
Saudi Pharmaceutical Industries & Medical Appliances Corporation (SPIMACO)

ACCEPTABLE USE POLICY


This Policy is effective from Date: …./…./2022


Approved By: ……………………………………
Signature:
Shareholder policy V.00

Contents
1. Introduction
1.1. Purpose
1.2. Scope
1.3. Glossary (Definitions and abbreviations)
1.4. Ownership and Maintenance
2. Policy
2.1. General use
2.2. Acceptable use of the Internet and software
2.3. Acceptable use of e-mail and communication system
2.4. Video meetings and web-based communications
2.5. The use of Passwords
2.6. Policy compliance
3. Policy Review
4. References
4.1. Regulatory references
4.2. International standard references
5. Document Control

Date Printed: 29 November 2022 SPIMACO ADDWAEIH Page 2 of 9



Introduction
1.1. Purpose
This Policy sets out SPIMACO’s approach to governing and managing the acceptable use of
information resources and/or assets at SPIMACO. These rules are in place to protect the user
(employee, contractor, etc.) and SPIMACO. Inappropriate use might expose SPIMACO to risks
including virus attacks, compromise of network systems and services, and legal liabilities.

1.2. Scope
This policy is applicable to:
- All information, technology, and assets owned or used by SPIMACO, whether cloud or
non-cloud.
- All users (employees, contractors, trainees, outsources and vendors) who have access
to SPIMACO’s information and technology assets.

1.3. Glossary (Definitions and abbreviations)

Word/Abbreviation: Explanation

Executive Management: SPIMACO’s C level management

SPIMACO or the Company: Saudi Pharmaceutical Industries & Medical Appliances Corporation (SPIMACO) and its subsidiaries.

Cybersecurity: Cybersecurity is the protection of networks, IT systems, operational technologies systems and their components of hardware and software, their services, and the data they contain, from any penetration, disruption, modification, unauthorized access, use or unauthorized exploitation.


Information and Technology Assets:
- Information: An asset that, like other important business assets, is essential to business. It can exist in many forms: printed or written on paper, stored electronically, transmitted by post or electronically, or spoken in conversation
- Information Systems: Set of applications, services, information technology assets, or other information-handling components.
- Information Processing Facilities: Any information systems, service or infrastructure, or the physical location housing it.

Asset Register: Is a detailed list compiled of information and technology assets it can refer to as asset register or information asset register

Asset Owner: Asset owner refers to individual or department that has an approved management responsibility for controlling the production, development, maintenance, use and security of the

Users: All users (employees, contractors, trainees, outsources and vendors) who have access to SPIMACO’s information and technology assets

CEO: Chief Executive Officer

NCA: National Cybersecurity Authority

ECC: Essential Cybersecurity Controls

CSCC: Critical Systems Cybersecurity Controls

CRO: Chief Risk Officer


1.4. Ownership and Maintenance


Roles and responsibilities for the policy document are as follows:

Responsibility | Prepare/Update/Amend Policy | Review | Approve | Publish | Maintain Policy

Cybersecurity ✓ ✓ ✓

CRO ✓

Policy Control ✓ ✓

CEO ✓


1. Policy
1.1. General use
1.1.1. User shall not infringe the rights of any person or company that are protected by copyright, patent, or other intellectual property, or similar laws or regulations, including, but not limited to, installing unauthorized or illegal software.
1.1.2. User shall not leave printouts unattended on the company’s shared printers.
1.1.3. User shall keep external storage media in secure and proper conditions.
1.1.4. User shall not use SPIMACO’s business-related information and technology assets for personal use, including as repositories for personal data.
1.1.5. Information shall be handled according to its specified classification, and in accordance with the data classification and information protection policy for SPIMACO, in a manner that ensures the protection of information confidentiality, integrity and availability.
1.1.6. User shall not share his/her account details (username and password) with any other employee or use another employee’s credentials.
1.1.7. User shall remove all data in hardcopy or electronic form from their workspace and secure it in a locked drawer when the desk is unoccupied at the end of the workday.
1.1.8. User shall lock his/her device when leaving his/her desk.
1.1.9. User shall shred all business-related documents upon disposal.
1.1.10. User shall not disclose any information related to SPIMACO, including information related to systems and networks, to any social media outlets or unauthorized party, whether internally or externally.
1.1.11. User shall not connect personal devices to SPIMACO’s networks or systems without prior approval from the Cybersecurity department.
1.1.12. User shall not carry out any activities to bypass SPIMACO’s protection systems, including anti-virus software, firewall, and malware protection, without prior approval from the Cybersecurity department.
1.1.13. Cybersecurity department shall monitor systems, networks and personal accounts related to work, and review them periodically to monitor compliance with cyber security policies and standards.
1.1.14. User and visitors shall not enter sensitive places without prior approval from the Cybersecurity department.
1.1.15. User shall wear SPIMACO’s identification card in all SPIMACO’s facilities.
1.1.16. User shall report any loss, theft or leakage of SPIMACO’s information.
1.1.17. Workstation Protection
1.1.18. User shall not use external storage media without prior approval from the Cybersecurity department.
1.1.19. User shall not carry out any activity that would affect the efficiency and safety of SPIMACO’s systems and assets without prior approval from the Cybersecurity department.
1.1.20. User shall not leave any classified information in accessible places, or allow it to be viewed by unauthorized persons.


1.1.21. User shall not install external tools or software on SPIMACO’s computers and assets
without prior permission from the information technology department.
1.1.22. User shall notify Cybersecurity department of any suspicious activity that may cause
damage to SPIMACO’s computers or assets.

1.2. Acceptable use of the Internet and software


1.2.1. User shall notify the Cybersecurity department of any suspicious websites that should be blocked.
1.2.2. User shall use a secure and authorized browser to access the internal network or the Internet.
1.2.3. User shall not use technologies that allow bypassing a proxy or firewall to access the Internet.
1.2.4. User shall not use the Internet for non-business purposes, including downloading media and files, and using file-sharing software.
1.2.5. User shall not conduct a security scan for the purpose of discovering security vulnerabilities, including penetration testing, or monitoring of SPIMACO’s networks and systems, or those of third parties, without prior authorization from the Cybersecurity department.
1.2.6. User shall not visit suspicious websites, including hacking education websites.

1.3. Acceptable use of e-mail and communication system


1.3.1. User shall not use e-mail, telephone, fax or e-fax for non-business purposes, and shall use them in accordance with Cyber Security Policies and Standards.
1.3.2. User shall not circulate messages containing inappropriate or objectionable content, including messages with internal and external parties.
1.3.3. User shall use encryption techniques when sending sensitive information by email or communication systems.
1.3.4. User shall not register SPIMACO’s email address on any website that is not related to work.
1.3.5. User shall report any emails containing content that may cause damage to the systems, assets or reputation of SPIMACO.
1.3.6. SPIMACO reserves the right to disclose the contents of e-mail messages after obtaining the necessary permits from the authorized person and the Cybersecurity department in accordance with the relevant procedures and regulations.
1.3.7. User shall not open suspicious or unexpected emails and attachments, even if they appear to be from trusted sources.

1.4. Video meetings and web-based communications


1.4.1. User shall not use unauthorized tools or software to conduct video communications or hold video meetings.
1.4.2. User shall not make calls or hold video meetings that are not related to work without obtaining prior permission.

1.5. The use of Passwords


1.5.1. User shall use secure passwords, which should also be different from those of personal accounts, such as personal mail accounts and social networking sites.
1.5.2. User shall change the password when a new password is provided to him/her by the system administrator.

2. Policy compliance
2.1. The Head of the Cyber Security Department shall ensure that SPIMACO adheres to this policy on a regular basis.
2.2. Compliance with SPIMACO’s cybersecurity policies and associated controls is mandatory for SPIMACO staff members, contractors, partners, and service providers who have access to SPIMACO information and information processing facilities.
2.3. Any violation of this policy may subject the offender to disciplinary action, in accordance with the procedures followed in SPIMACO.

3. Policy Review
The Cybersecurity Department shall conduct an annual review and update of this document, and shall
ensure constant alignment with changes to requirements, best practices, regulations, and
obligations.

4. References
4.1. Regulatory references
4.1.1. NCA Essential Cybersecurity Controls (ECC)

4.2. International standard references


4.2.1. ISO27001


5. Document Control

Document Information
Custodian: Cybersecurity

Policy Name: Acceptable Use Policy

Found Where? (retention place): SharePoint

Retention Period? 5 years

Who has Access? All users

Document History
Version Date Description

0.1 17/08/2022 Initial Version
