
End User Computing Policy

Overview/Purpose

The purpose of this Booklet is to enable end-users to understand the security requirements and policies to be followed for day-to-day computing activities. End-user Computing Policy is aimed at providing preventive/corrective measures to be taken for minimising risks arising from computing resources used by end-users.

The policy statements in the End-user Computing Policy document are extracted from core Krenovate Information Security Policies.

The objectives of this policy are as follows:

  • To set forth acceptable usage norms for the Krenovate End-user computing resources;
  • To foster and maintain an environment where the management and end-users have confidence in the security of these resources;
  • To ensure that all applicable hardware inventory and software licensing requirements are met; and
  • To establish consistency in computer use procedures and regulations at Krenovate.

Scope

This policy is applicable to all users of computing resources at Krenovate. The term "resources" includes, but is not necessarily limited to:

  • Personal Computers/Laptops (networked and stand-alone);
  • Network Infrastructure (includes active networking equipment, data ports, connecting cables and switches);
  • Project Servers;
  • Internal Tools and Software;
  • Application Servers;
  • Database Servers;
  • Intranet Servers; or
  • Gateways used to access external networks, such as the Internet.

User Responsibilities

  • Users should understand and follow the Information Security Policies of Krenovate as they relate to safeguarding of information assets. Users will be accountable for their actions.
  • Users need to respect the rights of other users, including their rights as set forth in other policies; these rights include but are not limited to privacy, freedom from harassment and freedom of expression.
  • Users should respect the computing needs of others by not deliberately performing acts that are wasteful of computing resources or those that unfairly monopolise resources to the exclusion of other users.
  • Users are not permitted to use the name of Krenovate clients in their general communication (written or verbal) unless required for the business function.
  • Users need to exercise due precautions to ensure that client details or sensitive business information are not discussed in a public place or any other location where outsiders/other process group Employees might have access to.
  • Users are not permitted to send any client/official data to any personal/third-party email ID without the prior approval of their Group Head/CISO.
  • Krenovate follows the policy of data classification under the following heads: confidential, restricted, internal and public. Users are required to have a fair understanding of the definition, implication and handling procedure for each from their group heads/HR/ISG.
  • Data stored on local hard drives is susceptible to loss of critical files. Chances of recovering data from hardware failures or loss of disk resources are low; thus, users should save their project-related data on the network file servers.
  • Important files such as client project deliverables should be stored on network file servers in the client deliverables folder with appropriate access control measures (accessible only to the respective project team and the project owner) on the completion of the projects or on appropriate milestones [as decided by the project manager(s)].
  • Users will work and save all their project-related data in the client project's Work in Progress (WIP) folder on the network file server till the completion of the project or as decided by the project manager(s).
  • Users will be responsible for maintaining the security and integrity of research work/deliverables and other business documents developed/processed by them for performing their job.
  • Users are accountable for ensuring that information being processed by them is made available only to the authorised employees within the organisation.
  • Users should not save any personal document, such as pictures, songs, etc., on the network file server and local desktops. Any such personal document found on the server will be deleted, and the user will be liable for disciplinary action.
  • The content of any information made available to others via the Krenovate network is the sole responsibility of the project manager(s) handling the project/the employee who is sending the information.
  • Information contained in computer files should be accessed or used for authorised business purposes only. Casual browsing of computer files stored on other users' machines for personal reasons is strictly prohibited.
  • Personal software/software downloaded from the Internet should not be loaded on Krenovate computers. If there is a specific reason for which the same needs to be done, a prior approval of both the CISO and the respective business function head needs to be obtained. The request should state the duration of the use and project details for which such a requirement is necessary. (Also refer to the "Internet Usage Policies" mentioned below).
  • Management may approve limited personal use of Krenovate's computing resources on request.
  • Users shall not use Krenovate resources (including scanners, fax machines, printers and CD burning facility) for their personal work and are responsible for following the policies and procedures developed by Krenovate for the use of these facilities. No personal document will be scanned or sent by fax outside the Krenovate premises.
  • Computers should neither be used for commercial purposes nor should personal use interfere with normal business operations.
  • Users shall not damage, alter or disrupt computer systems.
  • Users will not bring or use any personal entertainment/computing devices/storage media, such as voice recorders, cameras, headphones, floppies, CDs/DVDs, USB drives, flash disks, hard drives, laptops, iPods, etc., inside the office premises. Users shall put the printed copies of official data (if it is not to be used in future) in the shredder box.
  • In the course of normal day-to-day operations, users should be aware that ISG may audit, monitor and log desktop activities, with or without notice, if a situation warrants immediate or further investigation.
  • In cases where the ISG is investigating possible misuse, files, programmes, hard copies or other computing material may be examined without notice.
  • All the users should report any observed (or suspected) security weaknesses/incidents to the ISG. Such activities include, but are not limited to the following:

    • Violation of Information Security Policies and Procedures;
    • Breach of confidentiality/access control;
    • Software malfunction;
    • Virus activity;
    • System failure; or
    • Degradation of information processing services.
  • All the users must be uniquely identified and authenticated before being allowed to access the Internet. All activities performed under a user's identity will be identifiable and users will be accountable for any activities performed using their identity.

  • Users must not use Internet resources for soliciting personal business, selling personal products or otherwise engaging in commercial activities other than those expressly permitted.
  • Users will be responsible for all activities performed using their personal user IDs. User ID will not be used by anyone other than the individual to whom it has been assigned. Users will not allow others to perform any activity using their own user IDs.
  • Users will not be permitted to establish independent external connections unless the same has been authorised by the ISG.
  • Users are not allowed to share files and folders with other users over the network unless authorised by the project owners.
  • Users who violate the policy may have their privileges, such as user accounts and/or password access, revoked without notice when it is deemed necessary for the security of Krenovate computing resources.
  • Users should use good judgment in conducting computer operations as per the policy set forth in this Booklet.
  • Krenovate has formulated a Crisis Management Team for ensuring the business continuity of its critical business functions. In case of any emergency situation, users have to follow the directions provided by the Crisis Management Team.

End-User Computing Requirements

User Account and Password Management

User Accounts

To protect the information stored in the Krenovate enterprise network, a number of security measures have been taken. A few of these measures are as follows:

  • Users need to notify and take approval from Group Head/Associate Vice President (AVP), Compliance Head and Global Head — Human Resources (as may be applicable) in order to be granted logical and physical access privileges when they join or need any modification in the same.
  • Users will have valid, authorised accounts and will only use the computing resources for which they are specifically authorised.
  • Users are required to take reasonable steps to ensure the security of their accounts and not to share their passwords with anyone.
  • Users may not try in any way to obtain a password for another user's account.
  • Users should not permit other individuals access to their accounts or other user accounts.
  • A user's authorisation to use a facility is not transferable to others.

Password Management

  • Users will be responsible for selection of password, its use and management as a means to control access to the systems.
  • Users will not share their passwords with anyone; should change their passwords frequently and/or if there is an indication of a compromise and will be responsible to maintain the confidentiality of passwords; guidelines will be defined for the users to maintain and select their passwords, which make it difficult for hackers to guess or make out the password.
  • The password guidelines will specify the following parameters for maintaining passwords:

    • Minimum password length;
    • Password history;
    • Complexity of password;
    • Account lockout on consecutive unsuccessful logon attempts;
    • Avoid keeping a record of passwords;
    • Change temporary passwords at first log-on; and
    • Do not include passwords in any automated log-on process, e.g. macros.

Unattended User Equipment

Users will be responsible for safeguarding the information assets installed in their areas. They will be made aware of the following measures to be taken to protect the information assets:

  • Users will not leave their personal computers unattended.
  • Active sessions will be secured by an appropriate locking mechanism, such as locking workstation and password-protected screen saver. In the absence of a locking mechanism, the active session will be terminated after a certain period of inactivity.
  • Users will log off/shut down from the terminals after the completion of a session.
  • The terminals, PCs will be secured from unauthorised use by setting up BIOS password or by key lock.
  • Network printers will be appropriately secured. Users will ensure that any confidential information being printed on the printer is closely supervised and not left on printers unattended.

Illegal use of software is not permitted at Krenovate. The following points provide more details about user responsibilities in this regard:

  • In view of licensing concerns and the need for standard desktop configurations, no personal software may be loaded on Krenovate resources, unless expressly permitted by Krenovate.
  • Krenovate Employees will use only authorised software and utilities as provided to them by Krenovate IT.
  • Users must not make software available for others to use or copy in violation of the software's license agreement(s).
  • Unlicensed and unauthorised software from any third party should not be accepted for installation and use at Krenovate.
  • Copyright materials are the Intellectual Property (IP) of their creators. Therefore, pasting, copying, redistribution or uploading of copyrighted material without the permission of the owner of such material is prohibited.
  • If software media is delivered to the user, it may be used only on the computing resources for which the license was purchased.
  • No programmes that could damage a file or computer system and/or lead to the reproduction of it may be loaded on Krenovate's computing resources.

Antivirus

Users must be aware of their responsibilities regarding anti-virus measures and they need to comply with the following:

  • Users will follow all anti-virus awareness guidance from the IT Department promptly and completely.
  • Users will contact the IT department for all virus management specific queries and follow the incident reporting mechanism.

Mobile Computing

Users will take special care of mobile computing resources, such as laptops, mobile phones and palmtops, to prevent the compromise of business information.

  • Employees in the possession of portable computers, laptops, palmtops, mobile phones and other transportable computer or storage media containing non-public information will not leave them unattended at any time unless the information has been properly safeguarded. Such Employees are responsible for the safety and custody of the official equipment and the data contained thereupon.
  • Users will take special care while using the mobile computing resources in public places to protect the information from unauthorized access.
  • Users will not be allowed to remotely connect to the Krenovate network. Users who are stationed outside Krenovate premises for a few days are allowed access to their e-mails for a limited period, subject to the business head's and CISO's approval. (Also refer to "Exception to End User Computing Policy" mentioned below.)

Fraudulent Behaviour

Fraudulent behaviour can cause losses to Krenovate. Users must understand and implement the following:

  • Respect the integrity of computing and network systems;
  • Should not intentionally develop, download or use programs that harass other users or infiltrate a computer, computing system or network and/or damage or alter the software components of a computer, computing system or network;
  • Correct identification of network data and network users is essential for shared network operations. Users may not misrepresent themselves or their data on the network;
  • Must not use Krenovate's network resources to gain or attempt to gain unauthorized access to remote computers;
  • Must not deliberately perform an act that will seriously impair the operation of computers, terminals, peripherals or networks. This includes, but is not limited to, tampering with components of a LAN or the high-speed backbone network, blocking communication lines or interfering with the operational readiness of a computer;
  • Must grant permission to another user before another user may read, copy, change, or delete the user's files or software, and is solely responsible for granting such a privilege to another user.

E-mail Usage

  • E-mail plays a crucial business role in communicating more effectively and providing faster and better client service. The policy for the use of Krenovate e-mail system must be adhered to.
  • Krenovate reserves the right to read or delete the content of a user's mailbox when it is in the interest of the organisation. Also, Krenovate may, for reasons of security, intercept or otherwise monitor the e-mails sent out through the mailing system.
  • As every e-mail message contains Krenovate in the address, the user must ensure that all activities are conducted in a professional manner.
  • Users are responsible for storing, purging and securing messages in their personal e-mail storage area. They can protect their personal folders by passwords.
  • Users should ensure that all e-mails sent by them are addressed to the intended recipients only.
  • E-mail users will be personally responsible for taking all reasonable steps to prevent unauthorised use of their e-mail facility and will be held accountable for all the activities performed using their mailboxes.
  • Users will be prohibited from the following:

    • Blanket forwarding of unofficial e-mail messages to any address;
    • Originating or distributing chain letters by e-mail and any offensive, junk, or unsolicited e-mail received from any other user or external network;
    • Sending illegal, defamatory, obscene, pornographic, offensive, damaging messages or which may be considered by others to cause distress, sexual, racial or other harassment and/or discrimination;
    • Automatic forwarding of e-mails from external addresses to Krenovate e-mail system to protect from threats, such as mail bombs, Trojan Horse virus attacks;
    • Users will treat unsolicited e-mails with caution and should not open/respond to such mails; or
    • Users should ensure that they do not use e-mail casually when dealing with client matters. Users should be aware that e-mail could be used as evidence in a libel action.
  • Users are not permitted to send, on behalf of Krenovate, any e-mail, attachment or posting to a bulletin board which:

    • Contains information that may have legal implications for Krenovate;
    • Contains commercially sensitive information where users do not have written approval from the management to send such information via e-mail;
    • May damage the Krenovate reputation or its relationships with its clients, or which may embarrass clients of Krenovate;
    • May infringe copyright;
    • May introduce a virus to any of the Krenovate or other networks;
    • Constitutes "junk" e-mail or is posted to multiple news groups; or
    • Is for private commercial purposes unrelated to Krenovate.
  • Users should refrain from sending large mail attachments through the e-mail system. Large e-mail sizes will cause the e-mail system for all users to be affected.

  • Users are required to undersign e-mails using their own name, job, title and Company name and logo. None of the users will send any e-mail communication "for and on behalf of" the Company unless specifically authorised to do so.
  • Users will be allowed to post personal messages, but these messages will contain the Krenovate standard disclaimer as given in the Information Security Manual document.

Internet Usage

The following points describe the policy on Internet usage by users of Krenovate:

  • Internet access will be permitted based on the business need after the approval from the Business Head.
  • Users will be restricted from accessing all web-based e-mail sites, chat sites, online music, gaming, entertainment, hacking, proxy avoidance, social networking, peer-to-peer file sharing and pornographic sites; using instant messengers; and downloading wall papers, screensavers, software applications and other websites that are not required for business purposes, unless expressly permitted by Krenovate.
  • Users will use only Microsoft Internet Explorer for Web browsing and Microsoft Office Communicator for instant messaging.
  • All web browsers would be configured with CISO approved secure gateway proxy. These systems will prevent all services except those which are explicitly allowed.
  • Users must not use Internet resources for soliciting business, selling personal products or otherwise engaging in commercial activities other than those expressly permitted which might cause adverse publicity of Krenovate.
  • Users must be aware that access to the Internet will be logged and monitored. The management retains the right to inspect any and all files stored on or transmitted over its network assets (including but not limited to local storage media, memory and mail files) for the purpose of investigating suspected violations of its business policies or non-compliance with local regulations.
  • Users will not attempt to probe other systems in the external world for security weaknesses, compromise other systems, possess or transfer data illegally, or send offensive or abusive messages.
  • Users will not claim to represent Krenovate on the Internet unless authorised to do so by the management.
  • Data and/or programs should be downloaded from the Internet to Krenovate network only under the following conditions:

    • Downloaded data and programs should be checked for virus using an approved methodology and tools before it is stored on the network.
    • Data and/or programs should be business-relevant and appropriate, and will be acquired and used in compliance with all the legal requirements.
    • Users will not download and install any programs or software themselves. They will request the IT department to do so.
    • Downloaded programs or executable applications should be checked for suitability, compatibility and security before being installed on the network.

Clean Desk and Clear Screen

  • Adequate controls will be exercised to reduce the risk of unauthorised access, loss of and damage to the information available in the form of paper, stored on computer and removable media during and after the normal working hours.
  • Employees will store information assets, such as printouts of client deliverables and notepads containing client data, at a secured place when not in use, especially after working hours.
  • Documents classified as confidential and restricted will be maintained in specified locations provided for in each business function/process.
  • Any document containing sensitive or critical business information should be removed from printers as soon as possible.
  • Users will protect the personal computers and terminals with adequate controls (workstation locks, passwords, etc.) when not in use and will log off/shut down when leaving the office.

Disciplinary Action

Krenovate reserves the right to take disciplinary action against users. It may occur because of many reasons including but not limited to the following:

  • When an instance of non-compliance of security policies and processes is suspected or discovered, the CISO will work with the user's group/department head to determine the proper investigative and disciplinary action. Criminal or civil action may be initiated in appropriate instances, if deemed necessary. Global Head- Human Resources will be responsible for all disciplinary activities at Krenovate.
  • When users attempt to remove malfunctioning software, without the support of appropriately trained and experienced staff, thereby resulting in compromising the security of and/or affecting other EVS resources.
  • When users attempt to prove (or test) a suspected security weakness under any circumstances. Such action on the part of users would be interpreted as a potential misuse of Krenovate's resources.
  • Tampering with data or attempting to circumvent the flow of data as this is strictly prohibited.
  • Any use of information processing facilities for non-business purposes without management approval or for any unauthorised activity.

Exceptions to End-User Computing Policy

  • Scanning, floppy, CD burning facility: In case of a business need, users can avail scanning and floppy/CD burning facility for sending data/deliverables to clients. They will have to seek approval from the CISO/designated ISG member to avail this facility.
  • Administrative privileges/Backup rights: Only the IT network team has access to the stored data on the network file servers apart from project team. They require this access to take back-up of the data and for server administration.
  • Remote monitoring/administration software: IT Network team can use ISG-approved Remote Control/Monitoring software for remotely addressing or resolving a user's problem or for auditing/logging/monitoring a user's activity.
  • Cybercafes: Employees can use cybercafe facility provided by Krenovate for surfing the internet.
  • Web access of Krenovate mails: At Krenovate, only the senior management, AVPs and Client Executives have been provided web access to their official corporate e-mails. Besides this, only a few users who are stationed outside Krenovate premises for business purposes are allowed to access their e-mails for a limited period, subject to CISO and business head's approval.
  • Client specific policies: In addition to the standard Krenovate Information Security Policy, the client dedicated areas will be governed by the security policy and compliance guidelines framed by the respective client.

Acknowledgement of Policy is annexed as Annexure B


Last update: July 28, 2020