Tata Power IT Policy for Providing E-Mail Facility to Employees


Tata Power Co. Ltd. IT Policy – Information Access via PC, Network - Intranet and Internet

IT Policy- Information Access via PC, Network - Intranet and Internet

Tata Power Company Ltd.

Rev. 1.0 February 2005

Corporate Information Technology


Approval History

Rev. 0 January 2004

Created By Shrikant H. Agarwal January 2, 2004 SHA
Checked By V. N. Prabhu January 3, 2004 VNP
Approved By VP (F) AC

Rev. 1. February 2005

Created By Shrikant H. Agarwal
Checked By E. R. Batliwala
Approved By VP


About This Document

A large amount of business and process data is stored within various servers in the TPC network. This document details the policy for accessing and using information via the network, the Web and personal computers.

Infrastructure

Access to the latest and accurate information and data is critical to the organizational business of Tata Power. Due to heavy organizational dependence on electronic information, Tata Power employs a variety of electronic systems (hardware and software): personal computers (desktops, laptops, and PDAs) and servers providing services such as SAP, office productivity tools, and MIS. All the offices have LAN connectivity to the desktops, and laptops are interconnected to the network via copper, fiber or wireless media. In all, there are about 1000 PCs in the organization deployed for a variety of uses.

Tata Power has optical and microwave links connecting all the divisions and departments in and around Mumbai. All the stations are interconnected to the corporate WAN via a 10/100 Mbps network, except Bhivpuri and Ambernath, where we have a microwave link/VSAT with a speed of 64/128 Kbps. The TPC WAN thus provides very high-speed connectivity to the various network services/resources such as servers (SAP, Internet, Intranet, PMS etc.). The outlying SBUs are connected to Mumbai via VSAT links or through leased lines/VPN.

Various backup devices, such as CD-ROMs, tape, and backup servers, have been made available in order to facilitate the backup of software and corporate data. Backup servers have been provided by IT in order to facilitate storage and retrieval of user-generated data, in compressed and password-protected form, at different locations.

Information and Data Access

Access to the Tata Power Network and Information resource is a privilege, not a right. Access to networks and computer systems owned and operated by Tata Power requires certain user responsibilities and obligations and is subject to Organizational policies and local, state and Indian laws. Appropriate use should always be legal and ethical. Users should reflect Tata Code of Conduct, and show consideration and restraint in the consumption of shared resources. Users should also demonstrate respect for intellectual property; ownership of data; system security mechanisms; and individual rights to privacy and to freedom from intimidation, harassment, and annoyance.

In order to enable employees to fulfill their duties, employees have been given the privilege of accessing organizational information and data depending upon their level and on a need-to-use basis. The preservation of that privilege for all employees requires that every employee and other authorized user comply with organizational standards for appropriate use.


To assist and ensure such compliance, Tata Power establishes the following policy, which supplements all applicable Tata Power policies, employee disciplinary policies, as well as other applicable Indian laws.

Definitions

Authorized users

Authorized users of Tata Power computing and network resources are defined as those individuals provided a username and password (for their own use in order to discharge organizational duties only) through legitimate Tata Power processes for assignment of such identification from Computing Services. An authorized use of Tata Power computing and network resources is initiated by entering that individual’s username and password. Using another individual’s username and password is an unauthorized use. The only exception to this authorized use definition is access on designated computers provided in Control Rooms and Maintenance, where the user ID and password need to be shared amongst several authorized Tata Power control room/maintenance personnel.

Authorized users are (1) permanent employees having network (Internet and Intranet) and email accounts, (2) trainees who have been given network and/or email accounts with prior approval, and (3) approved vendors and partners who have been given a valid network and email account to enable them to fulfill organizational obligations. In addition, a user must be specifically authorized to use a particular computing or network resource by the campus unit responsible for operating the resource.

Authorized use

Authorized use of the Tata Power owned or operated computing and network resources shall be consistent with the Tata Code of Conduct, Tata Power Vision, Mission and Values, and consistent with this and Organizational Policy.

Unauthorized access

Any misuse of computing and network resources (by authorized or unauthorized users) that affects the Tata Power business and is contrary to the Tata business ethics and Tata Code of Conduct is prohibited.

Authorized users also shall not:

· Physically damage computer systems
· Obtain extra resources not authorized to them
· Deprive another user of authorized resources
· Gain unauthorized access to systems by using knowledge of:
  · A special password
  · Loopholes in computer security systems
  · Another user’s password
  · Access abilities used during a previous position at the TPC

User’s Responsibilities

Users are responsible for knowing what information resources (including networks) are available, remembering that the members of the community share them, and refraining from all acts that waste or prevent others from using these resources, or from using them in whatever ways have been proscribed by the Organizational and the Indian laws.

Sharing of access

Computer accounts, passwords, and other types of authorization are assigned to individual users and are not to be shared with others. The assigned user is responsible for any (mis)use of the account. Sharing of a computer account constitutes an inappropriate use and may lead to termination of that account.

Permitting unauthorized access

Users may not run or otherwise configure software or hardware to intentionally allow access by unauthorized users. Failure to configure hardware or software in a way that reasonably prevents access by unauthorized users is a violation of acceptable use.

Reporting of Resource Misuse

All authorized users are stakeholders in TPC networks and are expected to ensure that the organizational resources are not misused, as this will in turn affect their own operational effectiveness. All unauthorized access or misuse shall be reported to the Information Security Committee or the SBU Head immediately. All security incidents reported shall be promptly investigated by the Information Security Committee.

Policy Guidelines

This policy may be supplemented with additional guidelines by campus units that operate their own computers or networks, provided such guidelines are consistent with this policy.

Copyright of Media and Software Licenses:

Computer users must respect copyrights and licenses to software, entertainment materials, published and unpublished documents, and any other legally protected digital information.

All software and other intellectual material used in Tata Power must be legally purchased. Written permission from the copyright holder is required to duplicate any copyrighted material. Users are required to respect and abide by the terms and conditions of software use and redistribution licenses. Such restrictions also include prohibitions against copying programs or TPC owned data and for use in Tata Power network.

All copyrighted information (text, images, icons, programs, video, audio, etc.) retrieved from external/internal computer or network resources must be used in conformance with applicable copyright and other law. Copied material must be properly attributed. Plagiarism of digital information is subject to the same sanctions as apply to plagiarism in any other media.

Number of Simultaneous Users

The number and distribution of copies of copyrighted materials must be handled in such a way that the number of simultaneous users in a department does not exceed the number of original copies purchased by that department, unless otherwise stipulated in the purchase contract or as otherwise permitted by copyright law.

Intellectual property

Users are responsible for recognizing and honoring the intellectual property rights of others and for taking actions that are in accordance with the law.

Individual Access and Information Privacy

TPC Network and Computer users must not encroach on others' (within or outside TPC) access and use of the Tata Power computers, networks, or other information resources, including digital information. This includes but is not limited to: attempting to access or modify personal, individual or any other Tata Power Organizational information for which the user is not authorized; attempting to access or modify information systems or other information resources for which the individual is not authorized; unauthorized modification of system facilities, operating systems, or disk partitions; attempting to crash or tie up the Tata Power Computers, network or other information resource; or otherwise damaging or vandalizing Tata Power Information and Data Access computing facilities, equipment, software, computer files or other information resources.

Abuse of Network and Computing Privileges

Use of Bandwidth

Tata Power has an optical backbone network connecting all users. Since bandwidth is a precious and limited commodity and is critical for Tata Power business, all users must take measures not to over-utilize this resource. Care must be exercised not to execute programs that tend to flood the network.

Similarly, copying, transferring and distributing large pictures, movies, audio, and other multimedia content (MPEG etc.) over the network tends to overload the network and is therefore prohibited except when essential for the Tata Power business.

Password and Code breaking


Computer users must respect the rights of other computer users. Tata Power systems provide mechanisms (encryption, password access) for the protection of private information from examination by others. Attempts to circumvent these mechanisms in order to gain unauthorized access to the system or to another person’s information are a violation of Tata Power policy and may violate applicable law.

Modification or Removal of Equipment:

Computer users must not attempt to modify or remove computer equipment, Networks, software, or peripherals without proper authorization.

Harassment

No user of TPC network may, under any circumstances, use Tata Power computers or networks to harass any other person.

The following constitutes computer-aided harassment:

· Intentionally using the computer to annoy, harass, terrify, intimidate, threaten, offend, or bother another person by conveying obscene language, pictures, or other materials or threats of bodily harm to the recipient or the recipient’s immediate family;
· Intentionally using the computer to contact another person repeatedly with the intent to annoy, harass, or bother, whether or not an actual message is communicated, and/or the purpose of legitimate communication exists, and where the recipient has expressed a desire for the communication to cease.
· Intentionally using the computer to contact another person repeatedly regarding a matter for which one does not have a legal right to communicate, once the recipient has provided reasonable notice that he or she desires such communication to cease (such as debt collection).

Unlawful Messages

Use of electronic communication facilities (such as electronic mail or instant messaging, or systems with similar functions) to send fraudulent, harassing, obscene, threatening, or other messages that are a violation of applicable Indian law or TPC policy is prohibited.

Advertisements

Tata Power Network facilities should not be used to transmit external commercial or personal advertisements, solicitations or promotions contrary to Tata Power business policies and interests.

Personal Usage

Tata Power information resources should not be used for personal activities not related to appropriate Tata Power functions, except in a purely incidental manner.


Personal business

Computing facilities, services, and networks should not be used in connection with compensated outside work or for the benefit of organizations not related to TPC.

Commercial Use

Tata Power information resources shall not be used for commercial purposes, except in a purely incidental manner or except as permitted under other written policies of Tata Power or with the written approval of the TPC official having the authority to give such approval. Any such commercial use should be properly related to TPC activities.

Chain Letters

The propagation of chain letters is considered an unacceptable practice by TPC and is prohibited. Chain letters, especially those with graphics and/or attachments, load the critical e-mail facility and may adversely affect the email operation.

Unauthorized Servers:

Tata Power has provided several servers for various uses such as e-mail, Intranet, Data Backup etc. for the users. Users are expected not to install servers or establish a background process that services incoming requests from anonymous users for purposes of email, FTP, Web hosting, gaming, chatting or browsing the Web on other unauthorized servers.

Unauthorized Monitoring:

A user may not use computing resources for unauthorized monitoring of electronic communications.

Political Advertising or Campaigning:

Use of TPC computers and network for political use contrary to Tata Code of Conduct is prohibited.

Information Security

TPC has laid out an Organizational Information Security Policy. All users must make themselves familiar with the security policy and are expected to abide by the security policy.

Encryption and password protection

A computer user who has been authorized to use a password-protected, or otherwise protected, account may be subject to both civil and criminal liability if the user discloses the password or otherwise makes the account available to others without permission of the system administrator.

Information Integrity

Each individual is responsible for being aware of the potential for and possible effects of manipulating information, especially in electronic form. Each individual is responsible for understanding the changeable nature of electronically stored information, and to verify the integrity and completeness of information compiled or used. No one should depend on information or communications to be correct when they appear contrary to expectations. It is important to verify that information with the source.

Use of personally managed systems

Personally managed systems are not limited to computers physically located on the campus, but include any type of device that can be used to access Organizational computing and networking resources from any location.

Authorized users have a responsibility to ensure the security and integrity of system(s) accessing other computing and network resources electronically stored therein must be protected.

Appropriate precautions for personally owned or managed systems include performing regular backups, controlling physical and network access, using virus protection software, and keeping any software installed (especially anti-virus and operating system software) up to date with respect to security patches.

Decoding access control information

Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.

Denial of service

Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any TPC computer system or network are treated as hostile and are prohibited.

Harmful activities

Harmful activities are prohibited. Examples include IP spoofing; creating and propagating viruses; port scanning; disrupting services; damaging files; or intentional destruction of or damage to equipment, software, or data.

Unauthorized Network monitoring and sniffing

Authorized users may not use computing resources for unauthorized monitoring of network communications.


Circumventing Security

Users are prohibited from attempting to circumvent or subvert any system's security measures. Users are prohibited from using any computer program or device to intercept or decode passwords or similar access control information.

Breaching Security

Deliberate attempts to degrade the performance of a computer system or network or to deprive authorized personnel of resources or access to any TPC computer or network are prohibited. Breach of security includes, but is not limited to, the following:

- Creating or propagating viruses
- Hacking
- Password grabbing or sniffing
- Disk scavenging

Unauthorized or Destructive Programs:

Computer users must not intentionally develop or use programs that disrupt other computer or network users, that access private or restricted information or portions of a system, and/or that damage software or hardware components of a system. Computer users must ensure that they do not use programs or utilities that interfere with other (internal or external) computer users, or that modify normally protected or restricted portions of the system or user accounts.

Access to facilities and information

Sharing of access

Computer accounts, passwords, and other types of authorization are assigned to individual users and must not be shared with others. Users are responsible for any misuse of their accounts.

Permitting unauthorized access

Authorized users may not run or otherwise configure software or hardware to intentionally allow access by unauthorized users.

Use of privileged access

Access to information should be provided within the context of an authorized user’s official capacity within TPC. Authorized users have a responsibility to ensure the appropriate level of protection over that information.

Termination of access


When an authorized user changes status (e.g., terminates employment, retires, changes positions or responsibilities within TPC etc.), the department responsible for initiating that change in status must coordinate with the user to ensure that access authorization to all TPC resources is appropriate. An individual may not use facilities, accounts, access codes, privileges, or information for which he/she is not authorized.

Access to Tata Power Network Services

Users shall have direct access only to the services and networks that they have been specifically authorized to use.

Individual departmental data traffic shall be isolated either by use of VLANs or by use of an enforced path from all sensitive users’ computers to all sensitive services. Network hubs shall not be permitted.

Remote access will be provided only on a need basis, and all remote users shall be authenticated by means of passwords before access is granted to information services.

Network connections using WiFi access shall have node (MAC Address) authentication and Network Keys. All the WiFi access points shall have WEP security enabled.

Remote access to diagnostic ports on sensitive switches, routers, firewalls, proxies, etc. shall be avoided to the extent possible and shall be protected at least by means of strong login passwords and an enforced password policy.

Access to Internet and Web Browsing

All user activities and traffic to the internet are monitored and logged by the network monitoring system. Email contents (sent or received) of users shall be examined by the System Administrator upon the instructions of the Head of the Information Security Committee/Top Management.

Internet access shall be used only when required for the company’s business. All internet usage will be allowed only with prior authorization (Form A and B).

Visitors shall not be permitted to connect to the company LAN/WAN for accessing the Internet unless specifically authorized. Users on the company network must not remotely connect to the internet/external systems via modems, Wi-Fi etc. within the company premises without authorization from the Information Security Committee.

Hosting of individual/personal sites using company facilities is prohibited.

Users are prohibited from browsing or connecting to illegal, rogue, obscene or pornographic sites in all cases.

Users should be aware that the Tata Power Company accepts no liability for their intentional/unintentional exposure to offensive material that they may access via the Internet, for which the individual user/users shall be held responsible and accountable under Indian Cyber Laws.

The ability to connect with a specific web site does not in itself imply that users of Company systems are permitted to visit that site.

The use of Company computing facilities or IT resources leading to abusive, unethical or inappropriate use of the Internet is prohibited. Such users will face disciplinary, legal and/or penal actions, including termination of employment. Examples of prohibited Internet use include, but are not limited to, the following:

· Introduce material considered indecent, offensive, or related to the production, use, storage, or transmission of sexually explicit or offensive items on Company’s network or systems.
· Conduct illegal activities, including gambling. Access or download pornographic material etc.
· Enter into contractual agreements via the Internet.
· Solicit for any purpose which is not expressly approved by company management.
· Use Company logos or Company materials in any way unless it has been approved, in advance, by Company management. Reveal or publicize proprietary or confidential information. (Company logos to be used for internal communication only.)
· Upload or download music, video, media, or commercial software in violation of its copyright.
· Intentionally interfere with the normal operation of any Company internet gateway or hog the bandwidth.
· Attempt to gain illegal access to remote systems on the Internet.
· Attempt to inappropriately telnet to or port scan remote systems on the Internet.
· Use or possess Internet scanning or security vulnerability assessment tools, without the permission of the Head Information Security.
· Establish Internet or other external network connections that could allow unauthorized users to gain access into Company systems and information assets.
· Spoofing the identity of another user on the Internet or on any Company communications system is forbidden.
