Information Security Policy

POLICY No: 1
POLICY: Information Security Policy
Effective: September 30, 2003
Reviewed: December 31, 2013
Revised: January 1, 2014; August 1, 2009

INFORMATION SECURITY POLICY

In the course of their work for The Belt Railway Company of Chicago (BRC), employees may become aware of confidential information about customers, suppliers or other business contacts or proprietary information. Such information must be held in the strictest confidence. Furthermore, it is to be used solely for corporate purposes and never for the personal gain of any employee. When an employee leaves BRC, no such information may be taken.

As an employee of BRC, you should understand that you are obligated to preserve the confidential and/or secret information of the Company, its clients, customers, and suppliers. To ensure confidentiality, all employees are to treat everything concerning BRC as confidential. Confidential information should not be used to the disadvantage of BRC or any client, customers, or suppliers, or to the advantage of anyone other than the Company. As an employee, you have a duty of confidentiality not only to BRC itself, but also to each of the Company’s employees. Due to the importance of this policy, adherence to this policy is a term and condition of your employment. A breach of this obligation on your part is a serious matter, and may result in discipline up to and including termination. After reading this policy, all BRC employees are required to complete and execute the attached Receipt and Acknowledgement form and return same to BRC’s Human Resources Department. Compliance with this policy is a condition of employment.

Although not limited to computer, e-mail and internet use, a substantial amount of confidential BRC information is stored in its computer systems. The revealing or misuse of such information, or like information stored manually, is prohibited and could result in dismissal.

An additional purpose of this policy is to ensure the proper use of BRC’s e-mail system and make users aware of what BRC deems as acceptable and unacceptable use of its e-mail system. BRC reserves the right to amend this policy at its discretion. In case of amendments, users will be informed by posting this policy on the property for not less than (30) thirty calendar days. Employees are required to make sure they understand the provisions of this policy. If you have any questions about this policy, you should contact your supervisor or the Human Resources Department.

The internet and e-mail are great tools to enhance productivity because they allow employees to access and share detailed, current information that can aid in job performance. For these reasons, BRC encourages you to use these electronic tools. On the other hand, much of the information available to you on the Internet is not related to job performance, and unrestricted use of the Internet has the potential to drain, rather than increase, productivity and Company resources. You should also be aware that information transmitted over the Internet is not completely secure and information you transmit or receive can damage the reputation and/or competitiveness of the BRC. Because BRC wants you to benefit from Internet and e-mail use, BRC encourages these tools to be used for the following purposes:

• To communicate with fellow employees, customers and suppliers regarding railroad business;
• To acquire information that will aid in assigned duties; and
• To occasionally use for personal reasons, with the understanding that such access must not interfere with your job or with the ability of others to use BRC electronic communication systems for business purposes.

EMPLOYEE USE OF E-MAIL:
E-mail is a business communication tool and users are obliged to use this tool in a responsible, effective and lawful manner. Although by its nature e-mail seems to be less formal than other written communication, the same laws and internal BRC rules and policies apply. Therefore, it is important that users are aware of the legal risks of e-mail:
• If you send e-mails with any libelous, defamatory, offensive, racist or obscene remarks, you and BRC can be held liable.
• If you forward e-mails with any libelous, defamatory, offensive, racist or obscene remarks, you and BRC can be held liable.
• If you unlawfully forward confidential information, you and BRC can be held liable.
• If you unlawfully forward or copy messages without permission, you and BRC can be held liable for copyright infringement.
• If you send an attachment that contains a virus or any other form of harmful software, you and BRC can be held liable.

By following the guidelines in this policy, the e-mail user can minimize the legal risks involved in the use of e-mail. If any user disregards the rules set out in this policy, the user will be fully liable and BRC will disassociate itself from the user as far as legally possible. In other words, violation of any part of this policy may result in discipline, up to and including dismissal.

The following rules are required by law and are to be strictly adhered to. To ensure that you do not abuse the use of Internet or e-mail, the BRC requires all employees to:
• Abide by all United States and international copyright laws and licenses granted in connection with Internet access;
• Abide by all state, federal and international laws and regulations;
• Not access sites, nor send or solicit electronic communications which carry offensive or illegal material as this may damage the railroad’s reputation if such information is publicly disclosed. Offensive material includes, but is not limited to, pornography or other material of a sexual nature, hate literature, racial or other offensive jokes, cartoons or comments, or any other material which violates any other BRC policy;
• Refrain from using chat rooms, news groups or netservers. If you wish to express personal opinions on the internet please use only your personal internet account, not the BRC’s.
• Refrain from using the Internet in a manner that may be construed to be harassment or disparagement of others based on their race, national origin, sex, sexual orientation, age, medical condition or disability, veteran status, religion,political beliefs, or any ground prohibited under federal, state or local law (“protected status”).
• Avoid taxing computer resources by downloading large files or using sites that use video or audio streaming (i.e. video or audio that is pulled from the Internet as a continuing stream of data rather than as a file).

It is further prohibited to:
• Send or forward e-mails containing libelous, defamatory, offensive, racist or obscene remarks. If you receive an email of this nature, you must promptly notify your supervisor.
• Forge or attempt to forge e-mail messages.
• Disguise or attempt to disguise your identity when sending mail.
• Send e-mail messages using another person’s e-mail account.
• Copy a message or attachment belonging to another user without permission of the originator.

Best Practices for Writing E-mails:
BRC considers e-mail as an important means of communication and recognizes the importance of proper e-mail content and speedy replies in conveying a professional image and delivering good customer service. Users should take the same care in drafting an e-mail as they would for any other communication. Therefore, BRC expects users to adhere to the following guidelines:

• Write well-structured e-mails and use short, descriptive subjects.
• BRC’s e-mail style is informal. This means that sentences can be short and to the point. You can start your e-mail with “Hi’, or ‘Dear’, and the name of the person. Messages can be ended with ‘Best Regards’. The use of Internet abbreviations and characters such as smileys however, is not encouraged.
• Signatures must include your name, job title and company name.
• Users must spell check all e-mails prior to transmission.
• Do not send unnecessary attachments. Compress attachments larger than 1MB before sending them. If you need help doing so, please contact Tech Support.
• Do not write e-mails in capitals.
• If you forward e-mails, state clearly what action you expect the recipient to take.
• Only send e-mails of which the content could be displayed on a public notice board. If they cannot be displayed publicly in their current state, consider rephrasing the e-mail, using other means of communication, or protecting information by using a password (see confidential).
• Only mark e-mails as important if they really are important.

Replying to E-mails:
• E-mails should be answered within at least 8 working hours, but users must endeavor to answer priority e-mails within 4 hours.
• Priority e-mails are emails from existing customers and business partners.

Newsgroups:
• Users need to request permission from their supervisor before subscribing to a newsletter or news group.

Maintenance:
• Delete any e-mail messages that you do not need to have a copy of, and empty your “trash” folder on a weekly basis.

Personal Use of E-mail:
It is expected that employees will at times use their BRC e-mail accounts for personal e-mails; however, the sending of chain letters, junk email, any offensive material and executables (potentially harmful files such as .exe or .jar files, for example) is prohibited. All messages distributed via BRC’s e-mail system are BRC’s property. The occasional use of a personal e-mail account (Gmail, etc.) is permitted so long as it does not interfere with your job or with the ability of others to use BRC electronic communication systems for business purposes.

Confidential Information
Never send any confidential information via e-mail. If you are in doubt as to whether to send certain information via e-mail, check first with your supervisor.
Encryption
Users may not encrypt any e-mails without obtaining written permission from their supervisor. If approved, the encryption key(s) must be made known to the Company.

E-mail Retention
All e-mails should be deleted after 30 days. If a user has sufficient reason to keep a copy of an e-mail, the message must be moved to the folder “For archiving’.

E-mail Accounts
All e-mail accounts maintained on our e-mail system are property of BRC. Passwords should not be given to other people and should be changed periodically, no less than every 90 days. E-mail accounts not used for 60 days will be deactivated and possibly deleted.

EMPLOYEE USE OF INTERNET:
The Internet is a tool that is intended for BRC business and not a right of any employee. Good judgment must be exercised with Internet use. It is the responsibility of the employee to inquire with a supervisor as to the appropriateness of any Internet use in advance if unclear about any of the provisions of this Policy. Inappropriate use will subject an employee to discipline, up to and including dismissal.
• Access to the Internet is intended for bona fide business purposes. Only properly licensed software and browsers that are placed on the Company computer terminal by the MIS Department may be used to gain access to the Internet. Excessive employee use of the Internet for non-business reasons during working hours will be considered a violation of this policy.
• No software, executable files, databases or other “live” technology may be received through e-mail, downloaded from the Internet, installed from external discs or otherwise placed on any BRC computer without written approval from a management official. Prior to any approval, the MIS Department shall assure that the information is appropriately licensed for use installed on BRC machines and is free from viruses.
• Each employee using Internet technology shall do so with sensitivity to the need to protect confidential and proprietary information of BRC. Employees must always assume that the Internet does not provide adequate measures to protect the security and confidentiality of transmitted information. Employees are NOT authorized to transmit any such information over the Internet without the advanced consent of his or her supervisor or the Human Resources Department.
• The BRC reserves the right to monitor and inspect the computer systems (hard drives and external drives), history files, log files and all other aspects of BRC computers and software for any reason at its discretion. Employees have no right of privacy as to any item or communication using the Internet.
• Inappropriate Internet use may lead to severe disciplinary action, up to and including dismissal. This is including but not limited to accessing any sexually explicit materials, sexually-oriented materials, or any materials in violation of BRC policy, including but not limited to BRC’s policy on conduct, sexual harassment, and discrimination in the workplace. Abuse of the Internet through inappropriate browsing may constitute negligence to duty, immoral conduct, criminal conduct, conduct unbecoming an employee, conduct bringing discredit to the Company, or other violations of BRC rules and regulations.
• All of the policies set forth above with respect to use of e-mail shall apply equally to use of general Internet access, including but not limited to Web-based e-mail application, chat room participation, newsgroup access and all other Internet related use and access.
• This policy applies to any computer use that is in relation to performing duties as a BRC employee. Any violation of these policies may lead to disciplinary action, up to and including termination.

System Monitoring
Users expressly waive any right of privacy in anything they create, store, send or receive on the Company’s computer system. BRC can, but is not obliged to, monitor e-mails and Internet without prior notification. If there is evidence that you are not adhering to the rules set out in this policy, BRC reserves the right to take disciplinary action, including termination and/or legal action.

Questions
If you have any questions or comments about this Information Security Policy, please contact your supervisor or the Human Resources Department. If you do not have any questions, BRC presumes that you understand and are aware of the rules in this Information Security Policy and will adhere to them.

*Effective September 30, 2003; Policy reissue: January 1, 2014. This directive becomes the governing policy regarding information security and E-mail/internet use by authorized employees at The Belt Railway Company of Chicago. If you need additional information, please contact the Human Resources Department.