Information and Cyber Security Declaration
Please read the following carefully and sign at the end of the document.
The Company will keep the original signed copy. The employee may keep a scanned
and/or soft copy.
The following will serve as a basis for the Cyber Security Guidelines for
MobileComm India employees.
MobileComm has ownership of all assets, business data and information.
The Company's computer, network and all other resources are made available
for the Company's business purposes ONLY and should not be used for personal
purposes.
All employees need to follow the information security policy and make every
effort to ensure the confidentiality of information.
Any breach of confidentiality will call for disciplinary action as per the
laid-down guidelines.
Employees are advised to refrain from the following activities:
Connecting a computer/tablet/PDA to our network.
Sending/copying files to an external portal or to another mobile device/
storage device.
Sending files via personal email to non-work-related email recipients.
Don't access the Customer's network without written confirmation.
Customer's network data shouldn't be transferred to China without
written consent.
Don't bypass any of the Customer's security tools.
Don't use third-party IM applications to discuss customer-related
information unless an exception is approved by the Customer.
DO’s
Other than for direct work-related activities, use your company laptops or
desktops for self-study and to strengthen your technical skills; outside
office hours they should be used for the same purpose, not for
personal matters.
Use the software that is supplied by IT and is on the approved software
list (e.g. from iDesk).
Always keep Customer information confidential and don't disclose it to
irrelevant parties.
Be reminded that:
All of the Company's computers are actively monitored. The monitoring
system is a well-proven tool, so please do not try to test how much
it can do.
Any attempt to send or copy files to unrelated locations will be subject
to security reporting and management escalation.
Once a breach is confirmed, regardless of intent, different levels of
disciplinary action may be taken (warning letter, downgrading in
PBC, etc.).
I. Cyber Security Redline:
1. It is prohibited to access a customer's system and collect, process, or modify
the data and information on the customer network without documented
permission.
2. It is prohibited to connect a personal portable device or storage media to
the customer network without documented permission.
3. It is prohibited to perform operations beyond the scope approved by the customer.
4. It is prohibited to perform operations using another person's account or
an unauthorized account to log in to the customer's devices.
5. It is prohibited to implant malicious code, malicious software or backdoors, or to
reserve concealed interfaces or accounts in products or services.
6. It is prohibited to attack and undermine customer networks or to crack
a customer's account password.
7. It is prohibited to disclose and spread the data and information on
the customer's network.
8. It is prohibited to use shared accounts and passwords without the customer's
documented permission.
9. It is prohibited to retain or use the administrator account and
unauthorized accounts after the commercial use of the network or the
maintenance transition.
10. It is prohibited to run unauthorized software on a customer network unless
approved in writing by Customer or Customer client, or to use
software versions, patches, or licenses that are not obtained through official
channels.
11. It is prohibited to use information and data in the customer's system to
seek improper gains or for illegal purposes.
12. It is prohibited to participate in government-related sensitive business
and to provide any equipment maintenance service to the Monitoring Centre
(MC).
13. It is prohibited to access lawful interception activity data and to carry
out lawful interception activities and training (lawful interception activities
include lawful interception object management, lawful interception event
management and lawful interception content management) without approval
by the competent authority.
14. It is prohibited to participate in equipment maintenance for the
switching network element (the network element that provides the lawful
interception interface) and the Lawful Interception Gateway (LIG) without
authorization from the customer. If authorization from the customer is
obtained, execution of maintenance work must also follow the two-man rule.
The contract must explicitly state both the customer's and Customer's
responsibilities as regards the lawful interception equipment maintenance
service. The responsibilities for handling equipment maintenance of other
suppliers/vendors/manufacturers on behalf of the customer must also be
clearly stated.
15. It is prohibited to reveal or disseminate the content of security
incidents related to lawful interception and data retention without
authorization from the customer.
16. It is prohibited to collect, store, transfer, modify or remove customer
network data (including personal data), or to perform similar operations,
without signing a "Data Protection Agreement" with the customer or
obtaining written authorization from the customer.
17. It is prohibited to transfer personal data used in business analysis
away from the customer network without it being anonymized. The collection
and use of personal data must follow the need-to-know principle.
18. It is prohibited to send any customer network data (including personal
data) to China without written authorization from the customer.
19. It is prohibited to transmit personal data without encryption.
20. It is prohibited to share accounts with others or to operate beyond the
scope of job responsibilities. Account passwords must follow strong password
rules and be changed regularly.
21. It is prohibited to implement a data retention policy in relation to
traffic data and location data without first obtaining written customer
approval.
22. It is prohibited to take over or grant account privileges that can
collect the content of communications (such as short messaging and call
content) without written authorization from the customer. The personnel who
use this kind of account must be clearly stated in the written authorization.
The authorization document must be kept properly.
23. It is prohibited to collect content data of communications. Authorized
person(s) can only perform the operations to collect the content of
communications with the consent of the end-user and the written approval
of the customer when the end-user reports a failure related to the content
of communications. The person(s) must follow the need-to-know principle.
The collected files containing content of communications must be encrypted
and stored on shore. They must not be accessed by a non-authorized person.
They must be deleted irreversibly after the completion of troubleshooting.
24. It is prohibited to tamper with or remove logs from the customer
network. The integrity of logs must be maintained to assist with customer
security incident investigations.
25. It is prohibited to use operations tools in the customer networks
without prior customer approval. Those tools/software must be obtained
from either the Customer Support web site or customers' authorized
channels.
II. Non Compliance and Disciplinary Actions
Non-compliance of any manner is not acceptable at all. If someone is found
to be at fault with regard to cyber security, very stern action will be initiated
against that person, which will amount to immediate termination of services with
the company along with a penalty of Rs 50000/- (Rs. Fifty Thousand), irrespective
of the level or position the person holds in the organization.
Declaration:
I (__________________) have fully studied and understood that the information
security regulations and the red lines of cyber security conduct specified by
MobileComm Technologies India Pvt Ltd concern practices that may affect information
and cyber security and are prohibited by laws and regulations. If I break the
regulations, I will be held legally liable, even to the extent of criminal charges. I hereby
commit that I will strictly follow MobileComm's information and cyber security
management regulations and bear the corresponding legal liabilities according to
the appropriate laws and regulations if I violate any of the above information
security regulations and red lines of cyber security conduct. Also, I will be
responsible for the losses brought to the company by these violations.
Commitment Maker's Info
Department/ Project: GDC, MobileComm Technologies (India) Pvt. Ltd.
Name: Employee ID:
Committed by (Signature): Date:
Place : -