Confidential Canpar Transport L.P. INFORMATION SECURITY POLICY

Canpar Information Security Policy v1-3.doc

Oct 04, 2020


Confidential

Canpar Transport L.P.

INFORMATION SECURITY POLICY


Version #: 1.3

Issued By: Kent McDonald

Approved By: James Houston, Kent McDonald, Ron Pogson

Effective Date: September 28, 2009


Document History

Revision  Date           Description                                                          Page     Author
1.1       Jan. 27, 2009  Added HR process for Access to Information Systems under             3        Ron Pogson
                         Section 1 - 8.
                         Changed password expiry time from 60 days to 45 days to              9
                         temporarily handle the inability for Novell to enforce complexity.
1.2       Jan. 30, 2009  Added documentation regarding the shared hub-terminal-workstation    10       Ron Pogson
                         accounts. Section 3.7.
1.3       Aug. 24, 2009  Update to sections 4.8.1 and 6.4.3 to include personal pictures      14 & 16  Ron Pogson
                         as a prohibited activity unless pre-approved by immediate
                         supervisor or manager.
                         Added section 9.3, Laptop Guidelines.                                 20


TABLE OF CONTENTS

Page

INFORMATION SECURITY POLICY – SECTION 1 – GENERAL CONCERNS ...................................................... 1

INFORMATION SECURITY POLICY – SECTION 2 – GENERAL USERS CONCERNS ........................................... 4

1. Information Sensitivity Policy .................................................................................................. 4

2. Remote Access Policy ............................................................................................................ 7

3. Password Policy ...................................................................................................................... 8

4. Acceptable Use of Technology Policy .................................................................................. 11

5. Network and Internet Policy .................................................................................................. 15

6. Email Use Policy ................................................................................................................... 16

7. Anti-Virus Policy .................................................................................................................... 17

8. Wireless Network Policy ....................................................................................................... 18

9. Computer Equipment ............................................................................................................ 19

10. Clear Screen and Desk Policy .............................................................................................. 20

11. Others Policy ......................................................................................................................... 20

INFORMATION SECURITY POLICY – SECTION 3 – IT MANAGEMENT AND STAFF CONCERNS ........................ 21

1. Server Security Policy ........................................................................................................... 21

2. Contracting with External Suppliers / other Service Providers Purpose .............................. 22

3. Access Control Policy ........................................................................................................... 22

4. Network Management and Security ...................................................................................... 23

5. Antivirus Management and Policy ........................................................................................ 23

6. Information Retention Policy ................................................................................................. 23

7. Problem and Security management ..................................................................................... 24

8. System Development and Change Control Policy ........................................... 24

9. End-user computing Policy (spreadsheet) ............................................................................ 25

10. Physical Security ................................................................................................................... 26

11. Backup .................................................................................................................................. 26

12. Disaster Recovery Plan ........................................................................................................ 27

APPENDIX - DEFINITIONS


INFORMATION SECURITY POLICY – SECTION 1 – GENERAL CONCERNS

1. Purpose

1.1 The purpose of this document is to define Canpar Transport L.P. (hereafter called “Canpar”) Information Security Policy. Security and privacy must focus on controlling unauthorized access to information. Security compromises or privacy violations could jeopardize our ability to provide service, lose revenue through fraud or destruction of proprietary or confidential data; violate business contracts, trade secrets, and customer privacy; or reduce credibility and reputation with our customers, shareholders and partners.

1.2 Information entered, processed, stored, generated or disseminated by information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside Canpar. Specifically, the information must be protected from unauthorized or accidental modification, destruction or disclosure.

1.3 Providing secure, efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the surrounding investment is the impetus for establishing an information security program.

1.4 All Canpar information is categorized into two main classifications:

• Public

• Confidential

1.5 Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to Canpar.

1.6 Confidential information is information that is generally for internal company (including TransForce) use. This information has some importance to the company and must be protected against such acts as unauthorized disclosure or malicious destruction. Disclosure of this information could result in lost business or competitive advantage. Some information is more sensitive than other information and should be protected in a more secure manner. Unauthorized use or disclosure of this information could severely impact business operations, make a segment of the company unable to function or cause high monetary loss.

1.7 Refer to the Canpar Information Sensitivity Policy (below) for further definition of confidential information. This policy also defines the rule for access, protection, distribution, storage, destruction and disclosure of sensitive and confidential information. Protecting information assets includes:

• Physical protection of information processing facilities and equipment.

• Maintenance of application and data integrity.

• Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls.

• Protection against unauthorized disclosure of information.


• Assurance of the continued availability of reliable and critical information.

1.8 An effective and efficient security management program requires active support and ongoing participation from multiple disciplines and all levels of administration. Responsibilities include identifying vulnerabilities that may affect information assets and implementing cost-effective security practices to minimize or eliminate the effects of the vulnerabilities.

2. Policy Administration

2.1 The Information Security Policy is administered by the V.P. Finance and reviewed and approved by the CEO. Policy violations are reported to the CEO.

3. Policy Applicability

3.1 The Information Security Policy applies to all Canpar staff and any person under contract to any division of Canpar.

3.2 An appropriate summary of the Information Security Policies must be formally delivered to any such contractor, prior to any supply of services.

3.3 Employees who have been granted corporate access to the Internet by Canpar will be provided with a copy of this Policy.

4. Compliance

4.1 Though each individual is responsible for his/her own actions, management personnel are responsible for ensuring employee compliance with Company policy.

4.2 Any employee aware of a policy violation should immediately report the violation to their supervisor, the V.P. Finance and/or the V.P. Human Resources.

5. Sanctions for Non-Compliance

5.1 Any employee found to have violated this or any policy referenced above may be subject to disciplinary action, up to and including termination of employment.

5.2 Assuming the action is inadvertent or accidental, first violations of information security policies or procedures must result in a warning. Second violations involving the same matter must result in a letter being placed in the involved worker's personnel file. Wilful or intentional violations, regardless of the number of violations, may result in disciplinary action up to and including dismissal.

6. Security Awareness and Training

An effective level of awareness and training is essential to a viable information security program. Employees who are not informed of risks or of management’s policies and interest in security are not likely to take steps to prevent the occurrence of violations.

6.1 All new executive, management, clerical or lead hand employees must have information security awareness training as part of their orientation.

6.2 The company shall also provide an ongoing awareness and training program in information security and in the protection of computer resources for all personnel whose duties bring them into contact with critical or sensitive Canpar computer resources (i.e. the above mentioned group of employees). The organisation is committed to providing training to all users of new systems to ensure that their use is both efficient and does not compromise Information Security.

6.3 Upon termination or resignation of any employee, management shall immediately revoke all access authorizations to computer resources.

7. Internal Audit Review of Information System Controls

7.1 The Internal Audit department of Transforce will periodically review the adequacy of information system controls, as well as compliance with such controls.

8. Access to Information Systems

8.1 No employee will be given access to any IT systems until Human Resources has had the “Acknowledgement of Receipt” for the Canpar Information Security Policy signed by the employee as well as a signed User Request Form and both these documents forwarded to IT. It is imperative that new employee orientations be conducted prior to or on the hire date, the forms signed and either delivered by hand or via scanning to the IT department as this is their authority to set the new employee up with network, email, and other system access. If a hiring manager defers the paperwork then no computer access will be granted until the forms are completed. The forms will be placed in the employee’s personnel file.

8.2 Whenever an employee with any computer access leaves the company an email from HR is to be immediately sent to the Network Operations Centre (NOC) advising the employee name, employee number, and date of termination. This will ensure that the computer access is disabled without delay. Do not wait for paperwork. If you are advised verbally then ensure that IT receives written notification without delay.

This Policy is subject to ongoing review and evaluation and may be amended from time to time.


INFORMATION SECURITY POLICY – SECTION 2 – GENERAL USERS CONCERNS

1. Information Sensitivity Policy

1.1 Purpose

1.1.1 The Information Sensitivity Policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of Canpar without proper authorization.

1.1.2 The information covered in this policy includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as telephone and video conferencing).

1.1.3 All employees should familiarize themselves with the information labelling and handling requirements that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect Confidential information (e.g. Confidential information should not be left unattended in conference rooms).

Please Note: The impact of these guidelines on daily activity should be minimal.

1.1.4 Questions about the proper classification of a specific piece of information should be addressed to your manager. Questions about these guidelines should be addressed to the V.P. Finance.

1.2 Scope

1.2.1 This policy applies regardless of the media on which information is stored, the locations where the information is stored, the systems technology used to process the information or the people that handle the information.

All Canpar information is categorized into two main classifications:

• Public information is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to Canpar.

• Confidential is information that is generally for internal company (including TransForce) use. This information can be shared with members of the owning department. Sharing such information with individuals outside of the owning department requires authorization by the manager of the department that owns the data. This information has some importance to the company and must be protected against such acts as malicious destruction. Disclosure of this information could result in lost business or competitive advantage. Unauthorized use or disclosure of some of this information could severely impact business operations, make a segment of the company unable to function or cause high monetary loss. This information should therefore be protected in a more secure manner. Included is information that should be protected very closely, such as financial data, HR, Payroll, trade secrets, development programs, potential acquisition targets, and other information integral to the success of our company.

1.2.2 Canpar personnel are encouraged to use common sense judgment in securing Confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their manager.

1.2.3 Administrative Data Ownership

The administrative data “owner” is the department having primary responsibility for creation and maintenance of the data content

1.2.4 Data Owner Responsibilities

The data owner is responsible for determining how the data may be used within existing policies, and authorizing who may access the data.

1.2.5 Data User Responsibilities

The data user is the person who has been granted explicit authorization to access the data by the owner. This authorization must be granted according to established procedures. The user must use the data only for purposes specified by the owner, comply with security measures specified by the owner or custodian, and not disclose information in the data nor the access controls over the data unless specifically authorized in writing by the owner.

1.3 Policy

1.3.1 Information Ownership Must Be Assigned. Management must clearly specify in writing the assignment of ownership responsibilities for databases, master files, and other shared collections of information. Such statements must also indicate the individuals who have been granted authority to originate, modify, or delete specific types of information found in these collections of information.

1.3.2 With the exception of operational computer and network information, I.T must not be the owner of any information.

1.4 Guidelines

The Guidelines below provides details on how to protect information at the appropriate level. Use these guidelines as a reference only, as information in each category may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the information in question.

1.4.1 Confidential: Financial, Payroll, HR, Trade secrets, operational, source code, & technical information integral to the success of our company, general corporate information, customer information, sales, pricing, internal email and telephone listings.

1.4.2 Marking guidelines for information in hardcopy or electronic form.

1.4.3 Marking is at the discretion of the owner or custodian of the information. If marking is desired, the words "Confidential" may be written or designated in a conspicuous place on or in the information in question. Other labels that may be used include "Canpar Proprietary" or similar labels at the discretion of your individual business unit or department. Even if no marking is present, Canpar information is presumed to be "Confidential" unless expressly determined to be Public information by the President.

1.4.4 Access: Canpar authorized employees or contractors with a signed non-disclosure agreement who have a business need to know.

1.4.5 Distribution within Canpar: Standard interoffice mail, marked “Personal & Confidential”, approved electronic mail and electronic file transmission methods.

1.4.6 Distribution outside of Canpar internal mail: Canada Post or USPS and other public or private carriers (at the discretion of the owner of the information), approved electronic mail and electronic file transmission methods.

1.4.7 Electronic distribution: No restrictions to authorized recipients within Canpar, but should be password protected or sent via a private link to approved recipients outside of Canpar premises.

1.4.8 Storage: Keep from view of unauthorized people; erase whiteboards, do not leave in view on tabletop. Machines should be administered with security in mind. Protect from loss; electronic information should have individual access controls where possible and appropriate. Individual access controls are highly recommended for electronic information.

1.4.9 Disposal/Destruction: Shred or deposit outdated paper information in Pro-Shred disposal bins on Canpar premises; electronic data should be expunged/cleared. Reliably erase or physically destroy media.

1.4.10 Penalty for deliberate or inadvertent disclosure: Up to and including termination, possible civil and/or criminal prosecution to the full extent of the law.

1.5 Terms and Definitions

1.5.1 Appropriate measures

The measures required to minimize risk to Canpar from an outside business connection. Canpar computer use by competitors and unauthorized personnel must be restricted so that, in the event of an attempt to access Canpar corporate information, the amount of information at risk is minimized.

1.5.2 Configuration of Canpar to other business connections

Connections shall be set up to allow other businesses to see only what they need to see. This involves setting up both applications and network configurations to allow access to only what is necessary.

1.5.3 Approved Electronic File Transmission Methods

Includes supported FTP clients and Web browsers.

1.5.4 Envelopes Stamped Confidential

You are not required to use a special envelope. Put your document(s) into an interoffice envelope, seal it, address it, and stamp it confidential.

1.5.5 Approved Electronic Mail

Includes all mail systems supported by the IT Department. If you have a business need to use other mailers, contact the appropriate support organization.

1.5.6 Company Information System Resources

Company Information System Resources include, but are not limited to, all computers, their data and programs, as well as all paper information and any information classified as Confidential (see 1.2.1).

1.5.7 Expunge

To reliably erase or expunge data on a PC you must use a separate program to overwrite the data; otherwise the PC's normal deletion routine leaves the data intact on the disk until it happens to be overwritten.

1.5.8 Individual Access Controls

Individual Access Controls are methods of electronically protecting files from being accessed by people other than those specifically designated by the owner. On PCs, this includes using passwords on screensavers.

2. Remote Access Policy

2.1 Purpose

The purpose of this policy is to define standards for connecting to Canpar's network from any host. These standards are designed to minimize the potential exposure of Canpar to damages which may result from unauthorized use of Canpar resources. Damages include the loss of sensitive or company confidential data, intellectual property, damage to public image, damage to critical Canpar internal systems, etc.

2.2 Scope

This policy applies to all Canpar employees, contractors, vendors and agents with a Canpar owned or personally-owned computer or workstation used to connect to the Canpar network. This policy applies to remote access connections used to do work on behalf of Canpar, including reading or sending email and viewing intranet web resources. Remote access implementations that are covered by this policy include, but are not limited to, dial-in and VPN.

2.3 Policy

2.3.1 It is the responsibility of Canpar employees, contractors, vendors and agents with remote access privileges to Canpar's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to Canpar.

2.4 Requirements

2.4.1 Secure remote access must be strictly controlled. Access must be approved by the requestor’s manager and the Director IT. Control will be enforced via password authentication or public/private keys.

2.4.2 At no time should any Canpar employee provide their remote login or email password to anyone, not even family members.


2.4.3 It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Canpar’s internal networks.

2.4.4 Canpar employees and contractors with remote access privileges must ensure that their Canpar owned or personal computer or workstation, which is remotely connected to Canpar's corporate network, is not connected to any other network at the same time, with the exception of personal networks that are under the complete control of the user.

2.4.5 Canpar employees and contractors with remote access privileges to Canpar's corporate network must not use non-Canpar email accounts (e.g., Hotmail, Yahoo), or other external resources to conduct Canpar business, thereby ensuring that official business is never confused with personal business.

2.4.6 Non-standard hardware configurations must be approved by the I.T. Department, which must also approve the security configuration of any hardware used for remote access.

2.4.7 All hosts that are connected to Canpar’s internal networks via remote access technologies must use the most up-to-date anti-virus software, this includes personal computers.

2.4.8 Personal equipment that is used to connect to Canpar's networks must meet the requirements of Canpar owned equipment for remote access.

2.4.9 Organizations or individuals who wish to implement non-standard Remote Access solutions to the Canpar production network must obtain prior approval from the I.T. Department.

3. Password Policy

3.1 Overview

Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of Canpar Transport L.P.'s entire corporate network. As such, all Canpar Transport L.P. employees (including contractors and vendors with access to Canpar Transport L.P. systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

3.2 Purpose

The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change.

3.3 Scope

The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Canpar Transport L.P. facility, has access to the Canpar Transport L.P. network, or stores any non-public Canpar Transport L.P. information.

3.4 Policy

3.4.1 Userids and passwords must control access to all computer resources except for those designated as having access to only Canpar Public information. Some of the more common uses include: user level accounts, web accounts, email accounts, screen saver protection and voicemail passwords.

3.4.2 Users are responsible for managing their passwords and for all actions and functions performed by the userids.

3.4.3 Persons using or attaching to Canpar computer resources acknowledge compliance with the Information Security Policy when userids and passwords are assigned, and when an application is accessed.

3.4.4 All users must have a unique user ID and a personal secret password in order to gain access to any Canpar computer network.

3.4.5 All account passwords must be changed every 45 days. A password may not be reused until at least eight other passwords have been used (the system retains a history of the last eight). Minimum password age is one day.

3.4.6 The length of passwords must always be checked automatically at the time that users construct or select them. All passwords must be at least 8 characters long and must contain letters, digits and punctuation characters.

3.4.7 The initial passwords issued by a security administrator must be valid only for the involved user's first on-line session. At that time, the user must choose another password.

3.4.8 To prevent password-guessing attacks, the number of consecutive attempts to enter an incorrect password must be strictly limited. After 5 unsuccessful password attempts within 30 minutes, the involved user ID will be temporarily disabled for fifteen minutes; the failed-attempt count is reset 30 minutes after the lockout.

3.4.9 Passwords should never be written down, stored on-line or inserted into e-mail messages or other forms of electronic transmissions. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. (e.g., The phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use either of these examples as passwords)

3.5 Guidelines - General Password Construction

• Should contain both upper and lower case characters (e.g., a-z, A-Z)

• Are not words in any language, slang, dialect, jargon, etc. (e.g. hello, yeah)

• Are not based on personal information, names of family, etc. (e.g. John, Smith, Danny, Yonge)
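The rules in 3.4.5 through 3.4.8 and the construction guidelines in 3.5 are precise enough to be checked mechanically, and a policy that is enforced at the point of password change is worth more than one that is merely read. The following Python is an added example written for this page, not Canpar's code: it implements those rules as the policy states them (45-day expiry, eight-password history, one-day minimum age, eight-character minimum with letters, digits and punctuation, five failures in 30 minutes locking the user ID for fifteen minutes). The function names, the in-memory Account record, the salted PBKDF2 hash used for the history comparison, the word and name lists standing in for a real dictionary and the user's HR record, and the timestamps in the walk-through are all assumptions made for the illustration.

```python
"""Reference implementation of the password rules in sections 3.4 and 3.5 (added example)."""
from __future__ import annotations

import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Thresholds taken from the policy text.
MAX_AGE = timedelta(days=45)            # 3.4.5: change every 45 days
MIN_AGE = timedelta(days=1)             # 3.4.5: minimum password age one day
HISTORY = 8                             # 3.4.5: last eight passwords may not be reused
MIN_LENGTH = 8                          # 3.4.6
MAX_FAILURES = 5                        # 3.4.8: five failures ...
FAILURE_WINDOW = timedelta(minutes=30)  # ... within 30 minutes ...
LOCKOUT = timedelta(minutes=15)         # ... lock the user ID for fifteen minutes

# Constructed stand-ins for the 3.5 rules; a deployment would use a full dictionary
# and the user's own personal details.
COMMON_WORDS = {"hello", "yeah", "password", "welcome", "canpar"}
PERSONAL_TOKENS = {"john", "smith", "danny", "yonge"}


def check_construction(pw: str) -> list[str]:
    """Return the 3.4.6 / 3.5 rules a candidate violates (empty list = acceptable)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a punctuation character")
    lowered = pw.lower()
    if lowered in COMMON_WORDS:
        problems.append("is a dictionary word")
    if any(tok in lowered for tok in PERSONAL_TOKENS):
        problems.append("contains personal information")
    return problems


@dataclass
class Account:
    """In-memory account record (assumed structure, not Canpar's directory schema)."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[tuple[bytes, datetime]] = field(default_factory=list)  # (hash, set_at), newest last
    failures: list[datetime] = field(default_factory=list)
    locked_until: datetime | None = None


def _digest(acct: Account, pw: str) -> bytes:
    # Passwords are never kept in clear (3.4.9); a salted slow hash serves the history check.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), acct.salt, 100_000)


def change_password(acct: Account, new_pw: str, now: datetime) -> list[str]:
    """Apply 3.4.5 and 3.4.6 to a password change; returns the reasons for refusal."""
    problems = check_construction(new_pw)
    if acct.history and now - acct.history[-1][1] < MIN_AGE:
        problems.append("changed less than 1 day ago")
    digest = _digest(acct, new_pw)
    if any(hmac.compare_digest(digest, old) for old, _ in acct.history[-HISTORY:]):
        problems.append(f"matches one of the last {HISTORY} passwords")
    if not problems:
        acct.history.append((digest, now))
        del acct.history[:-HISTORY]  # keep only what the history rule needs
    return problems


def password_expired(acct: Account, now: datetime) -> bool:
    """3.4.5: a password older than 45 days must be changed."""
    return bool(acct.history) and now - acct.history[-1][1] > MAX_AGE


def record_login_attempt(acct: Account, success: bool, now: datetime) -> str:
    """3.4.8 lockout logic; returns "ok", "failed" or "locked"."""
    if acct.locked_until is not None and now < acct.locked_until:
        return "locked"
    # Failures older than the window no longer count (the counter "resets after 30 minutes").
    acct.failures = [t for t in acct.failures if now - t < FAILURE_WINDOW]
    if success:
        acct.failures.clear()
        return "ok"
    acct.failures.append(now)
    if len(acct.failures) >= MAX_FAILURES:
        acct.locked_until = now + LOCKOUT
        acct.failures.clear()  # fresh count once the lockout expires
        return "locked"
    return "failed"


def demo_scenario() -> dict:
    """Walk one constructed account through the rules; returns what each step produced."""
    t0 = datetime(2009, 9, 28, 9, 0)  # constructed timestamp (the policy's effective date)
    acct = Account()
    out = {}
    out["weak"] = check_construction("hello")
    out["personal"] = check_construction("JohnSmith1!")
    out["initial"] = change_password(acct, "Sh1p!tFast", t0)
    out["too_soon"] = change_password(acct, "Hub&Scan2009", t0 + timedelta(hours=1))
    out["reuse"] = change_password(acct, "Sh1p!tFast", t0 + timedelta(days=2))
    out["rotated"] = change_password(acct, "Hub&Scan2009", t0 + timedelta(days=2))
    out["expired"] = password_expired(acct, t0 + timedelta(days=48))
    out["attempts"] = [record_login_attempt(acct, False, t0 + timedelta(minutes=i)) for i in range(5)]
    out["during_lock"] = record_login_attempt(acct, True, t0 + timedelta(minutes=10))
    out["after_lock"] = record_login_attempt(acct, True, t0 + timedelta(minutes=20))
    return out
```

Running demo_scenario() shows each rule firing in turn: the weak and personal-name candidates are refused at construction time, a second change within a day and a reuse of the previous password are refused, the rotated password expires after 45 days, and the fifth failure inside the 30-minute window locks the user ID until the fifteen minutes have passed. One consequence worth noting for anyone maintaining this policy: the Document History records that the 45-day expiry was introduced in revision 1.1 as a stopgap because Novell could not enforce complexity; once construction rules are enforced at change time, as check_construction does, the reason for the shortened interval no longer applies and it can be revisited.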

3.6 Password Protection Standards

3.6.1 Do not use the same password for Canpar accounts as for other non-Canpar access (e.g., personal banking, personal internet, personal e-mail).


3.6.2 Where possible, don't use the same password for various Canpar access needs.

3.6.3 Do not share Canpar passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, Confidential Canpar information.

3.6.4 Here is a list of "don’ts":

• Don't talk about a password in front of others

• Don’t reveal a password over the phone to anyone

• Don’t reveal a password in an e-mail message

• Don’t reveal a password to your boss

• Don't hint at the format of a password (e.g., "my family name")

• Don't reveal a password on questionnaires or security forms

• Don't share a password with family members

• Don’t reveal a password to co-workers while on vacation

3.6.5 If someone demands a password, refer them to this document or have them call someone in the Information Technology Department.

3.6.6 Do not use the "Remember Password" feature of any application.

3.6.7 Do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.

3.6.8 If an account or password is suspected to have been compromised, report the incident to the I.T. Department and change all passwords.

3.6.9 Password cracking or guessing will be performed on a periodic or random basis by the I.T. Department or its delegates for audit purposes. If a password is guessed or cracked during one of these scans, the user will be required to change it.

3.7 Shared Account Access

• Shared accounts are used in Canpar’s Hub Terminal Workstation systems. These systems are strictly used for hand held scanner data reporting and all other system functionality will be locked down and unavailable.

• The number of users with password access to these systems should be kept to a minimum, limited to those who require access for the purpose of hand held scanner reporting.

• The terminal supervisor controls who has access to the password and is responsible for the password policy of these workstations. Any person that is given access to this password must sign the Information Security Policy.

• Any employee termination where a password is compromised needs to be reported to the Service Desk immediately so these passwords can be changed.

3.8 Application Development Standards

Application developers must ensure their programs contain the following security precautions. Applications:

3.8.1 should support authentication of individual users, not groups.

3.8.2 should not store passwords in clear text or in any easily reversible form.

3.8.3 should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.
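An added example (not Canpar's code) of what 3.5 and 3.8.2 ask of application developers: a check that a candidate password meets the construction guidelines, and a salted, slow, one-way hash for storage in place of clear text or a reversible encoding. The word list, the personal-information tokens and the PBKDF2 round count are constructed assumptions.

```python
"""Password handling per 3.5 (construction) and 3.8.2 (storage).
Added example, not Canpar's code; the word list, personal-information
tokens and round count below are constructed assumptions."""
import hashlib
import hmac
import secrets

# Constructed stand-in for "words in any language, slang, dialect, jargon" (3.5).
COMMON_WORDS = {"hello", "yeah", "password", "welcome", "canpar", "summer"}

PBKDF2_ROUNDS = 200_000  # assumption: raise over time as hardware gets faster


def construction_problems(password, personal_info=()):
    """Return the 3.5 guideline(s) a candidate password violates (empty if none).

    personal_info: strings such as family names that must not appear (3.5).
    """
    problems = []
    if not (any(c.islower() for c in password) and any(c.isupper() for c in password)):
        problems.append("must contain both upper and lower case characters")
    lowered = password.lower()
    stripped = "".join(c for c in lowered if c.isalpha())  # "Hello1!" -> "hello"
    if lowered in COMMON_WORDS or stripped in COMMON_WORDS:
        problems.append("must not be a word in any language, slang, dialect or jargon")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"must not be based on personal information ({item!r})")
    return problems


def hash_password(password, rounds=PBKDF2_ROUNDS):
    """Store a salted, slow, one-way hash (3.8.2), never the clear text.

    A base64 or XOR "encoding" would be an easily reversible form and is
    exactly what 3.8.2 prohibits. The record is self-describing
    (algorithm$rounds$salt$digest) so the round count can be raised later
    without invalidating existing records.
    """
    salt = secrets.token_bytes(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison against a record produced by hash_password."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(rounds)
    except ValueError:  # malformed record: wrong field count, bad hex or integer
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed candidates; "Smith" is a constructed family name.
    for candidate in ("Wq7!nRz2p", "hello", "Smith2009!"):
        print(candidate, construction_problems(candidate, personal_info=["John", "Smith"]) or "ok")
    record = hash_password("Wq7!nRz2p")
    print(record[:40] + "...", verify_password("Wq7!nRz2p", record), verify_password("wrong", record))
```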

4. Acceptable Use of Technology Policy

4.1 Overview

4.1.1 Use of Canpar systems to attack other computer systems, internal or external to the company is a violation of this policy.

4.1.2 Attempting to circumvent security or administrative access controls for computer resources is a violation of this policy, as is assisting someone else or requesting someone to circumvent security or administrative access controls.

4.1.3 All Canpar technology (computer equipment, software, operating systems, storage media, email systems, Internet access, network systems, etc.) is to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations.

4.1.4 The I.T. department is committed to protecting Canpar's employees, partners and the company from illegal or damaging actions by individuals, either knowingly or unknowingly.

4.1.5 Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of Canpar. These systems are to be used for business purposes in serving the interests of the company, and of our clients and customers in the course of normal operations.

4.1.6 Effective security is a team effort involving the participation and support of every Canpar employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.


4.2 Purpose

4.2.1 The purpose of this policy is to outline the acceptable use of computer equipment at Canpar. These rules are in place to protect the employee and Canpar. Inappropriate use exposes Canpar to risks including virus attacks, compromise of network systems and services, and legal issues.

4.3 Scope

4.3.1 This policy applies to employees, contractors, consultants, temporaries, and other workers at Canpar, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by Canpar.

4.4 Policy - General Use and Ownership

4.4.1 While Canpar's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the corporate systems remains the property of Canpar. Because of the need to protect Canpar's network, management cannot guarantee the confidentiality of information stored on any network device belonging to Canpar.

4.4.2 Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. If there is any uncertainty, employees should consult their supervisor or manager.

4.4.3 For security and network maintenance purposes, authorized individuals within Canpar may monitor equipment, systems and network traffic at any time.

4.4.4 Information which is confidential must be protected from unauthorized access or modification. Data which is essential to critical functions must be protected from loss, contamination, or destruction.

4.4.5 Confidential information shall be accessible only by personnel who are authorized by the owner on a strict “need to know” basis in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as confidential in its entirety.

4.4.6 Canpar reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.5 Security and Proprietary Information

4.5.1 Employees should take all necessary steps to prevent unauthorized access to confidential information.

4.5.2 Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts.

4.5.3 Because information contained on portable computers is especially vulnerable, special care should be exercised with this equipment.

4.5.4 Postings by employees from a Canpar email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of Canpar, unless posting is in the course of business duties.

4.5.5 Employees must use extreme caution when opening e-mail attachments as they may contain viruses, e-mail bombs, Trojan horse code, or other malicious code.

4.6 Unacceptable Use

4.6.1 The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

4.6.2 Under no circumstances is an employee of Canpar authorized to engage in any activity that is illegal under local, provincial, state, federal or international law while utilizing Canpar owned resources.

4.6.3 The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

4.7 System and Network Activities

The following activities are strictly prohibited, with no exceptions:

4.7.1 Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by Canpar.

4.7.2 Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which Canpar or the end user does not have an active license is strictly prohibited.

4.7.3 Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

4.7.4 Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, spyware, etc.).

4.7.5 Revealing any system passwords to others or allowing use of your accounts by others. This refers to, but is not limited to dial-up access, remote VPN access, local Windows network access, email and the OASIS system. This includes family and other household members when work is being done at home.

4.7.6 Using a Canpar computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction. This includes the creation, distribution, downloading or storing of any disruptive or offensive material concerning race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.


4.7.7 Making fraudulent offers of products, items, or services originating from any Canpar account.

4.7.8 Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

4.7.9 Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

4.7.10 Port scanning or security scanning is expressly prohibited unless prior notification to the I.T. department is made.

4.7.11 Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.

4.7.12 Circumventing user authentication or security of any host, network or account.

4.7.13 Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).

4.7.14 Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

4.7.15 Downloading and/or installing files such as wallpaper, screensavers, utilities, chat, messenger and any other executable program, unless authorized by the IT department.

4.7.16 Providing information about, or lists of, Canpar employees to parties outside Canpar, unless such action is normally part of an employee's legitimate job responsibilities.

4.8 Communications & Email Activities

The following activities are strictly prohibited, with no exceptions:

4.8.1 Sending or exchanging non-business related video clips, audio clips, personal pictures, or PowerPoint presentations unless authorized in advance by your immediate supervisor or manager.

4.8.2 Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.

4.8.3 Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).


5. Network and Internet Policy

5.1 Purpose

The Company’s Network and Internet Policy is to use the Internet exclusively to advance the business of Canpar.

5.2 Scope

The Policy is applicable to all employees who have been granted corporate access to the Network and Internet by Canpar using Canpar hardware and software resources. For the purpose of this agreement, the term “employee” shall pertain to employees or persons under contract to Canpar.

5.3 Policy - Prohibited Use

Without affecting the generality of the foregoing, the Policy includes the following:

5.3.1 The Network and Internet may not be accessed for personal or social purposes.

5.3.2 Canpar specifically prohibits its employees from accessing the following types of sites using company computers: gambling sites, auction sites, hate sites, pornographic sites, any site engaging in or encouraging illegal activity.

5.3.3 Sending corporate controlled, corporate sensitive or corporate proprietary information over the Internet.

5.3.4 Loading information from the Internet onto the corporate computer systems (this is to prevent spreading computer viruses).

5.3.5 Finding and/or displaying sensitive material on any computer, resulting in perceived “hostile environments” for co-workers.

5.3.6 Conducting personal business from the Company Internet server (such as accepting on-line orders).

5.3.7 Violating software licensing laws by illegally downloading unlicensed software.

5.4 Monitoring

The company reserves the right to use monitoring software to make sure the company’s Security Policy is being adhered to by its employees. The company may record and/or monitor one or more employees’ computer and Internet activity for any reason and without any specific notice. Violation of the Internet Policy will subject an employee to disciplinary action, including termination of employment.

5.5 General

Employees who have been granted corporate access to the Internet by Canpar will be provided with a copy of this Policy.


6. Email Use Policy

6.1 Purpose

The Canpar e-mail system is designed to improve service to our customers, enhance internal communications, and reduce paperwork. This policy exists to prevent tarnishing the public image of Canpar: when email goes out from Canpar, the general public will tend to view that message as an official policy statement from Canpar. It also exists to prevent the unauthorized or inadvertent disclosure of sensitive company information. This policy also covers automatic email forwarding, and thereby the potentially inadvertent transmission of sensitive information, by all employees, vendors, and agents operating on behalf of Canpar.

6.2 Scope

This policy covers appropriate use of any email sent from a Canpar email address and applies to all employees, vendors, and agents operating on behalf of Canpar.

6.3 Policy - General

Electronic mail is provided to staff as part of the computer resources of Canpar to conduct the business of Canpar. Email shall not be forwarded automatically unless approved by the IT department.

6.4 Policy - Prohibited Use

The Canpar email system shall not be used for:

6.4.1 The creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any Canpar employee should report the matter to their supervisor immediately.

6.4.2 Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).

6.4.3 Sending or exchanging non-business related video clips, audio clips, personal pictures, or PowerPoint presentations unless authorized in advance by your immediate supervisor or manager.

6.4.4 Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages. E-mail messages must contain professional and appropriate language at all times. Employees are prohibited from sending abusive, harassing, intimidating, threatening, and discriminatory or otherwise offensive messages via email.

6.4.5 Unauthorized use, or forging, of email header information.

6.4.6 Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.

6.4.7 Use of unsolicited email originating from within Canpar's networks or those of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by Canpar or connected via Canpar's network.


6.4.8 Employees must exercise utmost caution when sending any email from inside Canpar to an outside network. Unless approved by the I.T. Department, Canpar email will not be automatically forwarded to an external destination.

6.4.9 Chain messages and executable graphics and/or programs should be deleted.

6.4.10 Alternate Internet Service Provider connections to Canpar's internal network are not permitted unless expressly authorized by the Company and properly protected by a firewall or other appropriate security device(s) and/or software.

6.4.11 Only authorized management personnel are permitted to access another person’s e-mail without consent.

6.5 Guidelines

6.5.1 Use extreme caution to ensure that the correct e-mail address is used for the intended recipient(s).

6.5.2 Any message or file sent via e-mail must have the employee’s name attached.

6.6 Policy - Personal Use

Using a reasonable amount of Canpar resources for personal emails is acceptable, but non-work related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from a Canpar email account is prohibited. Virus or other malware warnings and mass mailings from Canpar shall be approved by the Director IT, Canpar before sending. These restrictions also apply to the forwarding of mail received by a Canpar employee.

6.7 Monitoring

All information created, sent, or received via the Company’s e-mail system, network, Internet, or Intranet, including all e-mail messages and electronic files, is the property of the Company. Employees should have no expectation of privacy regarding this information. The Company reserves the right to access, read, review, monitor, copy all messages and files on its computer system at any time and without notice. When deemed necessary, the Company reserves the right to disclose text or images to law enforcement agencies or other third parties without the employee’s consent. Canpar is not obliged to monitor email messages.

7. Anti-Virus Policy

7.1 Purpose

To establish requirements which must be met by all computers connected to Canpar networks to ensure effective virus detection and prevention.

7.2 Scope

This policy applies to all Canpar computers that are PC-based or utilize PC-file directory sharing. This includes, but is not limited to, desktop computers, laptop computers, file/ftp/tftp/proxy servers, and any PC based lab equipment such as traffic generators.


7.3 Policy

7.3.1 All computers on or accessing the Canpar network must have virus protection software installed.

7.3.2 All Canpar PC-based computers must have Canpar's standard supported anti-virus software installed and configured to be active at all times.

7.3.3 The anti-virus software and the virus pattern files must be kept up-to-date.

7.3.4 Virus-infected computers may be removed from the network until they are verified as virus-free.

7.3.5 The IT Department is responsible for creating procedures that ensure anti-virus software is active on all computers and that computers are verified as virus-free.

7.3.6 Any activities with the intention to create and/or distribute malicious programs into Canpar's networks (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.) are prohibited, in accordance with the Acceptable Use Policy.

7.4 Guidelines to help prevent virus problems

7.4.1 NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these emails immediately.

7.4.2 NEVER open any files or macros attached to an email that are not business related. Delete these emails immediately.

7.4.3 Delete spam, chain, and other junk email without forwarding, in accordance with Canpar's Email Policy.

7.4.4 Never download files from unknown or suspicious sources.

7.4.5 Back-up critical data on a regular basis.

8. Wireless Network Policy

8.1 Purpose

This policy prohibits access to Canpar networks via unsecured wireless communication mechanisms. Only wireless systems that meet the criteria of this policy or have been granted an exclusive waiver by the I.T. Department are approved for connectivity to Canpar's networks.

8.2 Scope

This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of Canpar's internal networks. This includes any form of wireless communication device capable of transmitting packet data. Wireless devices and/or networks without any connectivity to Canpar’s networks do not fall under the purview of this policy.

8.3 Policy - Register Access Points and Cards

8.3.1 All wireless Access Points / Base Stations connected to the corporate network must be registered and approved by the I.T. Department.


8.3.2 All wireless Network Interface Cards (i.e., PC cards in corporate laptop or desktop computers) used to access corporate wireless networks must be registered with the I.T. Department.

8.4 Approved Technology

8.4.1 All wireless LAN access must use corporate-approved vendor products and security configurations.

8.5 Encryption and Authentication

8.5.1 Wireless implementations must maintain point-to-point hardware encryption of at least 56 bits. All implementations must support a hardware address that can be registered and tracked, i.e., a MAC address.

9. Computer Equipment

9.1 Purpose

This policy is designed to reduce repair costs, maintain the integrity of our system and protect the Company’s assets.

9.2 Policy

Employees should adhere to the following:

9.2.1 Do not keep liquids or magnets on or near the computer.

9.2.2 Do not remove any computer from the building without written permission from management (excluding laptops or other portable hardware).

9.2.3 Equipment is always to be safeguarded appropriately, especially when left unattended.

9.2.4 Access to the Canpar network, whether internal or remote, must be authorized, controlled and monitored.

9.2.5 Computer resources are valuable assets and unauthorized use, alteration, destruction, or disclosure of these assets is prohibited.

9.2.6 Computer software purchased by the company is Canpar property and will be protected as such.

9.2.7 Unauthorized/unlicensed use of software (software piracy) will not be tolerated and such software will be removed by the appropriate administrators.

9.2.8 All computer resources used for mission critical applications shall have a cost effective, written contingency plan that will provide for prompt and effective continuation of critical missions in the event of a disaster.

9.2.9 Computer workstations used in sensitive or critical tasks must have adequate controls to provide continued confidentiality, integrity, and availability of data stored on the system.

9.2.10 All information processing areas used to house computer resources supporting mission critical applications must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations. Physical access to these areas shall be restricted to authorized personnel.

9.3 Laptop Guidelines

Laptop computers are especially vulnerable to theft. This risk can be minimized by following the guidelines set out below.

9.3.1 Laptop computers should never be left unattended when off Canpar premises.

9.3.2 If a laptop has to be left unattended on a regular basis, it should be equipped with an appropriate metal locking device that will be attached to the furniture. This can be arranged through IT if required.

9.3.3 In order to avoid attracting unwanted attention, do not take the laptop from place to place in a carrying case that bears the manufacturer’s logo.

9.3.4 Laptop users working in public places (e.g., cafés, airports) should be wary of the curious. They would be well-advised to choose locations that are deserted and sit with their backs to the wall in order to avoid others looking indiscreetly over their shoulders.

9.3.5 The I.T. Department must keep track of all laptops issued to employees. The following information must be recorded: laptop brand, model, serial number, and employee’s name.

9.3.6 Personal laptops must not be connected to Canpar’s internal network, in order to avoid any potential virus infection.

9.3.7 Laptops must be equipped with anti-virus software that can work independently of corporate systems implemented by the I.T. Department.

10. Clear Screen and Desk Policy

10.1 Purpose

This policy is designed to ensure that the screens of all user workstations and laptops are clear/blank when not in use.

10.2 Policy

Employees are not permitted to load non-approved screen savers onto the organisation's PCs, laptops and workstations.

11. Other Policies

Employees travelling on business are responsible for the security of information in their custody.


INFORMATION SECURITY POLICY – SECTION 3 – IT MANAGEMENT AND STAFF CONCERNS

1. Server Security Policy

1.1 Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by Canpar. Effective implementation of this policy will minimize unauthorized access to Canpar proprietary information and technology.

1.2 Scope

This policy applies to server equipment owned and/or operated by Canpar, and to servers registered under any Canpar-owned internal network domain.

1.3 General Configuration Guidelines

1.3.1 Operating System configuration should be in accordance with approved I.T. Department guidelines.

1.3.2 The most recent security patches should be installed on the system as soon as practical, the only exception being when their application would interfere with business requirements. Changes to routine systems operations are to be fully tested and approved before being implemented. Necessary upgrades to the Operating System of any of the organisation’s computer systems must have the associated risks identified and be carefully planned, incorporating tested fall-back procedures. All such upgrades are to be undertaken as a formal project.

1.3.3 All servers should be physically located in an access-controlled environment.

1.3.4 Access is to be logged and monitored to identify potential misuse of systems or information.

1.3.5 Error logs must be properly reviewed and managed by qualified staff.

1.3.6 Operational audit logs are to be reviewed regularly by trained staff and discrepancies reported to the owner of the information system.

1.4 Monitoring

1.4.1 I.T. Department personnel will review logs and report incidents to IT management. Corrective measures will be prescribed as needed.

Security-related events include, but are not limited to:

1.4.2 Port-scan attacks

1.4.3 Evidence of unauthorized access to privileged accounts

1.4.4 Anomalous occurrences that are not related to specific applications on the host.
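An added example (not Canpar's tooling) of the log review that 1.4 calls for, flagging port-scan attacks (1.4.2) and successful logins to privileged accounts from hosts not authorized for them (1.4.3). The log format, the sample lines, the list of authorized administrator hosts and the scan threshold are all constructed assumptions.

```python
"""Log review per 1.4: flag port-scan attacks (1.4.2) and evidence of
unauthorized access to privileged accounts (1.4.3). Added example, not
Canpar's tooling; log format, hosts and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED_ACCOUNTS = {"root", "administrator", "admin"}
# Constructed: the only workstation from which privileged logins are expected.
AUTHORIZED_ADMIN_HOSTS = {"10.1.1.7"}
SCAN_DISTINCT_PORTS = 10            # assumption: this many distinct ports from one
SCAN_WINDOW = timedelta(minutes=5)  # source within this window counts as a scan

# Constructed line format: "<iso-timestamp> <host> <DENY|LOGIN> key=value ..."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>DENY|LOGIN) (?P<kv>.*)$")

# Constructed sample log: a 12-port probe from 10.9.9.9, two benign repeated
# denies on one port, and three privileged logins of which one is suspicious.
SAMPLE_LOG = [
    f"2009-09-28T09:00:{s:02d} fw01 DENY src=10.9.9.9 dst=10.1.2.10 dport={21 + s}"
    for s in range(12)
] + [
    "2009-09-28T09:10:00 fw01 DENY src=10.1.1.20 dst=10.1.2.10 dport=445",
    "2009-09-28T09:11:00 fw01 DENY src=10.1.1.20 dst=10.1.2.10 dport=445",
    "2009-09-28T09:12:00 srv01 LOGIN user=root src=10.1.1.7 result=success",
    "2009-09-28T09:13:00 srv01 LOGIN user=Administrator src=10.9.9.9 result=success",
    "2009-09-28T09:14:00 srv01 LOGIN user=root src=10.1.1.20 result=failure",
    "garbage line that does not parse",
]


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def review(lines):
    """Return a list of (event_type, description) findings for the log lines."""
    findings = []
    denies = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["event"] == "DENY":
            denies[(rec["src"], rec["dst"])].append((rec["ts"], int(rec["dport"])))
        elif rec["event"] == "LOGIN" and rec.get("result") == "success":
            # 1.4.3: a privileged account used from a host not on the admin list.
            if rec["user"].lower() in PRIVILEGED_ACCOUNTS and rec["src"] not in AUTHORIZED_ADMIN_HOSTS:
                findings.append(("privileged-access",
                                 f"{rec['user']} logged in to {rec['host']} "
                                 f"from unauthorized source {rec['src']}"))
    # 1.4.2: many distinct destination ports from one source within the window.
    for (src, dst), hits in denies.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - start <= SCAN_WINDOW}
            if len(ports) >= SCAN_DISTINCT_PORTS:
                findings.append(("port-scan",
                                 f"{src} probed {len(ports)} distinct ports on {dst} "
                                 f"within {SCAN_WINDOW}"))
                break  # one finding per source/destination pair is enough
    return findings


if __name__ == "__main__":
    for kind, description in review(SAMPLE_LOG):
        print(f"[{kind}] {description}")
```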


2. Contracting with External Suppliers / other Service Providers

Purpose

Permitting access by a third party can not only compromise the confidentiality of your information, but can also result in loss of data validity and integrity. Ambiguous or inappropriate data may be released to third parties, resulting in possible confusion and / or reduced business confidence in the Company and its products / services.

2.1 Policies

2.1.1 Agreements with Third Parties Who Handle Information

All agreements dealing with the handling of information by third parties must include a special clause. This clause must allow the organization to audit the controls used for these information handling activities and to specify the ways in which information will be protected.

Third party access to corporate information is only permitted where the information in question has been ‘ring fenced’ and the risk of possible unauthorised access is considered to be negligible.

2.1.2 All external suppliers who are contracted to supply services to the organisation must agree to follow the Information Security policies of Canpar. An appropriate summary of the Information Security Policies must be formally delivered to any such supplier, prior to any supply of services.

3. Access Control Policy

3.1 Purpose

Access control standards are rules which the Company applies in order to control access to its information assets. The lack of uniform standards controlling the access to information and systems can lead to disparities and weaknesses, which could be exploited for malicious or other reasons, thereby compromising the confidentiality or integrity of the data.

Allocating inappropriate privileges to inexperienced staff can result in accidental errors and processing problems.

3.2 Policies

3.2.1 Access to all systems must be authorized by the owner of the system.

3.2.2 All requests for creation of new employee accounts or modification in access authorities to existing userids must be made by Department Managers to the Director of IT.

3.2.3 Only the HR department can forward terminated employee status to IT department for deletion of access rights.

3.2.4 On an annual basis a list of employees’ access privileges will be forwarded by the IT department to all Dept heads to review for accuracy.


4. Network Management and Security

4.1 Purpose

Network Management and Security is necessary to prevent damage to Canpar’s Network through inappropriate access from outside the company.

Policies

4.1.1 Access to information available through the organisation’s network systems must be strictly controlled in accordance with approved access control criteria, which are to be maintained and updated regularly.

4.1.2 Plans are to be prepared, maintained and regularly tested to ensure that damage done by possible external cyber crime attacks can be minimized and that restoration takes place as quickly as possible.

5. Antivirus Management and Policy

5.1 Purpose

Antivirus Management and Policy is necessary to prevent and/or detect damage caused by infection of Canpar’s Network and/or databases by computer viruses contracted from external sources.

5.2 Policies

5.2.1 Without exception, Anti Virus software is to be deployed across all PCs with regular virus definition updates and scanning across servers, PCs and laptop computers.

5.2.2 Anti Virus software must be chosen from a proven leading supplier.

6. Information Retention Policy

6.1 Purpose

Not having a Retention Policy may lead to data or files being deleted inappropriately, resulting in both embarrassment and possibly legal action.

6.2 Policies

6.2.1 The information created and stored by the organisation's information systems must be retained for a minimum period that meets both legal and business requirements.

6.2.2 Data retention periods for e-mail must be established to meet legal and business requirements and must be adhered to by all staff.


7. Problem and Security management

7.1 Purpose

Problem and Security management is necessary to ensure that problems detected in Canpar’s information systems are communicated and escalated in a timely and appropriate fashion in order to minimize any possible damage to the company.

7.2 Policies

7.2.1 Problem Reporting and Management Process: Information reflecting the effects of system faults, breakdowns, and computer-related problems must be made available to users on a regular basis.

7.2.2 A formal problem management process must be in place to record the problems, reduce their incidence, and prevent their recurrence.

7.2.3 Security Violations Requiring Instant Termination: Unless the special permission of a senior executive is obtained, all workers who have stolen organizational property, acted with insubordination, or been convicted of a felony must be terminated immediately. Such instant terminations must involve both escort of the individual off the premises and assistance in collecting and removing the individual's personal effects.

8. System Development and Change Control Policy

8.1 Purpose

System Development and Change Control Policy is necessary to optimally manage any proposed change to Canpar’s information systems such that the risk of damage to the company is mitigated.

8.2 Policies

8.2.1 Management must ensure that proper segregation of duties applies to all areas dealing with systems development, systems operations, or systems administration.

8.2.2 Training is to be provided to users and technical staff in the functionality and operations of all new systems.

8.2.3 Formal Change Control Process Required for Business Applications

A formal written change control process must be used to ensure that all business application software which is in development moves into production only after receiving proper authorization from the management of both the management information systems department and the user organization.


8.2.4 Separation Between Production and Development Environments

Business application software in development must be kept strictly separate from production application software. If existing facilities permit it, this separation must be achieved via physically separate computer systems. When computing facilities do not allow this, separate directories/libraries with password-based access controls must be employed.

8.2.5 Development Staff Access to Production Application Information

Business application software development staff must not be permitted to access production information, with the exception of the production information relevant to the particular application software on which they are currently working.

8.2.6 Control over Movement of Software from Development to Production

Business application development staff must not have the ability to move any software into the production processing environment.

8.2.7 Formal change control procedures with comprehensive audit trails are to be used to control Program Source Libraries.

9. End-user computing Policy (spreadsheet)

9.1 Purpose

End-user computing policy is necessary to ensure that adequate controls are in place over end user practices with respect to information management and distribution to protect Canpar sensitive and confidential information.

9.2 Policies

9.2.1 The classification of spreadsheets must be appropriate to the sensitivity and confidentiality of the data contained therein. All financial / data models used for decision making are to be fully documented and controlled by the information owner.

9.2.2 All software that handles sensitive, critical, or valuable information and that has been developed by end-users and is to be integrated into Canpar’s computer Network must have its controls approved by the VP Accounting prior to being used for production processing.


10. Physical Security

10.1 Purpose

Physical security is necessary to mitigate the risk to Canpar’s information systems that may arise from inappropriate access to, and/or physical damage to, the related physical assets (e.g. computer room and terminals).

10.2 Policies

10.2.1 The sites chosen to locate computers and to store data must be suitably protected from physical intrusion, theft, fire, flood and other hazards.

10.2.2 When locating computers and other hardware, suitable precautions are to be taken to guard against the environmental threats of fire, flood and excessive ambient temperature / humidity.

10.2.3 Buildings which house computers or communications systems must be protected with physical security measures that prevent unauthorized persons from gaining access. All computer premises must be protected from unauthorised access using measures ranging from ID cards to more complex technologies to identify, authenticate and monitor all access attempts.

10.2.4 An Uninterruptible Power Supply is to be installed to ensure the continuity of services during power outages.

10.2.5 Any movement of hardware between the organisation's locations is to be strictly controlled by authorised personnel.

11. Backup

11.1 Purpose

Backup of the organisation’s data files and the ability to recover such data is a top priority. Management are responsible for ensuring that the frequency of such backup operations and the procedures for recovery meet the needs of the business.

11.2 Policies

11.2.1 Information system owners must ensure that adequate back up and system recovery procedures are in place.

11.2.2 Information and data stored on Laptop or portable computers must be backed up regularly. It is the responsibility of the user to ensure that this takes place on a regular basis.

11.2.3 Day-to-day data storage must ensure that current data is readily available to authorised users and that archives are both created and accessible in case of need.


12. Disaster Recovery Plan

12.1 Purpose

A Disaster Recovery Plan is necessary to prevent any material damage to the company caused by a catastrophic event impacting Canpar’s information systems (e.g. blackout, fire, flood etc.).

12.2 Policies

12.2.1 Owners of the organisation's information systems must ensure that disaster recovery plans for their systems are developed, tested, and implemented.


APPENDIX - DEFINITIONS

Term Definition

Email The electronic transmission of information through a mail protocol such as SMTP or IMAP. Typical email clients include Eudora and Microsoft Outlook.

Forwarded email Email resent from an internal network to an outside point.

Chain email or letter Email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck or money if the direction is followed.

Sensitive information Information is considered sensitive if it can be damaging to Canpar or its customers' reputation or market standing.

Virus warning Email containing warnings about viruses or malware. The overwhelming majority of these emails turn out to be hoaxes and contain bogus information, usually intended only to frighten or mislead users.

Unauthorized Disclosure The intentional or unintentional revealing of restricted information to people, both inside and outside Canpar, who do not have a need to know that information.