Code Creators Inc.
Acceptable Use Policy
Proprietary and Confidential
2023
This document is highly confidential and for internal use only. Any unauthorized amendment, reproduction, copying etc. is
grounds for disciplinary action as deemed appropriate by the Code Creators Inc.
Title: Acceptable Use Policy
Document ID: CCI-HRS-2023-0003
Effective Date: 18-Dec-2023
Version: 01
Classification:
Ownership: IS Deptt.
CHANGE CONTROL
Version# | Date | Author(s)/Updated by | Brief Description of Changes | Reviewed By | Approved By
1.0 | 18-Dec-2023 | Nadeem Ahmed | Initial Release | George Ali | Sherry Rajani
TABLE OF CONTENTS
1. PURPOSE
2. SCOPE
3. LAWS & REGULATIONS
4. POLICY GOVERNANCE
4.1. ROLES AND RESPONSIBILITIES
4.2. REVIEW AND REVISION
5. POLICY
5.1. ACCEPTABLE USE OF INFORMATION ASSETS
5.2. DEFINITIONS
5.3. ACCEPTABLE USE
5.4. RESPONSIBILITY FOR ASSETS
5.5. PROHIBITED ACTIVITIES
5.6. RETURN OF ASSETS UPON TERMINATION OF CONTRACT
5.7. BACKUP PROCEDURE
5.8. ANTIVIRUS PROTECTION
5.9. AUTHORIZATIONS FOR INFORMATION SYSTEM USE
5.10. USER ACCOUNT RESPONSIBILITIES
5.11. PASSWORD RESPONSIBILITIES
5.12. INTERNET USE
5.13. MONITORING THE USE OF INFORMATION AND COMMUNICATION SYSTEMS
5.14. INCIDENTS
1. Purpose
The purpose of this document is to define clear rules for the use of the information system and
other information assets in Code Creators Inc.
2. Scope
This policy is applicable to all employees of Code Creators Inc., including contractual third
parties who are granted access to Code Creators Inc. information systems, encompassing both
software components and physical systems/tools.
3. Laws & Regulations
Code Creators Inc. recognizes the critical importance of compliance with applicable laws and
regulations governing our industry. This policy establishes our commitment to conducting our
operations ethically, transparently, and in full accordance with the legal and regulatory
requirements that impact our business activities. The table below lists the Laws & Regulations
applicable to Code Creators.
Guidance | Sections
SOC 2 | SOC 2 Trust Services Criteria - Confidentiality
SOC 2 | SOC 2 Trust Services Criteria - Security, Availability, Processing Integrity, and Privacy
4. Policy Governance
4.1. Roles and Responsibilities
The following table identifies the roles and responsibilities within Code Creators Inc.
concerning this policy. The definitions provided below clarify these roles:
Responsible: The individuals responsible for formulating and executing the policy.
Accountable: The person vested with ultimate accountability and authority over the policy.
Consulted: The individuals or groups to be consulted before the final implementation or
modification of the policy.
Informed: The individuals or groups to be notified after the policy has been implemented or
modified.
Role | Responsibility
Responsible - R | Compliance / IS Department
Accountable - A | Compliance Officer, Chief Technology Officer (CTO), Management
Consulted - C | Security Team
Informed - I | All employees, contractors, and relevant third parties
4.2. Review and Revision
This policy will be reviewed as it is deemed appropriate, but no less frequently than every 12
months.
Policy review will be undertaken by Compliance at least annually or when a significant
change occurs.
5. Policy
5.1. Acceptable use of information assets
5.2. Definitions
Information system – includes all servers and clients, network infrastructure, system and
application software, data, and other computer subsystems and components which are owned
or used by the organization or which are under the organization's responsibility. The use of
an information system also includes the use of all internal or external services, such as
Internet access, e-mail, etc.
Information assets – in the context of this Policy, the term information assets is applied to
information systems and other information/equipment including paper documents, mobile
phones, portable computers, data storage media, etc.
5.3. Acceptable use
Information assets may be used only for business needs with the purpose of executing
organization-related tasks.
5.4. Responsibility for assets
Each information asset has an owner designated in the Inventory of Assets. The asset owner
is responsible for the security, confidentiality, processing integrity, availability & privacy of
information in the asset in question.
5.5. Prohibited activities
It is prohibited to use information assets in a manner that unnecessarily takes up capacity,
weakens the performance of the information system or poses a security threat. It is also
prohibited:
- To download image or video files which do not have a business purpose, send e-mail
  chain letters, play games, etc.
- To install software on a local computer without explicit permission from the Information
  Security department.
- To use Java applications, ActiveX controls and other mobile code, except when
  authorized by the Information Security department.
- To use cryptographic tools (encryption) on a local computer, except in the cases
  specified in the Information Classification Policy.
- To download program code from external media without line manager concern.
5.6. Return of assets upon termination of contract
Upon termination of an employment contract or other contract on the basis of which
equipment, software or information in electronic or paper form is used, the user must return
all such information assets to the HR department.
5.7. Backup procedure
Backups of critical machines or data are taken at the planned interval.
5.8. Antivirus protection
Antivirus must remain activated on systems; the user must not deactivate it.
5.9. Authorizations for information system use
Users of the information system may only access those information system assets for which
the asset owner has explicitly authorized them.
Users may use the information system only for purposes for which they have been authorized, i.e.
for which they have been granted access rights.
Users must not take part in activities which may be used to bypass information system
security controls.
5.10. User account responsibilities
The user must not, directly or indirectly, allow another person to use his/her access rights, i.e.
username, and must not use another person’s username and/or password. The use of group
user names is forbidden.
The owner of the user account is its user, who is responsible for its use, and all transactions
performed through this user account.
5.11. Password responsibilities
Users must apply good security practices when selecting and using passwords:
- Passwords must not be disclosed to other persons, including management and system
  administrators.
- User-generated passwords must not be distributed through any channel (using oral,
  written or electronic distribution, etc.).
- Passwords must be changed if there are indications that the passwords or the system
  may have been compromised – in that case a security incident must be reported.
- Password configurations/settings must follow the approved password
  settings.
- Strong passwords must be selected, in the following way:
  o using at least eight characters
  o using at least one numeric character
  o using at least one uppercase and at least one lowercase alphabetic character
  o using at least one special character
  o a password must not be a dictionary word, dialectal or jargon word from any
    language, or any of these words written backwards
  o passwords must not be based on personal data (e.g. date of birth, address, name
    of family member, etc.)
  o the last three passwords must not be re-used
- Passwords must be changed every 3 months.
- Passwords must be changed at first log-on to a system.
- Passwords must not be stored in an automated log-on system (e.g. macro or browser).
- Passwords used for private purposes must be avoided for business purposes.
5.12. Internet use
The user must regard information received through unverified websites as unreliable. Such
information may be used for business purposes only after its authenticity and correctness have
been verified.
The user is responsible for all possible consequences arising from unauthorized or
inappropriate use of Internet services or content.
5.13. Monitoring the use of information and communication systems
All data which is created, stored, sent or received through the information system or other
organization's communication systems, including various applications, e-mail, Internet, etc.,
whether it is personal or not, is considered the property of the Company.
Users agree that authorized persons from the organization may access all such data, and that
access by such persons will not be considered a violation of the users' privacy.
The organization may use specialized tools for the purpose of identifying and blocking
forbidden methods of communication and filtering forbidden content.
5.14. Incidents
Each employee, supplier or third person who is in contact with data and/or systems of Code
Creators Inc. must report any system weakness, incident or event pointing to a possible
incident as specified in the Incident Management Procedure.