All users of the Company’s networks and systems shall undergo security awareness training to explain these security policies prior to being allowed access. Current users shall undergo training within 30 days from when these policies will be put into effect.

The Human Resources Department shall be responsible for publishing the Information Security Policies and all updates on the Company’s intranet. The Human Resources Department shall notify every user that the policies have been published and how they may be accessed.

The Human Resources Department shall provide each department and users without access to the intranet one printed copy of these policies at the same time the electronic version is published.

Management shall monitor all systems activity and network traffic to enforce the provisions of these policies. Management shall be allowed to assign monitoring and other information security duties to appropriate administrators.

Management shall install access controls consistent with the requirements of these policies.

Management and assigned administrators shall have the responsibility for testing access controls and the network for vulnerabilities. Users shall not test for vulnerabilities and access controls by manual or programmatic means.

When vulnerabilities are known, users shall not exploit their effects by manual or programmatic means.

Management and assigned administrators shall have access to the tools that can help manage and test information security. Users shall not have access to these tools on the Company’s network. Users shall not load or download these tools from any location.

Security, systems, and network administrators shall maintain records of all security violations. These records shall be in sufficient detail so that they may be used for disciplinary actions and policy review.

Security administrators shall maintain Risk Acceptance Memos for each waiver granted to these policies. Managers who want to ignore a part of these policies must sign that memo accepting responsibility for the security of those systems and networks.

Systems and network administrators shall be designated as the maintainers of user and access control information. These duties shall include the creation and modification of user accounts and changing access controls when necessary.

Security, systems, and network administrators shall perform a semi-annual audit of user accounts and associated access controls to ensure validity and accuracy.

Security, network, and systems administrators shall define the information that will be saved in systems and network logs. These definitions shall include a record of all security relevant activities.

Authorized administrators shall review the system and other logs on a regular basis.

Administrators shall take appropriate precautions to prevent logs from being deactivated, modified, or deleted.

Administrators shall follow appropriate procedures when discovering violations of these policies or network security.

Administrators shall backup active logs to an on-line storage facility. The on-line backup shall be archived to an off-line storage medium on the last day of each month. The off-line storage of logs shall be maintained for two years unless contract or the law requires longer periods.

All users shall be responsible for maintaining and enforcing the provisions of these policies and associated procedures. Violations to these policies and associated procedures shall be reported using the designated reporting procedures.

Administrators shall monitor public disclosure organizations that report incidents, bugs, and other problems that could affect the security of the Company’s network and systems. These public disclosure organizations shall include the vendors of the information systems in use by the Company, at least two general organizations, and the vendor of the Company’s chosen anti-virus software.

The response of violations from law enforcement shall be coordinated with management. Management shall be the lead internal investigator and shall take responsibility for interfacing and cooperating with law enforcement.

Data regarding information security violations and incident handling shall be retained so that it may be used during the analysis of the information security policies.

Users whose association with the Company is terminated shall have their access privileges to the Company’s resources immediately revoked. Administrators shall arrange for the programs and other data used by these users archived. Administrators shall create procedures for revoking access of these users.

Any conduct which adversely affects the ability of others to use the company’s systems and networks, or which can harm or offend others, shall not be permitted.

Management shall have the right to revoke any user’s access privileges and terminate their association with the Company at any time for violations of this policy or demonstrates conduct that disrupts the normal operation of the Company’s network and computing systems.

Management shall have the right to sever contracts and agreements with contractors and other outside users if they violate this policy or demonstrates conduct that disrupts the normal operation of the Company’s network and computing systems.

Management shall have the right to exercise their options under the appropriate criminal and civil laws to seek legal remedies from anyone who uses, abuses, or attacks the Company’s network and information systems in a manner that would be in violation of the law and these policies.