mis policy

INFORMATION TECHNOLOGY POLICY, CODE OF PRACTICE

& PROCEDURE MANUAL

CONTENTS

SECTION A : INFORMATION TECHNOLOGY POLICY 1. Policy Statement SIB/MIS/P/001 2. Information Technology Facilities SIB/MIS/P/002 Usage 3. Electronic Mail SIB/MIS/P/003 4. IT Equipment Lifecycle Policy SIB/MIS/P/004 SECTION B : INFORMATION TECHNOLOGY CODE OF PRACTICE 1. Physical Security of Information SIB/MIS/COP/001 2. Employment, Education & Training SIB/MIS/COP/002 SECTION C : INFORMATION TECHNOLOGY PROCEDURE MANUAL 1. E-Mail Services SIB/MIS/PM/001 2. Computer Usage Procedure SIB/MIS/PM/002

INFORMATION TECHNOLOGY POLICY

SSSAAA PPPUUU RRRAAA IIINNN DDDUUU SSSTTT RRRIII AAALLL BBB EEERRRHHHAAA DDD DDD ooo ccc uuu mmm eee nnn ttt NNN ooo ... ::: SSS III BBB /// MMM III SSS /// III TTT PPP /// 000 000111

IIINNNFFFOOORRRMMMAAATTTIIIOOONNN TTTEEECCCHHHNNNOOOLLLOOOGGGYYY PPPOOOLLLIIICCCYYY III sss sss uuu eee NNN ooo ... ::: 111 ... 000

PPPOOOLLLIIICCCYYY SSSTTTAAATTTEEEMMMEEENNNTTT RRR eee vvv ... NNN ooo ::: 000 ... 000

DDD aaa ttt eee ::: 111 sss ttt... MMM aaa yyy 222 000 000 777

PPP aaa ggg eee ::: 111 ooo fff 555

SIB/MIS/ITP/001 Page 1 of 5

INTRODUCTION

1.1 GENERAL

1.1.1 Information System plays a major role in supporting the day-to-day activities of the Company. The availability, reliability, confidentiality and data integrity of the Company Information Systems are essential to success of company activities.

1.1.2 This manual outlines statements relating to the Information System Policies & Procedures

governing the employment of all employees in the Company. They relate to their use of company-owned/ leased/ rented and on–loan facilities, to all private systems, owned/ leased/ rented/ on-loan, when connected to the company network directly or indirectly to all company-owned/ licensed data/ programs, be they on Company or on private systems, and to all data/ programs provided to Company by external agencies or sponsors. It is envisaged that by doing so, written policies and procedures will be interpreted equitably by those in supervisory and management positions on regular basis within the Company.

1.1.3 The Company reserves the right to amend, delete, augment any policy or procedure or part

thereof as and when deemed necessary for any individual employee or group of employees. The Senior Management and Managing Director shall approve all changes to the policies and procedures.

1.1.4 The Information System Policies and Procedures in general may be reviewed at any time if

it needs to be reviewed. A task force shall be formed to review and make recommendation on the revised policies or procedures. All revised policies and procedures shall require the approval of the Senior Management and Managing Director “Deviation” from the approved policies and procedures are to be notified to the Head of Department Management Information System Department.

1.1.5 Head of Management Information System Department shall responsible for ensuring the

updating of this manual and communication any policy and procedure changes to employees of the company. The head of subsidiaries or those assigned will be responsible for disseminating the changes to employee. They shall notify the Head of Department Management Information System whenever problems are encountered or when improvements are to be made.

1.1.6 The Head of Department Management Information System of Sapura Industrial Berhad shall

be custodian of Information Technology Policies and Procedures.

1.1.7 This manual is assigned to all Head of Subsidiaries or any other personnel approved by Senior Management of Sapura Industrial Berhad.







1.2 POLICY OBJECTIVE

The objectives of the Policies are to:

• Ensure that all of the Company computing facilities, programs, data, network and equipment are adequately protected against loss, misuse or abuse.

• Ensure that all users are aware of and fully comply with this Policy Statement and all

associated policies and are aware of and work in accordance with the relevant Code of Practice.

• Ensure that all users are aware of and fully comply with the relevant Malaysian legislation.

• Create across the Company the awareness that appropriate security measures must be

implemented as part of the effective operation and support of Information Security. • Ensure that all uses understand their own responsibilities for protecting the confidentiality

and integrity of the data they handle.

1.3 EXCEPTION OF POLICIES

1.3.1 No exception will be made to the policies and procedures without the written approval of the Head of Department Management Information System of Sapura Industrial Berhad (unless otherwise provided for in this manual) who is the custodian of Information Technology Policies and Procedure. In the event you feel dissatisfied with the action or non-action of those implementing the Policies and Procedures in the allowing or disallowing any exception, a written explanation describing the deviation is to be forwarded to the Head of Department Management Information System of Sapura Industrial Berhad.

1.4 DEFINITIONS The following definitions shall apply in the manual unless expressly stated otherwise:

1.4.1 The “Company” shall mean Sapura Industrial Berhad Group’s of Companies. 1.4.2 “ Policy” shall mean the company’s specific standpoint or general of company goal

1.4.3 “Procedure” shall mean the methodology or specific steps used in the implementation of

the policy.

1.4.4 “Management’ shall mean Executive who have supervisory responsibilities and or accountable for the work performance of their subordinates.

1.4.5 “Supervisor” shall mean immediate supervisor, Head of Department, Head of Section or

Head of Unit.







1.4.6 The masculine gender “He” shall include the feminine gender unless otherwise expressly stated. Words in the singular will include the plural except the text clearly indicated otherwise.

1.5 POLICY APPROVAL

This Policies and Procedures have been approved by the Managing Director, Chief Operating Officer and Senior Management who has delegated the implementation of it to the Head of Management Information System.

1.6 RESPONSIBILITIES FOR INFORMATION SYSTEMS SECURITY

1.6.1 The Managing Director is responsible for approving the Information System Policies and Procedures and the associated policies and for ensuring that they are discharged to the various subsidiaries, departments and staff through Heads of those units.

1.6.2 Head of Subsidiaries and Supervisor are required to implement the Policies with respect to

the systems that are operated by their Subsidiaries, Departments and Units. They are responsible for ensuring that staff and anyone else authorized to use those systems are aware of and comply with them and the associated Code of Practice. To assist them in this, they are required to appoint a Custodian for each system operated by them, the duties of which are set out in a Code of Practice associated with the Policies.

1.6.3 It is the responsibility of each individual to ensure his understanding of and compliance

with the Policies and the associated Code of Practice. 1.7 COMPLIANCE WITH LEGISLATION

1.7.1 The Company has an obligation to abide by Malaysian legislation. Of particular importance in this respect is Computer Crimes Act 1997. The requirement for compliance devolves to all users defined in (1.1.2) above, who may be held personally responsible for any breach of the legislation.

1.8 RISK ASSESSMENT AND SECURITY REVIEW BY SUBSIDIARIES AND DEPARTMENT

1.8.1 Custodians must periodically carry out a risk assessment of the system that they are currently responsible for, including the Information System security control currently in place. This is to take into account changes to operating systems changing Company requirement and priorities and any changes in the relevant legislation, hence revisiting their security arrangements accordingly.

1.8.2 Head of Subsidiaries and Supervisor should establish effective Contingency Plans

appropriate to the outcome of any risk assessment. In addition, they are required to carry out an annual assessment of the security arrangements for their Information Systems and submit a report on this to MIS Department.







1.9 BREACHES OF SECURITY

1.9.1 The MIS Department will monitor network activity, reports from Malaysian Computer Emergency Response Team (MyCERT) and other security agencies and take action/ make recommendations consistent with maintaining the security of the Company Information System.

1.9.2 Any Head of Subsidiaries suspecting that there has been, or likely to be breach of

Information System security should inform the Head of MIS Department immediately, who will then advise the Company on what actions should be taken.

1.9.3 In the event of the suspected or actual breech of security, the Head of MIS Department may,

after consultation with the relevant Custodian or Head of Subsidiaries, make inaccessible/ remove any unsafe user/ login names, data and/or programs on the system from the network.

1.9.4 Any breach of security of an Information System could lead to destruction or loss of security

of personal information. This would be an infringement of the Computer Crime Act 1977 and could lead to civil or criminal proceedings. It is vital, therefore that users of the Company’s Information Systems comply with the Policies.

1.9.5 The Managing Director or Chief Operating Officer has the authority to take whatever action

is deemed necessary to protect the Company against breaches of security. 1.10 POLICY AWARENESS AND DISCIPLINARY PROCEDURES

1.10.1 The new members of staff will have a copy and /or explanations given by the Human Resource Department. Existing staff of the Company, authorized third parties and contractors given access to the Company network will be advised of the existence of this Policy Statement and the availability of the associated policies, codes of practice and procedures that are published on the Company Intranet.

1.10.2 Failure of an individual member of the staff to comply with the Policies my lead the

investigation of the relevant disciplinary procedures and in certain circumstances, legal action may be taken. Failure of the contractor to comply could lead to the cancellation of a contract.

1.11 SUPPORTING POLICIES, CODES OF PRACTICE AND PROCEDURES

1.11.1 The Supporting Policies, Code of Practice and Procedures associated with this Policy Statement are available on the Company Intranet. Staff and any third parties authorized to access the Company Intranet to use the systems and facilities identified in 1.1.2 of this Policy Statement, are required to familiarize themselves with these and to work in accordance with them.







1.12 STATUS OF THE INFORMATION SYSTES SECURITY POLICIES

1.12.1 The Policies do not form part of a formal contract of employment with the Company, but it is a condition of employment that employees will abide by the regulations and policies made by the Company from time to time.

SSSAAA PPPUUU RRRAAA IIINNN DDDUUU SSSTTT RRRIII AAALLL BBB EEERRRHHHAAA DDD DDD ooo ccc uuu mmm eee nnn ttt NNN ooo ::: SSS III BBB /// MMM III SSS /// III TTT PPP /// 000 000222

IIINNNFFFOOORRRMMMAAATTTIIIOOONNN TTTEEECCCHHHNNNOOOLLLOOOGGGYYY PPPOOOLLLIIICCCYYY III sss sss uuu eee NNN ooo ... ::: 000 111

FFFAAACCCIIILLLIIITTTIIIEEESSS UUUSSSAAAGGGEEE RRR eee vvv NNN ooo ... ::: 000 000

DDD aaa ttt eee ::: 111 sss ttt MMM aaa yyy 222 000 000 777



1.0 PURPOSE 1.1 To establish a procedure of the Information Technology facilities usage of the Company

1.2 To clearly define the use of all network, computer systems, computer hardware, software and

internal access and computer codes in the Company.

2.0 SCOPE

The policy applies to all the Company employees (hereinafter referred to as “users”) whose access to use IT facilities owned, leased, rented or on-loan by the Company.

3.0 DEFINITIONS

3.1 HR - Human Resources 3.2 MIS - Management Information System 3.3 CAPEX - Capital Expenditure 3.4 PO - Purchasing Order 3.5 DO - Delivery Order

3.6 LAN - Local Area Network 3.7 IT - Information Technology 3.8 “Company” - Sapura Industrial Berhad Group of Companies 4.0 PROCEDURES

4.1 The use of the Company computer hardware and software is for official purpose. 4.2 Workstations shall be located in a physically protected environment where access control measures are in place and applied consistently. 4.3 The maintenance of hardware and software shall only be done by authorized contractors who have the appropriate security clearances.

4.4. Procurement of Computer Equipment

4.4.1 In order to acquire computer equipment or software, procurement process needs to follow standard guidelines of the Company Capital Expenditure (CAPEX) procedure. MIS Department shall advise on the need and specification of purchase equipment.

4.4.2 Upon received, Purchaser must fill up the “Computer Registration Form” and submit

it to MIS Department within seven (7) days together with the copy of documents.







4.5 Computer Security

4.5.1 Every computer must be protected by a password. The password must consist of at least five (5) letters or/and numbers. It needs to be changed within three (3) months interval or when necessary.

4.6 Unlicensed/Unauthorized Software (Anti-Piracy)

4.6.1 No unlicensed software, privately owned software, games, public domain software or pornographic material shall be installed or loaded on official computer equipment.

4.7 Piracy

4.7.1 This involves the blatant copying of computer programs and the making of copies on disks for distribution to others. Regardless of what is done with the copies, the action of copying is against the law.

4.7.2 It is deemed an infringement even if copies are made for the copyist's own domestic use, unless this is specifically allowed by the copyright owner under a "home use" policy or the copies are legitimate back-up copies.

4.7.3 Whilst there may be a moral difference between people copying software to sell to others and those copying for personal use, there is no legal distinction between the two – both are illegal.

4.8 Dealer Infringement

4.8.1 Dealers who load software packages on hardware that is then supplied to a client are clearly infringing copyright. Providing reproductions of manuals to go with illicit software is also an infringement.

4.9 End-user Infringement

This typically occurs in one of the following forms:-

4.9.1 Use of Infringing Copies

4.9.1.1 The end-user breaks the law whenever he or she uses a program that has been illegally copied from a floppy, compact disk, hard disk (or whatever other means) on to a computer.

4.9.1.2 Copyright is infringed not only by the person who initiated the copying but by all subsequent people using copied programs. In addition, if an end-user makes use of a legitimate copy of a program contrary to the terms of the license, or in a situation where there is no implied license, copyright is being infringed.

4.9.2 Use in a Local Area Network (LAN)







4.9.2.1 Whenever software packages are sold for use on a network, the number of users is designated. As soon as an extra user is provided access to this software, an infringement is constituted.

4.9.3. Use of Unauthorized Screen Savers

4.9.3.1 Screensavers may not be loaded by computer users. The reasons for this are numerous, but the main reason is that many of these are "downloaded" from the Internet and could contain "new" viruses which the latest virus protection software cannot detect.

4.9.3.2 Secondly, some are not compatible with certain types of software and cause endless problems (usually the computer "hangs" or "freezes" and all unsaved work is lost when the computer has to be re-started), which is unnecessary and unacceptable.

4.9.3.3 All screen-savers are memory resident (they are automatically activated after a pre-determined period of time when the computer is not being used) and this tends to slow the processing time of the computer down.

4.10 Pornographic Material

Persons found with any form of pornographic or offensive material within their directories or on the hard-drives of their computers, or it is found that they are distributing this material by whatever means (e-mail, diskettes, placing it on the computer network etc.), will be formally charged with misconduct and, depending on the severity of the matter, handed over to the Malaysian Police Services for prosecution.

4.10. System Security

The used of system utility programs (e.g. monitoring/sniffing tools), that might be capable of overriding system and application controls, is prohibited. Where an employee might want to load such software for whatever reason, a written request for the loading of the software must be submitted to the Head of the MIS Department, stating the reasons for the loading of the software and the duration that it will be required. It is the responsibility of each user to ensure that no unauthorized software is installed on the computer systems allocated to them.

4.12. The user shall be held liable for any unlicensed software that is found in their possession, and as such will take full responsibility of the consequences that might follow by contravening the Malaysian Copyright Act.

4.13 General Care of Computer Equipment

4.13.1 Potted plants, coffee mugs, water decanters etc. must not be placed on computers as any form of liquid can potentially damage the equipment and will most certainly leave unsightly stains on the external casing.

4.13.2 Computer equipment must also not be “decorated” with anything non removable, e.g.: stickers, graffiti etc., as such things reduce the value of the equipment significantly.







4.13.3 Computer equipment should always be kept clean and dust free. Computer screens, external casings, and keyboard keys can be cleaned with anti static cleaner and a lint-free duster. Never use a dripping wet cloth to clean the equipment.

4.13.4 Practices such as eating, drinking and smoking should not be exercised whilst working at a computer as cigarette ash and bits of food are invariably dropped or spilt on the computer’s keyboard, resulting in damage.

4.14 Staff Leaving/ Staff Termination/ Resignation

4.14.1 When staff joining the Company, the subsidiary head arranges access to the network on their behalf. It is therefore also the subsidiary head’s responsibility to ensure that when staff leaves the service that their user accounts are removed from the network.

4.14.2 The subsidiary head or HR department must contact the MIS department and provide the user’s particulars as well as instructions pertaining to the data that resides in the user’s home directory on the network.

4.14.3 If this is not carried out, the ex-staff member’s user account will remain on the network. Network security is therefore seriously breached as the ex-staff member could easily gain access to data on the network and remove or manipulate it.

4.15 Asset Tracking & Recording

4.15.1 Upon delivery of the assets IT related hardware/software, purchasing department shall submit copy of quotation/PO/DO/Invoice to MIS Department.

4.15.2 Purchasing/Account department inform the asset tagging, location & user’s name for the asset.

4.15.3 Account department should inform for any transfer or dispose of assets.



EEELLLEEECCCTTTRRROOONNNIIICCC MMMAAAIIILLL RRR eee vvv NNN ooo ... ::: 000 000




1.0 PURPOSE

1.1 The purpose of this "Electronic Mail Policy" is to establish guidelines and minimum requirements governing the acceptable use of the Company electronic mail (e-mail) services.

2.0. SCOPE

2.1 This policy applies to all the Company employees (hereinafter referred to as "users") whose access

to or use of e-mail services is funded by the Company or is available through equipment owned/ leased/ rented and on-loan facilities by the Company.

3.0 DEFINATIONS

3.1 E-mail - Electronic Mail refers to the electronic transfer of information, in

the form of electronic messages, memorandum and attached documents from a sending party to one or more receiving parties via an intermediate telecommunications system. Stated differently, e-mail is a means of sending messages between computers using a computer network.

3.2 “Company” - Sapura Industrial Berhad Group of Companies. 3.3 Virus - A virus is a piece of computer code that attacks itself the program

or file, so it can spread from computer to computer, infecting as it travels. Viruses can damage your software, hardware and files.

3.4 Encryption - A method of “scrambling” data using a cryptographic algorithm

based on a secret key that is known only to the originating system and the destination system.

4.0 RESPONSIBILITIES

4.1 The Company reserves the right to amend this policy from time to time at its discretion. In case of amendments and revisions, users will be informed appropriately.

4.2 The management of the Company has the right to access or monitor the e-mail user contents of

massages and attached document.

4.3 The Company reserves the right to revoke or limit the User’s access to this e-mail account and address at any time. Common reasons for e-mail access revocation include the failure to comply with the Company policies, and termination of the employee’s service with the Company.







5.0 APPROPRIATE USE OF COMPANY E-MAIL RESOURCES Use of e-mail facilities is subject to all the same laws, policies and codes of practice that apply to the use

of other means of communications and shall comply with the Company policy on Facilities Usage. Access to the publication of information on the Web shall also subject to this policy.

5.1 Users may not use Company resources and facilities to transmit:

• Commercial material unrelated to illegitimate business of the Company, including the transmission of bulk e-mail advertising (spamming).

• Bulk non-commercial-mail unrelated to the legitimate business activities of the Company

that is likely to cause offence or inconvenience to those receiving it. This includes the use e-mail exploders (i.e. list servers) at the Company and elsewhere, where the e-mail sent is unrelated to the stated purpose for which the relevant e-mail exploder was to be used (spamming).

• Unsolicited e-mail messages requesting other users, at the Company of elsewhere, to

continue forwarding such e-mail messages to others, where those e-mail messages have no business information purpose (chain e-mails).

• E-mails that purport to come from an individual other than the user actually sending the

massage or with forged addresses (spoofing). • Material that is sexist, racist, homophobic, xenophobic, pornographic, pedophilic or

similarly discriminatory and or offensive. • Material that advocates or condones, directly or indirectly, criminal activity or which may

otherwise damage the Company’s activities in Malaysia or abroad. • Text or images to which a third party holds an intellectual property right, without the

express written permission of the copyright holder. • Material that is defamatory, libelous or threatening. Material that could be used in order to

breach computer security, or to facilitate unauthorized entry into computer systems. • Material that is likely to prejudice or seriously impede the course of justice in Malaysian

criminal or civil proceedings. • Material containing personal data about third parties, unless their permission has been

given explicitly.

5.2 Whilst the Company provides staff with access to e-mail systems for the conduct of Company-related business, incidental and occasional personal use of e-mails is permitted so long as such use does not disrupt or distract the individual from the conduct of Company business (i.e. due to







volume, frequency or time expended) or restrict the use of those systems to other legitimate users.

6.0 PENALTIES FOR IMPROPER USE OF E-MAIL FACILITIES

6.1 Failure to comply with this e-mail policy could result in access to the facility being withdrawn or, in more serious cases, to disciplinary action being taken.

6.2 The Head of MIS Department shall be the final arbiter of whether e-mail messages are in breach

of this e-mail policy or not.

7.0 PRIVACY

7.1 Data users must assume that all e-mail by default is not secure and thus, they should not send via e-mail any information that is confidential, private or sensitive in nature. The use of e-mail encryption technologies such as PGP (Pretty Good Privacy) will improve the confidentiality of the e-mail, although they are by no means perfect.

7.2 Users may not under any circumstances, monitor and intercept or browse other users e-mail

messages unless authorized to do so.

7.3 In all other circumstances, monitoring, interception and reading of other users e-mail by network and computer operations personnel or system administrators may only occur with the permission of the Head of MIS Department.

7.4 The Company reserves the right to access and disclose the contents of a user’s e-mail

massages, in accordance with its legal and audit obligations and for legitimate operational purposes. The Company reserves the right to demand those encryption keys, where used, is made available so that it is able to fulfill its right of access to a user’s e-mail messages in such circumstances.

8.0 BEST PRACTICES 8.1 The Company considers e-mail as an important means of communication and recognizes the

importance of proper e-mail content and speedy replies in conveying a professional image and delivering good customer services. Users should take same care in drafting an-email as they would for any other communication. Therefore the Company wishes users to adhere to the following guidelines:

8.1.1 Writing e-mails:

• Write well-structure e-mails and use short, descriptive subject. • The Company style is informal. This means that sentences can be short and to the

point. The use of internet abbreviations and characters such as smiley however, is not encouraged.







• Signatures must include you name, job title and company name. and should follow company branding guideline.

• User must spell check all mails prior to transmission.

• Do not send unnecessary attachments. Compress attachments larger than 1MB before sending them.

• Do not write e-mails in capitals.

• Do not use cc. or bcc: fields unless the cc: or bcc: recipient is aware that you will be copying a mail to him/ her and knows what action, if any to take.

• If you forward mails, state clearly what action you expect the recipient to take.

• Only send e-mails of which the content could be displayed on a public notice board.

If they cannot be displayed publicly in their current state, consider rephrasing the e-mail, using other means of communication or protecting information by using a password.

• Only mark e-mails as important if they really are important.

8.1.2 Replying to e-mails: • E-mails should be answered within at least eight (8) working hours, but users must

endeavor to answer priority e-mails within four (4) hours.

• Priority e-mails are emails from existing customers and business partner.

9.0 WRITTEN AGREEMENT REQUIRED

Users having access to state-provided e-mail services are advised that all such network activity is the property of the group, and therefore, they should not consider any activity to be private. All users of e-mail services are required to acknowledge acceptance of and intention to comply with this "Electronic Mail Policy" by signing the Company E-Mail Request Form.

INFORMATION TECHNOLOGY CODE OF PRACTICE

SSSAAA PPP UUURRR AAA III NNNDDD UUUSSSTTTRRR IIIAAA LLL BBBEEERRR HHHAAADDD DDD ooo ccc uuu mmm eee nnn ttt NNN ooo ::: SSS III BBB /// MMM III SSS /// CCC OOO PPP /// 000 000111

CCCOOODDDEEE OOOFFF PPPRRRAAACCCTTTIIICCCEEE III sss sss uuu eee NNN ooo ... ::: 000 111

PPPHHHYYYSSSIIICCCAAALLL SSSEEECCCUUURRRIIITTTYYY OOOFFF IIINNNFFFOOORRRMMMAAATTTIIIOOONNN

RRR eee vvv NNN ooo ... ::: 000 000

DDD aaa ttt eee ::: 111 sss ttt ... MMM aaa yyy 222 000 000 777


SIB/MIS/COP/001 Page 1 of 3

PURPOSE

To maintain the physical security of the hardware used to store and process information as it is to

ensure the security of information contained within the Company information systems.

2.0 SCOPE

2.1 Specific code of practice covering: physical security of Information System.

3.0 DEFINATIONS 3.1 PIN - Personal Identification Number 4.0 PROCEDURES 4.1 SECURITY OF PREMISES

4.1.1 Security of Premises

While it is difficult to make premises in accompany completely secure, buildings

and offices are now equipped with strong locks that provide a good level of

protection against opportunist intrudes so long as they are used intelligently and

correctly by those who have a right of access.

In order to reduce the risk of theft, the following rules should be adhered to:

4.1.1.1 Offices or rooms that house valuable equipment should not be left

unattended with the door unlocked or with window open.

4.1.1.2 Keep an eye open for anyone who appears to be loitering in the vicinity of

locked door, challenge him or her and report any suspicions to the

authorize personnel:

4.1.1.3 Where buildings/offices are secured by card controlled doors or keypads

looks, do not lend your card to anyone or give away details of PIN/ keypad

number;








4.1.1.4 Valuable equipment or equipment storing valuable data should not be

located in a vulnerable location such as just beside the fire escape door or

beside the window that can see from the outside.

4.1.2 Security of People

In order to ensure your personal safety and that of your colleagues:

4.1.2.1 Challenge anyone who you suspect has no right to be on the premises in a

friendly way by offering to help them find the location they are looking for.

4.1.2.2 Avoid confrontation and conflict with anyone who reacts aggressively and

contact your authorize personnel/ security lodge immediately.

4.1.2.3 Do not take any action that may endanger you or other members of the

Company by causing a potential or actual thief.

4.1.3 Security of Equipment

In order to ensure that you computing equipment itself is secure:

4.1.3.1 All computers and other equipment with a value of more than RM300.00

must be clearly marked as company property, security tagged and recorder

on company inventory. This should be done as soon as possible after the

installation and set-up of the equipment.

4.1.3.2 All computers, others equipments including hardware and software

marked as company property must be insured.

4.1.3.3 Carry out a risk assessment in relation to the cost of the replacing the

equipment and the value of the data stored on it in order to determine

what additional security measures need to be taken, such as marking, cable

restraint, lockdown fixtures, alarms and arrange fitting as soon as possible;

4.1.3.4 Dispose of any computer packaging as quickly as discretely as possible in

order not to advertise the arrival of new equipment.








4.1.4 Security of Data

4.1.4.1 Any media containing data that has been backed up should be held

securely i.e. in a locked container, drawer or cupboard and placed in

allocation commensurate with a department’s procedures for ensuring

business continuity i.e. away from the area where that data is normally

processed.

Before disposing of computing equipment ensure that any data held on the hard

disk is destroyed by fully reformatting the hard disk, or using special tools to

overwrite the hard disk’s contents with random, useless data.



EEEMMMPPPLLLOOOYYYMMMEEENNNTTT,,, EEEDDDUUUCCCAAATTTIIIOOONNN AAANNNDDD TTTRRRAAAIIINNNIIINNNGGG





PURPOSE

To address the new staff on information security at the recruitment stage.

2.0 SCOPE

2.1 Specific code of practice covering: on relevant security responsibilities.

3.0 DEFINATIONS 3.1 IS - Information System 3.2 IT - Information Technology 4.0 PROCEDURES 4.1 SECURITY IN JOB DESCRIPTIONS

Security roles and responsibilities as laid down in the Company IS Security Policies should

be included in the job descriptions, where appropriate. These should include any general

responsibilities for implementing the security policies as well as any specific responsibilities

for implementing the security policies as well as specific responsibilities for the protection

of particular assets, or for the execution of particular security processes of activities.

4.2 RECRUITMENT SCREENING

Applications for employment should be screened if the job involves access to the company

Information Systems for handling of commercially or otherwise sensitive information, as

identified by the relevant Custodian. The checks should include obtaining two (2) character

references, checking the accuracy of CV’s confirmation of academic or professional

qualifications and carrying out identification check.

4.3 CONFIDENTIALITY AGREEMENT

When signing acceptance of conditions of employment, user of IT facilities will be required

to agree to respect the confidentiality of any information that they encounter in their work.

Confidentiality agreements should be reviewed when there are changes to the terms of

employment or when contracts are due to be renewed..

4.4 INFORMATION SECURITY EDUCATION AND TRAINING



EEEMMMPPPLLLOOOYYYMMMEEENNNTTT,,, EEEDDDUUUCCCAAATTTIIIOOONNN AAANNNDDD TTTRRRAAAIIINNNIIINNNGGG





New users of IT facilities and staff should be instructed on the Company policies and codes

of practice relating to information security and given training on the procedures relating to

the security requirements of the particular work they are to undertake and on the correct

use of the Company IT facilities in general before access to IT services is granted They

should be made aware of the reporting procedures to be adopted in respect of different

types of incident (security breach, threat, weakness or malfunction) which might affect the

security of information they are handling, as set out in Information System Security Policies.

INFORMATION TECHNOLOGY PROCEDURE MANUAL

SSSAAA PPP UUURRR AAA IIINNN DDDUUU SSSTTT RRRIII AAALLL BBB EEERRRHHHAAA DDD DDD ooo ccc uuu mmm eee nnn ttt NNN ooo ::: SSS III BBB /// MMM III SSS /// PPP MMM /// 000 000111

PPPRRROOOCCCEEEDDDUUURRREEE MMMAAANNNUUUAAALLL III sss sss uuu eee NNN ooo ... ::: 000 111

EEE--- MMMAAAIIILLL SSSEEERRRVVVIIICCCEEESSS RRR eee vvv NNN ooo ... ::: 000 000



SIB/MIS/PM/001 Page 1 of 2

1.0 PURPOSE

1.1 To establish and maintain the procedure or guidelines and minimum requirements governing the acceptable use of the Company electronic mail (e-mail) services.

2.0. SCOPE

2.1 This policy applies to all SIB Group employees whose access to or use of e-mail services is funded

by the Group or is available through equipment owned or leased by the Company. 3.0 DEFINATIONS

3.1 “Company” - Sapura Industrial Berhad Group of Companies 32 E-mail - Electronic Mail refers to the electronic transfer of information, in

the form of electronic messages, memorandum and attached documents from a sending party to one or more receiving parties via an intermediate telecommunications system. Stated differently, e-mail is a means of sending messages between computers using a computer network.

3.3 MIS - Management Information System 4.0 RESPONSIBILITIES

4.1 User and MIS Department

5.0 ATTACHMENTS

5.1 E-Mail Services Form 5.2 E-Mail Services Process Flow

6.0 PROCEDURES

6.1 All E-mail address requested to be initiated by raising of E-mail Services Form and the step as follows:

i. New E-mail Account fill-up by requester ii. Reactivated Disabled/ Blocked Account fill-up by Human Resources Department

representative. iii. Approved by Head of Subsidiaries/ General Manager iv. Submit to MIS Department trough Human Resource Department



EEE--- MMMAAAIIILLL SSSEEERRRVVVIIICCCEEESSS RRR eee vvv NNN ooo ... ::: 000 000




6.2 All the E-mail Services Form shall clearly specify the requirement which my include the

followings:

i. Desired e-mail ID (e.g. [email protected]) , nick name are strongly avoided. ii. Justification and effective date.

6.3 The MIS Department shall determine the availability of e-mail accounts allocation and suitability of desired e-mail ID.

6.4 E-mail account shall be created for the requester subject to availability of E-mail account and

notify the requester default password and the e-mail user shall be guided by MIS representative to set an E-mail on Outlook Express and how to access E-mail trough Web Mail.

6.5 The representative of MIS Department shall inform the requester within five (5) working days

receipt of the application form if they require any additional information or ready to commencement the e-mail account.

6.6 Copy of successful E-mail application form shall be sent to SIB Group Account/ Finance

Department for charges preparation.

6.7 Human Resources Department shall be notify MIS Department within five (5) working days on any employee tendering their resignation or termination from his services or for temporary block account/reactivated disabled due to his disciplinary action taken by the company.

SIB/ MIS / EMS/ 01-01

E-Mail Services Form1. User Particulars

name : designation :

department : desired e-mail id : 1.

company : 2.

tel no./ext : (e.g: [email protected])

date of requested :

2. Detail of Request

New Account Effective Date:

Justification

Reactivate Disabled / Blocked Account Effective Date: Justification

Delet Exsiting Account Effective Date:

Justification

Applicant Particulars I have read, understood and acknowledge receipt of Acceptable E-mail policy below. I hereby agree to comply with the rules and regulations as stated in the policy and understand the falure to comply will result in severe diascplinary action.

name signature date

Approval by General Manager

name signature date

MIS Use Only date received:

e-mail account created by

initial password effective date:

SIB Account/ Finance Use

received date approved by

charge to date approved

3. Acceptable Internet & E-Mail Use PolicyIntroductionSapura Industrial Berhad Group of Companies provides staff with Internet access and e-mail communication services as required for the performance and fulfill of job responsibilities. These services are for purpose of increasing productivity and not for non-business activities.

Use PolicyOccasional and reasonable personnel use of SIB Group Internet & e-mail services is permitted, provided that this does not interfere with work performance These services may be used outside of scheduled hours of work, provided that such use is consistent with professional conduct.

Users should have no expectation of privacy while using company-owned or company-leased equipment. Information passing through or stored on company equipment can and will be monitored.

Violations of internet and e-mail use include, but are not limited to, accessing, downloading, uploading, saving, receiving or sending material that includes sexually explicit content or other material using vulgar, sexist, racist, threatening, violent or defamatory language. Users should not useSIB Group services to disclose corporate information without prior authorization. Gambling and illegal activities are prohibited on company resources.

Infringements of this policy will investigated on a case by-case basis.

Your signature indicate that you have read SIB Group internet and e-mail use policy. By signing this document means that you agree toabide by the regulations set in this policy.

INPUT PROCESS FLOW WHO OUTPUT DESCRIPTION

Completed

Form - Approved by GM of company

NO

YES

- Evaluation base on company

e-mail allocation.

E-mail Account - creat E-mail account base

Created on desired e-mail idMIS TECHNICIAN

E-Mail Request Form

E-Mail Request Form

HEAD OF MIS

ASST. SYS. APPLICATION

E-Mail Request Form

E-Mail Request Form


DOC NUM : PFC/SIB/MIS/EMS/01-02DATE ESTABLISH :01/04/07REV : 0.0PAGES : 1 of 1E-MAIL SERVICES FLOW CHART

PROCESS FLOW CHART

RECEIVED APPLICATIONFORM

PREPARE FOR E-MAIL INSTALLATION

EVALUATE REQUISITION

VERIFY

STOP

NO

OK

- copy form send to SIB Acct.for

charges.

REQUESTER


APPLICATION

REQUESTERREQUESTER RECEIVED

E-MAIL ACC.

INFORM SIBACC. DEPT.

TEST RUN

END


Completed

Form - Approved by GM of company

NO

YES

- copy form send to SIB Acct.

E-mail Account - E-mail account terminated base

Terminated on HR application.

E-Mail Termination Form


HEAD OF MIS

E-Mail Termination Form

E-Mail Termination FormASST. SYS.

APPLICATION

E-Mail Termination Form MIS TECHNICIAN


DOC NUM : PFC/SIB/MIS/DATE ESTABLISH : 01/04/07REV : 0PAGES : 1 of 1E-MAIL TERMINATION

PROCESS FLOW CHART

RECEIVED APPLICATIONFORM HR

PREPARE FOR E-MAIL TERMINATION

EVALUATE REQUISITION

E-MAIL ACC. TERMINATION

VERIFY

STOP

INFORM ACC. DEPT.

END



CCCOOOMMMPPPUUUTTTEEERRR UUUSSSAAAGGGEEE PPPRRROOOCCCEEEDDDUUURRREEE RRR eee vvv NNN ooo ... ::: 000 000




1.0 PURPOSE

1.1 To ensure new employee have access to Information Technology resources and services should dedicated to legitimate group business and is governed by rules of conduct.

2.0. SCOPE

2.1 Every time are made to newly appointed staff.

3.0 DEFINATIONS 3.1 Nil

4.0 RESPONSIBILITIES

4.1 The Human Resource Department Managers of subsidiaries or its appointed nominee.

5.0 ATTACHMENTS

5.1 Information Technology User Declaration Agreement. 5.2 Process Flow Information Technology User Declaration Agreement.

6.0 PROCEDURES

6.1 The Human Resource Manager or its appointee and the immediate superior shall responsible for filling the Information Technology User Declaration Agreement as part of Employee Orientation Checklist has to submit to Human Resource Department within five (5) working days of completion.

6.2 Human Resources Department Manager or its appointee shall be explaining the contents of

Information Technology User Declaration Agreement to the newly appointed staff.

6.3 The completed declaration agreement shall keep safely in his personal file.

SIB/MIS/CUP/02-01

SAPURA INDUSTRIAL GROUP OF COMPANIES

INFORMATION TECHNOLOGY USER DECLARATION AGREEMENT

Access to information technology resources and services has been granted to me, as a privilege, for performing job duties and responsibilities for my Directorate. I have read and agree to abide by the policies and procedures which govern my use of these services: COMPUTER, E-MAIL AND INTERNET ACCEPTABLE Usage Statement USE POLICY I will refrain from monopolizing systems, overloading networks with excessive data, or wasting computer time, connect time, disk space, printer paper, or other information technology resources. I will report to SIB management any observations of attempted security violations or illegal activities. I will report to SIB management if I receive or obtain information to which I am not entitled.

By signing this agreement, I certify that I understand and accept responsibility for adhering to the policies, procedures, and additional Sapura Industrial Berhad Group terms and conditions listed above. I also acknowledge my understanding that any misuse on my part may result in disciplinary action including, but not limited to, termination of my access privileges. Employee Name (Print): __________________________ Signature: _______________________

Date: _______________

Head of Section/Subsidiary: Name: ______________________________ Signature: __________________________ Date: __________________


Completed

Form

- Approved by GM of company

- Document keep in the Employee

Personnel File

HEAD OF SUBSIDIARIES /

Information Technology Declaration Agreement Form

E-Mail Request Form

GENERAL MANAGER

HR DEPT.


HR DEPT.


DOC NUM : PFC/SIB/MIS/ITDA/0DATE ESTABLISH :01/05/07REV : 0.0PAGES : 1 of 1

INFORMATION TECHNOLOGYDECLARATION AGREEMENT FLOW CHART

PROCESS FLOW CHART

RECEIVED IT DECLARATION AGREEMENT FORM

APPROVAL

END

FILLING

mis policy

Documents

company information

use of company

company network

success of company activities

sss ttt

revised policies

sss sss uuu eee nnn

procedure changes