Ref. No.: CPP-IT-0201_V2_Network Services Acceptable Usage Policy.doc 

Prepared	W. Cundangan		04/26/2017
Approved	R. Eldridge		05/01/2017

1.1 The purpose of this policy is to outline and establish guidelines the acceptable use of company IT services and equipment. 

2.1 This policy applies to the use of information, electronic and computing devices, and network resources to conduct Infinit-o business or interact with internal networks and business systems, whether owned or leased by Infinit-o, the employee, or a third party. All employees, contractors, consultants, temporary, and other workers at InfinitO and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Infinit-o policies and standards, and local laws and regulation. Exceptions to this policy will be documented at later sections. 

3.1 General Use and Ownership 

3.1.1 Infinit-O proprietary and client owned information stored on electronic and computing devices whether owned, leased or processed by Infinit-o, the employee or a third party, remains the sole property of Infinit-o and or its clients. You must ensure through legal or technical means that proprietary information is protected in accordance with the company standards. 

3.1.2 You may access, use or share Infinit-o proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties. 

3.1.3 You have a responsibility to promptly report the theft, loss or unauthorized disclosure of Infinit-O proprietary information to your direct superiors or direct contacts within the company. 

3.2 Privacy 

3.2.1 The content of electronic communications may be monitored and the usage of electronic communications systems will be monitored to support, among others, operational, maintenance, auditing, security and investigative activities. The Company may from time to time be called upon to turn over electronic communications to law enforcement and private litigants who may be suing Infinit-O or who may be engaged in third party litigation. Employees must be aware that no computer-based communications can be guaranteed to be free of unauthorized monitoring or interception by other parties. It is therefore the responsibility of employees to ensure that confidential company or private information is transmitted securely as per Company standards. Except as otherwise specifically provided or expressly authorized by Infinit-o, employees may not intercept or disclose, or assist in intercepting or disclosing, electronic communications. The Company is committed to respecting employees’ reasonable expectations of privacy. However, the Company also is responsible for servicing and protecting its electronic communications networks and maintaining this policy. As a result, it is occasionally necessary for the Company to intercept or assist in intercepting or disclosing electronic communications. It may be necessary for technical personnel to review the content of an individual employee's communications during the course of problem resolution. Technical support personnel may not review the content of an individual employee's communication out of personal curiosity or at the behest of individuals who have not gone through proper approval channels. 

3.2.2 For security and network maintenance purposes, authorized individuals within Infinit-O may monitor equipment, systems and network traffic at any time.

3.1 Passwords 

3.1.1 Passwords will comply to the company standards level of complexity. 

3.1.1.1 Minimum 8 Characters 

3.1.1.2 Mix of Alphanumeric, uppercase, lowercase, numbers and special character 

3.1.1.3 Changed at least every 60 days 

3.1.2 Passwords will be delivered directly to the intended user or via their immediate superior. 

3.1.3 End user’s credentials are configured to change passwords immediately upon first log in. (newly designated or password changed per request) 

3.1.4 After successful logon users should ensure that equipment is not left unattended and active sessions are terminated or locked as necessary. Systems should be logged off, closed down or terminated as soon as possible. Devices must be configured to lock and sleep/shutdown as necessary. 

3.1.5 System log-on data should not be copied or shared to others and should only be used by the designated user. 

3.1.6 If no password change feature is present to any client provided systems (owned or leased), a waiver must be secured from the client. 

3.1.7 Two Factor Authentication (2FA) must be used if feasible/available.

3.2 Workstations, Laptops, Portable devices and teleworking 

3.2.1 Any laptop/portable item deployed to team members must be accompanied with a proper pullout form. 

3.2.2 Users must not leave laptops/portable devices outside the office premises unattended even in a short period of time. 

3.2.3 Users must store laptops in a lockable container, cabinet or room when not in use. Please refer to company access control policy for physical security. 

3.2.4 Users must immediately inform the IT department if a laptop/computer/ portable device is stolen or lost. 

3.2.5 When entering passwords users must take precautions to prevent others from observing. 

3.2.6 Encryption technologies to laptops and portable devices must be applied when available. 

3.2.7 Personal Laptops used for corporate work shall be registered to the IT department upon securing proper authorization from the IT head. All personal laptops shall comply with all necessary company policies. 

3.2.8 Unauthorized copying of copyrighted material and the installation of any copyrighted software for which or the end user does not have an active license is strictly prohibited. 

3.2.9 All workstations/laptops/portable devices are to be installed with antivirus software’s when applicable. 

3.2.10 Users are to lock or log off from their workstations when they leave their workstations. (stations are configured to auto lock within 8 minutes) 

3.2.11 Additional software request not included on the standard list must be approved by their respective managers, such approval may be changed/suspended/revoked by the IT head upon audit. 

3.2.12 Employees are responsible for exercising good judgment regarding the reasonableness of personal use of computing systems, if there is any uncertainty, employees should consult their team leader or manager.

3.3 Internet Usage 

3.3.1 Please refer to Internet Usage Policy

3.4 Telephone Systems 

3.4.1 Extensions are assigned to specific groups or team members only and should not be used by other team members. 

3.4.2 Phones are to be used for business purposes only. 

3.4.3 Phone calls may be recorded for security purposes.

3.5 Fax 

3.5.1 Fax machines are to be used only for business purposes and by the assigned team only. 

3.5.2 Unassigned/unauthorized Team members that needs access to fax services must seek approval from their immediate supervisors/managers, such approval may be changed/suspended/revoked by the IT head upon audit.

3.6 Printers 

3.6.1 Printers are to be used for business purposes only. 

3.6.2 Printers should not be used as duplicating machines. For multiple copies of documents, print one copy and then use a photocopy machine to make more copies. 

3.6.3 Team members are to exercise good judgment when printing confidential items, if you are unsure of this, please consult your immediate supervisor. 

3.6.4 Unassigned/unauthorized Team members that needs access to printers must seek approval from their immediate supervisors/managers, such approval may be changed/suspended/revoked by the IT head upon audit.

3.7 CCTV Systems 

3.7.1 All recordings shall remain the property of Infinit Outsourcing, Inc 

3.7.2 Recordings shall be maintained for 30 days. 

3.7.3 Users cannot request for recordings that are past 30 days. 

3.7.4 HR shall handle the review of requested CCTV recordings.

3.8 Door Proximity System 

3.8.1 Door proximity systems are to be used for Access Control and as a secondary attendance reference should the biometrics system is inoperable. 

3.8.2 Logs are to be reviewed regularly. 

3.8.3 All team members (includes OJT and Temporary employees) are expected to swipe in their cards accordingly. 

3.8.4 Ingress and Egress Setup (reword- in and Out door setup) 

3.8.4.1 This setup comprises of controls for Ingress and Egress direction (In and Out) 

3.8.4.2 No Piggybacking is allowed on both Ingress and Egress Doors

3.8.5 Ingress Setup (Reword - In setup only) 

3.8.5.1 This setup comprises of controls for Ingress direction only (In) 

3.8.5.2 No Piggybacking is allowed on the Ingress door. 

3.8.5.3 Event logs without any reflected name for this Door setup due to usage of the provided exit push buttons (Item also includes Forced Door Open) are to be disregarded due to system design and limitation. 

3.9 Proximity Cards 

3.9.1 Proximity cards are to be used only by the person assigned to it, lending is not allowed 

3.9.2 In the event of a loss card, report immediately to your supervisor or to HR or IT. 

3.9.3 Temporary proximity cards will be usable for 24 hours only. Any extension should be requested separately.

3.10 Mobile Phones 

3.10.1 Usage - Please see the latest Mobile Telephone usage policy. 

3.10.2 Enable Passcode and Auto delete Data if applicable 

3.10.3 Encrypt Phone Data if available 

3.10.4 Disable Blue tooth when not in use 

3.10.5 When on the phone, users must take precautions to prevent others from eavesdropping on confidential items. 

3.10.6 Built-in cameras are to be restricted or disabled or must not be used whenever inside the production area through built in settings or use of Camera Stickers if applicable/available. 

3.10.7 Using company issued phones to take pictures within the company premises is subject for approval from their respective managers. 

3.10.8 Visitors or 3rd party Contractors are not allowed to take pictures within the company processing areas without approval. Any visitors/3rd party contractors that has secured approval must be escorted during picture taking.

3.11 GoogleApps/Email/Docs 

3.11.1 Googleapps is available for all team members that requires email/docs functionality based on business requirements. 

3.11.2 Googleapps services should be used for business purposes only and in accordance with relevant company policies. This includes Email, Google Drive, Photos, Chat. 

3.11.3 Access to the account must not be shared to other team. 

3.11.4 Password must be followed as per company policy. 

3.11.5 Employees must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware. 

3.11.6 Storing or transmitting copyrighted materials for which Infinit-o or the end user does not have active license is strictly prohibited. 

3.11.7 All data used with conjunction with the Googleapps suite will be subject to the process and procedures stated on the company control of records policy/document.

3.12 Call Center Headsets (For Voice accounts) 

3.12.1 Headsets will be under the accountability of a team’s respective Team leader or Manager 

3.12.2 Headsets are returned and logged by the Team leaders or managers before team members leaves the office after their shift. 

3.12.3 In the event that the Team Leader or Manager is unavailable, he or she can designate a representative to receive and log the headsets.

3.13 Unacceptable Use 

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances is an employee of Infinit-o authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Infinit-o owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use. 

3.13.1 System and Network Activities The following activities are strictly prohibited, with no exceptions 

3.13.1.1 Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by. 

3.13.1.2 Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Infinit-o or the end user does not have an active license is strictly prohibited. 

3.13.1.3 Accessing data, a server or an account for any purpose other than conducting Infinit-o business, even if you have authorized access, is prohibited. 

3.13.1.4 Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question. 

3.13.1.5 Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.). 

3.13.1.6 Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home. 

3.13.1.7 Using a Infinit-o computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction. 

3.13.1.8 Making fraudulent offers of products, items, or services originating from any account. 

3.13.1.9 Making statements about warranty, expressly or implied, unless it is a part of normal job duties. 

3.13.1.10 Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes. 

3.13.1.11 Port scanning or security scanning is expressly prohibited unless prior notification to IT is made. 

3.13.1.12 Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty. 

3.13.1.13 Circumventing user authentication or security of any host, network or account. 

3.13.1.14 Introducing honeypots, honeynets, or similar technology on the Infinit-o network. 

3.13.1.15 Interfering with or denying service to any user other than the employee's host (for example, denial of service attack). 

3.13.1.16 Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet. 

3.13.1.17 Providing information about, or lists of, Infinit-o employees to parties outside unless it is part of the employee’s normal job/duty.

3.13.2 Email and Communication Activities When using company resources to access and use the Internet, users must realize they represent the company. Whenever employees state an affiliation to the company, they must also clearly indicate that "the opinions expressed are my own and not necessarily those of the company". Questions may be addressed to the IT Department. 

3.13.2.1 Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam). 

3.13.2.2 Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. 

3.13.2.3 Unauthorized use, or forging, of email header information. 

3.13.2.4 Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies 

3.13.2.5 Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type. 

3.13.2.6 Use of unsolicited email originating from within 's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by or connected via 's network. 

3.13.2.7 Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam)

3.13.3 Social Media 

3.13.3.1 Employees shall not engage in any social media channels that may harm or tarnish the image, reputation and/or goodwill of and/or any of its employees. Employees are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when using social media or otherwise engaging in any conduct prohibited by Infinit-O’s policy 

3.13.3.2 If an employee is expressing his or her beliefs and/or opinions in social media, the employee may not, expressly or implicitly, represent themselves as an employee or representative of Infinit-o. Employees assume any and all risk associated with use of social media platforms. 

3.13.3.3 Apart from following all laws pertaining to the handling and disclosure of copyrighted or export controlled materials, Infinit-o’s trademarks, logos and any other Infinit-O intellectual property may also not be used in connection with any social media activity

3.14 Exceptions Any exception to the policy must be approved by the IT Head in advance. 

3.15 Non- Compliance An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. 

4.0 Responsibility

4.1 Vice presidents and Directors are responsible for ensuring that all staff and managers are aware of security policies and that they are observed. Managers need to be aware they have a responsibility to ensure staff have sufficient, relevant knowledge concerning the security of information and systems. Designated owners of systems, who have responsibility for the management of systems and inherent information, need to ensure that staff have been made aware of their responsibilities toward security. Designated owners of systems and information need to ensure they uphold the security policies and procedures.

5.0 Distribution

5.1 Team members 

5.2 Team Leaders/Managers/Directors 

5.3 Execom