The IT Security Policy has been finalized and completed (Copy enclosed).

You are requested to please approve the inclusion of the IT Security Policy as an official document and to allow circulation of copies to GHPL Department Heads and the relevant staff involved, for strict compliance.

Assistant Manager (IS) December 07, 2011

Managing Director/CEO

IT Security Policy

Page 1 of 13

TABLE OF CONTENTS

Purpose of the Policy ........................................ 4
Scope ........................................................ 4
1. Software & Software Applications .......................... 4
2. Backup and Recovery ....................................... 5
3. IT Hardware Usage ......................................... 6
4. Internet Access ........................................... 7
5. E-mail Management ......................................... 7
6. Network Security .......................................... 9
7. Computer Usage ............................................ 9
8. Non-Organization Personnel ............................... 10
9. Password Protection ...................................... 10
10. Virus Protection ........................................ 10
Role Creation, Modification or Deletion Request Form ........ 12
Acknowledgement ............................................. 13

Purpose of the Policy
Government Holdings (Private) Limited provides IT infrastructure and computer facilities to help its employees achieve the company's business goals. The purpose of this policy is to educate and sensitize users, identify the associated risks, and set out the responsible use of the IT infrastructure. Inappropriate use of the IT infrastructure can expose the company to risks including virus attacks, loss of data security or integrity, and legal issues. The policy protects the interests of both employees and the company. All users of the IT infrastructure are expected to be familiar with this policy and with the consequences of violating it.

Scope
This policy applies to employees, persons on deputation, consultants, persons affiliated with third parties, and interns working at Government Holdings (Private) Limited. The scope of this policy covers the following areas:
1. Software & Software Applications
2. Backup and Recovery
3. IT Hardware Usage
4. Internet Access
5. E-mail Management
6. Network Security
7. Computer Usage
8. Non-Organization Personnel
9. Password Protection
10. Virus Protection

1. Software & Software Applications:
Installation, configuration and support of all software and software applications used within GHPL shall be the responsibility of the IT department. Requirements for new software or applications, and for modifications, enhancements and upgrades of existing software, should be discussed with the IT department so that the detailed specification and implications can be assessed. Software licence records shall be maintained by the IT department to ensure compliance with legislation.

Ten user licences have been purchased from SAP Siemens Pakistan. Users are divided into three categories:

S.#   User Category                    Description
1.    7 Professional Users             Full authorization: change, delete, edit, add.
2.    2 Limited Professional Users     Can only view/display the records.
3.    1 Developer User                 Used for customization of ABAP code.

Addition, deletion or change of access authorizations in the SAP Finance and HRM modules shall be approved by the Director Finance/Chief Financial Officer on the prescribed Authorization Request Form (Annex-A), while access authorizations for the BI production server shall be granted by the Director Technical. Duplication of licensed software or related documentation, for use either on company premises or elsewhere, shall only be allowed after written approval by the Head of IT department. Only software approved by the Head of IT shall be installed on office computers. Any personal software approved for installation must be registered with the IT Department. If the Head of IT Department believes, in his or her sole discretion, that installed personal software may harm the computer equipment, he or she may direct the employee to remove the software from the company's computer equipment.

2. Backup and Recovery:
Servers are backed up on a weekly and monthly schedule covering data, logs and operating systems. The weekly backup includes only the database backup of all SAP servers, while a full system backup of all SAP servers is taken monthly. Tape cartridges or other removable media may be used for data backup, and the following strategy is used:
a. A full backup of all servers, folders and e-mails is taken on two external hard drives/tape cartridges. One is kept in the server room and the other at a different physical location. This achieves two goals: if a server crashes, all data can be recovered from the copy kept in the server room; and if that copy fails or the server room suffers a natural disaster, the data can be recovered from the copy kept at the other location.
b. The remaining removable drives/cartridges may be used for export and database backups.
Backups may be taken of the following servers, user folders and e-mails:
a. SAP server databases.
b. Network shared directories.
c. Mailboxes of each user.
d. Petrel server database.

Security: Access to backup media, devices or backup systems software is restricted to authorized staff. Requests for physical or system access by unauthorized staff require prior approval of Head of the IT department.

Off-Site Storage: Copies of backups will be stored in a safe location, physically distant from the data processing center to facilitate disaster recovery efforts.

Supporting Documentation: Documentation regarding the build and recovery of the implemented backup solution must be maintained in locations that allow access during disaster recovery efforts. Tape and other backup media must be clearly labelled to reflect the data written to the media and the date on which the backup was taken. Reports on data backup status will be sent to the concerned authority.

Disposal: Backup media will be physically destroyed in a secure manner that renders the stored data irretrievable. Media destruction shall be conducted by authorized staff or by an approved designate.

Restoration: Users who need files restored must submit a request to the IT Manager, including the file name, its creation date, the last time it was changed, and the date and time it was deleted or destroyed.

3. IT Hardware Usage:
Hardware is defined as server computers, computer systems, laptops, notebooks, printers, wireless modems, multimedia equipment and any other hardware not listed here. Records of all IT equipment, including additions, deletions, movements and allocations, shall be maintained by the IT department. Requirements for new hardware should be discussed in advance with the Head of IT Department so that the detailed specification can be assessed. The deployment of new equipment or re-deployment of existing equipment may only be undertaken with the approval of the Head of IT.
The security and safekeeping of portable devices such as laptops is the responsibility of the employee using them. All employees are responsible for the proper usage, care and cleanliness of the IT equipment in their use. Any hardware issued to employees must be handled with extra care and caution. If, due to negligence or mishandling, the hardware becomes faulty or damaged, it is the employee's responsibility to have it repaired at his/her own expense. Similarly, if the hardware is damaged beyond repair, the employee will be liable to pay the company the net depreciated amount, taking the net book value as of the date of damage.

4. Internet Access:
Internet access is provided to staff to enable them to undertake company business only. Use of the Internet for personal reasons should be limited and infrequent; in case of excessive personal use, the Internet facility may be withdrawn at any time without notification. The company reserves the right to block user access to specific web sites, or groups of web sites, without notice to staff. While the company respects the privacy of individual staff, it reserves the right to assign a member of IT to track and log web access, including sites visited, if it believes these rules have been violated.
Staff are prohibited at all times from using the company's computers for shopping, trading in stocks, shares or other negotiable instruments, or participating in online auctions. Staff should not subscribe to chat rooms, dating agencies, messaging services or other online subscription Internet sites.
The company retains the right to monitor Internet usage by staff. This right will be exercised solely through the IT Department and only on the instructions of the Head of IT.
It is forbidden to send audio, video or picture files (multimedia files of any kind) from the GHPL domain for private purposes. Limited exchange of private multimedia files is allowed by placing them in a dedicated public folder, the address of which is available from the IT department.

5. E-mail Management:
No e-mail may be sent or forwarded through a company computer for purposes that violate company policies, or for any illegal or criminal purpose. The administrator of the e-mail system will not read staff e-mails unless authorized by the Head of IT department, and then solely for the purpose of safeguarding company interests. Users should compress large files before attaching them to e-mail; this helps to optimize bandwidth. Users should delete items from their inbox and outbox when they are no longer needed. If a mail item needs to be retained, it should be moved to an archive folder or a disk, or be printed. Unsolicited mail should be deleted immediately.

It is possible to receive a virus by e-mail, and some viruses are embedded in attachments. If you receive a suspicious e-mail, do not open it; contact the IT Department instead. Users should be aware that deleting electronic information will often not erase it from the system's storage until it is overwritten with other data; it may in any case still reside on the company's network, on backup systems or in other forms, and even if erased may still exist as print-outs.
Limited personal use of e-mail is permitted. Managers should ensure there is no abuse of this privilege. E-mail to all staff should be used only when appropriate. Staff should minimise the number of messages in their in-box to ensure maximum efficiency of the delivery system, and should use the archiving facility within the e-mail system in accordance with current guidelines. The company retains the right to access and view all e-mails sent and received through the e-mail system.
Every user should include the following disclaimer after the signature of each outgoing e-mail:

    The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you have received this in error, please contact the sender and delete the material from your computer. Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of the company. Finally, the recipient shall check this e-mail and any attachments for the presence of viruses. The company accepts no liability for any damage caused by any virus transmitted by this e-mail.

Users may not discuss their opinions on religious, sectarian or political matters by e-mail. Users may not use e-mail to propagate indiscipline in office matters, or to bring any individual or organization into disrepute. Users may only use proper official language in their e-mails. Unsolicited e-mail messages to multiple users are prohibited unless explicitly approved by the concerned Head of Department. All messages must show accurately from where and from whom the message originated. Inappropriate mass mailing or talk requests, such as multiple mailings to newsgroups, mailing lists or individuals (e.g., spamming, flooding, blogging, bombing or snerting), are serious violations of IT policy. The company reserves the right to refuse mail and other connections from outside hosts that send unsolicited, mass or commercial messages, or messages that appear to contain viruses, to company or other users, and to filter, refuse or discard such messages.

6. Network Security:
Unauthorized attempts to gain privileged access, or access to any account or computer not belonging to you, on any company computer or system are not permitted. Creation of any program, web form or other mechanism that asks for a company user identity and password is prohibited. Downloading, installing or running security programs or utilities that reveal weaknesses in the security of the network is strictly prohibited unless a job specifically requires it.
Computer and network accounts provide access to personal and confidential data. Individual accounts therefore cannot be transferred to or used by another individual; sharing accounts or passwords is strictly prohibited.
Each computer user is responsible for the security of any computer he/she connects to the network. A computer seen to be attacking other systems will be taken off the network, generally without notice, until it has been made secure. For security and network maintenance purposes, IT department staff are authorized to monitor equipment, systems and network traffic at any time. GHPL reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Any user who finds a possible security lapse on any company system must report it to the IT Department.
User files on central company systems are kept as private as possible. Attempts to read another person's files will be treated with the utmost seriousness.
The use of removable devices (flash drives, CDs, floppies) should be minimized, as these are potential sources of viruses, Trojans and leakage of information.

7. Computer Usage:
Use of any company computer by an individual or group other than an employee requires approval from the Head of IT Department. Use of the computers for commercial purposes other than those of the company is strictly prohibited unless explicitly approved by the Head of IT Department. Consuming gratuitously large amounts of system resources (print quotas and network bandwidth), or crashing machines whether deliberately or through carelessness, shall be avoided. Large jobs shall be run on shared systems after peak hours. Playing online or computer games on official computers is prohibited. Copying, storing, displaying or distributing copyrighted material using company computers or the GHPL network without the express permission of the copyright owner, except as otherwise allowed under copyright law, is prohibited.

Copying, storing, displaying or distributing pornographic material using company computers is prohibited. This prohibition extends to using company computers to view web sites displaying such material. Computer users must ensure that their systems are properly shut down and turned off at the end of the day. Installation or removal of any software or hardware on the system without prior permission from the Head of IT is not permitted. Users are not allowed to change system parameters such as the computer name, IP address, primary and secondary DNS servers, Outlook settings, etc. The Head of HR/Admin department should notify the Head of IT of the creation or deletion of staff e-mail accounts and system permissions.

8. Non-Organization Personnel:
External or non-organization personnel are not permitted to access internal network resources unless specifically approved in advance by the Head of IT Department.

9. Password Protection:
Users are responsible for the security of their passwords and should change them frequently for better security of their machines. Passwords must be chosen that are difficult to guess. This means that passwords must not be related to one's job or personal life: for example, a car licence plate number, a spouse's name or fragments of an address must not be used. It also means that passwords must not be a word found in the dictionary or some other part of speech; for example, proper names, places, technical terms and slang must not be used. A good password is a mixture of upper- and lower-case letters along with numbers. Whenever a user leaves his or her computer unattended, the user must ensure that the system is secured with a password-protected screensaver or must lock the computer using the Ctrl-Alt-Delete key combination.
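The password rules above can be enforced mechanically rather than left to the user. The following Python check is an added example and is not part of the GHPL policy or its systems. It implements the policy's three rules (mixed-case letters plus numbers; no dictionary word; nothing tied to the user's job or personal life) and adds what a practitioner would want on top of them: the dictionary check is applied after stripping the digits and punctuation users tack on to a word, and after undoing common letter-for-digit substitutions, so "Summer2011!" and "P@ssw0rd" are both caught. The minimum length of eight characters, the small sample wordlist and the substitution table are assumptions of this example; the policy specifies none of them.

```python
import re

# Constructed sample wordlist standing in for a real dictionary. Assumption of
# this example: a deployment would load a full wordlist (e.g. a cracking list)
# instead of this handful of words.
SAMPLE_DICTIONARY = {
    "password", "welcome", "summer", "winter", "karachi", "islamabad",
    "finance", "manager", "ghpl", "admin", "qwerty", "letmein",
}

# Assumed minimum length; the policy sets no number, so this is the example's choice.
MIN_LENGTH = 8

# Common substitutions users make to disguise a dictionary word ('P@ssw0rd').
# Both strings are the same length, as str.maketrans requires.
LEET_MAP = str.maketrans("0134578@$!", "oleastbasi")


def _strip_edges(s: str) -> str:
    """Drop leading/trailing digits and punctuation: 'summer2011!' -> 'summer'."""
    return s.strip("0123456789!@#$%^&*()_-+=.,;:")


def _normalize(s: str) -> str:
    """Lower-case and undo leet substitutions so 'P@ssw0rd' compares as 'password'."""
    return s.lower().translate(LEET_MAP)


def check_password(pw: str, personal_terms=(), dictionary=SAMPLE_DICTIONARY):
    """Return the list of policy rules the password breaks; an empty list means it passes.

    personal_terms: strings tied to the user's job or personal life (spouse's
    name, car licence plate, address fragments) that the policy forbids in a
    password. Separators in them are ignored so 'LEA-1234' also matches 'lea1234'.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    # The policy's composition rule: mixed-case letters plus numbers.
    if not re.search(r"[A-Z]", pw):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    # Dictionary rule: strip decoration first, then undo leet, so both
    # 'Summer2011!' and 'P@ssw0rd' reduce to the underlying word.
    core = _normalize(_strip_edges(pw.lower()))
    if core in dictionary:
        problems.append("based on a dictionary word or common name")
    # Personal-information rule: compare both the raw lower-cased forms and the
    # leet-normalized forms, so a plate number hidden by substitutions still matches.
    lowered = pw.lower()
    normalized = _normalize(pw)
    for term in personal_terms:
        t = re.sub(r"[\s\-_.]", "", term).lower()
        if len(t) >= 3 and (t in lowered or _normalize(t) in normalized):
            problems.append(f"contains personal information ({term!r})")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a user whose spouse is 'Ayesha' and whose
    # car is registered 'LEA-1234'.
    personal = ["Ayesha", "LEA-1234", "Street 7"]
    for candidate in ["Summer2011!", "P@ssw0rd", "ayesha2010", "Lea1234X!", "Tq7#mLz!9v"]:
        print(f"{candidate!r}: {check_password(candidate, personal) or 'OK'}")
```

Run as a script it reports one line per constructed candidate; in a real deployment the personal terms would come from the HR record of the user changing the password, and the check would run inside the password-change path so the user cannot bypass it.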

10. Virus Protection:
Every PC/laptop shall be fully protected by antivirus software, and end users are not authorized to remove or uninstall antivirus software installed by the IT department. It is the responsibility of end users to report any virus attack on their computers to the IT department immediately. Employees should virus-scan all media (including floppy disks, zip disks, flash drives and CDs) before first use.

Under no circumstances should an employee attempt to disable or interfere with the virus-scanning software. Any problems caused by the anti-virus software shall be reported to the IT department immediately.

Violations of these policies may result in the immediate suspension of the user's computer account and network access. Serious violations of the policy will be referred directly to management and may result in disciplinary action.

Annex-A
Role Creation, Modification or Deletion Request Form

Request Date: ____________

Role Information:
Module: FICO / HCM / PS / JVA
Role Description: ______________________________________

Add Transactions:
S. NO.  Transaction Code    S. NO.  Transaction Code    S. NO.  Transaction Code
1       ________________    6       ________________    11      ________________
2       ________________    7       ________________    12      ________________
3       ________________    8       ________________    13      ________________
4       ________________    9       ________________    14      ________________
5       ________________    10      ________________    15      ________________

Delete Transactions:
S. NO.  Transaction Code    S. NO.  Transaction Code    S. NO.  Transaction Code
1       ________________    6       ________________    11      ________________
2       ________________    7       ________________    12      ________________
3       ________________    8       ________________    13      ________________
4       ________________    9       ________________    14      ________________
5       ________________    10      ________________    15      ________________

Role Deleted: Yes / No

Approval Signatures:
User: ____________    Manager: ____________    Chief Financial Officer: ____________

For IT Department:
Created/Modified/Deleted By: ____________
Creation/Modification/Deletion Date: ____________
Communication Date: ____________
Remarks, if any: ______________________________________

Acknowledgement I have read and understood this policy statement:

(Signature)

(Date)
