Do not:
Send Company information from your Company account to your personal email account,
unless authorized.
Over-classify information as MPI Proprietary, Private or Restricted. (Only classify records
that clearly meet the requirements for classification.)
Electronic Communications
Electronic communications such as email, voicemail, text, and chat are subject to RMG retention
requirements. Because electronic communications are widely disseminated around the globe, it is
important to recognize writing styles and uses of language that may cause misinterpretation of the
intended meaning of a communication. Always consider how a communication would look in
tomorrow's newspaper, online at CNN, or presented by other global news outlets. If you need
additional guidance, please refer to the following Electronic Communications Guidance, as needed,
or contact Law.
Do:
Stay factual and think before you write.
Avoid legal conclusions, exaggeration, facetiousness, humor and slang.
Do not:
Publish or store communications or information that might be misconstrued or
misunderstood, particularly those that are communicated through electronic means.
Electronic Approvals
Electronic approvals, including electronic signatures, may be used, subject to Law, Tax and
Controller endorsement. Electronic approvals have several benefits, including saving time and
money by not having to print, fax, scan, and ship documents, and obtaining results faster by
sending a document and getting an electronic signature in minutes. Additionally, it is expected that
many transactions can be executed through electronic signature tools such as DocuSign if they
meet the requirements for use of electronic signature. However, not every email or document
involving an endorsement or approval will have to be electronically signed. Please review EMIT's
Electronic Approval Best Practices to understand the benefits (and risks) of various technologies
(e.g., DocuSign, SharePoint, MS Office) available for capturing electronic signatures and approvals.
Records Management
Manage email messages, LAN files, SharePoint files and other records according to the Records
Management Guidelines (RMG), including retention and deletion of controlled and discretionary
records. See the Basic Records Retention Schedule for the retention codes and, if applicable, the
Supplemental Records Retention Schedule.
Do:
Ensure that records subject to Litigation or Tax Holds are preserved in accordance with the
language of the Litigation Hold Notification or Tax Hold provisions of Sections 8 and 9 of
the RMG.
Data Privacy
Data Privacy laws have been enacted in over 100 countries and establish conditions under which
Personal Information should be processed (used in any way) and transferred (moved from one
company and/or country to another, including between EM affiliates).
It is the policy of ExxonMobil Corporation to comply with all Data Privacy laws. Comprehensive
guidance on this complex and changing area is maintained on the Data Privacy Website. Advice can
also be obtained from the Data Privacy Office.
Do:
Assume that all Personal Information, even basic Personal Information such as names,
phone numbers, and IDs, is subject to Data Privacy laws.
Avoid processing Personal Information if you can achieve the objective without it.
Become familiar with the Routine Use guidance, which explains how to perform common
business tasks within the legal constraints.
Process Personal Information in accordance with ExxonMobil Data Privacy Principles.
Ensure all participants in work events that are being recorded (i.e., capturing audio, video or
photographs in connection with ExxonMobil-related work, and includes the use of personal
or company-owned devices, whether in-person, online, or by other means) are aware of
being recorded and are free to opt out of participating in the activity. Some countries may
require formal consent when recording; please contact the Data Privacy Office for
additional guidance in this area.
Engage the Data Privacy Office to review all new or updated internal applications, mobile
apps developed for ExxonMobil, and Internet-based or cloud computing services to ensure
alignment with the guidance provided on the Data Privacy website.
Discard Personal Information once it has served the specific purpose for which it was
collected.
Do not:
Collect Personal Information that is unnecessary, excessive or irrelevant for the purpose.
Reuse Personal Information for a purpose other than the one for which it was collected.
Process Sensitive Personal Information without first consulting the Data Privacy Office.
Computers and Computer Software
Each device that you use is a valuable asset, so be aware of how to appropriately access and
protect your IT devices.
Do:
Use a Smart Card (physical or virtual) to log on to ExxonMobil computers unless you have an
approved technical deferral.
Manually screen-lock your computer or remove your Smart Card and ensure your
screen is locked when your computer is unattended, even for short periods.
Ensure Smart Cards are not stored or placed with your device.
Lock your computer in a drawer/office or take it home when you leave for the day when
using a Virtual Smart Card.
Use strong passwords that are meaningful to you but hard for someone else to guess.
If enabled, change the default BitLocker PIN(s) on your computer(s).
If you suspect your password has been compromised, change it immediately and notify your
supervisor or the IT Help Desk.
Appropriately secure your devices when in the office and while traveling. Follow local
practices for tethering or locking up your computer. See the Global Travel Safety/Security
Guidance.
Remove visible references to the Company from your laptop and laptop carrying case.
If your computer is lost or stolen, report the loss in accordance with the standard reporting
practice for your business.
Purchase, move and dispose of all Company computer hardware and software through
EMIT. Process Control equipment and software is handled according to local business
practices and not by EMIT.
Obtain all software used on ExxonMobil computers through the IT Services Portal.
Contact IT Asset Management if you have any questions concerning use or acquisition of
software not listed in the IT Services Portal.
Be aware of owner responsibilities for applications and software. If you are the owner of
software or an application, understand the system risks and determine the controls
consistent with the risks. Include the impacts to other applications/services when assessing
the risks. As an owner, it is your responsibility to ensure that a risk assessment is performed,
documented, approved, and periodically reviewed.
Do not:
Share your passwords or PINs with anyone or store this information where it can be found
by others.
Note: BitLocker PINs may be shared in certain limited situations (e.g., training laptops).
Give anyone your Smart Card, even temporarily, as Smart Cards can serve as a badge to
enter Company offices.
Leave your computer unattended after you leave for the day when using a Virtual Smart
Card.
Use Web-based email services such as Gmail or Yahoo mail from a Company computer
(e.g., desktop, laptop/tablet or terminal server), even if the site has not been blocked by
technical means, unless you have obtained a Web email exception.
Use Company resources to conduct non-Company activities, except as may be permitted in
the Personal Use Guidance for Electronic Devices.
Use Company resources (including company email addresses) to access, register,
download, view or store sexually explicit, illegal, or other material considered inappropriate
under the Company Standards of Business Conduct guidelines.
Use a Procurement Card (PCard) or American Express (AMEX) card to purchase computer
software unless given authorization by IT Asset Management.
Use, install, rename (in an attempt to disguise) or otherwise try to hide unauthorized files or
software (e.g., music/video files, screen savers, computer software, including freeware,
shareware, open source software or U3 USB software) on Company computers.
Copy or otherwise use software product key/file information on other ExxonMobil or
personal computers unless authorized by IT Asset Management.
Do not:
Share your passwords or PINs (e.g., mobile device passcode, Workspace PIN) with anyone,
or store this information where it can be found by others. Device passcodes and Workspace
PINs may be shared in certain limited situations for shared iOS devices.
Share a Company-owned mobile device with anyone, including family and friends.
Use a Company email address or Company credit card when setting up an account for a site
providing content downloads, including iTunes and the Apple Store, on a Company-owned
or personal BYOD device, in accordance with the Guidance for Use of Company-owned
Mobile Devices.
Use Company SIM (Subscriber Identity Module) cards in personal devices.
Use any mobile device while operating a motor vehicle.
Use Internet or cloud file-sharing services or sites such as Dropbox or iCloud to store, share
or transfer Company information on mobile devices without authorization.
Email Company information from a Company email account to a personal email account.
Use a Company mobile device to access, download, view or store sexually explicit, illegal or
other material considered inappropriate under Company guidelines.
Travel to countries with your Mobile device or the Workspace and Secure Mail apps
installed on your device without complying with the applicable countries' restrictions on
carrying of encryption products across the border. See the Restrictions on Traveling with
Mobile Devices and Global Travel Safety/Security site for specific country information.
Use any mobile device to photograph or make a video or audio recording of any Company
assets except in accordance with applicable guidance.
Network Protection
Protect ExxonMobil's computer network by only using certified devices and wireless equipment and
by only remotely connecting to known external networks.
Do:
Understand that most information (voice and data) transmitted via the ExxonMobil network
is not encrypted by default.
Consider additional controls consistent with MPI guidelines when transmitting MPI-
classified information across the network.
Understand that data traveling through private and public networks may be disclosed to
network support personnel (in the course of their normal duties), to unauthorized users, or
to a malicious party who may attempt to capture data as it passes through unsecured public
facilities.
Obtain EMIT (Network and Voice Solutions) endorsement for connections to the corporate
network from outside networks or devices, and any non-standard Internet services, before
implementation.
Understand that devices such as network printers, wireless routers, and hubs can pose a
reliability and security risk to the operation of the network and must be brought to EMIT's
attention so the risk and compensating controls can be evaluated.
Obtain EMIT endorsement for all non-approved wireless equipment before use in company
facilities. Note that wireless communications can be intercepted, resulting in possible
disclosure of data or unauthorized access to our networks.
Use good judgment when viewing Internet-based streaming content on ExxonMobil's
network, as this can place extra load on corporate network resources (e.g., avoid lengthy
clips, high definition feeds).
Do not:
Connect any non-company (personal, contractor, or third party) computing equipment or
any wireless computing devices to the corporate network (not including a guest Wi-Fi
network) without first completing the Internal Device Certification process.
Note: If you notice any external devices that were attached to your workstation without
your knowledge, contact the IT Help Desk immediately.
Connect a printer or scanner directly to your GME PC and to a wired or wireless network at
the same time.
Use network protocol analyzing software on company networks unless you are specifically
authorized by management.
Do not:
Grant Full Control to your My Site unless you perform periodic access reviews to ensure
access security.
Implement custom computer code (copied from the Internet or other unknown sources) or
third-party applications on any SharePoint site unless a risk assessment is performed and
approved by appropriate management.
Store content that is classified or covered by the Standard Research Agreement (SRA) or
the Upstream Cost Sharing Agreement (UCSA) in your My Site Shared Documents Folder,
since such content has access limitations. Consult the Manager of the SRA or UCSA as
applicable, for appropriate storage of such content.
Store Restricted content in wikis, blogs, lists, tags, discussion boards or other locations
where password protection is unavailable.
Store Restricted information unless it is password protected/encrypted/MS Rights
Management-protected prior to storage in a limited-access site.
Do not:
Use Web-based email services such as Gmail or Yahoo mail from a Company computer
(e.g., desktop, laptop/tablet or terminal server), even if the site has not been blocked by
technical means, unless you have obtained a Web email exception.
Conduct ExxonMobil business, email or store ExxonMobil information on personal email
(e.g., Gmail or Yahoo), personal PCs or personal Internet accounts without prior assessment
of risk and management approval. See Approval Process for Alternate/Equivalent Practices.
Mix personal and Company information on removable storage devices; keeping them separate
ensures that Company information is not inadvertently shared with others.
Join a Yammer or SharePoint extranet without approval.
Use removable storage devices from unknown or untrusted sources.
Voice Security (Phones, Faxes, Cell Phones, Audio Conferencing, Voice Mail)
Be cautious when using phones, audio conferencing, and voice mail.
Do:
Consider using additional controls when communicating MPI-classified information, since
voice services and voice mailboxes are not encrypted by default, should not be considered
totally secure, and can be monitored. For high and severe threat countries (map), contact
Global Security for assistance.
Be suspicious of abnormal requests for information from individuals that you may not know.
If you are not certain if the information should be shared with the requester, offer to call
them back. Legitimate callers will give you their name and number; other callers will usually
hang up.
Use caution when discussing Company business over a cellular phone in a location where
you may be overheard by others.
Ensure that the use of and costs for Company cellular phones are appropriate to your job.
Use audio conferencing bridges only for calls involving more than three people. Use Skype
for Business or the locally recommended audio conference solution, which may include a
third-party service. The moderator (or host) is responsible for properly securing the audio
conference. This includes managing access to screen-shared content, which is visible to
third-party and anonymous attendees in Lync/Skype meetings.
Do not:
Bring with you or use a Digital Enhanced Cordless Telecommunications (DECT)
communications device when traveling outside the country in which the device was
purchased. DECT devices used by the Company are listed in the Approved Device List.
Record phone calls or conference calls.
Social Media
Stay safe on social media.
Do:
Consider checking your privacy settings and avoid posting business travel plans on social
media sites.
Understand the conditions of use and follow specific rules for approved Company social
media sites (e.g., Mobil 1 Facebook, Yammer).
Ensure that your posts on internal and external facing sites (Company or personal) are in
compliance with anti-trust laws. Avoid discussion of any competitively-sensitive
information, such as pricing and future plans, when third parties have access to the site.
Avoid posting any disparaging comments relating to any Company with which ExxonMobil
does business.
Refer to Data Privacy advice on publishing any Personal Information, especially
photographs, on the ExxonMobil Yammer Network or other ExxonMobil social media sites.
Contact the Data Privacy Office for country-specific guidance for Angola, Argentina,
Azerbaijan, Germany, Italy, Mexico, Russia, South Korea or Spain.
Obtain consent from the Manager of the Standard Research Agreement (SRA) or Upstream
Cost Sharing Agreement (UCSA), as applicable, before posting any content that may be
subject to the SRA or UCSA.
Assume that all material (including graphics, content, audio, video) found on the Internet is
copyrighted, including YouTube videos. It is not necessary for material to include a
copyright notice or be a registered work for the material to be protected by copyright laws.
Consider using sources such as Getty Images (approved image provider for ExxonMobil),
rather than using material from the Internet. Prior to copying copyrighted material from the
Internet to the ExxonMobil Yammer Network or ExxonMobil social media sites, request
permission from the copyright owner if such copying is not permitted by the terms and
conditions of the site. This can often be done by using an email address found on the site.
Be careful about posting communications that might be misconstrued or misunderstood,
particularly those that are communicated through electronic means such as email, text, chat
or other messaging tools.
Periodically review and if necessary delete any of your content that no longer has value that
is posted on the ExxonMobil Yammer Network, Yammer extranets approved for your use,
and other ExxonMobil social media sites. Periodically review who has access to the content
posted on the ExxonMobil social media sites that you own (e.g., Yammer extranets or
Yammer network groups).
Use common sense when posting content to the ExxonMobil Yammer network and other
ExxonMobil social media sites. Content should be relevant to your business. Follow the
Harassment in the Workplace policy located in Standards of Business Conduct when
posting content.
Do not:
Post ExxonMobil's confidential, proprietary, or trade secret information. Additionally,
information that is subject to confidentiality obligations to third parties, legally privileged
information, and information classified as Restricted under the MPI Guidelines may not be
posted or otherwise distributed outside the Company.
Post information that relates to a matter that is the subject of an anticipated or ongoing
litigation proceeding or investigation.
If you work in the U.S., do not discuss the Company’s products on social media sites
without identifying yourself as an ExxonMobil employee in compliance with the Federal
Trade Commission (FTC).
Post classified material, content covered by Standard Research Agreement (SRA) or
Upstream Cost Sharing Agreement (UCSA), and information that is subject to contract
limitations (including non-disclosure or confidentiality provisions) to the ExxonMobil
Yammer Network and other ExxonMobil social media sites. Posting links to the information
hosted on our intranet site is acceptable; however, discussing the classified information is
not.
Create an ExxonMobil Yammer extranet or join a third-party Yammer extranet until your
formal request to the ExxonMobil Yammer Administrator has been approved.
UNIX/Linux
Keep workstations turned on at all times to allow required background IT processes to run.
Rebooting is acceptable if the computer is unresponsive.
Use the “ssh -X <machine name>” command for remote access.
Do not use the “xhost +” command in dot-files or interactively.
Dot-files within the HOME directory have default umask 027; reset permissions to 750 if
needed.
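
An added example, not part of the original guidance: a POSIX shell check of the two dot-file rules above. The function name audit_dotfiles and its output format are assumptions, as is reading "750" to mean no group-write bit and no permission bits for others; only a bare "xhost +" (access control switched off) is reported.

```sh
#!/bin/sh
# Audit the dot-files at the top level of a home directory.
# Findings, one per line:
#   PERM  <path>         mode grants more than 750 would
#   XHOST <path>:<line>  uncommented bare "xhost +" in a dot-file
# audit_dotfiles and the PERM/XHOST labels are hypothetical names.
audit_dotfiles() {
    dir=${1:-$HOME}
    for f in "$dir"/.[!.]*; do
        [ -e "$f" ] || continue            # glob matched nothing

        # Permission rule. Symlinks are skipped because their own mode
        # bits are not meaningful. Any of group-write (020) or the
        # three "other" bits (004, 002, 001) exceeds 750.
        if [ ! -L "$f" ] && [ -n "$(find "$f" -prune \
                \( -perm -020 -o -perm -004 -o -perm -002 -o -perm -001 \) \
                -print)" ]; then
            echo "PERM $f"
        fi

        # xhost rule. Only regular files are scanned. The pattern needs
        # "xhost" before any '#', then a '+' that stands alone, so
        # comments and "xhost +somehost" are not reported.
        [ -f "$f" ] || continue
        grep -nE '^[^#]*xhost[[:space:]]*\+([[:space:];]|$)' "$f" |
            while IFS=: read -r lineno rest; do
                echo "XHOST $f:$lineno"
            done
    done
    return 0
}

# Usage: audit_dotfiles "$HOME"
```

An empty result means no top-level dot-file broke either rule; files inside dot-directories such as .ssh are not descended into.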
Notes
Chennuru Tejeswarreddy