Acceptable Use Policy

1.0 PURPOSE

1.1 The purpose of this policy is to detail the acceptable use of corporate information technology resources for the protection of all parties involved.

1.2 This policy explains how corporate information technology resources are to be used and specifies what actions are prohibited. While this policy is as complete as possible, no policy can cover every situation, and thus the user is asked to use common sense when using company resources. Questions on what constitutes acceptable use should be directed to the user’s supervisor or IT Information Security.

2.0 SCOPE

2.1 This policy applies to all subsidiaries, agents, and or consultants at each of the companies who utilize and/or support company IT assets, systems and information. References in this policy to the “Company” shall mean the company at which you are employed or for which you provide services.

3.0 DEFINITIONS

3.1 Denial-of-Service – An attack which is characterized by attempt to prevent legitimate users from using a service. Examples of attacks include consumption of resources (such as bandwidth), disruption of configuration (such as routing information), and physical disruption or destruction.

3.2 Keystroke logging – Monitoring and recording a user’s keyboard strokes.

3.3 Malware – Software used to perform malicious actions.

3.4 Network Sniffing – Method of intercepting and recording traffic passing over a network with the intent of capturing and analyzing information.

3.5 Packet Spoofing – An attack in which the attacker sends IP packets from a false source address in order to disguise themselves as a legitimate source.

3.6 Peer-to Peer (P2P) File Sharing – A distributed network of users who share files by directly connecting to the users’ computers over the Internet rather than through a central server.

3.7 Port scanning – An attack in which client requests are sent to a range of server port addresses with the goal of exploiting a vulnerability on a port.

3.8 Removable Media – External storage devices, such as USB flash drives, disks, memory cards, and external hard drives.

3.9 Spyware – Software that is hidden from the user which gathers information or takes control of a computer.

3.10 Streaming Media – Information, typically audio or video, that can be heard or viewed as it is being delivered, which allows the user to start playing a clip before the entire download has completed.

4.0 RESPONSIBILITY

4.1 Company Employees

4.1.1 Read and comply with this policy.

4.1.2 Protect the confidentiality, integrity, and availability of Company electronic information.

4.1.3 When contracting with an external IT supplier, help ensure the supplier meets contractual obligations to protect and manage Company IT assets.

4.2 IT Information Security

4.21 Review and update the policy as needed.

5.0 POLICY/PROCEDURE

5.1 General Use and Ownership

5.1.1 Monitoring and Privacy

5.1.1.1 Users should expect no privacy when using the corporate network or company resources. Such use may include but is not limited to: access, transmission and storage of files, data, and messages.

5.1.1.2 The company reserves the right to monitor any and all use of the computer network. To ensure compliance with company policies this may include the interception and review of any emails, or other messages sent or received, inspection of data stored on personal file directories, hard disks, and removable media.

5.2 Security and Confidential Information

5.2.1 Circumvention of Security

5.2.1.1 Using company-owned or company-provided computer systems to circumvent any security systems, authentication systems, user-based systems, or escalating privileges is expressly prohibited.

5.2.1.2 Knowingly taking any actions to bypass or circumvent security is expressly prohibited.

5.2.1.3 In the event an employee knowingly takes action to bypass or circumvent security, the said employee may be subject to disciplinary action up to and including termination of employment.

5.2.1.4 The user should take reasonable efforts to avoid accessing network data, files, and information that are not directly related to his or her job function. Existence of access capabilities does not imply permission to use this access.

5.2.2 Unless expressly authorized, confidential data must not be:

        • Shared or disclosed in any manner to non-employees of the company,
        • Posted on the Internet or any publicly accessible systems, or
        • Transferred in any insecure manner.

5.3 Unacceptable Use: System and Network Activities

The following actions constitute unacceptable use of the corporate network. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities. This list is not exhaustive, but is included to provide a frame of reference for types of activities that are deemed unacceptable.

5.3.1 Computer Resources

5.3.1.1 Excessive use of company bandwidth or other computer resources is not permitted. Large file downloads or other bandwidth-intensive tasks may degrade network capacity or performance, Crowley reserves the right to monitor and delete unauthorized files that may degrade network capacity and or performance.

5.3.1.2 Actions detrimental to the computer network or other corporate resources, or that negatively affect job performance are not permitted.

5.3.1.3 Streaming media can use a great deal of network resources and thus must be used carefully. Streaming media is allowed for authorized, business-related functions.

5.3.2 Peer-to-Peer (P2P) networking is not allowed on the corporate network.

5.3.3 Software Installation

5.3.3.1 Installation of non-company-supplied software is prohibited. Numerous security threats can masquerade as innocuous software – malware, spyware, and Trojans can all be installed inadvertently through games or other programs.

Alternatively, software can cause conflicts or have a negative impact on system performance.

5.3.3.2 Pirated software is considered open source, freeware, shareware, stolen software, and/or software that has been installed, distributed, and/or copied illegally from either an internal or external source without proper approval and/or licensing. Installation or distribution of unlicensed or “pirated” software is prohibited.

5.3.4 Web Browsing

5.3.4.1 The Internet is a network of interconnected computers of which the company has very little control. The user should recognize this when using the Internet, and understand that it is a public domain and he or she can come into contact with information, even inadvertently, that he or she may find offensive, sexually explicit, or otherwise inappropriate. The user must use the Internet at his or her own risk. The company is specifically not responsible for any information that the user views, reads, or downloads from the Internet.

5.3.4.2 Personal use of company computer systems to access the Internet is limited to occasional use.

5.3.5 Downloading, storing, or distributing unauthorized copyrighted material, such as:

          • Copying and sharing images, music, movies, or other copyrighted material using P2P file sharing or unlicensed CD’s and DVD’s
          • Posting or plagiarizing copyrighted material
          • Downloading copyrighted files which the employee has not already legally procured

5.3.6 No company-owned or company-provided computer systems may be knowingly used for activities that are considered illegal under local, state, federal, or international law. Such actions may include, but are not limited to, the following:

          • Unauthorized network and wireless hacking
          • Unauthorized interference or denial of service
          • Unauthorized disruptions of network communication including, but not limited to: network sniffing, pinged floods, and packet spoofing
          • Unauthorized circumvention of user authentication or security of any host, network, or account
          • Any act that may be considered an attempt to gain unauthorized access to or escalate privileges on a computer or other electronic system
          • Acts of terrorism
          • Identity theft
          • Spying
          • Downloading, storing, or distributing violent, perverse, obscene, lewd or offensive material as deemed by applicable statues
          • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws

5.4 Unacceptable Use: Email and Communications Activities

5.4.1 Use email in compliance with the Crowley Email Security Policy.

5.4.2 Communications

5.4.2.1 Disseminate defamatory, discriminatory, vilifying, sexist, racist, abusive, rude, annoying, insulting, threatening, obscene or otherwise inappropriate messages or media.

5.4.2.2 Engage in activities that cause disruption to the workplace environment or create a hostile workplace.

5.4.2.3 Engage in any activities that may cause embarrassment, loss of reputation, or other harm to the company.

5.4.2.4 Engage in activities that cause an invasion of privacy. These activities include but are not limited to the following: port scanning, security scanning, keystroke logging, or other IT Security information gathering technique when not part of an employee’s job function.

5.4.2.5 Make fraudulent offers for products or services.

5.4.2.6 Reveal personal or network passwords to others, including family, friends, or other members of the household when working from home or remote locations.

5.5 Unacceptable Use: Wireless Telephones, Smartphones and Other Electronic Devices

5.5.1 Automobiles: Use of wireless phones while driving a company issued automobile (including rentals) or while driving a personal vehicle while on company business is prohibited. All wireless phone users must complete phone calls prior to operating a vehicle. If a call is received while driving it should not be answered until the vehicle can be carefully stopped and parked in a safe area. This applies to the use of any wireless device, including those that allow for hands free operation, for receiving or placing calls, text messaging, surfing the internet, receiving or responding to email and checking voice mail messages either from a company provided device or personal device in conducting activities related to your employment.

5.5.2 Terminal and Warehouse Locations: Use of wireless phones is prohibited while operating equipment or machinery or in areas of the terminal or warehouse where moving equipment may suddenly be present in the work area. Equipment and machinery includes, but is not limited to brutes, hustlers, cranes, forklifts, automated conveyors and cargo and fuel transfers.

5.5.3 Vessels: Wireless devices are prohibited while on duty / watch or otherwise engaged in work aboard vessels, except for official ship’s business. Other electronic devices which are part of the vessels navigations, communication or management system are to be used in accordance with good seamanship, prescribed operating instruction and prudent navigation so as not to interfere with but rather promote the safe operation of the vessel.

5.5.4 Personal Use of Wireless Devices in the Workplace: Use of wireless devices for personal business during working hours will be kept to a minimum. Any form of wireless communication should always be made in a safe, controlled environment. In office environments, areas such as break rooms, enclaves and conference rooms should be used to avoid distraction of others. In operating environment such as on vessels and in terminals or warehouses, the personal use of wireless devices should only occur during breaks or when off duty and in a safe environment such as break rooms, offices or crew quarters.

6.0 RELATED DOCUMENTATION

6.1 This document is part of the company’s cohesive set of security policies. Other policies may apply to the topics covered in this document and, as such, the applicable policies should be reviewed as needed:

6.1.1 CPP-IT-006 Information Security Policy

6.1.2 CPP-IT-009 Email Security Policy

Effective Date: 1/19/2018 – CPP-IT-015