Key IT User Responsibilities

Introduction – Your Responsibilities

 As a user of ExxonMobil's IT assets including hardware, computers, and mobile devices,

software, and information, you assume certain responsibilities to protect them.
o You are expected to protect these assets according to the ExxonMobil System of Management
Control and the ExxonMobil Systems Security General Practices and follow the responsibilities
detailed below or equivalent practices agreed and documented by appropriate local
management. Further details regarding the guidance/best practices and how to receive
approvals for alternate or equivalent practices can be found in the various links provided in this
overview. This document summarizes the most important of these responsibilities and provides
guidance on how to follow them.
o Company information and systems on any computer, mobile device, and/or network are the
property of Exxon Mobil Corporation and its affiliates unless covered by contractual obligations
to a third party. Your use of ExxonMobil’s IT assets and information is not covered by any right
of privacy, except as otherwise provided by applicable law.
o Your Internet activity on company assets is subject to monitoring to the extent permitted by
applicable law and you should have no expectation of privacy in connection of your use of
company assets.
o Report misuse of corporate systems or corporate assets. If you uncover any misuse of systems,
or conduct which does not adhere to the Standards of Business Conduct, you are expected to
report it immediately to your supervisor. However, if you suspect a systems security weakness,
do not attempt to prove or demonstrate the weakness without proper authorization from
EMIT. If you're unsure how to obtain appropriate EMIT authorization, contact your Business IT
Manager.
o Failure to follow the Key IT User Responsibilities guidance may result in possible irregularity
investigation and disciplinary action up to and including termination.
Cyber Security Awareness
Awareness of cyber security issues enables you to use your computer and mobile devices safely.
The following behaviors may help safeguard you against cyber-crimes.
Do:
 Limit access to Company information in an appropriate manner, in keeping with MPI
guidelines.
 Report suspicious emails by clicking the Suspicious Email Reporting button in Outlook.
Delete SPAM emails, such as advertisements, which do not require reporting
 Report cyber-attacks or unusual computer behavior to the IT Help Desk
 Use removable media, such as USB drives, ONLY when required for business critical
purposes and with an approved exception. Encrypt information copied to the removable
media. Only use removable media from trusted sources.
 Educate yourself and your team on cyber security by accessing the IT Home Cyber Security
Page.
Do not:
 Use Web-based email services such as Gmail or Yahoo mail from a Company computer
(e.g., desktop, laptop/tablet or terminal server), even if the site has not been blocked by
technical means, unless you have obtained a Web email exception.
 Open attachments or web links in emails or text messages from untrusted sources.
Repeated mock-phishing failures will lead to loss of internet access.
 Visit unknown websites, or click on web links in pop-up windows (e.g., pop-up messages
that indicate your computer is infected). Contact the IT Help Desk immediately if you receive
alerts saying that your machine is/may be infected (do not click links or attempt to close the
message).
 Install, execute or rename (in an attempt to disguise) software on Company-owned IT
assets (workstations, servers, etc.) without proper authorization.
 Use Internet or Cloud file sharing services or sites such as GitHub, Dropbox or iCloud to
store, share or transfer Company information without authorization.
 Post ExxonMobil's confidential, proprietary, or trade secret information to social media
forums, or other internet sites. Additionally, information that is subject to confidentiality
obligations to third parties, legally privileged information, and information classified as
Restricted under the MPI Guidelines may not be posted or otherwise distributed outside the
Company.

Information Management and Protection

Information is a valuable asset, so be aware of how to appropriately convey it, classify it, print it and
store it. In addition, be aware of how long you should retain company information.
Management and Protection of Information (MPI)
Do:
 Classify, label and protect ExxonMobil information consistent with the MPI guidelines.
 Follow the HR Guidance on Safeguarding Company Private Information (e.g., performance
ranking data, medical history and salary information).
 Insert MPI classifications manually in the subject line when using Company mobile devices.
 Store information notes in an appropriate location that limits access to only those who
should have it. See EMIT Guidance for Protecting Electronic Information (EGPEI) for details,
including limitations on where Company information may be stored.

Do not:
 Send Company information from your Company account to your personal email account,
unless authorized.
 Over-classify information as MPI Proprietary, Private or Restricted. (Only classify records
that clearly meet the requirements for classification.)
Electronic Communications
Electronic communications such as email, voicemail, text, chat are subject to RMG retention
requirements. Because electronic communications are widely disseminated, around the globe, it is
important to recognize writing styles and uses of language that may cause misinterpretation of the
intended meaning of a communication. Always consider how a communication would look in
tomorrow's newspaper, online at CNN, or presented by other global news outlets. If you need
additional guidance, please refer to the following Electronic Communications Guidance, as needed,
or contact Law.
Do:
 Stay factual and think before you write.
 Avoid legal conclusions, exaggeration, facetiousness, humor and slang.

Do not:
 Publish or store communications or information that might be misconstrued or
misunderstood, particularly those that are communicated through electronic means.
Electronic Approvals
Electronic approvals, including electronic signatures, may be used, subject to Law, Tax and
Controller endorsement. Electronic approvals have several benefits including saving time and
money with not having to print, fax, scan, and ship documents and obtaining results faster by
sending a document and getting an electronic signature in minutes. Additionally, it is expected that
many transactions can be executed through electronic signature tools such as DocuSign if they
meet the requirements for use of electronic signature. However, not every email or document
involving an endorsement or approval will have to be electronically signed. Please review EMIT's
Electronic Approval Best Practices to understand the benefits (and risks) of various technologies
(e.g., DocuSign, SharePoint, MS Office) available for capturing electronic signatures and approvals.
Records Management
Manage email messages, LAN files, SharePoint files and other records according to the Records
Management Guidelines (RMG), including retention and deletion of controlled and discretionary
records. See the Basic Records Retention Schedule for the retention codes and, if applicable, the
Supplemental Records Retention Schedule.
Do:
 Ensure that records subject to Litigation or Tax Holds are preserved in accordance with the
language of the Litigation Hold Notification or Tax Hold provisions of Sections 8 and 9 of
the RMG.

Data Privacy
Data Privacy laws have been enacted in over 100 countries and establish conditions under which
Personal Information should be processed (used in any way) and transferred (moved from one
company and/or country to another, including between EM affiliates).
It is the policy of ExxonMobil Corporation to comply with all Data Privacy laws. Comprehensive
guidance on this complex and changing area is maintained on the Data Privacy Website. Advice can
also be obtained from the Data Privacy Office.
Do:
 Assume that all Personal Information, even basic Personal Information such as names,
phone numbers, and IDs, is subject to Data Privacy laws.
 Avoid processing Personal Information if you can achieve the objective without it.
 Become familiar with the Routine Use guidance, which explains how to perform common
business tasks within the legal constraints.
 Process Personal Information in accordance with ExxonMobil Data Privacy Principles.
 Ensure all participants in work events that are being recorded (i.e., capturing audio, video or
photographs in connection with ExxonMobil-related work, and includes the use of personal
or company-owned devices, whether in-person, online, or by other means) are aware of
being recorded and are free to opt out of participating in the activity. Some countries may
require formal consent when recording; please contact the Data Privacy Office for
additional guidance in this area.
 Engage the Data Privacy Office to review all new or updated internal applications, mobile
apps developed for ExxonMobil, and Internet-based or cloud computing services to ensure
alignment with the guidance provided on the Data Privacy website.
 Discard Personal Information once it has served the specific purpose for which it was
collected.

Do not:
 Collect Personal Information that is unnecessary, excessive or irrelevant for the purpose.
 Reuse Personal Information for a purpose other than the one for which it was collected.
 Process Sensitive Personal Information without first consulting the Data Privacy Office.
Computers and Computer Software
Each device that you use is a valuable asset, so be aware of how to appropriately access and
protect your IT devices.
Do:
 Use a Smart Card (physical or virtual) to logon to ExxonMobil computers unless you have an
approved technical deferral.
 Manually screen-lock your computer or remove your Smart Card and ensure your
screen is locked when your computer is unattended, even for short periods.
 Ensure Smart Cards are not stored or placed with your device.
 Lock your computer in a drawer/office or take it home when you leave for the day when
using a Virtual Smart Card.
 Use strong passwords that are meaningful to you but hard for someone else to guess.
 If enabled, change the default BitLocker PIN(s) on your computer(s).
 If you suspect your password has been compromised, change it immediately and notify your
supervisor or the IT Help Desk.
 Appropriately secure your devices when in the office and while traveling. Follow local
practices for tethering or locking up your computer. See the Global Travel Safety/Security
Guidance.
 Remove visible references to the Company from your laptop and laptop carrying case.
 If your computer is lost or stolen, report the loss in accordance with the standard reporting
practice for your business.
 Purchase, move and dispose of all Company computer hardware and software through
EMIT. Process Control equipment and software is handled according to local business
practices and not by EMIT.
 Obtain all software used on ExxonMobil computers through the IT Services Portal.
 Contact IT Asset Management if you have any questions concerning use or acquisition of
software not listed in the IT Services Portal.
 Be aware of owner responsibilities for applications and software. If you are the owner of
software or an application, understand the system risks and determine the controls
consistent with the risks. Include the impacts to other applications/services when assessing
the risks. As an owner, it is your responsibility to ensure that a risk assessment is performed,
documented, approved, and periodically reviewed.

Do not:
 Share your passwords or PINs with anyone or store this information where it can be found
by others.
Note: BitLocker PINs may be shared in certain limited situations (e.g., training laptops).
  Give anyone your Smart Card, even temporarily, as Smart Cards can serve as a badge to
enter Company offices.
 Leave your computer unattended after you leave for the day when using a Virtual Smart
Card.
 Use Web-based email services such as Gmail or Yahoo mail from a Company computer
(e.g., desktop, laptop/tablet or terminal server), even if the site has not been blocked by
technical means, unless you have obtained a Web email exception.
 Use Company resources to conduct non-Company activities, except as may be permitted in
the Personal Use Guidance for Electronic Devices.
 Use Company resources (including company email addresses) to access, register,
download, view or store sexually explicit, illegal, or other material considered inappropriate
under the Company Standards of Business Conduct guidelines.
 Use a Procurement Card (PCard) or American Express (AMEX) card to purchase computer
software unless given authorization by IT Asset Management.
 Use, install, rename (in an attempt to disguise) or otherwise try to hide unauthorized files or
software (e.g., music/video files, screen savers, computer software, including freeware,
shareware, open source software or U3 USB software) on Company computers.
 Copy or otherwise use software product key/file information on other ExxonMobil or
personal computers unless authorized by IT Asset Management.

Mobile Devices and Mobile Apps

Each Company-owned mobile device (e.g., smartphones, iPads) that you use is a valuable asset, so
be aware of how to appropriately access and protect your devices and associated mobile
applications.
We strongly recommend these practices also be followed for your personal mobile devices if you
participate in the ‘Bring Your Own Device’ (BYOD) program to access ExxonMobil data such as
company email, calendar, contacts and SharePoint sites.
Do:
 Be aware of owner responsibilities for mobile apps. If you are the owner of a mobile app,
understand the system risks and determine the controls consistent with the risks. Include
the impacts to other applications/services when assessing the risks. As an owner, it is your
responsibility to ensure that a risk assessment is performed, documented, approved, and
periodically reviewed.
 Follow the Mobile App Development Guidelines.
 Use strong passwords that are meaningful to you but are hard for someone else to guess.
 If you suspect your password has been compromised, change it immediately and notify your
supervisor or the IT Help Desk.
 Screen-lock your mobile device whenever it is unattended, even for short periods. Your
device should be set up to require re-entry of your password or PIN before you can return
to using it.
  Follow local practices to appropriately secure your devices when in the office. While
traveling you are expected to appropriately secure your mobile devices or keep them on
your person.
 Immediately report to the IT Help Desk if your mobile device is lost, stolen or transferred to
another person, and adhere to the standard reporting practice for your business.
 For Company-owned devices, submit a request to have it remotely erased of all
data.
 For BYOD devices, submit a request to have the secure container erased of
Company data.
 Purchase, move and dispose of all Company-owned mobile devices through EMIT.
 Read and understand the Guidance for Use of Company-owned Mobile Devices prior to
using a Company-owned mobile device to download apps, music, videos and other
content. Specific user responsibilities apply to these devices.
 Read and understand the BYOD Electronic Consent Form prior to using a BYOD device to
access Company data through the supported Workspace and Secure Mail apps.

Do not:
 Share your passwords or PINs (e.g., mobile device passcode, Workspace PIN) with anyone,
or store this information where it can be found by others. Device passcodes and Workspace
PINs may be shared in certain limited situations for shared iOS devices.
 Share a Company-owned mobile device with anyone, including family and friends.
 Use a Company email address or Company credit card when setting up an account for a site
providing content downloads, including iTunes and the Apple Store, on a Company-owned
or personal BYOD device, in accordance with the Guidance for Use of Company-owned
Mobile Devices.
 Use Company SIM (Subscriber Identity Module) cards in personal devices.
 Use any mobile device while operating a motor vehicle.
 Use Internet or cloud file-sharing services or sites such as Dropbox or iCloud to store, share
or transfer Company information on mobile devices without authorization.
 Email Company information from a Company email account to a personal email account.
 Use a Company mobile device to access, download, view or store sexually explicit, illegal or
other material considered inappropriate under Company guidelines.
 Travel to countries with your Mobile device or the Workspace and Secure Mail apps
installed on your device without complying with the applicable countries' restrictions on
carrying of encryption products across the border. See the Restrictions on Traveling with
Mobile Devices and Global Travel Safety/Security site for specific country information.
 Use any mobile device to photograph or make a video or audio recording of any Company
assets except in accordance with applicable guidance.
Network Protection
Protect ExxonMobil's computer network by only using certified devices and wireless equipment and
by only remotely connecting to known external networks.
Do:
 Understand that most information (voice and data) transmitted via the ExxonMobil network
is not encrypted by default.
 Consider additional controls consistent with MPI guidelines when transmitting MPI-
classified information across the network.
 Understand that data traveling through private and public networks may be disclosed to
network support personnel (in the course of their normal duties), to unauthorized users, or
to a malicious party who may attempt to capture data as it passes through unsecured public
facilities.
 Obtain EMIT (Network and Voice Solutions) endorsement for connections to the corporate
network from outside networks or devices, and any non-standard Internet services, before
implementation.
 Understand that devices such as network printers, wireless routers, and hubs can pose a
reliability and security risk to the operation of the network and must be brought to EMIT's
attention so the risk and compensating controls can be evaluated.
 Obtain EMIT endorsement for all non-approved wireless equipment before use in company
facilities. Note that wireless communications can be intercepted, resulting in possible
disclosure of data or unauthorized access to our networks.
 Use good judgment when viewing Internet-based streaming content on ExxonMobil's
network, as this can place extra load on corporate network resources (e.g., avoid lengthy
clips, high definition feeds).

Do not:
 Connect any non-company (personal, contractor, or third party) computing equipment or
any wireless computing devices to the corporate network (not including a guest Wifi
network) without first completing the Internal Device Certification process.
Note: If you notice any external devices that were attached to your workstation without
your knowledge, contact the IT Help Desk immediately.
 Connect a printer or scanner directly to your GME PC and to a wired or wireless network at
the same time.
 Use network protocol analyzing software on company networks unless you are specifically
authorized by management.

SharePoint (My Sites, Team Sites and Surveys)

Protect your SharePoint sites.
Do:
 Follow the ExxonMobil Guidance for using SharePoint.
 Manage which users should be allowed to access the site and the permissions they receive.
 Ensure that all content published on My Sites or Team Sites follows Records Management
Guidelines (RMG) and complies with all laws, including but not limited to laws relating to
export controls, copyright, data privacy, and anti-trust.
 Follow Data Privacy Guidelines on SharePoint Surveys and Publishing Photographs.
 Comply with all third-party confidentiality obligations in posting content to My Sites and
Team Sites.
 Perform periodic access reviews on Team Sites including all sub-sites.
 Perform a My Site access review only in unique situations where a My Site owner has
assigned another user to manage the access security (via SCA/Full Control role).
 Periodically review site(s) for accurate and current content.
 Use file-level password protection/encryption/MS Rights Management for Restricted
Distribution documents, prior to uploading in SharePoint.

Do not:
 Grant Full Control to your My Site unless you perform periodic access reviews to ensure
access security.
 Implement custom computer code (copied from the Internet or other unknown sources) or
third-party applications on any SharePoint site unless a risk assessment is performed and
approved by appropriate management.
 Store content that is classified or covered by the Standard Research Agreement (SRA) or
the Upstream Cost Sharing Agreement (UCSA) in your My Site Shared Documents Folder,
since such content has access limitations. Consult the Manager of the SRA or UCSA as
applicable, for appropriate storage of such content.
 Store Restricted content in wikis, blogs, lists, tags, discussion boards or other locations
where password protection is unavailable.
 Store Restricted information unless it is password protected/encrypted/MS Rights
Management-protected prior to storage in a limited-access site.

ExxonMobil Data Outside of Company Network

If you send company data to a third party, follow these practices to safeguard the data:
Do:
 Perform appropriate risk assessments prior to sending, storing and/or processing
ExxonMobil data on any third-party computer system or website via the Internet. Where
warranted, conduct a review of the third party. Use appropriate data protection measures
such as encryption (e.g., Microsoft Office password protection) for data being sent or
transferred outside the Company network.
  Consult with EMIT, Procurement, Law, and the Data Privacy Office to ensure that contracts
with third-party service providers contain appropriate terms and conditions prior to
sending, storing and/or processing ExxonMobil data on any third-party computer system or
website via the Internet.
 Obtain IT endorsement for any agreement which results in ExxonMobil data being
processed or stored in third party computer systems or services. IT endorsement is also
required for agreements to allow Joint Venture (JV) access to company computer
networks, IT equipment or other IT supported applications.
 Obtain appropriate Delegation of Authority Guidelines (DOAG) endorsements and
approvals before releasing any Company information outside ExxonMobil. This includes
MPI-classified and unclassified information and applies to formal releases, such as media
and survey information, as well as sharing Company-related information with third parties
or on the Internet, such as social networking sites and blogs. This includes external file
sharing sites such as GitHub.
 Comply with applicable laws, including, but not limited to laws relating to data privacy,
export/import controls, copyright, trade sanction, and regulations regarding access to
personal information, information disclosure, legal privilege, technology, technical
information and software.
 Evaluate whether it is appropriate to enter into a third-party confidentiality agreement, and
ensure that you are in compliance with any applicable third-party confidentiality obligations.
 Obtain consent from the Manager of the Standard Research Agreement (SRA) or Upstream
Cost Sharing Agreement (UCSA), as applicable, before sharing such data with third parties
or with non-signatory affiliates.
 Conduct appropriate risk assessments prior to allowing joint ventures to access Company
information, computer networks, IT equipment or EMIT-supported software as necessary.
Remember that joint ventures are treated as third parties. Consult with Procurement to
insure that ExxonMobil software licenses permit access by joint ventures. Obtain all
endorsements required by the DOAG.
 Obtain approvals for third-party extranets, and manage the content consistent with the
approved scope of those extranets.
 Avoid printing from public computers, as data may be stored inadvertently on these devices
and retrieved by others.
 Receive exception approval prior to the use of removable storage devices (e.g., USB
drives/memory devices, secure digital cards, CDs, DVDs).
 Encrypt (e.g., MS BitLocker encryption) information copied to removable storage devices,
where required.

Do not:
 Use Web-based email services such as Gmail or Yahoo mail from a Company computer
(e.g., desktop, laptop/tablet or terminal server), even if the site has not been blocked by
technical means, unless you have obtained a Web email exception.
  Conduct ExxonMobil business, email or store ExxonMobil information on personal email
(e.g., Gmail or Yahoo), personal PCs or personal Internet accounts without prior assessment
of risk and management approval. See Approval Process for Alternate/Equivalent Practices.
 Mix personal and Company information on removable storage devices to ensure that the
Company information is not inadvertently shared with others.
 Join a Yammer or SharePoint extranet without approval.
 Use removable storage devices from unknown or untrusted sources.

Voice Security (Phones, Faxes, Cell Phones, Audio Conferencing, Voice Mail)
Be cautious when using phones, audio conferencing, and voice mail.
Do:
 Consider using additional controls when communicating MPI-classified information, since
voice services and voice mailboxes are not encrypted by default, should not be considered
totally secure, and can be monitored. For high and severe threat countries (map), contact
Global Security for assistance.
 Be suspicious of abnormal requests for information from individuals that you may not know.
If you are not certain if the information should be shared with the requester, offer to call
them back. Legitimate callers will give you their name and number; other callers will usually
hang up.
 Use caution when discussing Company business over a cellular phone in a location where
you may be overheard by others.
 Ensure that the use of and costs for Company cellular phones are appropriate to your job.
 Use audio conferencing bridges only for calls involving more than three people. Use Skype
for Business or the locally recommended audio conference solution, which may include a
third-party service. The moderator (or host) is responsible for properly securing the audio
conference. This includes managing access to screen-shared content, which is visible to
third-party and anonymous attendees in Lync/Skype meetings.

Do not:
 Bring with you or use a Digital Enhanced Cordless Telecommunications (DECT)
communications device when traveling outside the country in which the device was
purchased. DECT devices used by the Company are listed in the Approved Device List.
 Record phone calls or conference calls.

Social Media
Stay safe on social media.
Do:
 Consider checking your privacy settings and avoid posting business travel plans on social
media sites.
  Understand the conditions of use and follow specific rules for approved Company social
media sites (e.g., Mobil 1 Facebook, Yammer).
 Ensure that your posts on internal and external facing sites (Company or personal) are in
compliance with anti-trust laws. Avoid discussion of any competitively-sensitive
information, such as pricing and future plans, when third parties have access to the site.
Avoid posting any disparaging comments relating to any Company with which ExxonMobil
does business.
 Refer to Data Privacy advice on publishing any Personal Information, especially
photographs, on the ExxonMobil Yammer Network or other ExxonMobil social media sites.
Contact the Data Privacy Office for country-specific guidance for Angola, Argentina,
Azerbaijan, Germany, Italy, Mexico, Russia, South Korea or Spain.
 Obtain consent from the Manager of the Standard Research Agreement (SRA) or Upstream
Cost Sharing Agreement (UCSA), as applicable, before posting any content that may be
subject to the SRA or UCSA.
 Assume that all material (including graphics, content, audio, video) found on the Internet is
copyrighted, including YouTube videos. It is not necessary for material to include a
copyright notice or be a registered work for the material to be protected by copyright laws.
Consider using sources such as Getty Images (approved image provider for ExxonMobil),
rather than using material from the Internet. Prior to copying copyrighted material from the
Internet to the ExxonMobil Yammer Network or ExxonMobil social media sites, request
permission from the copyright owner if such copying is not permitted by the terms and
conditions of the site. This can often be done by using an email address found on the site.
 Be careful about posting communications that might be misconstrued or misunderstood,
particularly those that are communicated through electronic means such as email, text, chat
or other messaging tools.
 Periodically review and if necessary delete any of your content that no longer has value that
is posted on the ExxonMobil Yammer Network, Yammer extranets approved for your use,
and other ExxonMobil social media sites. Periodically review who has access to the content
posted on the ExxonMobil social media sites that you own (e.g., Yammer extranets or
Yammer network groups).
 Use common sense when posting content to the ExxonMobil Yammer network and other
ExxonMobil social media sites. Content should be relevant to your business. Follow the
Harassment in the Workplace policy located in Standards of Business Conduct when
posting content.

Do not:
 Post ExxonMobil's confidential, proprietary, or trade secret information. Additionally,
information that is subject to confidentiality obligations to third parties, legally privileged
information, and information classified as Restricted under the MPI Guidelines may not be
posted or otherwise distributed outside the Company.
 Post information that relates to a matter that is the subject of an anticipated or ongoing
litigation proceeding or investigation.
  If you work in the U.S., do not discuss the Company’s products on social media sites
without identifying yourself as an ExxonMobil employee in compliance with the Federal
Trade Commission (FTC).
 Post classified material, content covered by Standard Research Agreement (SRA) or
Upstream Cost Sharing Agreement (UCSA), and information that is subject to contract
limitations (including non-disclosure or confidentially provisions) to the ExxonMobil
Yammer Network and other ExxonMobil social media sites. Posting links to the information
hosted on our intranet site is acceptable; however, discussing the classified information is
not.
 Create an ExxonMobil Yammer extranet or join a third-party Yammer extranet until your
formal request to the ExxonMobil Yammer Administrator has been approved.

Residual Risks of EMIT Services

There are residual risks associated with core EMIT services. A list of the Residual Risks associated
with these services is available in IT Controls Manager (ITCM).

Approval Process for Alternate/Equivalent Practices

 You are expected to follow the guidance referred to in this document, however, equivalent
alternate practices may be deemed appropriate, if ALL the following apply:
 Changes are driven by specific business or country requirements.
 They comply with the intent of this document.
 They are previously reviewed by an appropriate EMIT Controls Advisor during the
design phase of the alternate practices to determine if impact** to the Corporate IT
network requires further EMIT management endorsement.
 They are documented and endorsed by the appropriate local/functional
management responsible for the equivalent practices and, if deemed necessary
above, the EMIT IT Risk Management Manager.
** Corporate IT Impact could include, but is not limited to, situations involving Network or Cyber
Security.

Upstream Technical Computing Services (UTCS) Users Only

Users of Upstream Technical Computing Services (UTCS) IT assets such as software, data, and
Windows/UNIX/Linux systems have additional responsibilities to ensure proper asset use and
protection. Please review and engage your local Upstream IT support contact for questions.
Software
 Exit UTCS software when not in use to release the license for others to use, where
applicable.
Data
 Classify, share and manage technical output such as maps, logs and montages per
Management and Protection of Information (MPI) guidelines.
 Store technical data in appropriate Windows and UNIX project data locations (e.g.,
StanLAN).
 Locally stored data should be encrypted where technically feasible and periodically
backed-up in a location other than the local disk.
 UNIX/Linux – Do not store data in your HOME (/users/<userid>), tmp or spool
directories.
 Notify local/regional UIT support staff regarding data with special limitations (e.g., contract
use rights, no back-up).

UNIX/Linux
 Keep workstations turned on at all times to allow required background IT processes to run.
 Rebooting is acceptable if the computer is unresponsive.
 Use the “ssh –X <machine name>” command for remote access.
 Do not use “xhost+” command in dot-files or interactively.
 Dot-files within the HOME directory have default umask 027; reset permissions to 750 if
needed.

Notes

1. The words ExxonMobil's IT assets in this message mean all computing,

telecommunications, network, and information systems resources owned by ExxonMobil
Global Services Company and its affiliates (ExxonMobil or Company) and the information
stored on them, subject to the Corporate Assets Policy.
2. The words ExxonMobil IT and EMIT in this message refer to the IT Division of ExxonMobil
Global Services Company.
3. Classified information means Private, Proprietary or Restricted information.
4. UTCS, a subset of ExxonMobil IT, provides Upstream technical geoscience and engineering
applications as well as associated technical data on Windows and UNIX hardware.

Chennuru Tejeswarreddy