
IT Charter


INFORMATION SECURITY CHARTER

V1.0 corporate (04/2013) – EN (1.0)

This Information Security Charter for end users (ISC) is a synthesis of the security requirements spread across all SE policies.
1- The Principles of IT security list the responsibilities and accountabilities every user shall understand and acknowledge.
2- The Acceptable use of information systems provides the secure best practices for every IT platform and usage.
3- Useful links & Glossary help users find the most relevant documentation and support.
Dedicated awareness programs will help users better understand those requirements and actively improve their conduct.
This charter is the corporate reference for all SE IT systems in all SE entities. These entities must implement this charter in enforceable local provisions which bind employees and partners in accordance with national legislation.

Principles of IT security

Be professional and responsible in the use of information technology


SE provides equipment and access privileges to Information Systems for company purposes.
Security and acceptable usage of company technology systems and related data are essential to SE's and its customers' business. Any violation of the provisions of this charter will be subject to corrective action, in accordance with national legislation. Any exception requested by an end user must be reviewed and approved by management and IPO.

Safeguard IT systems Confidentiality, Integrity and Availability


IT equipment and privileges provide access to, and permit use of, SE's sensitive business processes and proprietary information.
Users are responsible for complying with all acceptable use requirements and for avoiding any action that could damage, disrupt or affect system integrity. They are responsible for returning SE-provided IT equipment, as well as SE-provided data, including all hard copies and electronic copies on any storage media, at the termination of their employment or upon SE's request.

Protect sensitive information


Regardless of its form, all SE information shall be protected in accordance with its classification level.
Users are expected to take all reasonable steps to safeguard the confidentiality and the integrity of SE information. They are not allowed to access, modify, produce, communicate or distribute any information unless authorized to do so for business purposes. They are accountable for unauthorized disclosure, including any action that permits or results in an unauthorized disclosure of confidential information.

Secure identities and comply with the segregation of duties


Each user is individually identified by a security code (Logon ID / password) issued in that user's name and only for that user's use.
Users are responsible for never sharing their Logon ID with anyone and for taking all reasonable steps to keep their password secure and confidential. Users are accountable for all access by themselves or by others using their Logon ID. SE may modify these access rights to services (intranet, telephony, web…) and systems at any time and for any reason.

Facilitate system maintenance and collaborate with incident resolution


To comply with legislation and mitigate business risks (disruption, leakage, spying, cyber crime, fraud), SE has the right and the duty to monitor, operate and investigate its information systems by collecting, storing, accessing, intercepting and reviewing its data.
Users are responsible for reporting any known or suspected IT incident (disruption of service, unauthorized access, malicious activity, loss, theft). They must allow authorized administrators to maintain systems and operate them remotely for any technical or security reason deemed necessary. They must also collaborate with authorized security officers in the investigation of an HR, security, or legal request.

Useful links

IT Security policies and awareness (charter, tutorials, presentations…): http://ipo.schneider-electric.com/itsecurity
Visit other IPO pages for the service catalog and organization.

Security incidents and IT support (software installation, technical issue…): call 29.29.
For local procedures, exceptions or legislation, also contact your local HR or your management.

Global IPO security - Schneider Electric - Information Security Charter (corporate) - v2013-04
ACCEPTABLE USE of the information system

Best practices help to implement the Principles of IT security.

Desktop / Laptop

Prevent loss & theft
- Lock your equipment (PC, laptop, storage disk) to your desktop with a protection cable.
- Store your mobile IT (laptop, backup disk, USB key) in a locked desk, drawer, or safe when you are not using it, and never leave it unsecured after business hours or on vacation.
- When travelling, keep your mobile IT with you at all times; never leave it in unsecured locations.
- Immediately inform SE of any loss or theft of IT equipment.

Prevent spying & hacking
- Never transfer CONFIDENTIAL files to mobile IT devices (laptop, removable media) without enhanced security (encryption, user access control).
- Do not insert removable media into your PC if you don't trust its origin (USB key found on the floor, advertising, visitor…).
- Do not insert your personal removable media into a third-party PC if you don't trust its owner (internet cafe, prospect, visitor).
- If your business requires such unsecured behaviour, use specific mobile IT devices without any sensitive data or SE connection capability, and scan them (antivirus) before returning to SE.

SE smartphone & Telephony

Prevent loss / theft & denial of service
- Outside the office, never leave SE mobile devices unattended.
- Inform SE immediately if the device is lost or stolen.
- Back up the content of the device, because it can be remotely wiped in the event of theft or loss, or on request of authorized personnel such as HR, legal or the management.

Prevent hacking / spying / social engineering
- Limit your disclosure of information and always check the identity and origin of a strange call (name, phone number…).
- Do not use external Internet telephony without SE approval.
- In addition to your PIN code (which does not protect embedded data), activate the automatic screen lock with password control.
- If necessary, encrypt sensitive data (agenda, mail, contacts…).
- Comply with all other security requirements (information protection, software, network access, web usage, mailing, …).

Personal device: unless you have signed a BYOD agreement
• You must not transfer SE data to any personal device (smartphone, iPad, home PC…) or service (email, storage…).
• You must not connect personal devices (laptop, smartphone) to the SE network, even for business purposes.

Mobile phone security policy
Bring Your Own Device (BYOD)

Network equipment

Prevent disruption of service and security breaches
- Within SE locations, do not install any individual network equipment (e.g., switch, WiFi box, ADSL modem).
- Request standard equipment, procedures and technical support from the IPO service desk by calling 29.29.
- Do not establish any bridge between SE and any external network (VPN connection, Remote Access Service to home…).
- Do not modify IPO's existing connectivity & procedures (e.g., network filtering to secure web access).
- From any public network (e.g., home, hotels, airports), use only the SE VPN solution to access SE information systems.
- Do not use traffic capturing, administration or hacking tools without prior approval.

Software

Prevent hacking
- Only use SE-approved software. Do not use shareware or freeware without advance approval by SE management or IPO.
- Do not install personal software (gaming, peer-to-peer, free hosting services…) on SE equipment, even for incidental use.
- Never disable any systems-management-related services (antivirus, personal firewall, automatic update, etc.).
- Activate the automatic update function for your utilities (Adobe, Java, …) and ensure that you are receiving all security updates.
- Log on to the SE network and restart your PC at least once a week to ensure that software & security protections are updated.

Comply with use terms & copyright
- Carefully review the licensing agreement and the use terms of all software before agreeing to them and installing it.
- Do not make unauthorized copies of software (hacked version, unofficial website, personal copy, peer-to-peer).

Unauthorized Network & Software policy

Protect sensitive information

Protect sensitive documents
- Clear from your desk any visible documents and store them in a locked place (e.g., drawer, safe) when unattended.
- Gather your printouts from all copiers and printers, and your faxes or scans from the fax machine or scanner.
- Regularly shred documents and media no longer needed.
- Stamp documents according to the SE classification scheme*.

RESTRICTED information
- Share RESTRICTED information on a strict need-to-know basis.
- Never share RESTRICTED information on any social media.

CONFIDENTIAL information
- Define the exhaustive access list for every CONFIDENTIAL file, and write it on the document next to the stamp.
- Use the SE encryption standards (in compliance with the law) to store and exchange any CONFIDENTIAL data (storage, backup, sharing, transfer, printing…).
- Never share CONFIDENTIAL information on cloud-based collaborative tools without specific security options (encryption, access lists, user control, traceability).
- Do not transfer CONFIDENTIAL information to any third party without prior written consent of the information owner.

PRIVACY
- SE is responsible for users' data privacy.
- Users are responsible for the protection of their privacy and the privacy of any other SE employees or third parties.

Backup critical data
- Publish your reference documents to project shares with access restriction, to allow your team to work when you are not available (this will prevent you from having to share your PC or your logon ID).
- Archive a copy of your data on a secondary controlled, secured storage (backup media, file server, SE storage services, etc.).
- Do not carry personal backup media in your laptop luggage.
- To back up CONFIDENTIAL files, encrypt them before transferring them to the media, or encrypt the whole media.

Sensitive information protection policy
Data Privacy Binding protection policy

Logon ID & User access

Prevent unauthorized access
- Do not allow members of the public (including family members) to use your SE computer systems (e.g., SE laptop from home).
- Never share your personal Logon ID / password (or Token) with anyone else (trainee, assistant), nor use other users' ones.
- Do not use your SESA nor any SE username for external applications (e.g., on the Internet).
- Never leave your PC or laptop with an open session at any time, even for short periods.
- Ensure automatic lock is set after 15 minutes of inactivity.
- When needed (e.g., in transportation), use a privacy screen to prevent shoulder-surfing.
- Don't try to access data or applications you don't need to know.
- You must comply with legal controls and may be requested to give access to police authorities (e.g., at customs).
- Immediately report to IPO any unauthorized access to your IT equipment, applications or documents.

Passwords

Prevent identity theft
- Never reply to any email or phone call requesting your ID/password ("phishing" attacks), even from IT professionals.
- An IPO administrator could request your password under exceptional circumstances for a PC replacement: confirm their identity, give them a temporary password and change it just after the operation.
- Do not write passwords anywhere in clear text (Post-it, Excel). Use the secure password database manager delivered by IPO.
- Do not use the same passwords for business and private accounts.
- Change your passwords every 90 days, or as soon as you believe one has been compromised.

In SE policy, a strong password is at least 8 characters long with numbers, upper/lower case letters and special characters ($ & # @).
- Do not use simple default passwords (e.g., 1234, 0000, root) or passwords too easy to guess (birthdates, names).
- Define your own method to build a strong password! For example, use a personal phrase that is easy to memorize and replace a few letters with specific characters.
Password security policy
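The rules in the Passwords section above can be applied mechanically when a user picks a new password. The Python checker below is an added example, not part of the charter and not SE or IPO code: it enforces the stated minimum of 8 characters with digits, upper- and lower-case letters and special characters, rejects the simple defaults the page names (1234, 0000, root) and flags passwords built from the user's name or birthdate. The wider special-character set, the extra deny-list entries, the YYYY-MM-DD birthdate format and the function names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field

# Charter rule: at least 8 characters, with digits, upper- and lower-case
# letters and special characters. The page names "$ & # @" as examples of
# special characters; the wider set below is an assumption of this example.
MIN_LENGTH = 8
SPECIAL_CHARS = set("$&#@!%^*()-_=+[]{};:,.?/")

# Constructed deny list: the defaults named on the page (1234, 0000, root)
# plus a few common variants added as an assumption.
DEFAULT_PASSWORDS = {"1234", "0000", "root", "password", "admin", "12345678"}


@dataclass
class PasswordCheck:
    ok: bool
    failures: list = field(default_factory=list)


def _birthdate_variants(birthdate):
    """Digit strings a guesser would try for a date given as YYYY-MM-DD (assumed format)."""
    digits = re.sub(r"\D", "", birthdate)
    if len(digits) != 8:
        return {digits} if len(digits) >= 4 else set()
    year, month, day = digits[:4], digits[4:6], digits[6:]
    return {digits, digits[2:], day + month + year, day + month + year[2:],
            year, day + month, month + day}


def check_password(candidate, user_names=(), birthdates=()):
    """Return a PasswordCheck listing every charter rule the candidate breaks."""
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isdigit() for c in candidate):
        failures.append("no digit")
    if not any(c.isupper() for c in candidate):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in candidate):
        failures.append("no lower-case letter")
    if not any(c in SPECIAL_CHARS for c in candidate):
        failures.append("no special character")

    lowered = candidate.lower()
    if lowered in DEFAULT_PASSWORDS or candidate.isdigit():
        failures.append("simple default password")

    # "too easy to guess (birthdates, names)": reject any name token of three
    # or more letters and any recognisable date form embedded in the password.
    for full_name in user_names:
        for token in re.split(r"[\s\-']+", full_name):
            if len(token) >= 3 and token.lower() in lowered:
                failures.append(f"contains personal name '{token}'")
                break
    for birthdate in birthdates:
        if any(v in candidate for v in _birthdate_variants(birthdate) if len(v) >= 4):
            failures.append("contains a birthdate")
            break

    return PasswordCheck(ok=not failures, failures=failures)


if __name__ == "__main__":
    # Constructed sample inputs; no real user data.
    for pw in ("1234", "Marie2024!x", "Tr0ub@dour!"):
        result = check_password(pw, user_names=["Marie Dupont"], birthdates=["1985-03-12"])
        print(f"{pw!r}: {'OK' if result.ok else 'rejected: ' + ', '.join(result.failures)}")
```

The name and birthdate checks are what make this more than a character-class filter: a password such as "Marie2024!x" satisfies every complexity rule yet is still rejected, which is the "too easy to guess" case the charter calls out.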

Mail usage

Prevent failure / misuse
- You are personally accountable and liable for your outgoing messages.
- Do not harass, abuse, harm or send unwelcome messages.

Prevent spying & data leakage
- Be aware that any content you send can be forwarded to others.
- Use REPLY TO ALL and attach histories only if necessary.
- Do not activate automatic forwarding toward external mailboxes.
- Never send CONFIDENTIAL data without specific protection (encryption, electronic signature, copy/printing prevention…).

Prevent hacking & social engineering
- Use your SE address exclusively for professional purposes.
- When the e-mail is unsolicited or suspicious, do not open any file attachment, nor click on a link in the body.
- Never answer any request for your password ("phishing").

Collaborative tools
- Comply with the eMail usage policy.
- Do not use Internet collaborative tools not authorized by SE (online storage, file sharing from home, instant messaging…).
- Read and acknowledge the 'use terms' displayed before using SE collaborative platforms.
- Do not handle or create any content that is unethical, unlawful or inappropriately secured.
- Do not communicate information you don't have the authorization to disclose.
- Never publish CONFIDENTIAL information on any cloud-based platform without encryption and strict access control.
- Keep your profile information accurate, and check that every submission is recorded under your employee name.

Social Enterprise Desktop policy

Web usage

Prevent failure / misuse
- Demonstrate responsibility in your web usage.
- Do not visit sexual, pornographic or violent content, or content that violates any SE policy or local legislation (consult your local HR).
- Don't consume excessive bandwidth (streaming, large files…).
- Avoid non-business-related Internet distractions from your work (e.g., games, social networking, shopping…).

Prevent hacking
- "Peer-to-peer" (P2P) sharing of files is strictly forbidden.
- Don't click on pop-ups you don't trust (bargains, lottery win…).

Prevent spying / social engineering
- Do not fill in web inquiries and online profiles with too many details on your business or your private life.
- Never authorize websites to memorize your credit card number for further visits (a prioritized target for cybercrime and hackers).

Social media

Prevent failure / misuse
- Unless authorized (e.g., Marketing), do not post SE information on social media.
- Only use social media channels authorized by SE, and do not add any page without the SE owner's approval.
- When you post proprietary information, comply with copyright, trademark, privacy and other applicable law.
- Use common sense and courtesy, post respectful comments, and respect discrimination policies and values whatever your country or culture.

Prevent spying / social engineering
- Never communicate any SE CONFIDENTIAL information (new product, R&D, financial results, trends, legal matters & litigation).
- Never communicate to the press (restricted to spokespeople).
- Be transparent; never represent yourself in a misleading way.
- Before posting any content, always double-check the identity and email address of your contact.

Web usage policy
Social media policy

Security incidents
- Call the IPO service desk (29.29) in case of a suspected security issue.
- Highlight all unusual IT behaviours (yours and your PC's) and any potential business impacts (e.g., confidential data leakage).
- To facilitate technical investigations, do not erase access history, temporary internet files, etc.
- Fully collaborate with IPO and security support.

Incidents can also be detected by monitoring systems (see Principle of security N°5). All SE controls comply with SE policies, labor laws and legal requirements.
- Monitoring history is available upon audit request to control acceptable use (e.g., web usage, sensitive data access, etc.).
- SE reserves the right to restrict, suspend or close accounts or usage of equipment or services at any time.

Glossary

Corporate organization

SE: Schneider-Electric group and all its subsidiaries.

IPO (Information Process & Organization): SE entity in charge of all information resources, organization, operation and support.

IT equipment & information resources for end users: includes, but is not limited to, computers, telephony, storage media, network devices, software, Intranet services, SE collaborative tools and Internet services.

User: person who has been authorized to access SE information resources (e.g., employee, contractor, part-time or temporary worker, and any third party with onsite or remote access).

Administrator: person allowed to manage IT systems (e.g., installing, maintaining and supervising systems, responding to service incidents and problems).

IT security officer: person whose function is to ensure that information resources are protected by establishing appropriate policies, procedures, standards and controls.

Information classification scheme

SE has set up a 3-level classification scheme for all information. Unless intentionally reclassified, SE information is RESTRICTED.

RESTRICTED: information required to be accessed only by the people who need to know it in the normal course of business. This information must be kept within the control of SE, and not disclosed nor used in an unauthorized way by anyone. Leakage may adversely affect the organization.

CONFIDENTIAL: information whose unauthorized disclosure or use could strongly influence SE's operational effectiveness, cause a financial loss, provide advantages to a competitor or reduce customer confidence.

PUBLIC: can be made public without any implication for SE (e.g., product brochures widely distributed; information available in the public domain and SE web site areas; financial reports required by regulatory authorities; newsletters for the public).

Sensitive information protection policy

IT Threats

Hacker: technical expert who can gain unauthorized access to IT systems (by writing custom programs to break a PC's security). It is unlikely that the average person will get "hacked", but large organizations like SE receive multiple hacking attempts a day.

Cybercrime: criminal activity done using computers and the Internet (e.g., creating viruses, stealing bank accounts, identities or business information). Every compromised piece of equipment or identity can be used to support cybercrime activity.

Malware (malicious software): programs designed to damage or perform unwanted actions on IT systems. For example, viruses can cause havoc by deleting files; spyware can gather data from a user's system; a keylogger can directly record your keystrokes (credit card numbers, passwords…); Trojan horses can remotely take control of your computer for spying, spamming or sabotage; etc.

Spam: unsolicited e-mail and postings for advertisement, but hiding virus infection or phishing attempts. Spam can come from a trusted friend whose PC has been compromised.

Phishing: attempt to steal personal information (password, credit card number) through fake emails or web pages looking like legitimate ones (e.g., eCommerce, banks, IT support). Stating that your information requires an update or validation, the message asks for your password or other personal details.

Denial of service attack: method used to make an IT system unavailable by sending a large number of simultaneous requests (e.g., to a web or mail server, or telephony).

Botnet: group of computers (up to several thousand PCs) infected with malware and controlled by a hacker for malicious purposes (spreading viruses, spamming, crashing web servers).

Social engineering: manipulating and abusing people into divulging confidential information or performing actions (e.g., phishing, guessing a password, virus infection with a USB key, …).

IT & Security technical terms

Antivirus: software used to protect IT equipment from viruses (automatic scanning and removal from disks, downloaded files, inserted media, emails…).

Backup: copy of files in case the original data is lost or becomes unusable (servers have automatic backup, but personal systems do not).

Bandwidth: data transfer rate on a network. IT infrastructures are sized to share the bandwidth between all users for normal usage.

Blacklist: list of denied access (internet addresses, network protocols). The opposite is a whitelist, which explicitly authorizes specific access.

Bluetooth: wireless short-range connections for smartphones, keyboards, etc. Misconfiguration can allow a hacker to take control of the device (e.g., in a train).

Bridge: IT equipment or configuration which connects networks together. This can introduce a critical vulnerability if it bypasses security controls (e.g., smartphone with WiFi or 3G access).

BYOD (Bring Your Own Device): specific agreement and setup to allow an employee to connect a personal device (smartphone, tablet, …) to the SE network for business purposes.

Cloud-based services: applications and services offered over the Internet to share information (e.g., backup services, social networking) and accessed from multiple systems (PC, smartphone, home…).

Encryption: coding of information so that it can only be read by the owners of the decoding key. Encryption secures confidential data storage or transfers (banking, VPN access, USB key). Hackers intercepting the traffic or stealing equipment cannot read the data.

Endpoint protection: software bundling an antivirus service with a firewall, file encryption and other security features.

Firewall: software or hardware device protecting a network or a computer from unauthorized traffic. A personal firewall is installed on every SE PC: it must never be disabled.

Freeware: software anyone can download and distribute without any payment. Freeware can be used to spread malware.

IT (Information technology): information computing equipment, or the people working with these technologies.

Log files: history of technical events automatically recorded (e.g., date, alerts…), used by administrators for troubleshooting.

Monitoring: automatic survey of the IT systems to maintain optimum usage and compliance with security requirements. Monitoring systems can automatically alert the IT support.

Protocol: technical language between systems. Secured protocols (e.g., https, with the "s") strengthen your security (authentication, eBanking).

VPN (Virtual Private Network): extension of a private network over the Internet. The SE VPN allows users to work remotely with the same protection as from an SE office (web filtering, antivirus…).

WiFi (Wireless Fidelity): wireless technology to connect equipment to networks. Fake public WiFi (hotel, airport lounge) can be used by hackers to capture a traveler's traffic.

