy applies to all Olam information assets, employees, vendors and contractors, and third parties
who have access to Olam information and network assets. Olam information assets include data that is
owned, sent, received or processed by Olam and the associated hardware, software, media and facilities.

All employees who use, manage, operate, maintain or develop Olam applications or data must comply with
this policy. The policy also applies to all third parties acting on behalf of Olam and to representatives who
are granted authorized access to Olam and its information assets.

This policy is supported by secondary policies, standards and security process documents on various topics
as required – together, this body of documentation comprises the Information Security Management System
(ISMS).

Policy Statement and Objective


“Olam International Limited is committed to implementing processes and systems to protect and safeguard
the Confidentiality, Integrity and Availability (CIA) of all critical information and information processing
assets from internal and external threat sources, to ensure the secure provision of business operations.”

The objective of this policy is to provide governance to ensure that:

• The confidentiality, integrity and availability of critical information is always ensured.
• Critical information is protected from intentional or unintentional unauthorized access, use,
disclosure, modification and disposal.
• Any security incident that results in a violation of the Policy is reported. Appropriate corrective and
preventive actions are initiated after investigation.
• Awareness programs on Information Security are available to all employees and, wherever
applicable, to third parties.
• All legal, regulatory and contractual requirements with regard to information security are met
wherever applicable.
• All employees adhere to the policy, and Management has the right to take necessary action in
case of violation.

Olam information assets must be protected based on the level of risk and in accordance with the following
principles:
• Authentication - All users of any Olam assets will be uniquely identified, and the claimed identity
appropriately verified.
• Accountability - All users will be held accountable for their use of critical and sensitive Olam
information assets.
• Confidentiality - Confidentiality of critical and sensitive information assets has to be ensured.
• Integrity - No unauthorized change should be made to the accuracy and completeness of
information and its associated information processing methods.
• Availability - Critical information assets and the services required to create and maintain those
assets must be available when the business needs them.
• Non-repudiation - Olam should be able to prove any party’s identity and action related to
transactions with Olam to avoid repudiation of those transactions.
• Least Privilege or Need to know - Access to information assets and services will be given to
users based on the needs of their job or role following the principles of least privilege. This
access must be authorized by the owners of the assets.

Policy compliance
Unauthorized use or alteration of information assets, any violation of the Security Policy or of the standards of
acceptable use of Olam assets and facilities, or their use in any way that violates business goals or values,
is a serious offence.

Such actions performed by employees or contractors may result in disciplinary action including termination
of their service and/or action in accordance with local laws. It is the responsibility of Human Resources
(HR) to implement the disciplinary action.


Offences of this nature by third party vendors may result in the revocation of their access rights to Olam’s
information, termination of their service contracts, and/or action in accordance with local laws. It is the joint
responsibility of the Service owner and Legal to implement the disciplinary action.

Exceptions
If it is not possible to follow the policy due to a constraint in the IT infrastructure or business
environment, a formal exception shall be requested. The exception shall be requested in writing,
documenting the reason or circumstances for the exception, the period for which the exception is
sought, and any compensating risk mitigation steps. These exceptions will be reviewed by the Chief
Information Security Officer, who will assign severity ratings to the requested exceptions. The CISO may
involve other senior management in assessing the exception. The function/business head of the requestor's
organization must accept the residual risk that remains, after any compensating controls, for the
exception.

Information Security responsibility


• Each employee of Olam is responsible for the security and protection of information resources
over which he or she has control. Resources to be protected include networks, computers,
software, and data. The physical and logical integrity of these resources must be protected
against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.
• Olam management will ensure that proper resources are available to work on the information
security management system of Olam. The Chief Information Security Officer will have the overall
responsibility for establishing, implementing, and monitoring Olam’s Information Security Program
and for continuously improving the security posture of Olam.

Contact with Authorities and Special Interest Groups


• The authorized function and/or individuals in the respective locations shall maintain contact with
the relevant authorities in case of emergencies such as fire and other disaster
scenarios.
• The Chief Information Security Officer and the Information Security team shall maintain contact and
coordinate with the relevant specialist security forums and professional associations (e.g. ISF,
ISACA) in order to exchange knowledge pertaining to the cyber threat landscape.


Policy Life Cycle


• The information security policy life cycle at Olam consists of 3 major phases: Policy Development,
Policy Implementation and Policy Monitoring.
• Policy development is the phase in which the security policies are written, driven by the business
objectives and other legal/compliance requirements. After the policies are developed, the next phase
is policy implementation, where the objectives of the policies are implemented through detailed
procedures and guidelines. The final phase is policy monitoring, which ensures that employees
comply with the policy requirements. To measure and monitor compliance with policies, the Olam
information security team will take up initiatives such as system audits and reviews, intrusion
detection, penetration testing and user activity audit trail analysis.
• To ensure the effectiveness and applicability of the information security policy, a formal review of the
policy must be conducted at least once a year. As part of this review, associated policies,
procedures and standards must be aligned to reduce duplication and variances.

Management Direction
Olam management commits to the establishment, implementation, operation, monitoring, review,
maintenance & improvement of the Information Security Management System (ISMS).
Management will ensure that the proper resources are available to work on the ISMS and that all
employees affected by the ISMS have the proper training, awareness & competency.

Information Security Organization


The Information Security Organization at Olam is structured independently of Information Technology,
with the Chief Information Security Officer heading the function and reporting to the President, Strategic
Investments & Shared Services. The key verticals in the Information Security Organization are:

  o Governance, Risk & Compliance
  o Cyber Defense
  o Data Protection & OT Security

Local IT in the respective countries helps implement security initiatives as directed by the Information
Security team and is responsible for managing and maintaining the security posture in the countries. The
First Line and Second Line responsibilities are documented and uploaded on Olam’s Intranet website.

Olam will have an Information Security Steering Committee that provides leadership in the protection
of information assets. The committee provides guidance and leadership to maintain and improve the
confidentiality, integrity and availability of information across the System. The committee may establish
working groups or subcommittees to identify and develop strategic direction and recommendations.

Third Party Security is very important, and the SPOC for the Third Party should engage the Information
Security team for assessment of third-party risks.

Special Interest Groups and Information Security Forums should be contacted by the Chief Information
Security Officer and his designates as required to build relationships as appropriate.

Asset Management

• All assets shall be clearly identified, documented and regularly updated.
• All assets shall have designated owners and custodians.
• All employees shall use company assets as per the acceptable use of assets procedures.
• Critical assets shall be classified as per the classification scheme of the company.
• All information stored on company computers belongs to the company, and the company may
inspect all such computers and information at any time as necessary for the conduct of its business.

Information Classification

All Olam IT users share the responsibility for ensuring that Olam information assets receive an appropriate
level of protection by observing the Information Classification standard:
• Information ‘owners’ shall be responsible for assigning classifications to critical information assets
as per the standard information classification system presented below.
• Where practicable, the information category shall be embedded in the information itself.

All Olam information, and all information entrusted to Olam by third parties, falls into one of the three
classifications below, presented in order of increasing sensitivity.

Public

Description:
• Information is not confidential and can be made public without any implications for the Company.
• Loss of availability due to system downtime is an acceptable risk.
• Integrity is important but not vital.

Examples:
• Product brochures widely distributed.
• Information widely available in the public domain, including publicly available Company web site areas.
• Financial reports required by regulatory authorities.
• Newsletters for external transmission.

Internal

Description:
• Information whose unauthorized disclosure, particularly outside the organization, would be inappropriate and inconvenient.
• Disclosure to anyone outside of Olam requires management authorization.

Examples:
• Departmental memos.
• Information on internal bulletin boards.
• Training materials.
• Policies, operating procedures, work instructions, guidelines.
• Phone and email directories.
• Productivity reports.
• Intranet web pages.

Confidential

Description:
• Information collected and used by Olam in the conduct of its business to employ people, to log and fulfil orders, and to manage all aspects of corporate finance.
• Access to this information is very restricted within the company.
• The highest possible levels of integrity, confidentiality, and restricted availability are vital.

Examples:
• Salaries and other personnel data.
• Accounting data and internal financial reports.
• Confidential customer business data and confidential contracts.
• Non-disclosure agreements with clients/vendors.
• Company business plans.

Handling of Confidential documents:

Storage

Confidential information in physical form should ideally be stored in a locked drawer or cabinet within a locked
office. Confidential electronic information must be protected at all times when stored, and kept in an access-
controlled folder or directory.

Transfer

Confidential electronic information must be protected at all times when emailed or electronically transferred.
Confidential physical information and backup tapes should ideally be transferred in sealed, tamper-proof
packaging, and a trusted courier should be used.

Disposal

Confidential electronic information must be securely wiped when no longer required. Confidential physical
information must be securely disposed by using appropriate measures like shredding for paper and secure
wipe for electronic media.


Human Resources Security Policy


This policy applies to all employees and third-party contractors. The Human Resources (HR) function shall
ensure that security responsibilities are briefed to every new employee/contractor when he/she joins the
organization as well as during exit procedures.

It is recommended that the HR function carries out background verification and reference checks of
prospective employees and contractual staff as per the relevant HR policy, including:
• Screening checks prior to employment.
• Verification of the original identity documentation (e.g. passport number, Aadhaar number),
confirmation of the candidate’s current address and confirmation of the candidate’s right to work
in the country of hire.
• A completeness and accuracy check of the candidate’s references for the past three years.
• Basic-level criminal record check, financial probity check and international sanctions list check (World
Check).
• Confirmation, through an appointed third party, of the highest claimed academic qualification(s).
• Confirmation, through an appointed third party, of the source of the professional qualifications relevant to the
candidate’s prospective role.

The HR function shall ensure that Formal Information Security Training is imparted to the employees at the
time of their induction and at least once a year thereafter; and the training program should include relevant
sections of Olam’s Information Security Policy with appropriate Dos and Don’ts that the employees need to
practice in their day-to-day work.

Notification of last date of employment

The HR function is required to formalize a termination process, including the return of all issued assets such
as corporate documents, equipment, mobile computing devices, credit cards, access cards, manuals and/or
any other asset that is the property of Olam.

The HR function/Country Admin should notify Central IT and the Information Security team, including the
last date of employment, as soon as the resignation/separation of an employee is accepted.
The Information Security team may put in place additional surveillance of employees during the notice period.

All employees and third parties are required to return all information assets that are issued to them.

Removal of Access Rights

The HR and IT function are required to ensure that the access rights of all employees and third parties to
corporate information and assets are revoked upon termination of their employment, contract or agreement.

The IT function is required to ensure that active accounts of a departing employee or third parties are
revoked immediately on the departure of the employee.


User Access Management Policy


Access Rights Creation/Modification/Deletion/Review Policy

• User access rights shall be configured as per the business requirements for each user to access
IT systems, Applications and Data following the principle of least privilege.
• A role-based usage profile, detailing privileges and access rights, shall be assigned to each user.
• Each user shall be uniquely identified by a User ID. Every User ID shall have a secret password
that should follow Olam’s Password Policies.
• This User ID and password will be required for access to the relevant applications and network
resources.
• No generic User ID shall be permitted except for service accounts on a specific application.

User Access Creation

• New user access IDs to the Olam corporate network shall be created only upon the receipt of
request from HR department. ID creation for access to business applications requires prior
approval of the user manager and application owner.
• There shall be an authorized person nominated for creating user ID who will control the levels of
access that can be granted as per the level specified by the application owner.

User Access Modification

• There shall be an authorized person nominated for modifying user IDs.
• Based on the request from the user, along with approval from the user’s reporting manager and the
application owner, the authorized person will modify the access rights of the user.

User Access Deletion

• As and when an employee decides to leave the organization, the HR/Country admin team should
inform the Central IT service desk and the Information Security team of the employee's last working date well in
advance. The Central IT service desk should inform the key application owners and the Information
Security team regarding the deletion of the user in their respective applications. Application teams would
disable the departed employee’s access to business applications.

There shall be a formal process to review the list of registered users to critical assets and their privileges
periodically, to make sure that all redundant user accounts are deleted at the earliest and appropriate
access levels are maintained.


Remote Access

• Only employees of the Organization or authorized third parties shall be permitted to remotely
connect to the Organization’s internal network.
• VPNs with multi-factor authentication shall be used for establishing and maintaining remote
access connections. While connected through VPN to Olam’s core network, connections to
other networks shall be restricted.
• Olam-issued devices shall be authorized to remotely connect to the network. Where non-
Organization-issued devices or portals are authorized to remotely connect to the network,
additional controls should be in place to restrict and secure access where appropriate.

Physical & Environmental Security Policy

• All air conditioning units, fire detection and protection systems, UPS and telecommunication equipment shall be
brought under maintenance contracts. Contact and technical support numbers for all such equipment
shall be maintained.
• No equipment is to be taken out of the office premises of the company without proper authorization,
and a proper log of all equipment taken in and out of the facility is to be maintained.
This excludes laptops and mobile phones carried by employees.
• The server room shall be accessed only by authorized IT personnel, through a dual access control
mechanism.
• If the Data Center is within the interior of the office premises and has a wall along an outside edge
of the office premises, there shall be a physical barrier preventing close access to that wall.
• Care shall be taken not to arouse unnecessary interest in secure areas.
• Vendors visiting the Data Center to carry out any work shall not be allowed to enter the room without
being accompanied and supervised by regular IT employees of Olam.
• The Data Center in-charge at each site shall ensure that an Access Log Form/Register is
maintained for all entry and exit points of the server room.
• Combustible materials shall be avoided inside the Data Center. Only the minimum supplies
necessary to the functioning of the room shall be kept within its perimeter.
• The Organization shall take measures to secure the perimeters of its premises based on the
security requirements and classification of the assets, including the sensitivity or criticality of the
information assets and information processing facilities within the perimeter, and the results of
threat and security assessments.
• Designated areas containing the Organization’s information assets shall be protected by
automated physical entry controls to ensure that only authorized personnel are allowed access.
• The Organization shall install Closed Circuit Television (CCTV) cameras around the main entry
and exit areas of the Organization premises and at secure/restricted areas as required.
• Manned reception areas shall be put in place to restrict physical access to sites, buildings and floors to
authorized personnel only, and to positively authenticate visitors by suitable means of
identification.
• The Organization shall take necessary measures to protect the integrity of the physical access
methods.
• Employees shall always visibly display their ID pass when on premises.
• Employees shall not lend their ID pass to, or borrow an ID pass from, a colleague when
working on premises.
• Reception employees shall take the following actions as appropriate for individuals not visibly
displaying their ID passes:
  o Employees without their ID should be issued a temporary ID;
  o A visitor/contractor should be issued a visitor ID after obtaining confirmation from the
  visitor’s host; or
  o If none of the above apply, the individual should be escorted from the premises by security,
  where available.
• Employees are responsible for ensuring that they are not tailgated/followed through entry
doors by individuals not displaying their ID, without first identifying them and ensuring they
have the correct approval to be in that area.

Password Policy
• The initial password provided by the administrator shall be changed at first login.

• Users shall not share their password with others or reveal it to others under any
circumstances. If they do so, they shall be accountable for the actions taken by the other party
with the password.

• Domain users, applications and servers shall automatically enforce the password policy stated
below:

  o Passwords shall be at least 8 characters long. For improved security, users
  shall choose longer passwords.

  o Passwords shall contain alphanumeric characters and at least one special character.

  o It is recommended that passwords not be repeated within the last 18 passwords (a password history of 18).

  o All user passwords must be changed at least once every 75 days. It is recommended that
  system-level passwords also be changed periodically.


• The password guidelines below must be followed to ensure strong passwords are used in Olam IT.

• Passwords shall not be easily guessable.

Guidelines for Usage of Strong Passwords

• Change all default passwords once the system is provided and made available for use.

• Ensure that passwords are combinations of letters, numbers and special characters.

• Passwords must be a combination of at least 8 alphanumeric characters and a special character.

Password Protection Guidelines

• Passwords should NOT be an individual's name, common names, organization names, family
member names, names of popular places, dictionary words etc.

• Passwords should NOT have repeated letters, patterns etc.

• Users shall not share their password with others or reveal it to others under any
circumstances. If they do so, they shall be accountable for the actions taken by the other
party with the password.

• Users shall NOT reveal organization passwords to their friends, relatives or colleagues.

• Users shall NOT reveal their password over the phone to anyone.

• Users shall NOT reveal their password over public email, SMS, chat or any social media
etc.

• Users shall NOT disclose their password in meetings, open forums, etc.

Desktop Security Policy


• The operating system of all desktops in Olam shall remain up to date with latest Service packs,
Patches, Hotfixes.

• All desktops shall be sited behind the main firewalls and protected from external networks.

• All desktops shall have authorised anti-virus software installed and configured with latest virus
signature updates.

• Desktop users shall not share their hard drives. The concerned manager should approve any
exceptions.

• Asset list of desktops/laptops must be maintained. IT Team must maintain inventory of all the
desktops in IT department.


• All desktop media shall be formatted before the desktop is re-allocated to another user. However, if
the desktop remains within the same group/function, it may be handed over as is to the new user
with the approval of the concerned manager; a new user ID for the desktop must still be created.

• All desktop users shall follow the End User guidelines which are part of this document.

• All desktop users shall change domain, and other passwords, as recommended.

• Users shall not connect USB drives from unknown sources to the office computer, as they may infect
the office computer.

• All corporate laptops and desktops should be joined to the Company Domain. It is the responsibility
of Local IT to ensure this.

• All corporate laptops and desktops should be regularly patched for operating systems and other
software utilities. It is the responsibility of Local IT to ensure that all laptops and desktops under their
support have up-to-date patches.

• Desktops and Laptops shall have USB access disabled. Any exception to this needs explicit
approval by the Information Security team.

• A limited set of Desktop and Laptop make and model should be pre-authorized centrally along
with specifications around memory and processing capacity and latest firmware versions running
in UEFI mode. Regional teams should procure assets accordingly.

• An Olam pre-approved “image” must be applied to each laptop and desktop, containing the required
software defined in the IT stack. All security software, such as Antivirus, Encryption (for laptops), Web
Browsing Software and USB write block, should be enabled before handing a desktop or laptop
to a user.

• Users shall strictly not have administrative access to Desktops and Laptops. Any exception to
this needs explicit approval by the Information Security team.

• Local IT should use their domain user ID to support laptops and desktops. Their IDs should be
in the Local Administrators group on the laptops and desktops they manage. Local IT should
strictly not use the ‘administrator’ account, and not share the password of the account with
anyone.

• The Management has the right to access all information on Olam’s systems and network without prior
notification to the respective user.

Email Security Policy


Email is a business communication tool and users are required to use this tool in a responsible, effective
and lawful manner.

▪ All users shall be provided with an e-mail address for use while in service with Olam, after
authorisation from the concerned Manager/HR.

▪ All E-mails can be treated as “Confidential” and every user shall remain accountable for mails sent
by him / her. Important E-mails need to be suitably archived for later reference.

▪ The copies of emails for senior management shall be stored on the mail server and regular backups
shall be taken.

▪ Users shall NOT forward official email communications to their personal mail.

▪ User shall NOT send or forward corporate information to any unauthorized recipient.

▪ Email service shall be mainly used for business use. Limited personal use is acceptable if it does
not hamper Olam’s functioning and business interest.

▪ All e-mails created, sent, or received using Olam compute and network facilities are the property of
Olam. The Management has the right to access all e-mail files created, received or stored on
Olam’s systems without prior notification to the respective user.

▪ Management reserves the right to disclose all communications, including text and images, to law
enforcement agencies or other third parties without prior consent of either the sender or the
receiver.

▪ Users shall not send or knowingly receive any material that is obscene, defamatory or derogatory, or
which is intended to harass, annoy or intimidate another person.

▪ Users shall not represent personal opinions as those of Olam in emails.

▪ All incoming and outgoing emails shall be checked for virus infection.

▪ Use of the Olam email system to transmit the messages or attachments listed below is prohibited at
all costs and is subject to suitable disciplinary action:

o Sending intimidating or harassing mails

o Sending junk and spam mails

o Purposefully sending virus infected emails.

o Participating in chain or pyramid mails

o Sending sexually abusive/pornographic pictures, texts, audio/video through e-mails

o Sending messages/files/communications against any caste, religion or race

o Sending or forwarding libellous, defamatory, offensive, racist or obscene messages.

▪ No user shall use another individual’s mail account to send messages.

▪ No user shall attach company data to their personal mail or forward company mails to the personal
mail IDs of their colleagues, friends or relatives.

Internet Usage Policy


The internet usage policy applies to any access to internet using Olam corporate devices and/or Olam
provided internet access.

• Use of Internet using Olam provided resources (network or devices) shall be monitored.

• Users shall neither visit nor access pornographic, racist or illegal sites, nor download from Internet
sites that contain obscene or offensive materials. Access to many (if not all) sites
considered to contain "unsuitable" material shall be prevented by using a filtering system. As new
sites of this nature come online and come to the attention of Olam IT, they shall be blocked as soon
as possible.

• Olam is not responsible for material viewed or downloaded by users from the Internet. Users are
cautioned that many of these pages include offensive, sexually explicit and inappropriate material.
Users access information over the Internet at their own risk.

• Olam reserves the right to record all Internet sites accessed by users. The company reserves the
right, in its sole discretion, to share this information or make public a complete listing of all sites
visited by the users to any requesting party or authority if required.

• Olam reserves the right to block users from any Internet resources including, but not limited to, those
which the company determines in its sole discretion to have no legitimate company purpose or which
could have a detrimental impact on company computing resources or the confidentiality of information.

• The Information Security team maintains the categories of sites allowed for browsing based on
business need and risk. All exception requests will be handled by the Information Security team.

• Categories like Internet email and storage sites are blocked, as they are a potential avenue for data leakage.

• User shall not use Internet over Olam network or devices for accessing sites promoting gambling,
personal commercial benefits or money laundering.

• User shall not make or post indecent remarks, proposals or materials on the Internet.

• Users shall not upload, download or transmit any unauthorized screensavers, wallpapers, songs,
music, video etc. These may have copyright implications.

• Users shall not download and/or install and use unauthorized software on corporate machines.
Users can take guidance from the Central IT service desk regarding authorized software.

• Users shall not upload any kind of corporate information to non-approved sites including storage
sites as it may result in data loss.

• User shall not reveal or publicize confidential or proprietary information which includes, but is not
limited to: financial information, new business and product ideas, marketing strategies and plans,
databases and the information contained therein, customer lists, technical product information,
computer software source codes, computer/network access codes, and business relationships.

• All browsers used to connect to the Internet should be authorized by the company and shall be
updated periodically for the latest patches and vulnerabilities.

• Internet access shall be disabled from all servers and any exception needs to be explicitly approved
by the Information Security team. This is to ensure that malicious code does not affect the critical
data on such servers.

• All content downloaded from Internet shall be thoroughly checked to make sure they do not include
viruses, Trojan horses, and other malicious code. Every desktop and laptop should have Olam
approved antivirus with the latest virus definitions. Disabling antivirus software shall not be
permitted. All desktops and laptops shall be configured to automatically scan any material
downloaded from an Internet Web site.

• Olam retains the right to report any illegal activities to the appropriate authorities.

• Olam reserves the right to take disciplinary action, up to and including termination, against users
who violate Olam’s Internet usage policy.

Anti-Virus Policy

• The latest Anti-virus programs approved by the Information Security team shall be continuously
enabled on all servers, desktop and laptops. It is the responsibility of the Local IT teams to ensure
this.

• Users shall not intentionally write, generate, compile, copy, collect, propagate, execute, or attempt
to introduce any computer code designed to self-replicate, damage, or otherwise wilfully commit
fraud and hinder the performance of or access to any Olam IT assets.

• All systems should undergo a full anti-virus scan at least once a week, and on-access scans should be
performed on all files and processes. In addition to the above, servers should also undergo daily “quick”
scans.

• Antivirus software and scan settings should not be changed without explicit approval from the
Information Security team. Local IT should consult with the Information Security team and get
explicit approvals if and before making any changes. All approvals should be retained for
compliance purposes.

• Local IT teams are responsible for ensuring that the anti-virus servers are continuously updated with the latest
versions of the virus signature file. Laptops, desktops and other servers shall take the update
from the central management server or from the Internet.

• The user/Local IT Teams should immediately raise a ticket for any virus incident and also inform
the Central IT service desk team and Information Security team.

• The Information Security team should have read and write access to all the Anti-Virus Servers and
Consoles. Any mitigation for immediate threats like applying hashes for critical vulnerabilities
should be done immediately. Local IT should assist in this, and the Information Security team
should also apply any such hashes and signatures keeping local IT in the loop.

• All servers, desktops and laptops shall have appropriate configurations to protect against active
code (e.g. Java, ActiveX) run from un-trusted sites on the Internet.

Firewall Policy

• Olam network shall be isolated from unsecured networks, Internet and third-party networks through
firewalls. Any exceptions would need explicit approval by the Information Security team which
should be retained for any compliance audits.

• All traffic from inside to outside, as well as outside to inside must pass through the firewall.

• All traffic going in and out through the Firewall should be blocked by default. Only authorized traffic
for legitimate business operations should be allowed through the firewall – only specific IPs, ports
and protocols needed to meet business requirements should be opened.

• All corporate applications should be protected by a Firewall and access should be restricted through
specific IPs, ports and protocols. The applications need to be accessed over a secure connection
when outside the office. Users accessing corporate applications outside the office using personal
internet, wireless hotspots etc. should connect using secure mechanisms using authentication and
encryption of transmission.

• Firewall should log all inbound and outbound requests and if it is serving as a Unified Threat
Management (UTM) device including Intrusion Prevention and Web Filtering capabilities, those
logs should also be captured. All these logs should be integrated with a Central Monitoring System
for centralized threat management.

• Audit logging should be enabled on the firewall to ensure that all critical accesses and changes to
firewall configuration and policy are tracked. These logs shall be regularly monitored.

• Local IT teams are responsible for procurement of the Firewall. They should track and ensure that
subscriptions are renewed before expiry. The Information Security team would provide the required
approval on the brand and model.

• Information Security Team along with local IT support are responsible for day to day management
of the Firewall and periodically review rules to ensure that only specific IPs, Ports and Protocols
required for legitimate business purposes are open. Everything else should be closed by default.
Any modifications to rules should be done in consultation with the Information Security team.

• SOC Team should also regularly monitor the Firewall for any unusual traffic.

• The Information Security team should have read and write access to the Firewall and should be
able to apply any rules to block threats in an emergency. They should keep the local IT teams in
the loop.

• The Information Security team should recertify Firewall rules for key locations at least once a year.

Security Incident Management Policy

• Users should be educated to recognize a security incident, and immediately report any suspected
security incidents to centralit.servicedesk@olamnet.com and csirt@olamnet.com. They should also
notify their manager, Local IT and the HR function as appropriate.

• CITS shall do an initial assessment, and if the incident is not a false positive, CITS shall create a ticket
in a Ticket Management System capturing the event description, date, source and rating.

• The Information Security team should use the Ticketing System to capture email, Lync IM and other
informal communications.

• The Information Security team, upon resolving the security incident, enters the resolution and the
problem category into the ticket and submits it for closure.

• The user who created the ticket receives the resolution notification. They either determine that the
security incident is resolved to their satisfaction or escalate the ticket.

• Users will participate in the investigation of incidents as and when required. Users shall also
participate in the implementation of recommendations made as part of incident response and
resolution wherever necessary.

• The Information Security team is responsible for documenting detailed procedural guidance on
handling security incidents.

• Emergency response shall be initiated by escalation of a security event or by direct declaration by
the CISO.

• All critical incidents and repeated incidents should go through a detailed root cause and corrective
action process (RCCA) in which all involved parties and teams should participate. Learnings from the
RCCA activities should be documented and communicated to all relevant parties. Actions need to
be taken to mitigate the vulnerabilities and weaknesses in the system to prevent future incidents.

The detailed procedural guidance for local IT and IT infrastructure teams on how to handle an incident
can be found in the Security Incident Management Procedure.

Business Continuity Management Policy

The appropriate level of Business continuity must be ensured so that business processes can be restored
when a disruption in assets occurs e.g. due to technical bugs, failure of components, failure of essential
services, loss of personnel, or major disasters like earthquakes, fire or floods. Including information security
in the business continuity management process will be an intrinsic part of the plan.

It is recommended to have a comprehensive risk assessment and business impact analysis at least once
every two years for key locations, business applications and information assets. These areas should have
associated disaster recovery and business continuity plans to minimize impact to service and duration of
disruption processes in the event of damage, failure, corruption, lack of availability or loss.

IT Disaster Recovery is a subset of Olam’s overall Business Continuity Management plan. A disaster can
be caused by man or nature and results in critical facilities and/or information assets and systems
not being accessible or functional.

The IT Disaster Recovery Team must identify critical business applications and information assets including
computing assets like laptops and desktops of senior management and develop a disaster recovery plan
for these.

At Olam, the declaration of disaster and invocation of the Disaster recovery plan can be made only if at
least two of the following persons agree to classify the event as such:
• Executive Director and Group COO
• Group Head – Strategic Investments & Shared Services
• Chief Information Officer
• Chief Information Security Officer

Disaster Recovery and Business Continuity plans should be tested periodically. Asset owners shall ensure
that their assets are suitably protected and covered with appropriate DR & BC Plans. The highest priority
in all DR plans shall be given to the protection of human life. The Disaster Recovery Plan, at a minimum,
must include the following:
• Criteria to activate the plan including detection of a disaster.
• Escalation guidelines
• Procedure to implement the recovery strategies.
• Recovery Time Objectives
• Recovery Point Objectives
• Responsibility Matrix
• Procedures to revert to normal operations
• Test and Maintenance procedures
• Contact Lists

Olam employees, contractors and third parties should be aware of their roles and responsibilities in the
continuity and recovery plans. They must be aware of critical information such as contact information of key
continuity and recovery personnel, call trees (if applicable), and the specific procedures they have to follow.

Acceptable Use Policy


This policy outlines the acceptable use of Information Assets/Systems/Resources of Olam, which includes
(but is not limited to) all computer equipment, software, hardware, operating systems, storage media, network,
electronic mail, internet & intranet, remote access services, telephony systems, mobile computing
environment, and other information usage/storing/transmission/processing services provided by Olam.

It also provides expectation around use and protection of corporate information.

The “user” of these resources is any person (full-time, part-time and temporary employees, trainees,
contractor, consultants and third party) who has been provided access to information Systems in order to
perform work in support of the Olam processes or a project authorized by Olam. It also includes all
personnel affiliated with third parties that use Olam information.

General Usage of Olam’s Information Assets

• Olam Information Assets are expected to be used for processing data and information relating to Olam
business in course of normal business operations.
• Users shall not attempt to access any data or programs contained on Olam Information Systems for
which they do not have authorization.
• Users are responsible for protecting any corporate information in their possession including that stored
on their respective Olam workstations, laptops, mobile and personal computing devices.
• Users shall not use Information Systems (including internet and email) for any activity with an intent of:
- Discriminating, harassing, vilifying or victimizing others based on gender, race, religious beliefs,
disability, political conviction, sexual preferences, age or otherwise.
- Degrading systems performance.
- Depriving an authorized user access to Olam's information system.
- Attempting to gain more system access or privileges than allocated.
- Circumventing/Disabling Olam's information security measures or non-compliance with the Olam
Information Security Policy.
- Unauthorized information sharing within or outside Olam.
- Installing software programs, including freeware and shareware, not explicitly authorized by the IT
and Information Security team.
- Causing physical damage to facility or property.
- Sending unsolicited messages and creating or forwarding ‘chain emails’.

• Users shall not take ‘Information’ or ‘Information Systems’ out of Olam's premises without
appropriate clearances and valid business justification / purpose.
• Users shall familiarize themselves with the contents of the Olam Information Security Policy (and any
updates to these) and practice the same. Any doubts or queries shall be raised with their respective
managers or the Information Security Team.
• Users shall comply with security directives, guidelines, and polices at all times. Users shall not
circumvent or attempt to circumvent any logical or physical security control or guidelines issued by
Olam. Additionally, users shall proactively participate in all security and safety exercises / drills /
trainings which may be conducted from time to time.
• ‘Users’ shall be responsible for protecting systems / devices in their possession having corporate
information against theft, and for secure storage of corporate information.
• Users shall not download and / or install any unauthorized or non-Olam procured / approved software
or make unauthorized copies.
• ‘Users’ are responsible for the content that they store or transmit using Olam ‘Information Systems’
and mobile computing devices. ‘Users’ shall respect all copyrights and trademarks and may not perform
unauthorized downloading, copying, retrieval, modification or forwarding of copyrighted materials using Olam
information systems.
• Use of E-mail or communication facilities not provided or authorized by Olam is prohibited for any official
communication.
• Users shall exercise caution while opening emails received from unknown senders as they may be
phishing mails and have malicious contents.
• All communication using Olam systems and resources should be done keeping Olam's security and
image in mind.
• Users shall treat personal data of employees, customers and business partners collected for business
purposes fairly and lawfully. Users entrusted with the task shall be responsible for collecting personal
data only for specific, lawful, explicit and legitimate purposes. Further, ‘users’ shall process this data
consistently with those purposes.
• Retention of data should be in compliance with local regulatory requirements of the region.
• Users shall not perform unauthorized disclosure of Olam data in any medium.
• If there is a business need to copy corporate information to an external portable storage device and no
alternates are available, prior exception approval shall be taken from functional manager and
Information Security Team. All corporate information in the device should be encrypted and the device
shall not contain any information apart from any data required for business use. Users are responsible
for the confidentiality, integrity and availability of information on these devices.
• Olam reserves the right to monitor and access as required all use of Olam information and information
systems.
• Users shall be held liable for any defamatory, obscene, offensive, political, proprietary, copyrighted or
libelous content posted or stored by them on or using Olam resources.
• Any incidents, violations of this policy, or potential security weakness should be reported by the user to
her/his Manager and Information Security team immediately.
• Users whose employment or contract with Olam stands terminated are strictly not allowed to retain
access or any information / data pertaining to Olam.
• Users shall not store, maintain or back up Olam data on any account / computing devices / data
storages not provided by Olam for official purpose in any form, unless explicitly authorized by the
functional manager and Information Security team.
• If any information pertaining to Olam has to be sent outside Olam for business purpose electronically
or in hardcopy, the ‘user’ shall take into consideration Olam Information Classification Guidelines, and
safeguard the information appropriately based on requirements at the different classification levels.
• Remote access to Olam’s ‘Information Systems’ is granted only on a demonstrable business need
basis. All security & privacy requirements as per Olam policies shall be applicable.
• All access and sharing of Olam information shall be on a business need to know basis.
• Users shall create and maintain strong non-guessable passwords compliant with Olam password
policy. Password disclosure or sharing is strictly not permitted and in case unauthorized use is detected
under a user id, the person holding the user id would be held accountable.
• Administrative access is not allowed on laptops or desktops unless explicitly approved by the
Information Security team.
• USB/CD/DVD access is not allowed on laptops or desktops unless explicitly approved by the
Information Security team.
• Users shall not use a generic ID to access resources unless it is explicitly approved by the Information
Security team. All Generic IDs must have an owner who is accountable for the ID, and the ID should be used
only for the purpose mentioned during ID creation.
• Users shall not attempt, initiate or establish any network connections with third parties or resources
outside Olam corporate network unless explicitly approved by the Information Security Team.
• Users shall not misrepresent, obscure, suppress, or replace their own or another user’s identity on any
Olam Information System.
• Users shall promptly accept and install critical security updates, software, anti-virus definitions and
operating system patches pushed on their machines by Olam through a central location.
• Users shall not test or attempt to compromise or disable any information security mechanism unless
specifically authorized to do so by the Information Security team.
• Users shall not divulge or comment on Olam information in any forums, social networks, blogs, and
personal sites or in any other form unless approved in writing by Olam.
• Before transferring any Information across borders, users shall check with Legal and Information
Security Department to ensure that no laws are violated.

Compliance

Data in any form created, modified, transmitted or stored on Olam systems is deemed to be the property of
the Company. Olam reserves the right to audit / review Information Systems on a periodic basis to ensure
compliance with this Policy.

Olam may take any violation of this policy as a sign of misconduct by the user and the user may be subject
to any or a combination of the following:
• Verbal or written warning
• Counseling
• Withdrawal of access and system privileges in part or whole
• Dismissal
• Legal Action
End users must adhere to the following guidelines:

DO’S AND DONT’S

• DO: Use Olam resources/equipment in a responsible, legal and ethical fashion.
  DON’T: Use office automation equipment for personal use. This includes sending or receiving fax
  messages, personal long-distance telephone usage and use of office resources like printers for uses
  unrelated to office duties.

• DO: Report any incidents like fire, theft, sabotage, environmental incidents (including spills), injury,
  suspicious behaviour, etc. to the IT/Admin helpdesk immediately.
  DON’T: Bring flammable liquids, gases and materials inside the premises without proper authorization
  from Olam Admin.

• DO: Whenever IT sends mail for Antivirus software updates, download and install the updates as per
  the specifications given by IT.
  DON’T: Download shareware/freeware without approval of the concerned Manager and without informing
  IT of the same. The software must be uninstalled at the end of the expiry period.

• DO: Dispose of confidential documents using the shredders.
  DON’T: Leave any confidential papers on the desk unattended.

• DO: Maintain a clear screen and clear desk.
  DON’T: Leave a PC/Laptop unattended without locking the screen.

• DO: Protect laptops from theft by appropriate measures from time to time.
  DON’T: Share the password of the laptop with anybody.

• DO: Ensure that laptops have personal (Windows) firewalls installed.
  DON’T: Access any network, services or software within Olam by unlawful, unauthorized means.

• DO: Download and install the anti-virus update as per the procedure.
  DON’T: Bring diskettes/CDs, thumb drives or external storage media from outside Olam other than for
  office-related work.

• DO: Use computer software and equipment, as well as telecommunication services (including internet,
  email) and equipment, only for performing the official work of Olam. However, limited personal use is
  allowed.
  DON’T:
    o Send intimidating or harassing mails or indecent remarks
    o Participate in chain or pyramid mails
    o Send sexually abusive/pornographic pictures, texts, audio/video through e-mails
    o Send messages/files/communications against any caste, religion or race
    o Post commercial ads to newsgroups
    o Visit or access pornographic, racist and illegal sites, or download from Internet sites that
      contain obscene or offensive materials
    o Access pay sites, gambling, personal commercial benefit or money laundering sites, spamming,
      electronic greetings etc.

• DO: Delete any obscene, vulgar or inappropriate material, jokes, pictures or chain letters from your
  desktop and inform IT/Admin immediately. Also, inform the sender about the undesirability of such mails.
  DON’T: Attempt to change the configuration/settings of desktops and laptops without consulting IT.

• DO: Keep the password confidential.
  DON’T: Intentionally write, generate, compile, copy, collect, propagate, execute, or attempt to introduce
  any computer code designed to self-replicate, damage, or otherwise hinder the performance of or
  access to any IT assets.

• DO: Remove sharing of folders on the network when not necessary, and password-protect folders that
  are shared on the network.
  DON’T: Introduce or cause to introduce any computer contaminant or computer virus into any computer,
  computer system or computer network.

• DO: Adhere to all S/W copyrights and licensing agreements.
  DON’T: Connect to the Internet through dial-up or smart phones when on the Olam network unless
  authorized to do so.

• DO: Clear unattended whiteboards or similar media.
  DON’T: Leave documents unattended on a desk, printer, scanner or photocopier.

Vulnerability Management Policy

Olam’s IT Infrastructure and critical business applications shall undergo periodic vulnerability assessments
and penetration testing to identify and mitigate vulnerabilities.
• The systems must be installed as per the vendor’s instructions
• All unused and unnecessary software must be removed or uninstalled from the system.
• Default or predefined user accounts which are not used must be removed or disabled.
• Default passwords must be changed for all the accounts
• All services which are not going to be used in production must be disabled or removed
• The systems must be patched up to date. All relevant service packs and security patches must be
applied at least monthly, and critical patches must be applied immediately.
• Suitable anti-virus and anti-malware package must be installed on the system to prevent malicious
software introducing weakness into the system.
• If the system can run its own firewall, then suitable rules must be configured on the firewall to close
all ports which are not required for production use.
• All internet-facing applications should undergo a penetration test, and all Critical and High rated issues
should be remediated before going live.
• All existing systems will undergo periodic assessments and remediation of vulnerabilities as per
details outlined in the Vulnerability Management Procedure.
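The two time-bound rules in the list above (critical patches immediately, everything else within the monthly window, and no Critical/High findings on an internet-facing application before go-live) are easy to state and easy to lose track of across a scan report. The following is an added example, not part of Olam's policy or tooling, that applies those rules to a list of scan findings. The SLA mapping (0 days for Critical as the reading of "immediately", 30 days for all other severities) and the sample findings are assumptions constructed for illustration.

```python
"""Policy-as-code check for the Vulnerability Management Policy above.

Added example, not Olam's documentation or tooling. It applies the
policy's own rules to a list of scan findings:
  * Critical patches are applied immediately (treated here as a 0-day
    SLA, an assumed interpretation of "immediately").
  * All other security patches are applied at least monthly (30 days).
  * Internet-facing applications may not go live with open Critical or
    High findings.
The findings below are constructed sample data, not real scan output.
"""
from dataclasses import dataclass
from datetime import date

SLA_DAYS = {"Critical": 0, "High": 30, "Medium": 30, "Low": 30}  # assumed mapping
GO_LIVE_BLOCKING = {"Critical", "High"}


@dataclass(frozen=True)
class Finding:
    asset: str
    severity: str        # Critical / High / Medium / Low
    discovered: date
    internet_facing: bool
    remediated: bool = False


def days_open(f: Finding, today: date) -> int:
    """Age of a finding in days, relative to the supplied 'today'."""
    return (today - f.discovered).days


def overdue(findings, today):
    """Open findings whose age exceeds the policy's patch window."""
    return [f for f in findings
            if not f.remediated and days_open(f, today) > SLA_DAYS[f.severity]]


def go_live_blockers(findings):
    """Open Critical/High findings on internet-facing assets; these must be
    remediated before the application goes live."""
    return [f for f in findings
            if not f.remediated and f.internet_facing
            and f.severity in GO_LIVE_BLOCKING]


# Constructed sample scan findings (hostnames and dates are made up).
TODAY = date(2019, 11, 19)   # the policy's release date, used as "now"
SAMPLE = [
    Finding("web-portal-01", "Critical", date(2019, 11, 18), True),   # 1 day old: overdue
    Finding("web-portal-01", "High",     date(2019, 11, 1),  True),   # 18 days: in window, blocks go-live
    Finding("erp-app-02",    "Medium",   date(2019, 10, 1),  False),  # 49 days: overdue
    Finding("erp-app-02",    "Low",      date(2019, 11, 10), False),  # 9 days: fine
    Finding("hr-db-03",      "High",     date(2019, 9, 1),   False, remediated=True),
]


def summarize(findings=SAMPLE, today=TODAY):
    """(asset, severity) pairs that breach the patch window or block go-live."""
    return {
        "overdue": sorted((f.asset, f.severity) for f in overdue(findings, today)),
        "go_live_blockers": sorted((f.asset, f.severity) for f in go_live_blockers(findings)),
    }


if __name__ == "__main__":
    for rule, hits in summarize().items():
        print(rule, hits)
```

Feeding real scanner output into `Finding` objects is the only integration step; the thresholds live in one table so a change to the procedure's timelines changes one line.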

End user security awareness Policy


The Olam information security awareness program shall meet the following requirements:


• All users must achieve and maintain at least a basic level of understanding on information security
matters such as obligation under various information security policies and procedures, guidelines,
laws, regulations, contractual terms and other generally held standards of ethics and acceptable
behavior.
• Additional training must be provided for users with specific obligations towards information security
that are not satisfied by basic security awareness.

Intellectual Property Policy


Olam users must abide by applicable intellectual property laws and regulations. Users must refrain from
actions or access which would violate the terms of licensing and non-disclosure agreements. The following
administrative standards must be followed:
• Users are prohibited from copying Olam-provided software to any storage media, transferring it to
another device, or disclosing it to unauthorized parties.
• Users must not download or share any electronic information which infringes any copyright or
intellectual property law or regulation.
• Users are prohibited from using Peer-to-Peer (P2P) software or "file sharing" applications which
may infringe the copyright and/or intellectual property rights of others.

Data Protection Policy


The Data Protection principles are based on the information classification standard of Olam.
Data Protection for Public Information
• Users must not post any company-related information, even if it is classified as Public, on any
mailing list or public newsgroup without prior approval.
• Public information is not considered confidential. However, its integrity must be protected, so the
data should be sent out or made available only through the corporate communication team.

Data Protection for Internal Information


• All information assets that are not explicitly classified as Confidential or Public data should be
treated as company Internal data and appropriate security controls should be applied to ensure
that internal data is accessed by or shared with only authorized individuals with a legitimate need.
• Access to Internal data must be requested from, and authorized by, the Data Owner who is
responsible for the data.


• Users are not allowed to reveal company internal information to any unauthorized individuals or
third-party users. In case of a requirement to share company internal information with third parties,
non-disclosure agreements should be signed by third parties before any information is shared.

Data Protection for Confidential Information


• Access to confidential data must be controlled from creation to destruction and will be granted only
to those persons affiliated with Olam who require such access to perform their job (need to know
basis).
• Access to confidential data must be individually requested and then authorized by the Data owner
who is responsible for the data.
• Do not discuss or display confidential information in an environment where it may be viewed or
overheard by unauthorized individuals.
• Do not leave keys or access badges for rooms or file cabinets containing confidential information
in areas accessible to unauthorized personnel.
• Before printing, photocopying, or faxing, ensure that only authorized personnel will be able to
access the output.
• Confidential information may not be stored on any personal equipment.
• Users may not send or forward emails containing confidential data to personal email accounts.
• Protect sensitive information when (1) placing it on removable media; (2) placing it on a mobile
computer (e.g. laptops, PDAs, smart phones); or (3) sending it via electronic mail.
• Confidential information in electronic form should be destroyed using industry-standard software
wiping or degaussing technology. Deleting files or reformatting electronic media is not sufficient for
data destruction. Note that degaussing is effective only on magnetic media; solid-state and flash
storage should be sanitized by cryptographic erase or physically destroyed.
• Confidential information on paper should be shredded, including all transitory work products such
as unused copies, drafts and notes.

Privacy Policy

There is a separate privacy policy that has been uploaded in our corporate website. You can find the privacy
policy at the following link: https://www.olamgroup.com/privacy.html

Third Party Management Policy


The objective of this policy is to provide the third party with an approach and direction for implementing
information security controls for all information assets used by them to provide services to Olam.


• The Third Party shall not process or use Olam information for any purpose other than that which is
directly required for the supply of the agreed Services and will deliver its services in accordance
with the contract.
• The Third party should assign an individual or team who will be responsible and accountable for
information security policy, implementation and processes and would be acting as the single point
of contact for Olam where information security is concerned.
• The Third Party shall establish security controls to prevent accidental, deliberate or unauthorized
disclosure, access, or destruction of Olam information in possession.
• The third-party senior management shall provide clear strategic direction and support to assess,
monitor and control information security risks and ensure that they are properly addressed.
• The third party shall ensure that all their employees receive formal information security awareness
training and a disciplinary process for information security breaches shall be established,
documented and communicated to the employees.
• Adequate measures shall be in place to ensure that third-party employees who change roles within
the organization or leave the organization return all Olam assets in their possession, and that their
access rights are revoked or adjusted accordingly.
• All third parties acting on behalf of Olam and representatives who are granted authorized access
to Olam and its information assets must comply with the information security policies of Olam.
• Critical third parties handling sensitive Olam information and systems should be assessed
periodically.

Mobile Security Policy

• Access to corporate information from personal devices for critical users should be governed by
software such as an MDM solution that also ensures the privacy of non-corporate information. Olam is
interested in protecting and managing only the corporate data and applications that reside on the
employee's phone.
• To prevent unauthorized access, the mobile devices must be password protected using the
features of the device and a strong password must be enforced to access the company network.
• Lost or stolen devices must be reported to Olam within 24 hours.
• Users should install only applications from trusted sources in the device.


User Social Media Policy

• The user is personally responsible for the content which they publish on websites and should refrain
from posting any Olam confidential data.
• The user should not post online any views on behalf of Olam or represent themselves as a spokesperson
of Olam. If it is a personal view, it should be explicitly stated that the views do not represent those
of Olam.
• Users should not advertise or sell Olam products via social media websites without prior written
approval from Senior Management.

License Management Policy


• Licenses should always be tracked and maintained to ensure compliance with the contractual
requirement. Over-utilization of licenses would be considered as a major non-compliance.
• Central IT Infrastructure team maintains a list of centrally supported system software like Microsoft
Exchange, Microsoft Office, Adobe Reader, etc. The licenses of such applications shall be procured
centrally based on the demand forecast for all regions.
• Any deviations or non-compliance must be reported to the Central IT team on priority.

Cloud Security Policy

• Confidential information should not be put in a public cloud unless there is a significant business
advantage that far outweighs the risk.
• All cloud service provisioning must go through security clearance from the IT Security team.
• The cloud service provider should complete the Cloud Risk Assessment Questionnaire, which forms the
basis for the security assessment conducted by the Information Security team.
• The Information Security team should be engaged in the initial stages of all public cloud
deployments and Software as a Service subscriptions so that there is adequate time to review
the security implications. All such deployments and subscriptions need the explicit approval of the
Information Security team and acceptance of any residual risks by the business.
• The cloud service provider should comply with Olam's security requirements and with the laws and
regulations that apply in the location where Olam data is stored and processed.


Wireless Security Policy


• Wireless Networks should be designed, implemented, and operated in a secure manner.
• All connections to the wireless devices should be authenticated before use.
• Preventive measures should be taken to properly & effectively protect the wireless access point
from unauthorized physical access.
• Wireless (802.11) devices shall be located on a separate subnet from the wired TCP/IP network to
ensure network traffic protection.
• Transmissions between the 802.11 device and the wireless access point shall be encrypted using the
Advanced Encryption Standard (AES, i.e. WPA2 CCMP or later) with a minimum key length of 128 bits.
Temporal Key Integrity Protocol (TKIP) is deprecated and should be permitted only where legacy
devices cannot support AES.
• All unused ports & services shall be disabled on the access points.
• Network based access control mechanisms (e.g., ACLs) shall be implemented on the wireless
network to restrict access into & out from the wireless network.
• Radio power on access points shall be adjusted to maintain a Zone of Control (ZoC) covering only
the area where wireless access is required; RF coverage shall be minimized so that it does not extend
beyond the perimeter of the property in which the access point is installed.
• System logs and audit trails shall be maintained and reviewed as required for unauthorized access
attempts against the wireless network.
• Service Set Identifier (SSID) shall be changed immediately upon initial installation.
• Wherever necessary and feasible, use Extensible Authentication Protocol-Flexible Authentication via
Secure Tunneling (EAP-FAST), Protected Extensible Authentication Protocol (PEAP) or Extensible
Authentication Protocol-Transport Layer Security (EAP-TLS) as the authentication protocol. EAP-TLS,
which authenticates clients with certificates, is the strongest of the three.
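The access-point requirements above (authenticate every connection, encrypt with AES, change the default SSID) can be verified mechanically against the AP's configuration. Below is an added example, not Olam's code, that lints a hostapd-style configuration and shows a weak configuration beside its hardened counterpart. The two configurations, the list of vendor default SSIDs and the RADIUS server address are constructed assumptions; the rule set is this example's reading of the policy, and TKIP is flagged because it is deprecated.

```python
"""Lint a hostapd-style access point configuration against the Wireless
Security Policy above.

Added example, not Olam's code. The configurations and the default-SSID
list are constructed for illustration; the checks encode this example's
reading of the policy (802.1X/EAP authentication, AES-CCMP encryption,
no deprecated TKIP or WEP, non-default SSID).
"""

DEFAULT_SSIDS = {"default", "linksys", "dlink", "netgear", "tp-link"}  # assumed vendor defaults


def parse_hostapd(text: str) -> dict:
    """Parse 'key=value' lines, ignoring comments and blank lines."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        conf[key.strip()] = value.strip()
    return conf


def check_ap_config(text: str) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    c = parse_hostapd(text)
    issues = []
    # SSID shall be changed from the factory default.
    if c.get("ssid", "").lower() in DEFAULT_SSIDS:
        issues.append("default SSID still in use")
    # All connections shall be authenticated: WPA2/RSN with 802.1X (EAP).
    if c.get("wpa") != "2":
        issues.append("wpa=2 (WPA2/RSN) not enabled")
    if "WPA-EAP" not in c.get("wpa_key_mgmt", "").split():
        issues.append("802.1X/EAP authentication not configured (wpa_key_mgmt lacks WPA-EAP)")
    if c.get("ieee8021x") != "1":
        issues.append("ieee8021x=1 not set")
    # Transmissions shall be encrypted with AES (CCMP); TKIP is deprecated.
    ciphers = set(c.get("rsn_pairwise", c.get("wpa_pairwise", "")).split())
    if "CCMP" not in ciphers:
        issues.append("AES-CCMP pairwise cipher not enabled")
    if "TKIP" in ciphers:
        issues.append("TKIP pairwise cipher allowed (deprecated)")
    if "wep_default_key" in c or "wep_key0" in c:
        issues.append("WEP keys configured")
    return issues


# Constructed examples: a weak configuration and its hardened counterpart.
WEAK_CONF = """
interface=wlan0
ssid=default
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_passphrase=changeme
wpa_pairwise=TKIP
"""

HARDENED_CONF = """
interface=wlan0
ssid=OLAM-CORP
wpa=2
ieee8021x=1
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
# RADIUS server for EAP authentication (assumed address and secret)
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-me
"""

if __name__ == "__main__":
    print("weak:", check_ap_config(WEAK_CONF))
    print("hardened:", check_ap_config(HARDENED_CONF))
```

The weak configuration trips every check; the hardened one passes because it moves authentication to 802.1X/EAP and restricts the pairwise cipher to CCMP. Controller-managed access points expose the same settings under different names, so the parser is the only part that needs adapting.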
