Acceptable IT Systems

Usage Policy
Document Number: IBQ/ISO/2013/002
Version 1.0 – December 17, 2013

Distribution: Internal Use

The information contained in and transmitted with this document is for INTERNAL USE ONLY. It is intended only for the individual
or entity designated above. You are hereby notified that any dissemination, distribution, copying or use of or reliance on the
information contained in and transmitted within this document by or to anyone other than the recipient designated is unauthorised
and is strictly prohibited. This document is strictly to be used for the purpose it is defined for.
Document Control

Document Title: Acceptable IT Systems Usage Policy
Document Author: Information Security Office
Document Owner: Information Security Office
Document Status: Approved
Effective Date: Post Approval
Classification: Internal Use

Version History

Version: 1.0
Description: Initial Publication
Authors: Abdullah Rimawi, Mahmoud Alslakhi
Date: 17 December 2013

Approval List

Information Security Group (ISG): 17 March 2014
Risk Management Committee (RMC): 19 March 2014
Board Risk and Compliance Committee (BRCC): 24 April 2014
Board of Directors (BOD): 27 April 2014

Table of Contents
1. Introduction
1.1 Purpose
1.2 Scope
1.3 Enforcement
1.4 Monitoring
1.5 Exception
2. Policy
2.1 IT Assets Handling
2.2 System Usage
2.3 Incident Reporting
2.4 Internet Usage
2.5 User IDs and Passwords
2.6 Password Standard
2.7 Email Usage
2.8 Email Etiquette
2.9 File Server Usage
3. Security Violations
4. Confidential Information
5. Document Administration
5.1 Document Owner
5.2 Document Review
Employee Declaration

1. Introduction
Effective security is a team effort involving the participation and support of all Bank personnel
who deal with information and/or information systems. It is the responsibility of every employee
to understand the policy and to conduct their activities accordingly. All references made to
personnel in this policy include Bank employees (whether full time or part time), contractors and
third-party personnel.

IT-related systems, including but not limited to computer equipment, operating systems,
software applications, storage media, and network accounts providing electronic mail, internet
browsing and file sharing, are the property of the Bank. In the course of normal operations,
these systems are to be used for business purposes in serving the interests of the Bank and of our
customers.

1.1 Purpose
This policy outlines the acceptable use of computer systems at the Bank. It is designed to prevent
misuse of the Bank’s IT systems, where such inappropriate use could expose the Bank to risks,
including virus attacks, compromise of network systems and services, and legal issues for the
Bank and the individual user. Users should note that the Bank reserves the right to claim against
individual users for losses caused due to misuse of the Bank’s IT systems.

1.2 Scope
The acceptable IT Systems Usage Policy applies to and is mandatory for all the Bank personnel
who use the Bank’s IT systems. It covers all use of the Bank’s IT systems and services including
privately owned systems used for the Bank’s business, systems or applications provided to the
Bank by third parties and any equipment owned or leased by the Bank.

This policy covers all IT assets, defined as follows:

 All information stored in soft form;
 IT services such as email and internet;
 Computers, laptops, phones, printers, servers, networks, etc. and all other related
hardware; and,
 All software and applications.

1.3 Enforcement
Failure to comply with this Policy, whether deliberately or due to careless disregard, will be
treated as serious misconduct and may result in actions, including but not limited to, disciplinary
action, dismissal, and civil and/or criminal proceedings.

In the case of a written complaint of serious misuse, or evidence indicating that malicious
software may be present in certain material on the system, the Bank reserves the right to
temporarily remove material from the system for its review or to permanently remove and/or
destroy it, if appropriate. In some situations, it may also be necessary to restrict or suspend
access or account privileges to prevent on-going misuse while the situation is under
investigation.

Alleged infractions of this policy are handled via formal procedures and investigation by the
Information Security Office, Internal Audit, Human Resource Department or Legal Department
as appropriate. Upon determination of misuse, individuals who are found to be in violation of
this Policy may be subject to the following:

 Restriction or suspension of computer access privileges;
 Disciplinary action by their business unit up to and including termination;
 Referral to law enforcement authorities for criminal prosecution; or,
 Other legal action, including action to recover civil damages and penalties.
For enforcement questions or clarifications on any of the information contained in this policy
document, please contact the Information Security Office (ISO@ibq.com.qa).

1.4 Monitoring
The data processed by and stored on Bank’s computer systems are the property of the Bank and
are subject to applicable Bank copyright and intellectual property policies and applicable
government laws and Central Bank regulations.

Individuals should be aware that their use of Bank information resources, including accessing the
Internet or using electronic mail, social media, instant messaging, telephone, or voice mail, is
not private and may be monitored by the Bank. While the Bank does not routinely monitor
individual usage of the Bank’s information resources, the normal operation and maintenance of
these resources require the backup and caching of data and communications, the logging of
activity, the monitoring of general usage patterns, and other such activities that are necessary for
the provision of service. The Bank may specifically monitor the activity and accounts of
individual users of the Bank’s information resources, including individual login sessions, the
content of individual communications, and the contents of stored information, with or without
notice, when:

 The individual has voluntarily made the information accessible to the public;
 It reasonably appears necessary to do so to protect the integrity, security, or
functionality of the Bank’s information resources or to protect the Bank from
liability;
 A written complaint has been received, or there is reasonable cause to believe, that
the individual has violated or is violating this Policy;
 An account appears to be engaged in unusually excessive activity;
 There is a business need to do so; or,
 It is otherwise required by law.
Any such monitoring of communications or stored information, other than what is made
accessible by the individual, required by law, or necessary to respond to perceived emergency
situations, must be authorized in advance by the Managing Director, the AGM – Risk
Management or the AGM Operations and IT. The Bank, in its discretion, may disclose the results
of any such general or individual monitoring, including the contents and records of individual
communications or stored information, to appropriate Bank personnel or law enforcement
agencies and may use those results in appropriate Bank disciplinary proceedings (see Anti-
Fraud Policy).

1.5 Exception
Any department or business unit of the Bank that cannot comply with any portion of this Policy
must submit a written exception request to the Information Security Office for review and
disposition. Depending on the level of risk posed by granting the exception, the request may be
referred to the Information Security Group (ISG) for resolution.

Exception requests must include the scope and duration of the exception, the business reason for
the exception, and a committed remediation plan and time frame to achieve compliance.
Exception requests must be reviewed and signed off by the Information Owner of each
information resource affected by the exception before they are submitted.

Exceptions will be granted on a time-limited basis and must be managed according to the Bank’s
established information risk management process. Detailed requirements, steps, and forms for
making and tracking exception requests are described in the information security Procedure for
Policy Exception Requests.

2. Policy
2.1 IT Assets Handling
2.1.1 Movements of IT assets, such as transfers and disposals, are decided and managed by the
IT department in association with the Facilities and Administration department.

2.1.2 Misuse, loss, damage, pilferage or theft of IT assets must be reported immediately to the
IT department.

2.2 System Usage

2.2.1 Systems include desktops, laptops and phones owned and/or provided by the Bank for
business use.

2.2.2 The Bank recognises that users may occasionally need to use the Bank's IT systems for
personal purposes. Personal use of the Bank's IT systems should be reasonable, i.e.
minimal in extent and always in compliance with this policy.

2.2.3 All users must adhere to the following:

Do:
 Users are primarily responsible for the security of their machines and for taking adequate
measures to restrict physical and logical access by unauthorised users.
 Log-out from all applications and lock machine when left unattended temporarily or for
an extended period of time; shut down at end of the day.
 Keep all their documents and other files in their folders on the “R” drive on the file
server.
 Keep all documents and other files that other members of the department need to access
in their department common folder on the “T” drive on the file server.

Don’t:

 Don’t use the Bank’s IT systems to access, download, store, send or forward games,
graphics (including photographs), movies, music, radio stations, video clips or similar.
 Don’t download or install unauthorised application software or patches.
 Don’t use the Bank’s IT systems to send, forward, download, access, process or store
any material (including emails, news groups and internet sites or content) and any
software on or through the Bank’s IT systems that:
 Is defamatory, indecent, obscene, threatening, racist, sexist, offensive, abusive,
illegal or in any way breaches the Bank’s Equal Opportunities Policy;
 Contains computer viruses or other destructive software; or,
 Breaches the right of any third party including:
 Copyright;
 Trademarks, trade secrets, patents or intellectual property rights; or,
 Software licensing agreements (for further details on software licensing
policy, please contact the Head of IT).
 Don’t use any removable media such as USB drives, removable CD-ROM, floppy
drives, tape drives, etc. on desktops. Exceptions, if any, need prior approval from the
Department head and the Head of IT.
 Don’t keep any files in Desktop or on the local drive – they are not backed up.
 Don’t enable sharing of folders on your local machine with other users in the network.
If required, use department common share folder (T drive) provided on the file server.
 Don’t disable or change the installed anti-virus or the anti-spyware/adware agents.
 Don’t change any of the system settings defined during the installation.

2.3 Incident Reporting
Report all IT-related issues/incidents to the IT department via the IT Help Desk system or send
an email to IT_Helpdesk@ibq.com.qa. Please give as much detail as possible describing the
nature and type of the reported issue.

2.4 Internet Usage

2.4.1 Internet access is provided only for business purposes.

2.4.2 Users are granted Internet access only when it is required for their job function and where
their line managers request it through raising a computer access form in the IT Help Desk
system.

2.4.3 The Bank reserves the right to record, review and monitor all internet activity.

2.4.4 All users must follow the Do’s below and avoid the Don’ts:

Do’s

 Access to the internet must be through the assigned user IDs.
 Access to the internet from Bank systems must be through authorised services and
official connectivity set up by the Bank.

Don’ts

 Don’t bypass Bank services and official connectivity to the internet (e.g., by connecting
directly through a modem/router) and don’t bypass any other devices that the Bank may
install to protect the integrity of its data and network.
 Don’t use public mail services for official correspondence.
 Don’t use internet facilities to download, upload, share or distribute malicious software
or confidential documents, or to conduct illegal or unethical activities, including gambling,
accessing obscene material or misrepresenting the Bank.
 Don’t allow others to use your Windows log-on ID to access internet service.
 Don’t use the internet in an inappropriate way that might cause network bandwidth
degradation, e.g., downloading personal information that uses all or part of the network
bandwidth, hence causing response delays for business use.
 Don’t use the Bank’s systems for instant messages (e.g., Yahoo Messenger, Google
Chat, etc.) in any form.
 Don’t use the Bank’s systems for Voice over IP (VoIP), e.g., Skype calls, messaging
and video conferencing. Exceptions, if any, need prior approval from the Department
head and the Head of IT and Application Support, and must be made via duly authorised
equipment and stations set up by IT.

2.5 User IDs and Passwords
2.5.1 All users must adhere to the following:
Do’s

 Change passwords regularly.
 Treat all passwords as sensitive and confidential.

Don’ts

 Don’t use generic accounts (e.g., system accounts) unless no alternative exists and the use is
authorised by the Business/Information Owner and the Information Security Office (ISO).
 Don’t share User ID and passwords with anyone including colleagues and IT staff.
 Don’t ask others for their passwords.
 Don’t keep a written copy (in paper or electronic form) of passwords.

2.6 Password Standard

2.6.1 Passwords must have a minimum length of 8 characters in all systems, including the network
and applications.

2.6.2 Use strong passwords. A strong password is derived through a mix of numerals (1, 2, 3,
etc.), special characters (!, @, #, $, etc.), small letters (a, b, c, etc.) and capital letters (A,
B, C, etc.).

2.6.3 Choose passwords that are easy to remember but difficult to guess. Some of the
guidelines for password construction are:
 Do not use your own name, a short form of your own name, your own initials, or names of family,
friends, co-workers, the company or popular characters.
 Do not use personal information such as date of birth, address, telephone numbers, etc.
 Do not use common words found in the English dictionary.
 Do not use word or number patterns like aaabbb, qwerty, zyxuvwts, 123321, etc.
 Do not use any of the above preceded or followed by a digit (e.g., secret1, 1secret,
letmein1, etc.).
Note: Do not use any of these examples, or any examples given in seminars, workshops,
training, etc., as your passwords.
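As an added illustration of the standard in 2.6.1 to 2.6.3 (example code written for this page, not part of the Bank's policy or of any IBQ tooling), the following Python function checks a candidate password against those rules: minimum length, the four character classes, personal information supplied by the caller, a dictionary check, keyboard/alphabet sequences, and repeating or mirrored patterns. Because 2.6.3 also forbids a banned value with a digit in front or behind it, the word checks are repeated on the password with its leading and trailing digits stripped, so that secret1 and 1secret are rejected. The names check_password, has_sequence, has_repetition, COMMON_WORDS and the word list itself are assumptions; COMMON_WORDS is a constructed stand-in for a full dictionary file.

```python
import re

# Constructed stand-in for "common words found in the English dictionary" (2.6.3).
# A real deployment would load a full word list from a file instead.
COMMON_WORDS = {"secret", "password", "welcome", "letmein", "summer", "monday"}

# Rows used to detect keyboard and alphabet sequences such as qwerty or zyxw.
SEQUENCES = ("qwertyuiop", "asdfghjkl", "zxcvbnm",
             "1234567890", "abcdefghijklmnopqrstuvwxyz")

MIN_LENGTH = 8  # rule 2.6.1


def has_sequence(pw, run=4):
    """True if pw contains `run` consecutive characters taken forwards or
    backwards from a keyboard row, the digits or the alphabet (qwerty, zyxw, 1234)."""
    low = pw.lower()
    for seq in SEQUENCES:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - run + 1):
                if s[i:i + run] in low:
                    return True
    return False


def has_repetition(pw):
    """True for repeated or mirrored patterns such as aaabbb or 123321:
    a character repeated three or more times, or a block of three or more
    characters immediately followed by its own reverse."""
    if re.search(r"(.)\1\1", pw):
        return True
    for n in range(3, len(pw) // 2 + 1):
        for i in range(len(pw) - 2 * n + 1):
            if pw[i + n:i + 2 * n] == pw[i:i + n][::-1]:
                return True
    return False


def check_password(pw, personal_info=()):
    """Return the list of policy rules the password violates (empty list = accepted).

    personal_info holds strings the user must not build a password from
    (names, initials, date of birth, phone numbers: rule 2.6.3)."""
    problems = []
    low = pw.lower()
    # Rule 2.6.3 says a forbidden value stays forbidden when a digit is prepended
    # or appended (secret1, 1secret), so the word check also runs on the password
    # with leading and trailing digits stripped.
    core = low.strip("0123456789")
    candidates = {low, core}

    if len(pw) < MIN_LENGTH:
        problems.append("2.6.1: shorter than %d characters" % MIN_LENGTH)

    # Rule 2.6.2: digits, special characters, small letters and capital letters.
    classes = (r"[0-9]", r"[^A-Za-z0-9]", r"[a-z]", r"[A-Z]")
    if not all(re.search(c, pw) for c in classes):
        problems.append("2.6.2: needs digits, special characters, small and capital letters")

    for info in personal_info:
        info = info.lower().strip()
        if len(info) >= 3 and info in low:
            problems.append("2.6.3: contains personal information (%s)" % info)
            break

    if any(c in COMMON_WORDS for c in candidates):
        problems.append("2.6.3: is a dictionary word, optionally with a digit attached")

    if has_sequence(pw) or has_repetition(pw):
        problems.append("2.6.3: contains a keyboard, alphabet or repeating pattern")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs; "Jane Doe" is a made-up user, not a real person.
    for candidate in ("secret1", "qwerty123", "Jane.Doe1!", "Tk7#wqLm2!"):
        print(candidate, "->", check_password(candidate, personal_info=("Jane", "Doe", "1985")) or "accepted")
```

The function returns the violated rules rather than a bare yes/no, which lets a password-change form tell the user which guideline failed without echoing the password itself anywhere; the candidate password should never be written to a log. In a real deployment COMMON_WORDS would be replaced by a full word list, and the HR record (name, initials, date of birth) would be the source of personal_info.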

2.7 Email Usage

2.7.1 The Bank provides electronic mail (email) resources to support its business
communication; they must not be used for personal purposes.

2.7.2 Remember that emails are neither confidential nor secure. You must not include
confidential information in the main body of the email, particularly if the email is going
to a recipient(s) outside the Bank.

2.7.3 By default, email access is not provided to users unless the line manager requests the
access through a Computer Access Form raised via the IT Help Desk system.

2.7.4 The Bank reserves the right to record and monitor all email received or sent, including
any which have been marked personal, private, restricted or confidential. The Bank
monitors email traffic to ensure both the on-going integrity of the Bank’s IT systems and
compliance with this policy.

2.7.5 Users are provided with a fixed amount of storage space in their mailboxes.

2.7.6 The maximum storage space for mailboxes is allotted as follows:
 Users: 200 MB
 Attachments: 20 MB
 Executives: 500 MB
Note: Any exceptions to this storage requirement must be approved by the Head of IT
and Application support.

2.7.7 All users must adhere to the following:

Do

 Periodically delete or archive older mails to your personal folder, i.e., the R drive on the
file server.
 Follow corporate email font and format standards for email communication:
 Font type as approved by Corporate Communications.
 Standard email signature and disclaimer as approved by Corporate
Communications and auto-configured by the IT department.
 Users are responsible for the content of email originated, replied or forwarded from
their account to other users inside or outside the Bank.
 Address emails only to intended persons and be careful when using “Reply All”.

Don’t

 Don’t change or alter the approved corporate email font, format, standard email
signature and disclaimers.
 Don’t allow any other person to use your official email.
 Don’t access websites by clicking on links provided in emails from unknown or
untrusted senders.
 Don’t unnecessarily copy or forward emails (cc) or create a loop that blocks server
space and congests the network.
 Don’t send or forward following categories of emails within or outside the Bank:
 Emails with libellous, defamatory, offensive, racist or obscene remarks, or
containing viruses or worms.
 Emails that reveal, disclose or communicate any official/confidential information to
external parties without obtaining formal authorisation from the Information
Owner or appropriate authority.
 Chain emails forwarded from a chain of people. They may contain viruses,
hoaxes, jokes, political advocacy efforts, greeting emails with downloadable
pictures, Flash files or applications, or similar.
 Emails containing any document, software or other information where transmitting
it would breach copyright (unless there is an implicit or explicit permission from
the author/owner), privacy, confidentiality or disclosure regulations.
 Don’t send any fraudulent or misleading offers for products and services of the Bank
from the Bank business accounts (See also Acceptable Electronic Customer
Communication Use Policy (IBQ/ISO/2013/007)).
 Don’t use the Bank’s system to generate, send (or allow to be sent) spam emails and
spam instant messages.
 Don’t use the Blind Carbon Copy (“BCC”) feature in emails. If you need to send an
email to a group without identifying the members to each other, send personalised
individual messages.

2.8 Email Etiquette

The number of emails received by staff continues to grow, particularly due to the copy feature.
Every email received requires an amount of time to read – even if the email is not relevant to the
receiver. Before sending an email or copying staff with an email, staff should consider the
following:

 Is it necessary to send the email in the first place? Will a phone call suffice, particularly
for urgent matters?
 Do all the recipients really need to receive a copy?
 If a response is required, indicate by when the response needs to be received.
 Sending an email does not remove responsibility and accountability – issues requiring
action should still be followed up by the sender of the email.
 Do not assume that an email has been read and actioned by the recipient just because
the email has been sent. Some staff may receive in excess of a hundred emails daily and
may not be able to read or action on the same day.
 Always include a subject line describing what the email is about.
 As a receiver of an email, staff should try to respond in a timely manner.
 Avoid “Ping-Pong” emails bouncing backwards and forwards. Instead, pick up the
phone and speak to your colleague.
 Set the default on your email client to automatically spell-check your email before
sending.

2.9 File Server Usage

2.9.1 Department heads decide and initiate requests for provisioning of server share folder space
for their department users.

2.9.2 Users and departments are provided with fixed storage space in the file server for storing
and sharing data within the department. The storage space is allotted as follows:
 Users: Up to max. 300 MB
 Department: Up to max. 30 GB
Note: Storage requirements for each department are decided by the IT Department.
Any exceptions to this storage allocation must be approved by the Head of IT and
Application support.

2.9.3 All users must adhere to the following:

Do

 Users who have a personal folder are responsible for their folder’s content and the
department head is responsible for the contents of the department shared folder.
 Keep only data that you need in your personal folder and regularly clean up data that is
no longer required. If you have long term retention requirements, ask IT for archive
option.
Don’t

 Don’t keep multiple copies of the same file (it consumes unnecessary disk space).
 Don’t keep non-business content in personal folder (e.g., music, games, etc.).

3. Security Violations
Certain categories of activity that have the potential to harm, or actually do harm, the
information assets of the Bank are treated as security violations and are strictly prohibited. All
security violations entail disciplinary action. Any attempt to breach the security of applications,
the network or IT devices, whether or not it results in actual damage or financial loss, is also a
security violation.

Some examples of security violations:

 Connecting modems/routers to machines without the approval of the Head of IT and
Application Support.
 Introducing viruses of any kind.
 Password guessing.
 Indulging in “Computer Impersonation” or spoofing.
 Erasing or modifying data on central systems (such as file servers, applications) without
approval from the Information Owner.
 Downloading or transmitting personal (photos, videos, songs, etc.) or any objectionable
(politics, pornographic materials, religious materials, etc. against local culture or
tradition) content through email or internet.
 Running attack tools or sniffing on the network.
 Bypassing access control mechanisms.
 Exploiting any system vulnerability.
 Installing or distributing unlicensed software.
 Indulging in vandalism.
 Involvement in computer fraud or theft.
 Changing system setups.

4. Confidential Information
Source code, customer data and information, software design and development methodology,
Bank’s business information and affairs are some examples of confidential and/or restricted
information. Refer to Information Classification Policy (IBQ/ISO/2013/011) for further guidance
on Information Classification.

You are reminded that it is a criminal offence under Qatari law to disclose customer information
to parties outside the Bank without the customer’s permission. Offenders can be fined and/or
sent to jail.

Failure to comply with the confidentiality required gives the Bank the right to take action as
deemed appropriate, including legal actions.

All users must adhere to the following:

Do

 Return, under acknowledgement to the Bank, any originals or copies of the above
mentioned material or any similar material on exit from employment.
 Adhere to the Global Information Security Policy of the Bank (IBQ/ISO/2013/001).

Don’t

 Don’t disclose, leak, or utilise any confidential information belonging to the Bank
either during or after employment.
 Don’t access, read, copy, disclose to others, delete or destroy any type of information
not in the scope of the employee’s job.
 Except as may be necessary for the purpose of his/her duties and with the consent of the
Bank, the employee must not remove from the Bank premises (by any means, physical or
electronic) originals or copies of:
 Identity Cards.
 Customer information
 Letters/reports.
 Codes/scripts/programs.
 Specifications/ forms/ licenses/agreements.
 Any other form of information (electronic or paper) of whatever nature belonging
to the Bank.
 Don’t personally retain any kind of physical or electronic information which may have come
into his/her possession by reason of his/her employment.
 Don’t use personal IT assets, e.g., laptops and/or PDAs (Personal Digital Assistants), to
connect to the Bank local network without appropriate authority.

5. Document Administration
5.1 Document Owner
This document is owned by the Information Security Office which is responsible for its content
and maintenance.

5.2 Document Review

This document is subject to review on an annual basis (or more frequently, if necessary) to
validate that its content remains relevant and up-to-date. Significant or material changes to this
document must be reviewed and approved by the Information Security Group (ISG) and then
submitted to Risk Management Committee (RMC) for ratification as described in Section 2,
Roles and Responsibilities, Global Information Security Policy (IBQ/ISO/2013/001).

Employee Declaration

Employee Number : ………………………………………………..
Name : ………………………………………………..
Department : ………………………………………………..

I have read and understand the Acceptable IT Systems Usage Policy (IBQ/ISO/2013/002),
version 1.0, dated 17/12/2013 and agree to abide by it.

Signature : …………………..………… Date: ……………………………………
