
Original Issue: June 15, 1999 Policy 6

Current Issue: June 4, 2009

COMPUTER AND NETWORK SECURITY POLICY

I. Introduction

A. General Purpose.

The [THE COMPANY] Computer and Network Security Policy establishes the standards for the
use of the Company’s computer and network resources in a secure environment. Through
adherence to this policy, employees will assure the integrity, availability, confidentiality and
accountability of information the Company needs to remain competitive in the information
technology market. Responsibility for the security and effectiveness of the Company’s computer
and network resources rests with employees at all levels.

Appropriate security shall include protection of the privacy of information, protection of
information against unauthorized modification, protection of systems against denial of service
attacks, and protection of systems against unauthorized access. Furthermore, it shall include the
proper use and protection of computer and network hardware and software to preclude fraud,
waste, abuse, theft and loss.

The Company’s computer and network resources shall be accessed and used only by individuals
authorized by the Company. A user account must be approved and activated by the Company’s
designated computer and network system administrator. Any computer, computer system, or
network or device physically connected to or accessing the Company’s computer and network
resources will be subject to and must comply with this policy. Any question with regard to whether
a specific use is authorized must be referred to the System Administrator.

B. Scope.

This policy is effective at [THE COMPANY], and applies to all system users at any location,
including those using privately owned computers or systems to access the Company’s computer
and network resources. This policy represents the minimum requirements that must be in place.
This policy is not intended to inhibit access to information services that employees have made
accessible for public inquiry (e.g., WWW or anonymous ftp sites). However, use of such services
to access or attempt to access information not intended for public display or use, or to circumvent
or violate the responsibilities of the system users or the system administrator as defined in this
policy, is prohibited.

C. Ownership.

Internet related systems (including but not limited to: computer equipment; software and operating
systems; network accounts providing electronic mail, World Wide Web browsing, File Transfer
Protocol; networking and intranet systems and software) are the property of [THE COMPANY].
They are to be used for business purposes only, in serving the interests of the company and our
clients in the normal course of business.

D. Privacy of Communications.

Employee communications on [THE COMPANY] computer, network systems, IP Telephone
systems and BlackBerrys are not private. While the network administration desires to provide a
reasonable level of privacy, users should be aware that the data they create on corporate systems
remains the property of the corporation, and usually can be recovered even after it has been
deleted by the user.

E. Monitoring.

The company reserves the right to monitor all employee usage to ensure proper working order,
appropriate use by employees, the security of company data and to retrieve the contents of any
employee communication in these systems. The company may access user files, including archived
material of present and former employees without the user’s consent for any purpose related to
maintaining the integrity of the network or the rights of the corporation or other users or for any
reasonable purpose. All external correspondence will also be considered as property of the
corporation and can be monitored at the same level as internal communications.

F. Supplements.

Existing policies and procedures will be reviewed, updated, and changed from time to time. New
policies and procedures will be formulated as the need arises. In order to accommodate these
modifications, this policy is published in two formats: 1) loose-leaf format, distributed
separately, and 2) PDF format, posted at the corporate web site and in public folders available
through the corporate e-mail system. In this way, any change or addition may be conveniently
made.

II. Duties and Responsibilities.

A. President.

1. Manages the design, implementation, and maintenance of the Company’s computer and
network system resources as it applies to the growth and sustainment of the Company’s
business.

2. Provides computer and network system guidance to the system administrator as it applies to the
Company’s short and long term strategic planning and objectives.

B. Vice Presidents, Regional Directors, Managers and Supervisors.

1. Ensures employees use organizational computer and network resources for official business
only.

2. Recommends e-mail and internet access for their employees to the system administrator when
that use complies with the stipulations below:

(a) Enhances work productivity and does not detract from assigned work and performance.

(b) Is of reasonable duration and frequency.

(c) Serves as a legitimate organization interest such as notifying family of travel changes
while on a business trip, communication from a place of work during normal work hours,
performing research for organizational projects, or morale purposes if assigned for
extended period of time away from home.

3. Implement security policies, controls, and procedures to protect the Company’s computer and
network resources from intentional or inadvertent modification, disclosure, or destruction of
computer databases.

4. Monitor user adherence to security policies, controls and procedures.

5. Respond to computer and network security incidents, including, but not limited to, notification
of incidents to law enforcement agencies and other Company offices as appropriate, and contact
with outside computer emergency response teams or vendors as deemed necessary.

6. Educate users in the ethical use of computer and network resources.

a. Assure new employees fully understand the contents of this policy.

b. Assure that security awareness training is conducted and documented annually for all
employees.

C. Computer and Network System Administrator.

Unless otherwise stated, the system administrator has the same responsibilities as system users.
However, because of their position, the system administrator has additional responsibilities and
privileges for specific systems or networks. For systems that are directly administered, the system
administrator will:

1. Prepare and maintain security procedures that implement Company security policies and
address such details as access control, backup and disaster recovery mechanisms, and
continuous operation in case of power outages.

2. Take reasonable precautions to guard against corruption, compromise, or destruction of
computer and network resources. Reasonable precautions for the system administrator exceed
those authorized for system users. Specifically, the system administrator, upon approval from the
President, may conduct a security scan of the systems they administer. However, security
scans of any other system or network may not be conducted. Likewise, the system
administrator may conduct dictionary comparisons or otherwise check password information
related to system users on the systems for which they have administrative responsibility, but
not on other systems. The system administrator may also intercept or inspect information en
route through a network, but only information originating from or destined for systems for
which they have direct administrative responsibility and only for purposes of diagnosing
system or network problems or the implementation of the corporate proxy agreement.

3. Archiving and backing up the systems: The network administration will back up the network
shared resources and designated areas of the users’ personal computers on a daily basis. These
backups can be either to a tape backup system or to another designated server on the network.
Any data outside the normal designated areas that needs to be backed up will be added to the
system once the network administration is notified of its location.

4. Treat files and systems as private. It is recognized that a system administrator may have
incidental contact with system user files, including electronic mail, in the course of their duties.
The contents of such files must be kept private. Deliberate access to system user files is
authorized only in the event of a suspected security breach, if essential to maintain the system(s)
or network(s) for which the system administrator has direct administrative responsibility, or if
requested by or coordinated with the system user.

5. Take reasonable and appropriate steps to see that all hardware and software license agreements
are conscientiously executed on all systems, networks, and servers.

6. Ensure organizational network addresses are assigned to those entities or organizations that are
part of [THE COMPANY], only. The system administrator must not assign network addresses
to non-Company entities or agencies.

7. Limit access to root or privileged supervisory accounts. In general, only the system
administrator should have access to such accounts. System users will not be given unrestricted
access to root or privileged supervisory accounts unless the user has been designated as an
assistant system administrator who has been approved by the President. As with all accounts,
authorization for root or privileged supervisory accounts must be approved in accordance with
this policy.

8. Establish an audit record capable of tracing network activity to an individual user. As a
minimum the following events shall be recorded:

a. User identification;
b. User actions to create, modify, or delete programs/files;
c. Actions taken by network operators, network administrators, and security operators;
d. Any event that attempts to change privileges or security profiles (e.g., change access
controls, change security level of the subject, change user password);
e. Any event that attempts to violate the security policy of the network (e.g., too many
attempts to log in, attempts to violate the access control limits of a file);
f. For each recorded event the audit trail shall record the date and time of the event, the subject,
the type of event, the success or failure of the event, the origin of the request, and the name of
the program/file introduced, accessed or deleted;
g. Any actions to change the configuration of the network (e.g., a component leaving the
network and rejoining);
h. Provide immediate feedback to the ISSO on e-mail received with viruses;
i. Assure that security awareness training is conducted and documented annually for all employees.

D. System Users. System users will:

1. Understand and agree to, and comply with this security policy, and all federal, state, and local
laws, including laws applicable to the use of computer and networking resources, and
electronically encoded data.

2. Safeguard passwords and/or other sensitive access code information related to their own
accounts or network access. Such information must not be transmitted to, shared with, or
divulged to others. Likewise, system users must recognize the sensitivity of all other passwords
and computer or network access information in any form, and must not use, copy, transmit,
share or divulge such information, nor convert the same from encrypted or enciphered form to
unencrypted form or legible text. Any attempt to conduct such actions by a user is a violation of
this policy.

3. Take reasonable precautions, including personal password configuration and maintenance and
file protect measures, to prevent unauthorized use of their accounts, programs or data by others.

4. Ensure accounts or computer and network access privileges are restricted for their own use.
System users must not share their accounts, grant accounts to others nor otherwise extend their
own authorized computer and network privileges to others.

5. Adhere to copyright restrictions.

6. Do not install or attempt to install any additional software. When additional software is needed
to complete the task assignment, contact your immediate supervisor first. The requests will be
evaluated on an individual basis by the Immediate Supervisor, Regional Director, and the
System Administrator. Decisions on additional software will be handled in the most expedient
manner possible.

7. Use accounts or network access only for the purposes for which they were authorized and only
for Company-related activities. User prohibitions are:

a. Use of accounts or network access to conduct a personal commercial enterprise is
prohibited.
b. Transmitting or making accessible offensive, obscene, or harassing materials, and
transmitting or making accessible chain letters, etc., are prohibited.
c. Unauthorized mass electronic mailings and newsgroup posts are prohibited. System users
will not join outside e-mail lists and will refrain from using their company e-mail address
for personal business (e.g., shopping sites such as eBay, amazon.com, etc.).
d. Conducting or attempting to conduct security experiments or security scans involving or
using Company computer and network resources without specific authorization of the
computer and network system administrator is prohibited.
e. The intentional or negligent deletion or alteration of information or data of others,
intentional or negligent misuse of system resources, intentionally or negligently introducing
or spreading computer viruses, and permitting misuse of system resources by others is
prohibited.

f. Use of streaming video and audio is prohibited unless it is required in the performance of an
employee’s work. In this case, the requirement to use streaming video and audio must be
approved by the Immediate Supervisor and Regional Director, and coordinated with the System
Administrator.

8. Represent themselves truthfully in all forms of electronic communication and must not
misrepresent themselves as others in electronic communications. Likewise, system users must
not cause a system to assume the network identity or source address of another computer or
network resource for purposes of masquerading as that resource. System users will not register
computer and network resources with Internet addresses, within the Company Internet domain,
under non-Company domain name. System users will not provide Domain Name Services for
any computer or network resource.

9. Respect the privacy of electronic communications. System users must not obtain nor attempt to
obtain any electronic communication or information not intended for them. In particular, system
users must not attempt to intercept or inspect information (e.g., packets) en route through the
Company computer and network resources, nor use Company resources to attempt to intercept
or inspect information en route through other networks outside the Company’s domain.

10. Respect the physical hardware and network configuration of Company owned networks. System
users must not extend the physical network on which their system resides (e.g., wiring, jacks,
wireless connection).

11. Treat non-Company computer and network resources in accordance with this policy.
The Company’s computer and network resources must not be used in an attempt to breach the
security or security policy of other sites (either willfully or negligently). An action or attempted
action affecting non-Company computer and network resources that would violate this policy if
performed on Company computer and network resources is prohibited.

12. Ensure no affiliate company (EADS, Cogent, etc.) computers are allowed to connect to the
internal corporate network.

13. No employee shall bring within the physical confines of the corporate network (any location)
any of the following items: personal computers, flash drives, removable media drives, micro
drives, etc. The intent is to ensure that no computing equipment other than that supplied by the
company has access, or could have access, to company Proprietary and Confidential
Information, and to lessen the opportunity to inadvertently infect our corporate resources.

14. Ensure non-company or corporate mobile computers are not connected to the corporate
network until they have been inspected and approved by the Network System Administrator.

III. Password Management.

A. Password Configuration.

Passwords are used as a means of access control by providing an authentication mechanism for
verifying the user’s identity when logging onto the computer system. Consequently, the proper
configuration of a password is a vital measure in protecting the user’s computer system from
unauthorized access. As a result, system users will comply with the following when configuring
their computer passwords: (Note: To ensure compliance with this policy a password cracking tool
will be run on a random and ongoing basis.)

1. Develop passwords at least seven (7) alphanumeric characters in length. At a minimum,
use at least one each of an upper-case letter, a lower-case letter, a number and a special character
in the password. Passwords should never be words found in the dictionary, proper names or
personal data (e.g., user name, children’s names, birth dates, etc.).

2. Do not repeat a single character more than two times.

3. Do not start your password with the number “1” or the letter “a”.

4. Use phraseology in developing passwords. This allows for the configuration of a password
while making it easy for the user to remember. For example, the user could create a password
from the phrase “Kill two birds with one stone” (Password: k2Tbw10$). (Note: Do not use this
example for your password since it has already been published in clear text.)

B. Password Protection.

The effectiveness of a password depends on the confidentiality afforded to it. Just like the key to a
house, which the resident stringently controls so it does not come into the possession of an
unauthorized person, the user must take precautions to control and protect his/her password. The
following precautions will be taken by system users:

1. Protect passwords as sensitive information.

2. Do not post passwords on terminals, blackboards, bulletin boards, or in any other location
where they may be disclosed. Ideally, users should not record or store their password in clear
text, but memorize them. If the user must record the password, the password will be stored in a
sealed opaque envelope, stored in a locked file cabinet or desk drawer in which access is
controlled.

3. Change passwords immediately if they have been seen, guessed or compromised.

4. Change passwords at least every 90 days.

IV. Electronic Mail.

A. Management.

Electronic mail (email) is provided by the corporation for employees to conduct company business,
and personal use should be restricted. All electronic messages created and/or stored on the
corporation’s computers or networks are the property of the corporation and are not considered
private. As a result the following applies:

1. The company retains the right to access employee electronic mail if it has reasonable grounds to
do so. The contents of electronic mail will not be disclosed other than for security purposes or
as required by law. Email messages may be retrieved by the company even though they have
been deleted by the sender and the reader. Such messages may be used in disciplinary actions.

2. Users must not allow anyone else to send email using their accounts. This includes their
supervisors, secretaries, assistants and co-workers.

3. Directories of employee email addresses will not be made available for public access.

4. When confidential or proprietary information is sent by email, it must be encrypted so that it is
only readable by the intended recipient. This applies to e-mail sent to your home accounts or to
any employees working on client sites where the mail is sent to a non-corporate account. The
corporate approved software is currently PGP and will be supplied to any employee who needs
a copy.

5. No visitors, temporary employees, contractors or students may use corporate email. Nor will
they be allowed access to systems for connectivity to outside email systems (e.g., Hotmail).

6. Electronic mail attachments should be viewed with suspicion. No attachments should be opened
directly from the received email. All attachments should be saved to a folder and scanned by the
virus protection program BEFORE opening. No executable (.exe) or Visual Basic script (.vbs)
files should ever be opened on company supplied systems. The use of the preview pane is
prohibited. (Outlook 200x and Outlook Express treat a number of viruses as opened if the mail is
viewed in a preview pane.) The receipt of .exe and .vbs files as attachments to an e-mail shall be
reported to the System Administrator or Information Systems Security Officer immediately.
DO NOT OPEN THE FILE.

7. The specified signature block should be included on all email that originates from company
owned computers. This signature should include name, job title, corporate name, corporate
address including city, state and zip, phone number and the URL of the corporate website (e.g.,
www.eads-na-security.com).

8. Immediately report e-mail viruses to the system administrator.

9. If a virus is inadvertently opened and you believe your computer is infected, immediately
disconnect the network connection (Cat 5 cable) and notify your network administrator. Do not
shut the computer off, as vital information could be lost.

10. The use of outside e-mail systems (e.g., Yahoo Mail, Hotmail, etc.) is prohibited. This rule will
only be suspended with the approval of your Regional Director and Network Administrator
during times of corporate e-mail outages.

11. The use of and access to Outlook Web Access (OWA) will be limited to duty hours from
client or government locations. Access to corporate e-mail when not on duty or in a customer
location will be available to our employees using the corporate VPN clients.

12. Email forwarding: The company will not automatically forward e-mail to any employee’s
outside accounts or to any government supplied accounts. Employees will also refrain from
creating their own server side or client side rules that forward e-mail to outside accounts or
government supplied accounts.

13. It is mandatory that each employee shall check their EADS NA DS3 e-mail account at least
once per day for intercompany communications, as some items are proprietary and require
immediate action. Intercompany communications should not be conducted from onsite
government e-mail systems.

B. BlackBerry Handheld Policy.

BlackBerry Password Requirements

A BlackBerry password is mandatory.
1) Password Requirements
a) Minimum of four (4) characters, non-sequential in nature
b) Must NOT include dictionary words or proper names
c) Must not be the same as your corporate network password

2) Users must change the password every 90 days
3) Users cannot re-use the previous 10 passwords or variants of a previous password
4) The password is locked after an incorrect password is entered five (5) times
a) When the password is locked, all user-specific data will be cleared and the Message Service
will be removed. To reactivate the device you must re-cradle the BlackBerry at your
desktop, and data will be restored to the level of your last backup.
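The following checker encodes the network password rules of Section III.A (rules 1 to 3) and the BlackBerry password requirements above, as an added example that is not part of this policy. The word list is a small constructed stand-in, and the readings of "non-sequential", "variants of a previous password" and "repeat a single character more than two times" are assumptions, since the policy does not define them.

```python
import string

# Constructed stand-in for the word list a password-cracking tool would use.
DICTIONARY = {"password", "welcome", "summer", "company", "secret", "stone", "bird"}
SPECIALS = set(string.punctuation)


def _dictionary_hits(password, words, min_len=4):
    """Return dictionary words (>= min_len letters) found inside the password.
    Assumption: a cracking tool also tries embedded words, so containment,
    not only equality, counts as a hit. Matching is case-insensitive."""
    low = password.lower()
    return sorted(w for w in words if len(w) >= min_len and w.lower() in low)


def check_network_password(password, username="", personal_data=(), words=DICTIONARY):
    """Check a corporate network password against Section III.A rules 1 to 3.
    Returns the list of violated rules; an empty list means compliant. Rule 4
    (derive the password from a phrase) is advice, not a testable rule."""
    problems = []
    # Rule 1: at least seven characters with one of each character class.
    if len(password) < 7:
        problems.append("rule 1: fewer than 7 characters")
    if not any(c.isupper() for c in password):
        problems.append("rule 1: no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("rule 1: no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("rule 1: no number")
    if not any(c in SPECIALS for c in password):
        problems.append("rule 1: no special character")
    # Rule 1: no dictionary words, proper names or personal data.
    hits = _dictionary_hits(password, words)
    if hits:
        problems.append("rule 1: contains dictionary word(s) " + ", ".join(hits))
    low = password.lower()
    personal = [t for t in (username, *personal_data) if t and t.lower() in low]
    if personal:
        problems.append("rule 1: contains personal data " + ", ".join(personal))
    # Rule 2: no single character used more than twice. Assumption: counted
    # over the whole password, not only as consecutive repeats.
    for ch in sorted(set(password)):
        if password.count(ch) > 2:
            problems.append(f"rule 2: character {ch!r} used {password.count(ch)} times")
    # Rule 3: must not start with "1" or "a". Assumption: either case of "a".
    if password[:1].lower() in ("1", "a"):
        problems.append('rule 3: starts with "1" or "a"')
    return problems


def _has_sequential_run(password, run_len=3):
    """True if run_len neighbouring characters step by +1 or -1 in code point
    ("123", "abc", "cba"). Assumption: this is what "non-sequential in
    nature" means; the policy itself does not define the term."""
    codes = [ord(c) for c in password.lower()]
    for i in range(len(codes) - run_len + 1):
        window = codes[i:i + run_len]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def _is_variant(candidate, previous):
    """Assumed reading of "variants of a previous password": the same letters
    once case, digits and punctuation are ignored (Summer08 vs SUMMER09)."""
    def core(s):
        return "".join(c for c in s.lower() if c.isalpha())
    return core(candidate) != "" and core(candidate) == core(previous)


def check_blackberry_password(password, network_password, history=(), words=DICTIONARY):
    """Check a BlackBerry password against requirements 1a) to 1c) and the
    re-use rule in 3). Returns the list of violations (empty = compliant)."""
    problems = []
    if len(password) < 4:
        problems.append("1a: fewer than 4 characters")
    if _has_sequential_run(password):
        problems.append("1a: contains a sequential run")
    hits = _dictionary_hits(password, words)
    if hits:
        problems.append("1b: contains dictionary word(s) " + ", ".join(hits))
    if password == network_password:
        problems.append("1c: same as corporate network password")
    # 3) the previous ten passwords, or variants of them, may not be re-used.
    if any(password == old or _is_variant(password, old) for old in list(history)[-10:]):
        problems.append("3: re-uses a previous password or a variant of it")
    return problems


if __name__ == "__main__":
    # Constructed samples; the first is the policy's own published example.
    for pw in ("k2Tbw10$", "Summer2009!", "1abcXYZ$", "aaa1Bc$d"):
        print(pw, "->", check_network_password(pw, username="jsmith") or ["compliant"])
    print("1234 ->", check_blackberry_password("1234", "k2Tbw10$"))
```

Run with a real dictionary and the user's actual personal data to approximate what the policy's random password-cracking checks would flag.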

BlackBerry Security Time-Out

When the BlackBerry is inactive and not in use it will time out and be locked. To unlock
the device after a security time-out, users must enter the BlackBerry password. Users can
change the default time-out timeframe: go to Tools and then Options to set the security
time-out value to no more than 20 minutes.

Backing Up Your BlackBerry Device

[THE COMPANY] BlackBerry devices are set to automatically back up data every
seven (7) days when the device is in the cradle. BlackBerry data can be manually backed
up by placing the device in the cradle at your workstation, opening the BlackBerry
Desktop Manager and double-clicking the Backup and Restore button.

SMS Messaging
SMS messaging is not allowed.

PIN to PIN Messaging

PIN to PIN messaging is not allowed.

Adding Applications
Adding applications to your BlackBerry is not allowed without prior approval from the
CTO and the Network Administrator.

Lost or Stolen Devices

If your BlackBerry is lost, stolen, compromised or damaged you must contact the systems
administrator immediately. The device can and will be disabled remotely, clearing all
contents stored in the device.

Discussion Topics and Classified Material

As with unclassified information systems (computers, networked devices, cellular
telephones, etc.), classified information should never be transmitted, received, or discussed
using your unclassified BlackBerry device. In the unfortunate circumstance you believe you
have inadvertently sent, received, or discussed classified information using your BlackBerry
device, you should immediately contact the Facility Security Officer (FSO) and your
supervisor for detailed guidance. Until such guidance is received, DO NOT repeat or
forward the information via your unclassified BlackBerry and ensure you keep the
BlackBerry in your personal possession and control at all times.

C. Retention Policy.

1. Official company records communicated through e-mail must be identified, managed, protected
and maintained as long as needed for ongoing operations, audits, legal actions or any other
known purpose. Therefore, all Company employees are responsible for managing the creation
and retention of documents, both record and non-record, that are created or transmitted on the
Company’s electronic mail system.

2. To prevent premature deletion of records, employees must ensure a copy of such records is
filed in the e-mail archive. Both outgoing and incoming messages and attached files must be
stored. Any email containing a formal approval or constituting any commitment by the
corporation to any outside organization must be copied to the appropriate file (in hard copy if
required) to support accountability and audits.

3. Some categories of electronic mail messages that would be defined as records are:

a. Those containing unique, valuable information developed in preparing position papers,
reports and studies;
b. Those reflecting actions taken in the course of conducting Company business;
c. Those conveying unique, valuable information on Company products, services, policies,
decisions, and essential actions;
d. Those conveying statements of policy or the rationale for decisions or actions;
e. Those documenting oral exchanges (in person or by telephone) during which policy was
formulated or other Company activities were planned or transacted;
f. Copies of documents issued to multiple recipients. Usually, copies of documents received
by recipients of electronic mail are copies, not records, and should be disposed of as soon
as they are not needed for reference;
g. Draft copies circulated for comment. Draft documents or working papers that propose or
evaluate high-level policies or decisions and provide unique information that contributes
to the understanding of major decisions;
h. Those electronic mail systems that provide "calendar" and "task lists" creation functions
such as milestone management charts.

4. Some categories of electronic mail messages that would be defined as non-record material are
as follows:
a. Routine requests for information or publications and copies of replies which require no
administrative action, no policy decision, and no special compilation or research for
reply.
b. Originating office copies of letters of transmittal that do not add any information to that
contained in the transmitted material, and receiving office copy if filed separately from
transmitted material.
c. Notices including memoranda and other records that do not serve as the basis of official
actions, such as notices of meetings, bond campaigns, and similar correspondence.

5. When electronic mail is retained as a record, the period of its retention is three years from the
date of the correspondence or if the correspondence is part of a contract or project, three years
from the date the contract or project is completed. If the e-mail document pertains to business
with a City, County, State, or Federal government agency, retention is governed by the
appropriate records control schedule of that government agency. Company employees are
responsible to know and comply with the respective government agency’s records control
schedule.

V. Computer Virus Management.

A. Computer Viruses.

A computer virus is a computer program that can infect other computer programs by modifying
them in such a way as to include a copy of itself. Although a computer virus is the most widely
recognized example of a class of computer programs written to cause some form of intentional
damage to computer systems or networks, it does not have to be called a “virus”. A computer virus
performs two basic functions: it copies itself to other programs, thereby infecting them, and it
executes the instructions the author has included in it.

B. Virus Indicators.

Some of the ways in which viruses propagate so quickly include: sharing infected removable media
between users; downloading programs from public electronic bulletin boards or e-mail attachments;
and using infected demonstration or system removable media. There are various kinds of
symptoms which some virus authors have written into their programs, such as messages, music, and
graphic displays. However, the main indicators are:

1. Changes in file sizes and contents, the unexplained appearance of unknown files or the
reassignment of system resources. Unaccounted-for use of RAM or a reduction in the amount
known to be in the machine can be important indicators. However, these symptoms, along
with longer disk activity and strange behavior from the hardware, can also be caused by genuine
software, by harmless “prank” programs, or by hardware faults.

2. Warning messages from anti-viral software.

C. Virus Protection.

Preventing a virus from infecting Company computer resources requires virus awareness among
all users. The basic anti-virus practices and techniques described below are to be employed by all
Company employees in order to minimize the risk of introducing viruses and other malicious
software, to ensure timely detection of viral infections, to eliminate viral infections from the
inventory of microcomputers, and to minimize the risk from malicious programs to non-Company
network systems. The corporate strategy includes desktop virus scanners on each corporate
computer. This software is configured before the user receives the computer and should never
be disabled or reconfigured.

1. Scan new software. There are documented instances in which commercial “shrink-wrapped”
software was inadvertently distributed containing viruses. Check all new software for infection
before running it for the first time. It is even advisable to use different anti-virus programs,
since no single virus scanner is able to detect all viruses.

2. Use only authorized software. Do not install any software on a PC unless the software has been
authorized for use by the Company’s computer and network administrator or security officer,
and scanned for viruses. Public domain software, shareware, freeware, computer games, and
software copied from a home system or another user’s system are frequent sources of viruses
and should not be installed on any Company systems without authorization.

3. Do not download software from public bulletin boards. Public bulletin boards are a source of
computer viruses. When necessary, download to a diskette when downloading from an
authorized source and use virus scanning software to test for viruses before copying files to a
hard disk. Never download software to a network server.


4. Do not copy and share software. Do not copy copyrighted software or share software with other
employees. Copying and sharing software are common ways of spreading computer viruses in a
personal computer environment in addition to potentially violating copyright laws.

5. Scan removable media from home or external sources. Do not use removable media from home
systems or other external sources that have not been approved and scanned for viruses, as these
removable media may be infected.

6. Make backups of critical files. Protect system files, critical data files and applications by
making backup copies (backup copies of applications for archival purposes generally do not
represent a copyright violation) and storing them on write protected removable media.

7. Beware of shareware and freeware.

8. Scan network servers. A network administrator should have a backup copy of every software
program every time it is modified in accordance with established software development
procedures and controls. This will provide some assurance that there is a clean backup in the
event a virus hits. The administrator should also periodically scan servers for viruses.

D. Virus Response.

If a computer is believed to be infected with a virus, the steps listed below should be followed.
Sometimes a badly thought out attempt to remove a virus will do much more damage than the virus
itself could have done. Viruses can be extremely unforgiving unless they are removed correctly.

1. Stop. Do not turn off the PC. Remove the network connection (Cat 5 cable) immediately.

2. Take notes. Identify what activity indicated a virus may be present.

3. The computer and network system administrator will respond to incidents of suspected viruses.
They will verify that there is a virus and clean the PC using the virus response procedures
below:

a. Boot the PC from a write-protected diskette containing the anti-virus software.
b. Scan the hard drive (memory, boot sector and all files) for viruses.
c. Identify any viruses found, by name.
d. Clear any specific viruses found.
e. Re-scan the hard drive and scan and clean all removable media.
f. Attempt to determine the source of infection (for tracking purposes).
g. Determine any other infections that may have occurred due to this infection.
h. Restore any lost software from its original media or write-protected archives.
i. Restore any lost backup data from scanned media.

VI. Security Violations.

A. Reporting Security Violations or System Vulnerabilities.


System users aware of any breach of information or network security, or compromise of computer
or network security safeguards, must report such situations to the computer and network
administrator or security officer. The Company’s security officer, in coordination with executive
managers, will determine if financial loss has occurred and if controls or procedures require
modification. When warranted by such preliminary review, law enforcement authorities will be
contacted as necessary to investigate criminal or malicious activities.

B. Sanctions for Policy Violations.

1. Violation of any provision of this policy may result in:

a. Restriction or termination of a system user’s access to the Company’s computer and network
resources, including the summary suspension of such access, and/or rights pending further
disciplinary and/or judicial action;
b. Initiation of legal action by [THE COMPANY] and /or respective federal, state or local law
enforcement officials, including but not limited to, criminal prosecution under appropriate
federal, state or local laws;
c. Restitution by the violator for any improper use of service;
d. Disciplinary sanctions, which may include up to termination of employment depending on
the severity of the violation.

2. Report all suspicious activity to the computer and network system administrator and security
officer. Chances are the suspicious activity is caused by something other than a virus, but if it is
a virus, only a rapid response will result in its successful containment and removal. Once a virus
infection has been confirmed, the virus must be eradicated, its spread and re-infection prevented,
and the newly cleaned system returned to full production.

VII. Physical Security.

A. Overview.

Physical security of computer and network resources is vitally important to sustaining the
Company’s operations. It provides employees defensive measures to protect the facility,
equipment, and information from theft, tampering, careless misuse, and natural disasters.
Consequently, employees must implement the physical security measures presented in this policy to
assist in achieving an optimum level of protection with minimal degradation to operations.

B. Visitor Control.

Access to system user work areas will be controlled, with access limited to those employees
who are assigned to the respective areas. All other personnel who visit the work areas must be
escorted by one of the work area employees. If a visitor is found in a work area without an escort,
take the following actions:

1. Ask the visitor their name, purpose of their visit, and who escorted them into the facility.

2. Escort the visitor out of the work area.

3. Turn them over to the employee who initially escorted them into the facility, or


4. If the visitor was not escorted into the facility by a Company employee, ask the visitor how they
entered the facility, and explain to them that the Company has a visitor control policy:

a. Escort them to the receptionist’s desk and have the receptionist page for an escort from the
work area the visitor needs to visit.
b. Escort the visitor out of the facility. If the visitor refuses to depart the facility, notify the
local law enforcement authorities and request their response.
c. If the visitor is a student, ascertain the purpose for them being in the area, and ask them to
depart the area or direct them to the employee who can help them.
d. Report all suspect visits to your immediate supervisor and Regional Director and
the System Administrator.

C. Systems Inventory Control.

The Systems Administrative Officer will control the receipt, issuance, inventory, and final
disposition of all corporate computer systems and operating and application software. An
inventory will be conducted upon receipt of all computer systems, peripherals, and software, and
entered into the Company’s computer and network inventory. The resources will be allocated to the
respective work centers at the discretion of the responsible Vice President, and coordinated with
the Computer and Network System Administrator. The Regional Directors will assume
responsibility for the full utilization and protection of resources. Resources redistributed across
work centers must be approved by the President, and coordinated with the Computer and Network
System Administrator. The System Administration Officer will inventory all computer and network
resources at least annually, and provide a written report to the President. An out-of-cycle inventory
may be conducted to support suspect events such as theft, loss, misappropriation of computer and
network systems resources, or a transfer of inventory account management responsibilities from
one employee to another.

D. Other Physical Security Measures.

While control of the Company’s environment and resources plays a major role in physical
security, there are other security measures that are relevant to the protection of computer and
network resources. These measures are the responsibility of the individual system users and should
be implemented as part of everyday work practices:

1. Implement a “clean desk” policy. Clear desk tops of all work at the end of the day. The
Company’s Proprietary Information should be locked up in the user’s desk or file cabinet, or at
least cleared from the desk top and stored in a desk drawer or overhead storage bin. Any
documents (excluding government classified documents which require special handling and
storage) belonging to the customer should be provided adequate protection to coincide with its
sensitivity (i.e., For Official Use Only). In this case, request guidance from the responsible
Vice President.

2. Close office doors at the end of the work day. While this does not physically prohibit entry into
an office area, it does present a psychological deterrence to visitors who may be wandering
around the facility. (Note: Because of the necessity of employees to use equipment in various
office areas, do not lock office doors without approval of the President, and coordination with
the work center manager or supervisor.)


3. Use “Time Out” screensaver capabilities with password protection to prevent unauthorized
personnel from accessing personal computer systems. The “Time Out” setting should be set to
no more than three (3) minutes. While users should lock their workstations and turn off their
monitors when away from their workstation, the “Time Out” invokes security measures should
the user forget.

4. Turn off all computer systems in the event of an electrical storm within the immediate vicinity of
the Company’s facility. Also, system users must ensure their personal computer is plugged into
a surge protector when in operation. This will protect data and files in the event of an electrical
surge or power fluctuation.

VIII. Other Special Considerations.

A. Security Education and Training.

The Facility Security Officer (FSO) is responsible for establishing and maintaining a security
education and training program for the Company. At a minimum, all employees will read,
acknowledge, agree to, and sign a letter of compliance with this policy. Training will be conducted for
all newly hired employees within 30 days after their start date. Thereafter, employees will receive
security education and training at least annually, unless otherwise determined by the responsible
Vice President.

B. Copyright and Intellectual Property.

Because electronic information is volatile and easily reproduced, respect for the work and personal
expression of others is especially critical in computer environments. Violations of authorial
integrity, including plagiarism, invasion of privacy, and unauthorized access to network resources, are
prohibited. Computer software protected by copyright is not to be copied from, into, or by using
Company computer and network resources, except as permitted by the license or contract with the
owner of the copyright.
