
Airswift Holdings Ltd.

IT Security Policy
Date of Issue: 05 July 2016
Version: 1
Owner: Chief Information Officer


Important Notice:

1. This procedure is a Controlled Document and shall not be amended without the authority of the Chief
Information Officer.
2. Any queries or feedback concerning the contents of this Document should be addressed to the Quality
and Compliance Manager (Global).
3. This procedure is reviewed annually or when there is a change to business practices.
4. This document should be retained indefinitely and only removed should the procedure become
obsolete.

Document Control – Revisions and Amendments

Version Number | Effective Date | Author | Amendments | Reason for Amendments

Objective

The Airswift policy is to ensure that IT systems, including computer systems, network components and
electronic data, are adequately protected from a range of threats. The policy covers all aspects of the
environment: systems, administration systems, environmental controls, hardware, software, data and
networks.

Policy

It is the Policy of Airswift to ensure:


• Information is protected from unauthorised access.
• Valuable or sensitive information is protected from unauthorised disclosure.
• The accuracy and completeness of information is assured.
• Individual accountability is established for all system activity.
• All regulatory and legislative requirements are met.
• Airswift reserves the right to audit networks and systems on a periodic basis to ensure compliance
with this policy.
• Facilities are only used for authorised activities.
• Information security education is available to all employees.

Security Policy

Monitoring: Airswift provides the network, personal computers, electronic mail and other communications
devices for your use on company business. Airswift may access and disclose all data or messages stored on
its systems or sent over its electronic mail system. Airswift reserves the right to monitor communication and
data at any time, with or without notice, to ensure that company property is being used only for business
purposes. The company also reserves the right to disclose the contents of messages for any purpose at its
sole discretion. No monitoring or disclosure will occur without the direction of either the department head, or
executive leadership, unless otherwise noted.

Retrieval: Notwithstanding the company's right to retrieve and read any e-mail messages, such messages
should be treated as confidential by other employees and accessed only by the intended recipient. Employees
are not authorised to retrieve or read any e-mail messages that are not sent to them and cannot use a
password, access a file, or retrieve any stored information unless authorised to do so.

The following activities are strictly prohibited, with no exceptions:

• Violations of the rights of any person or company protected by copyright, trade secret, patent or other
intellectual property, or similar laws or regulations, including, but not limited to, the installation or
distribution of "pirated" or other software products that are not appropriately licensed for use by
Airswift.

• Unauthorised copying of copyrighted material including, but not limited to, digitisation and distribution
of photographs from magazines, books or other copyrighted sources, copyrighted music, and the
installation of any copyrighted software.

• Exporting software, technical information, encryption software or technology in violation of
international or regional export control laws, which is illegal. IT should be consulted prior to export of
any material that is in question.

• Effecting security breaches or disruptions of network communication. Security breaches include, but
are not limited to, accessing data of which the employee is not an intended recipient or logging onto
a server or account that the employee is not expressly authorised to access, unless these duties are
within the scope of regular duties.

Data Security

• Airswift attaches great importance to the secure management of the data it holds and generates. Staff
are accountable for any mismanagement or loss of it.

• Airswift holds a variety of sensitive data, including personal information about staff and contractors. If
you have been given access to this information, you are reminded of your responsibilities under data
protection law.

• Airswift provides secure and practical remote access to information and data held within its various
systems environments and IT infrastructure. In most cases, gaining access to such data from an
offsite point of electronic access will prove sufficient and safe for most needs and is the recommended
general mode of remote use of such data and information.

• Any copying or original creation of sensitive data and information onto any form of portable media
transport device or mechanism (Memory Stick, CD, DVD, External Hard Drive, PDA, portable music
player, Laptop, etc.) or its transportation beyond the secure environment it was intended to be used
within (systems environment, PC environment, office etc.) carries additional responsibilities for the
individual undertaking such activity.

• Airswift only allows staff to access company data via company-owned devices. In some instances
we do allow staff to use their personal phones to access company email; this is at management's
discretion, and staff are required to sign the additional paperwork to comply with the IT
Security Policy applicable to the use of personal devices. These devices are able to be remotely
wiped to protect our data.

• No Company-owned data/information may be transferred to, or used on, personally owned equipment
unless specifically approved by line management. This includes backing up company data to personal
online backup solutions such as Dropbox, USB devices and DVDs.

ELECTRONIC MAIL & Skype for Business

• Access to the Airswift email service is provided to users for authorised business purposes only and,
while limited and infrequent use for non-business purposes is permissible, sending and receiving
personal emails with large attachments (>20Mb) is prohibited. This is because a volume of 20MB or
larger is likely to be blocked at the recipient's e-mail servers, and because of PC performance issues.

• Do not share your account details with anyone, and do not disclose your password to anyone,
including your co-workers/IT. Do not use other people's accounts and do not attempt to gain
unauthorised access to data and resources. Change your password frequently, ideally every 50 - 60
days. Passwords must comply with Airswift's password policy.

• The content of e-mail messages should be carefully considered. An e-mail is not akin to a telephone
conversation. Inappropriately worded e-mails may expose the company in any subsequent litigation or
regulatory investigation. You should not write anything in an e-mail which you would not be
prepared to see produced in court proceedings or be read by regulators. The guiding principle is: if you
would not put it in a letter, then do not put it in an e-mail. Deletion of e-mails does not mean the e-mail
is lost forever. Microsoft Email Archiving services keep a copy of every e-mail sent and received
externally.

• Staff must not send email messages that are abusive, malicious, discriminatory on the basis of age,
gender, sexual orientation, religion or political beliefs, are defamatory about any person or
organisation, or which contain inaccurate, illegal or offensive material or language.

• Users of the Airswift e-mail service should also discourage external contacts from sending them
inappropriate material. All incoming e-mail is filtered and in the interests of security and general
systems' management, many file attachment types are automatically blocked at Microsoft. If users do
receive something which causes concern or offence, then it should be reported to IT at
IT@airswift.com as soon as possible. Users should also be careful to whom they give their e-mail
address; unsolicited mail shots and other material can be both a nuisance and place unacceptable
strain on the system.

• Check your mailbox on a frequent basis and review your Inbox and delete all unwanted items. Failure
to complete this exercise will have a detrimental effect on your email storage.

• Forwarding of email to your personal e-mail address is prohibited and will result in disciplinary action if
continued instances are identified. http://outlook.com/airswift.com is in place to provide a secure
connection to the Airswift webmail.

SKYPE FOR BUSINESS

The Skype for Business service is provided to users for authorised business purposes only, while limited and
infrequent use for non-business purposes is permissible. Skype for Business should be used as the default
communication tool for IM, video/audio calls and desktop sharing with Airswift. Skype use is prohibited within
the organisation. Again, you should not write anything in a Skype IM which you would not be prepared to see
produced in court proceedings or be read by regulators. Microsoft Archiving services keep a copy of every
Skype conversation sent and received externally.

SYSTEM AND NETWORK ACTIVITIES

Computer Security: Only legally licensed software will be installed on Airswift computers. Users are
expected to read, understand and conform to the license requirements of any software product(s) they use or
install. Software cannot be copied or installed without the permission or involvement of the IT department.
IT will configure all workstations with virus protection software, which should not be removed or disabled.
Each employee is responsible for protecting their computer against virus attack/s by following IT guidelines for
scanning all incoming communications and media, and by not disabling the anti-virus application installed on
their workstation. All data disks and files entering or leaving Airswift should be scanned for viruses.

Access to Airswift Computers: Airswift will provide computer accounts to all Airswift staff. External people
who are determined to be strategically important to Airswift, such as temporary staff, volunteers, or
contractors, will also be provided accounts as appropriate, on a case-by-case basis. The employee managing
the temporary or contract staff assumes responsibility for the identification of access requirements and use of
the account. Accounts will be revoked on request of the user or manager or when the employee terminates
employment at Airswift.

Passwords: Access to the system is confidential and must not be revealed to other employees. If access to
another employee's PC is required, the department manager or IT department will log the individual on to the system.

VIRUSES & EXTERNAL SOFTWARE


To ensure information assets are protected from all virus related threats, whether internal or
external, deliberate or accidental, the following list of Do’s and Don’ts must be complied with.

Do
• Inform IT when you receive either a USB or CD for usage, ensuring possible viruses are kept to a
minimum.

• Lock all diskettes/CD ROMs away when not in use.

• Ensure that only original versions of software are used. This will reduce the risk of virus infection and
ensure compliance with Copyright laws.

• Ensure that all virus incidents are immediately reported to IT.

• Ensure information assets are protected from all virus related threats, whether internal, external,
deliberate or accidental, and ensure all licensing laws are adhered to and not breached.

Do Not

• Download or install software (including screen savers or wallpaper) from the Internet. Downloads
should only be completed by appropriate IT support functions who will virus check and test the
software prior to release.

• Disable your anti-virus scanner. If performance problems are experienced, contact the IT department.

• Install personally owned software on company equipment.

• Install company owned data or software on personally owned equipment.

• Allow other people to access company's IT assets.

REMOTE CONNECTIVITY

Ensure that you comply with Airswift IT security policy when using our remote connections (RDC/VPN/Remote
App). Also make sure the remote connection is logged off when it is not in use. Only devices that
are fully patched and up to date with Antivirus are authorised to connect remotely to our services.

INTERNET USE

When on the internet, employees must regard themselves as representing Airswift and must conduct
themselves so as to avoid bringing Airswift into disrepute. To achieve this, the following list of Do's and Don'ts
must be adhered to. Access to sites not relating to work should be kept to a minimum. Downloading explicit,
copyrighted or pirated materials is strictly forbidden and could result in criminal proceedings. Visiting
suspicious websites should be avoided.

Do
• Keep access to a minimum to reduce the impact on overall network performance.

• Reasonable private internet use (must not compromise your work).

Do Not
• Access, publish or transmit material of a potentially offensive or illegal nature.

• Download or install software (including screen savers or wallpaper). Downloads must only be
completed by appropriate IT support functions that will virus check and test the software prior to
release.

• Transmit copyright protected material as this may contravene copyright and licensing laws.

• Change the Internet software configuration on your workstation.

COMPANY MOBILE PHONES

The Company provides mobile phones to employees based on the needs of their job and the business.
Company mobile phones remain the property of the Company at all times and must be returned on request or
on the last day of your employment if you leave the Company. The Company reserves the right to prohibit or
require removal of certain apps on Devices used for Company purposes for any reason, including apps that
are deemed to be security risks. Only approved mobile applications can be used on company mobile devices.

Do
• Immediately notify the Company by calling your local IT or designated company representative who
manages your mobile if the Device is lost or stolen.
• Device must lock itself with a PIN (personal identification number set by you).
• Keep personal calls and data usage to a minimum. Monthly spend will be monitored on a regular
basis; any out-of-plan spend which does not conform to policy or is considered to be excessive will be
automatically flagged for review and referred to the account holder's Line Manager. The Company
reserves the right to recover any out-of-plan spend which does not conform to policy from the account
holder's salary.

Do Not
• Include any comments in texting/voice calls that could be construed as offensive or defamatory.
• Knowingly install software applications on the Device that may have the potential to expose Company
Information to unauthorized parties (such as iCloud for device backup).
• Allow other people to use the company mobile phone.

PLEASE SEND THE COMPLETED SLIP TO YOUR LOCAL HR REPRESENTATIVE.

Employee Acknowledgement

Name: _________________________________

• I confirm that I have read and understood the contents of the ‘Information Systems
– Acceptable User Policy’ document and will comply with its requirements.
• I understand that failure to comply with these requirements could result in
disciplinary action.

• I consent to reasonable interception by the Company of any emails I send or
receive. This consent applies to both internal and external mails.
• I consent to the monitoring by the Company of my Internet use.

Signed: Date:
_______________________________ _______________________________
