
B-GDL-1602.370001-ver.01 - IT Access and Security Management Guidelines


IT Access and Security Management Guidelines

B-GDL-1602.370001-ver.01

INTRANET.BOURBON-ONLINE.COM/QMS
IT Access and Security Management Guidelines
B-GDL-1602.370001

Table of Contents

1 Purpose (p. 3)

2 Scope (p. 3)

3 Responsibility, authority and accountability (p. 4)

4 Description (p. 6)
4.1 Connection to the BOURBON network (p. 6)
4.1.1 User name (p. 6)
4.1.2 Password control (p. 6)
4.1.3 Workstation security (p. 7)
4.1.4 Access security (p. 7)
4.2 IT assets security (p. 7)
4.3 Data protection and retention (p. 8)
4.3.1 Personal data (p. 9)
4.4 Use of software (p. 9)
4.5 Using the Internet (p. 9)
4.6 Using the e-mail (p. 9)
4.6.1 General rules (p. 10)
4.6.2 Unsolicited e-mail (spam) (p. 10)
4.7 Access to BOURBON applications from the Internet (p. 10)
4.7.1 Pin safe (p. 10)
4.8 Wireless Internet for Frequent Interface access (p. 11)
4.9 Outsourcing (p. 11)
4.10 Biometrics (p. 11)
4.11 Penetration testing (p. 11)
4.12 Use of social networks (p. 11)

5 Records (p. 13)

6 Related documents (p. 14)

7 Terms and definitions (p. 15)

8 Review, approval, revision and identification of changes (p. 16)

Version 01. Original date: 01 February 2016. Version date: 01 February 2016. Valid version only on QMS site. 2 / 16
Guidelines prepared by: Telecom, Security and Network Manager. Approved by: Vice President Information Technology. Validated by: Quality Manager.

1 Purpose
The purpose of these guidelines is to define the security requirements for the proper and secure use of the
Information Technology (IT) services in BOURBON. Its goal is to protect the Organization and users to the
maximum extent possible against security threats that could jeopardize their integrity, privacy, reputation and
business outcomes.

2 Scope
This document applies to all Employees onshore and offshore (such as, but not limited to, Seafarers), in
BOURBON, including temporary users, visitors with temporary access to services and partners with limited
or unlimited access time to services. Compliance with requirements in these guidelines is mandatory.

IT assets refer to desktops, laptops, smart phones, printers and other IT equipment; applications and
software; anyone using those assets, including internal users, temporary workers and visitors; and in general
to any resource and capabilities involved in the provision of the IT services.


3 Responsibility, authority and accountability

3.1 Corporate
Vice President Information Technology has the responsibility, authority and accountability for:
a) Being accountable for all aspects of the Organization’s information security.

Telecom, Network and Security Manager has the responsibility, authority and accountability for:
a) The security of the IT network;
b) Planning against IT security threats, vulnerabilities and risks;
c) Implementing and maintaining IT security policy documents;
d) Ensuring IT security training programs;
e) Ensuring IT network supports IT security policies;
f) Responding to information on IT security incidents;
g) Helping in disaster recovery plans.

Infrastructure and Operations Manager has the responsibility, authority and accountability for:
a) The security of the IT infrastructure;
b) Planning against IT security threats, vulnerabilities and risks;
c) Implementing and maintaining IT security policy documents;
d) Ensuring IT security training programs;
e) Ensuring IT infrastructure supports IT security policies;
f) Responding to information on IT security incidents;
g) Helping in disaster recovery plans.

Each employee of the IT department has the responsibility, authority and accountability for:
a) Implementing and operating IT security;
b) Implementing the privileges and access rights to the resources;
c) Supporting IT security policies.

BOURBON employees have the responsibility, authority and accountability for:


a) Meeting IT security policies;
b) Reporting any attempted IT security breaches.

3.2 Affiliate
Managing Director has the responsibility, authority and accountability for:
a) Ensuring that these guidelines are being implemented locally.

IT Manager has the responsibility, authority and accountability for:


a) Applying IT security policy established at Corporate level;
b) Controlling operations locally (respect for procedures, local legislation, BOURBON ethical principles,
appropriate documentation, adequate booking, etc.);
c) Providing compliance guidance where needed;
d) Alerting of any failure of IT security.


IT Officer has the responsibility, authority and accountability for:


a) Applying IT security policy established at Corporate level;
b) Controlling operations locally (respect for procedures, local legislation, BOURBON ethical principles,
appropriate documentation, adequate booking, etc.);
c) Providing compliance guidance where needed;
d) Alerting of any failure of IT security.

BOURBON employees have the responsibility, authority and accountability for:


a) Meeting IT security policies;
b) Reporting any attempted IT security breaches.


4 Description

4.1 Connection to the BOURBON network


Users should not have access to IT systems or information without the required authorization.

4.1.1 User name


All users shall use a personal user name assigned by the IT department for access to shared resources.

4.1.2 Password control


Any system that handles valuable information shall be protected with a password-based access control
system.

Every user shall have a separate, private identity for accessing IT resources.

Identities are created and managed at Corporate level.

4.1.2.1 Construction

Each identity should have a strong, private, alphanumeric password to be able to access any service. The
minimum length of the password is eight characters.

The password should include at least three of the following:

- Upper case characters from A to Z;
- Lower case characters from a to z;
- Numeric characters;
- Special characters (e.g. !, $, #, %).

No personal identifiers that can be linked to the user (e.g. name, surname, date of birth, etc.) should be
included; the use of complete or easy-to-guess words should also be avoided.

The password should not repeat any character in succession.

4.1.2.2 Maintenance

Passwords shall be kept secret and should not be kept in places or ways that make them easy for other
people to find.

At the first logon, the system will advise the user to change the password.

Passwords expire every 60 days.

New passwords shall differ from the six previous ones.
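The construction and maintenance rules above (sections 4.1.2.1 and 4.1.2.2), expressed as a checker; this is an added example, not BOURBON's own tooling. The word list, the identifier list and the rule messages are constructed for illustration.

```python
"""Password construction and history checks as an added example; this is not
BOURBON's own tooling.  It encodes sections 4.1.2.1 and 4.1.2.2: at least
eight characters, at least three of the four character classes, no personal
identifiers, no complete or easy-to-guess words, no character repeated in
succession, and a new password must differ from the six previous ones.
The word list and the identifier list are constructed sample data."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass, field
from typing import Iterable, List, Tuple

MIN_LENGTH = 8
REQUIRED_CLASSES = 3
HISTORY_DEPTH = 6
PBKDF2_ROUNDS = 50_000

# Constructed stand-in for a real dictionary of complete / easy-to-guess words.
COMMON_WORDS = {"password", "welcome", "bourbon", "qwerty", "letmein", "summer"}


def character_classes(pw: str) -> int:
    """Count how many of the four classes (upper, lower, digit, special) appear."""
    return sum([
        any(c in string.ascii_uppercase for c in pw),
        any(c in string.ascii_lowercase for c in pw),
        any(c in string.digits for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def has_successive_repeat(pw: str) -> bool:
    """True when any character is immediately followed by the same character."""
    return any(a == b for a, b in zip(pw, pw[1:]))


def contains_identifier(pw: str, identifiers: Iterable[str]) -> bool:
    """Case-insensitive substring match against the user's known identifiers
    (name, surname, birth year, ...); fragments shorter than 3 are ignored."""
    low = pw.lower()
    return any(len(i.strip()) >= 3 and i.strip().lower() in low for i in identifiers)


def check_construction(pw: str, identifiers: Iterable[str] = ()) -> List[str]:
    """Return every construction rule the candidate breaks; [] means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if character_classes(pw) < REQUIRED_CLASSES:
        problems.append("fewer than 3 character classes")
    if contains_identifier(pw, list(identifiers)):
        problems.append("contains a personal identifier")
    if any(w in pw.lower() for w in COMMON_WORDS):
        problems.append("contains a complete or easy-to-guess word")
    if has_successive_repeat(pw):
        problems.append("repeats a character in succession")
    return problems


def _digest(pw: str, salt: bytes) -> bytes:
    # Only salted slow hashes are retained, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class PasswordHistory:
    """Newest-first list of (salt, digest) for the last HISTORY_DEPTH passwords."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)

    def seen_recently(self, pw: str) -> bool:
        return any(hmac.compare_digest(_digest(pw, salt), digest)
                   for salt, digest in self.entries[:HISTORY_DEPTH])

    def record(self, pw: str) -> None:
        salt = os.urandom(16)
        self.entries.insert(0, (salt, _digest(pw, salt)))
        del self.entries[HISTORY_DEPTH:]   # keep exactly the six previous ones


def change_password(history: PasswordHistory, new_pw: str,
                    identifiers: Iterable[str] = ()) -> List[str]:
    """Apply construction and history rules; record the password only if clean."""
    problems = check_construction(new_pw, identifiers)
    if history.seen_recently(new_pw):
        problems.append("matches one of the six previous passwords")
    if not problems:
        history.record(new_pw)
    return problems


if __name__ == "__main__":
    for candidate in ("Tr7!kPq2", "dupont1985!", "aaaaaaa"):
        print(candidate, "->", check_construction(candidate, ["Dupont", "1985"]) or "OK")
```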

4.1.2.3 Lock/unlock

The user account will be locked after five failed attempts to access the network.

If an account is locked, the user should call Help Desk to unlock the account (Help Desk/Telephone
number: 1000; E-mail address: helpdesk@bourbon-online.com).


Recommendations:

- Sharing of passwords is forbidden. They should not be revealed or exposed to public sight.
- Whenever a password is deemed compromised, it shall be changed immediately.
- For critical applications, multi-factor authentication shall be used whenever possible.
- Identities shall be locked if password guessing is suspected on the account.

4.1.3 Workstation security

To protect work while away from the desk:

- Lock the workstation using the “Control-Alt-Delete” (CTRL-ALT-DEL) keys every time the workstation
needs to be left on.

When the workstation is left unlocked accidentally:

- The workstation will lock automatically after 10 minutes without activity;
- Application sessions (Oracle™ application, for example) will close automatically after 30 minutes of
inactivity.

4.1.4 Access security

This section defines the requirements for the proper and secure control of access to IT services and
infrastructure in the Organization. It applies to all the users in the Organization, including temporary users,
visitors with temporary access to services and partners with limited or unlimited access time to services.
1. Any system that handles valuable information shall be protected with a password-based access
control system.
2. A discretionary access control list shall be in place to control the access to resources for different
groups of users.
3. Mandatory access controls shall be in place to regulate access by processes operating on behalf of
users.
4. Access to resources shall be granted on a per-group basis rather than on a per-user basis.
5. Access shall be granted under the principle of “least privilege”, i.e., each identity should receive the
minimum rights and access to resources that he/she needs to perform his/her business functions
successfully.
6. Whenever possible, access should be granted to centrally defined and centrally managed identities.
7. Users should refrain from trying to tamper with or evade the access control in order to gain greater
access than they are assigned.
8. Automatic controls, scanning technologies and periodic review procedures shall be in place to detect
any attempt made to circumvent controls.

In practice, the user account will be disabled after three months without use and will be removed after six
months without use.

4.2 IT assets security


No equipment should be used except for Organization work purposes.

The loss, theft or damage to hardware equipment shall be immediately reported to the relevant department.

For laptops in particular: lock the laptop with appropriate steel cables or docking station locks, where
possible; never leave the laptop in poorly protected places (e.g. hotel rooms, cars, etc.); if travelling by plane,
the laptop shall be carried on board as hand luggage.


1. IT assets shall only be used in connection with the business activities they are assigned to and/or
authorized.
2. Every user is responsible for the preservation and correct use of the IT assets he/she has been
assigned.
3. All the IT assets shall be in locations with security access restrictions, environmental conditions and
layout according to technical specifications of the aforementioned assets.
4. Active desktop and laptops shall be secured if left unattended. This policy is automatically enforced
by the fact that workstations lock automatically after a timeout is passed (10 minutes) without
activity; main critical business application sessions automatically end after a timeout is passed
without activity.
5. Smart phones and mobile devices shall be secured with a Personal Identification Number (PIN) code
or password.
6. Access to assets is forbidden for non-authorized personnel. Granting access to the assets involved
in the provision of a service shall be completed through the approved request form.
7. All personnel interacting with IT assets shall have the proper training.
8. Users shall maintain the assets assigned to them clean and free of accidents or improper use.
9. Access to assets in the Organization location shall be restricted and properly authorized, including
those accessing remotely. Organization’s laptops, smart phones and other equipment used at
external location shall be periodically checked and maintained.
10. The IT technical teams are solely responsible for maintaining and upgrading configurations. No other
users are authorized to change or upgrade the configuration of the IT assets - this includes
modifying hardware or installing software.
11. Special care shall be taken for protecting laptops, smart phones and other portable assets from
being stolen. Be aware of extreme temperatures, magnetic fields and falls.
12. When travelling by plane, portable equipment like laptops and smart phones shall remain in
possession of the user as hand luggage.
13. Losses, thefts, damages, tampering or other incidents related to assets that compromise security
shall be reported as soon as possible to the Helpdesk.
14. Disposal of assets shall be completed according to the specific procedures for the protection of the
information. Assets storing sensitive information shall be completely erased before disposal.

IT assets shall be requested from Help Desk using the appropriate document dedicated to Employee IT
requests (cf. chapter 6, Related documents).

4.3 Data protection and retention


It is forbidden to reveal confidential information, classified as property of BOURBON, without the specific
authorization of the competent data Manager. Data and information processing is exclusively for the financial,
operating and developmental goals of the Group. Important data shall be saved on the network drive
corresponding to the department it belongs to, or in particular cases on other media (floppy disk, CD-ROM,
etc.) that shall be securely kept.

Antivirus within BOURBON:


1. All computers and devices with access to the Organization network shall have an antivirus client
installed, with real-time protection.
2. All servers and workstations owned by the Organization or permanently in use in the Organization
facilities shall have an approved, centrally managed antivirus. This also includes travelling devices
that are regularly used to connect to the Organization’s network or that can be managed via secure
channels through the Internet.
3. Travelling computers from the Organization that are seldom connected to the Organization’s network
should have an approved, independently managed antivirus installed.
4. All installed antivirus clients shall automatically update their virus definitions. They shall be monitored to
ensure that updates are being applied successfully.


4.3.1 Personal data

BOURBON complies with the regulations* through prior notification of, and applications for authorization
for, the personal data used in its information system.

BOURBON collects data fairly in order to guarantee the quality of personal data in the following respect:
- Personal data will be treated as confidential and will not be shared with third parties.

*NOTE: Regarding the French law “Informatique et Libertés” of 06 January 1978, modified in 2004, the European Union Data Protection
Directive (95/46/EC).

4.4 Use of software


The use of unauthorized software, including portable installations, is forbidden.

Only IT Officers are authorized to install software.

By default, Organization computers are provided with standard software, and any further software needed by
Employees undergoes technical validation before installation.

All new software shall be requested from Help Desk. Employees do not have the right to install any
software, except for IT Officers.

4.5 Using the Internet


Access to the Internet is exclusively for work purposes. Users connecting to the Internet shall be aware that
the improper use of this service might have serious consequences as regarding ethics in the workplace,
Organization image and IT system security.

The IT department has implemented a Uniform Resource Locator (URL) filter that prevents access to a number
of categories of sites (violence, pornography, etc.) and to consumer websites with high bandwidth usage
(YouTube, social networking, etc.), in accordance with BOURBON Corporate network constraints (small
bandwidth and expensive satellite links).

Personal use of internet is tolerated if it is reasonable and does not affect network security or
productivity.

4.6 Using the e-mail


E-mail shall be used for work purposes.

The following e-mails shall never be sent:

- E-mails which break the current laws;
- E-mails which may harm the reputation and image of BOURBON, or damage relations with Clients,
Suppliers or Third Parties;
- Defamatory, obscene and offensive e-mails that may be considered as harassment or discrimination
(whether religious, sexual, racial, political or union-related);
- E-mails that spread viruses in the BOURBON network or could be considered “junk-mail”.

Personal use of e-mail is tolerated if it is reasonable and does not affect network security or
productivity.


4.6.1 General rules

Avoid sending and forwarding large attachments unless strictly necessary; in that case use the ZIP
function (file extension), which helps to reduce network traffic, especially when sending to other locations.
Keep your mailbox tidy by deleting unwanted messages. Important messages can be saved in a personal
folder on a local disk (regular backup of this personal folder is advised). Beware of messages of dubious
origin or from unknown addresses. Above all, never open attachments from these messages, because they
may contain viruses.

4.6.2 Unsolicited e-mail (spam)


The BOURBON e-mail should only be given to trusted parties, in the same way as with private telephone
numbers.

Do not respond to unsolicited e-mails, nor to those of dubious origin. In particular, do not request to be
removed from subscription lists using ‘REMOVE’ buttons (this is a trick used by spammers to verify that an
address is active).

Do not forward chain-letter e-mails.

4.7 Access to BOURBON applications from the Internet


Each BOURBON public site (http://) should be served over an encrypted connection (https://) using a
certificate issued by a Certificate Authority or Certification Authority (CA). The CA is an entity which issues
digital certificates which contain a public key and the identity of the owner. The CA also attests that the public
key contained in the certificate belongs to the person, Organization, server or other entity named in the
certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying
parties can trust the information in the CA's certificates.

4.7.1 Pin safe

The Swivel PINsafe solution provides authentication for access via Virtual Private Networks (VPN), websites
and Corporate web-applications, using mobile devices and web browsers. PINsafe is designed to combat
threats ranging from skimming, phishing and spyware to shoulder-surfing and key-logging. Its unique
combination of registered PINs and randomly generated security strings delivered simply to the user makes it
the safest, easiest, most reliable and most cost-effective authentication solution available.

PINsafe has a full range of user interface options, including mobile and image based authentication models,
all included in the license. The different user interface options can be assigned to different users based on
Corporate security and access policies.

For example: if PIN is 2-4-6-8 and the security string is 5173920648 the One-Time Code (OTC) would be the
second, fourth, sixth and eighth digits: 1-3-2-6. See below for illustration:
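The OTC derivation above, worked through in code as an added example (this is neither Swivel's nor BOURBON's code). It models the server side: register a PIN, issue a security string, check the submitted OTC, and retire the string. The handling of PIN digit 0, the single-use rule for security strings, and applying the five-failed-attempts lockout of section 4.1.2.3 to OTC failures are assumptions not stated on the page.

```python
"""Server-side model of the PINsafe one-time code (OTC) derivation described in
section 4.7.1, as an added example; it is neither Swivel's nor BOURBON's code.
The user registers a PIN; for each login the server issues a fresh ten-digit
security string, and the OTC is the digit of that string at each position
named by the PIN.  Assumptions not stated on the page: a PIN digit 0 selects
the tenth position, a security string is valid for exactly one attempt, and
the five-failed-attempts lockout of section 4.1.2.3 applies to OTC failures."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

STRING_LENGTH = 10
MAX_FAILURES = 5


def one_time_code(pin: str, security_string: str) -> str:
    """Page example: PIN 2468 with string 5173920648 gives OTC 1326."""
    if len(security_string) != STRING_LENGTH or not security_string.isdigit():
        raise ValueError("security string must be exactly ten digits")
    if not pin or not pin.isdigit():
        raise ValueError("PIN must be one or more digits")
    # Digit d names 1-based position d; 0 names position 10 (assumption).
    return "".join(security_string[(int(d) or 10) - 1] for d in pin)


@dataclass
class PinsafeAccount:
    pin: str                       # registered PIN, known to server and user
    failures: int = 0
    locked: bool = False
    pending: Optional[str] = None  # security string issued for the current attempt

    def issue_security_string(self, fixed: Optional[str] = None) -> str:
        """Hand the user a fresh random string (or a fixed one, for tests)."""
        if fixed is None:
            fixed = "".join(str(secrets.randbelow(10)) for _ in range(STRING_LENGTH))
        self.pending = fixed
        return fixed

    def verify(self, otc: str) -> bool:
        """Check the submitted OTC against the pending string, then retire it."""
        if self.locked or self.pending is None:
            return False
        expected = one_time_code(self.pin, self.pending)
        self.pending = None         # single use: a replayed OTC never matches
        if otc.isascii() and hmac.compare_digest(expected, otc):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True      # section 4.1.2.3: Help Desk must unlock
        return False


if __name__ == "__main__":
    acct = PinsafeAccount(pin="2468")
    shown = acct.issue_security_string("5173920648")   # page's sample string
    print("security string:", shown, "-> OTC", one_time_code(acct.pin, shown))
    print("verify 1326:", acct.verify("1326"))
```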


4.8 Wireless Internet for Frequent Interface access


This section defines the requirements for the secure Wireless Internet for Frequent Interface (WIFI) access
to the Organization’s internal resources through Organization’s WIFI access points. It applies to all the users
in the Organization, including temporary users, visitors with temporary access to services and partners with
limited or unlimited access time to services.
1) Two WIFI connection possibilities are provided by the Organization in its premises: one dedicated to
the users in the Organization, protected by network login and password; and another, completely
independent from the previous one, dedicated to external users (temporary users, visitors, etc.),
protected by a one-time pass code provided by the Organization.
2) Only users in the Organization should access internal resources via WIFI.
3) Temporary users and visitors should only access Internet via WIFI.

4.9 Outsourcing
This section defines the requirements needed to minimize the risks associated with the outsourcing of IT
services, functions and processes. It applies to the Organization; the service providers to whom IT services,
functions or processes have been outsourced; and the outsourcing process itself.
1. Before outsourcing any service, function or process, a careful strategy shall be followed to evaluate
the risk and financial implications.
2. Whenever possible, a bidding process should be followed to select among several service
providers.
3. In any case, the service provider should be selected after evaluating their reputation, experience in
the type of service to be provided, offers and warranties.
4. Audits should be planned in advance to evaluate the performance of the service provider before and
during the provision of the outsourced service, function or process. If the Organization does not have
enough knowledge and resources, a specialized firm should be hired to do the auditing.
5. A Service Contract and defined service levels shall be agreed between the Organization and the
service provider.
6. The service provider shall get authorization from the Organization if it intends to hire a third party to
support the outsourced service, function or process.

4.10 Biometrics
Access to the datacenter (laboratory and servers room) is secured by a biometric system. The objective is to
protect computer servers against intrusion.

4.11 Penetration testing


Penetration tests (internal and external) are scheduled throughout the BOURBON IT system to check and
improve IT security.

4.12 Use of social networks


The following best practices for using social networks have been described in the document Social Media
Guidebook:
1) Never disclose confidential information related to operations when operating in sensitive areas. The
security of BOURBON employees is everyone’s business.
2) Never suggest that safety, on board and onshore, is not optimal. This is a strategic issue for
BOURBON and the sustainable development of its business.
3) You are just as responsible for the image of our clients as for the Group’s image. Any post harmful to
one of them is therefore harmful to BOURBON.


4) Always think twice before posting content regarding BOURBON. Your words are binding and can
engage BOURBON.
5) Generally, show restraint regarding anything related to your professional life at BOURBON.

In the Organization, the use of social networks is authorized only in certain time periods and if it is
reasonable and does not affect network security or productivity.


5 Records
- Employee (New/Leave/Move/Update) IT Request Forms
- Help Desk ticketing
- Oracle™ records
- Penetration tests reports
- Service Contracts


6 Related documents
- B-CHR-1603.550001 – New Employee IT Request Flow-Chart
- B-CHR-1603.550002 – Employee Update IT Request Flow-Chart
- B-CHR-1603.550003 – Employee Move IT Request Flow-Chart
- B-CHR-1603.550004 – Employee Leave IT Request Flow-Chart
- B-FRM-1603.550001 – New Employee IT Request Form
- B-FRM-1603.550002 – Employee Update IT Request Form
- B-FRM-1603.550003 – Employee Move IT Request Form
- B-FRM-1603.550004 – Employee Leave IT Request Form
- B-INS-14.0001 – Social Media Guidebook
- BOURBON Applications Access Security (IN PROJECT)
- B-POL-01.0016 – Information Technology Policy
- European Union Data Protection Directive through the U.S. Department of Commerce Safe Harbor
Program
- Fair information practices established by the Organization for Economic Co-operation and Development
(OECD)
- French law “Informatique et Libertés” of 06 January 1978, modified in 2004
- Oracle™
- Remote Access Guidelines (IN PROJECT)


7 Terms and definitions


CA
Certification Authority.

IT
Information Technology.

IT assets
Desktops, laptops, smart phones, printers and other IT equipment; applications and software; anyone using
those assets, including internal users, temporary workers and visitors; and in general any resource and
capabilities involved in the provision of the IT services.

Oracle™
Oracle is a Database Management System (DBMS) published by the company of the same name.

OTC
One-Time Code.

PIN
Personal Identification Number.

URL
Uniform Resource Locator.

VPN
Virtual Private Network.

WIFI
Wireless Internet for Frequent Interface.

ZIP
File extension.


8 Review, approval, revision and identification of changes


Reviewed by (job title)              | Change management requested by Process Owner (Yes/No) | Approved by (job title)               | Validated by    | Version (Nº and date)  | Changes (chapter/reference)
-------------------------------------|-------------------------------------------------------|---------------------------------------|-----------------|------------------------|----------------------------
Telecom and Security Network Manager | No                                                    | Vice President Information Technology | Quality Manager | N°01, 01 February 2016 | First issue.
