1.1 Crowley’s Information Security policy establishes roles and responsibilities for developing, implementing, monitoring and enforcing an IT Security Program at Crowley.
2.1 This policy applies to all subsidiaries, agents, and/or consultants at each of the companies who utilize and/or support company IT assets, systems and information. References in this policy to the “Company” shall mean the company at which you are employed or for which you provide services.
4.1 Company Employees
4.1.1 Read and comply with this policy.
4.1.2 Protect the confidentiality, integrity, and availability of Company electronic information.
4.1.3 When contracting with an external IT supplier, help ensure the supplier meets contractual obligations to protect and manage Company IT assets.
4.2 Information Security
4.2.1 Review and update the policy as needed.
5.1 IT Security Program
5.1.1 Crowley IT Information Security (“IT Security”) must maintain an IT Security program.
5.1.2 The program shall:
- Define roles, responsibilities, authorities, and accountabilities related to IT Security.
- Approve services, solutions, and/or computer systems to enhance IT security.
- Provide coordination, evaluation, communication, and awareness about information security.
5.1.3 Crowley IT Security shall establish and maintain a security awareness program.
5.2 Access Control
5.2.1 Crowley IT Security shall oversee and grant access to information resources for the Company on a need-to-know, right-to-know, and time-to-know basis.
5.2.2 All Crowley employees, equipment, batch processes, agents, consultants, or any person whose services are obtained by a contract or through a temporary agency must use a unique identifier to access Crowley’s information resources.
5.2.3 Access entitlements must be approved by the department manager or data owner (unless granting pre-approved Job Function Profiles) prior to processing.
5.2.4 Access must be removed within a reasonable timeframe upon termination notification by a manager and/or HR.
5.2.5 The use of group accounts, or the sharing of individual accounts, for computer and network access is restricted. Group accounts should be used as infrequently as possible and will be permitted on an exception basis only. Group accounts must be approved by the application owner and the Director of Technology or their designee.
5.2.6 Generic and Non-expiring accounts:
- The Manager of Information Security or their designee must approve in writing all generic accounts and non-expiring passwords.
- Business justification for generic accounts and non-expiring passwords must be obtained from the requestor and the justifications must be approved by the Manager of Information Security or their designee.
5.2.7 Controls must be in place to identify accounts with administration and enterprise domain administration access.
5.2.8 Accounts must be disabled upon notification of:
- A user termination;
- An expiration of employment or business partner contract;
- A user ID no longer being required;
- 90 days of non-usage.
5.3 Anti-virus protection
5.3.1 All devices connected to the network must contain and use Crowley-approved virus protection software. Owners of equipment that is not connected to the network are responsible for ensuring that this software is at the current release level. Data files or executable files received must be checked for malicious code and/or viruses prior to opening the file. The Service Desk must be notified immediately upon identification of any virus.
5.4 Bypassing Security Controls
5.4.1 All employees of Crowley, its subsidiaries, agents, consultants, or any other person whose services are obtained by a contract or through a temporary personnel agency must not attempt to bypass established system security controls to gain access to systems or files unless approved by the data owner and the Director of Technology.
5.5 Data Access
5.5.1 All wireless access to Crowley’s data must comply with company security standards.
5.5.2 Employees must not put the only copy of a Company record or information on a portable device or media.
5.6 Data Archiving
5.6.1 Employees must request IT to dispose of archived data when it is no longer required for business purposes, provided all records management obligations have been satisfied.
5.7 Data Backup
5.7.1 Information Security’s obligations are to:
- Develop and comply with retention periods and procedures for the maintenance of backup data.
- Ensure that the suppliers it retains to create, rotate, and recycle backup data comply with the retention periods and procedures.
- Ensure that backup data in its possession is maintained in accordance with applicable retention periods.
5.8 Data Classification
5.8.1 Crowley IT Security defines three levels of data classification:
- Public, Private and Confidential.
- Refer to CPP-IT-006a: Information Security Data Classification Policy.
5.9 Data Display
5.9.1 Employees with access to private or confidential information should position screens to prevent inadvertent disclosure unless employees in the same work area have access to the same information. Employees must ensure workstations are secured from unauthorized use while unattended by invoking the “Lock Workstation” feature. White boards with confidential and private information must be erased after meetings.
5.9.2 Private data must be obscured or masked when entered.
5.10 Data Distribution
5.10.1 Confidential and private information must be controlled.
5.10.2 Private data must be sent encrypted when sending outside of the Crowley network.
5.10.3 Reports and other sensitive documents must be placed in a sealed envelope marked as confidential.
5.10.4 Faxing of private and confidential information must be confirmed with the recipient at the destination and must include a confidentiality statement on all cover sheets.
5.10.5 Transmission of sensitive and confidential Company information over the Internet must be done using a secure transmission mechanism approved by Crowley’s Information Security department.
5.11 Data Labeling
5.11.1 All data that is classified as confidential or private must be clearly labeled and specify special handling instructions. Appropriate control statements must be included at the bottom of the page or underneath the classification label. Tapes and other electronic media must have an external label attached.
5.12 Data Migration
5.12.1 When migrating data, Crowley IT Security and the business owner must confirm that data was migrated successfully from one system to another. A successful migration occurs when data is transferred completely and the integrity of the data is maintained.
5.13 Data Storage
5.13.1 Confidential and private information must be stored securely.
5.13.2 Private information when not in use must be stored in a locked drawer or file cabinet.
5.13.3 Departments that process or store private and confidential information should be locked when no one from the department is present.
5.14 Data Storage of Private Data
5.14.1 Private data should be encrypted at the data level during storage.
5.15 Diagnostic Tools
5.15.1 Distribution or use of network diagnostic tools, sniffers, or monitoring and scanning tools is not allowed except in accordance with job responsibilities and authorization by Crowley IT Services. This includes software that can replicate the function of such tools.
5.16 Disaster Recovery Plan
5.16.1 Crowley’s Disaster Recovery Plan must be reviewed and tested annually.
5.16.2 Crowley IT shall oversee the development, implementation, publishing, and maintenance of the IT Business Continuity Plan.
5.17 Event Monitoring
5.17.1 Audit trails must be in place to ensure that the actions of individual information system users can be uniquely traced to those users.
5.17.2 Significant computer and security-related events must be securely monitored and logged, when applicable. These events include, but are not limited to:
- Failed system logon attempts;
- Security setting changes;
- System shutdowns and restarts;
- Application errors;
- System service failures;
- Faults or error messages.
5.18 Internet Security
5.18.1 No employee should expect a right to privacy when accessing Crowley’s data or using Crowley’s resources or devices. The Company has the right to monitor, and does monitor, Internet usage.
5.18.2 Accessing inappropriate sites may result in disciplinary action, up to and including termination and/or criminal prosecution. Inappropriate sites include, but may not be limited to, sites that contain violence, profanity, nudity, sexually explicit material, cult, militant or extremist content, streaming videos (unless authorized), and gambling sites.
5.18.3 Crowley controls the administration of IP addresses. All potential users of such Internet addresses must coordinate their requirements and receive approval for the use of such addresses from Crowley’s Director of Technology or their designee.
5.19 Media Disposal
5.19.1 Confidential and private hardcopy information should be shredded before being discarded.
5.19.2 Confidential and private electronic media must be erased before being discarded.
5.20.1 Passwords must be protected at all times.
5.20.2 Passwords must be difficult to guess.
5.20.3 Passwords must not be shared.
5.20.4 Every password must be changed regularly.
5.20.5 Stored passwords must be encrypted.
5.20.6 Passwords must not be in clear text.
5.20.7 System software must enforce the changing of passwords and the minimum length of passwords.
5.20.8 System software must disable the user identification code after three consecutive invalid password attempts.
5.20.9 System software must maintain a history of previous passwords and prevent reuse for a period of time.
5.21 Personal Use
5.21.1 You must limit personal use of the Company information system, including e-mail, to occasional use, and you must not:
- Consume more than a minimal amount of system resources;
- Transmit inappropriate messages;
- Interfere with productivity or preempt business activity;
- Violate policies, procedures or law;
- Violate copyright or licensing agreements; or
- Use personal email accounts for Crowley business.
5.22 Physical Access Controls
5.22.1 All facilities containing computer or telecommunications equipment must be secured. Only authorized employees, contractors and vendors are allowed within restricted facilities and must be authenticated by electronic badge readers when possible.
5.22.2 Piggybacking on another person’s badge is not permitted.
5.23 Policies and Procedures
5.23.1 Crowley IT Security shall oversee the development, implementation, publishing, distribution, and monitoring of IT Security policies and procedures.
5.24 System Retirement
5.24.1 The owner of a system or their designee must notify the Director of Technology or their designee when a system has been retired and is no longer being used by Crowley resources.
5.25.1 The test environment must be kept separate from the production environment at all times.
5.25.2 Testing must follow change control procedure and must ensure that all moves between the test and production environments have been authorized by the appropriate manager.
5.25.3 Program development staff should not have update access to production data.
5.25.4 All temporary update access to production data by IT developers must be authorized by Crowley IT Security and logged.
5.26 Threat and Vulnerability Management
5.26.1 Crowley IT Security shall oversee assessments of critical IT threats to the Company computing environment.
5.26.2 Crowley IT Security shall oversee the monitoring, evaluation and investigation of security breaches and report all instances to the proper stakeholders and authorities.
5.27 Reporting security problems or incidents
5.27.1 Users must report system or network malfunctions, including any suspected network security problem (e.g., a virus, an intrusion or a non-compliance situation), to the Crowley IT Service Desk at 1 (904) 727-2255 or 1 (866) 287-3366, or by sending an email to email@example.com.
6.0 RELATED DOCUMENTATION
6.1 IT Security Policies and Procedures