
Information Security Code of Conduct


Academic year: 2021


IT’s up to us

> Passwords

> Anti-Virus

> Security Locks

> Email & Internet

> Software

> Aon Information

Information Security Code of Conduct

> Contents

Aon Information Security Policy

Information Security Awareness

Eight Steps to Security Passwords

Anti-Virus

Security Locks

Internet & Email

Software

Aon Information

Data Protection

ID Badges

> Aon Information Security Policy

Chief Executive Officer’s Introduction

Aon relies on its information processing systems to conduct business. In order to ensure that these are adequately protected from unauthorised access or use, all employees, contractors, temporary employees and business partners must abide by these policies, procedures, and guidelines. Failure to do so may result in disciplinary action, including possible termination of employment and legal action.

It is every user’s responsibility to use Aon Limited and its associated companies’ computer resources and facilities responsibly, ethically, lawfully, and professionally.

Robert Brown

Chief Executive Officer, Aon Limited

> Information Security Awareness

Eight Steps to Security

1 Always select strong, secure passwords (a mix of alpha and numeric, minimum 8 characters). Never share or write down your passwords.

2 Ensure that anti-virus protection software is installed, up to date and operational on your PC or laptop.

3 Laptops must be securely locked at all times by using security locking cables. Information which is highly confidential to Aon and stored on Aon laptops must be encrypted.

4 Internet and email are to be used for business purposes only. Always delete any unsolicited (spam/junk) email from unknown recipients. Never open non business-related attachments and don’t distribute non business-related email to anyone.

5 Never install unauthorised software on Aon’s PCs or laptops. Never attach unauthorised devices to Aon’s IT networks, PCs or laptops.

6 Never disclose Aon information without validating the identity of the requester. Ensure you are authorised to disclose the information.

7 Protect Aon’s information in all its forms. Classify information. Lock away confidential material. Shred unwanted printed information. Operate a clear desk policy.

8 Always wear your ID badge. Politely challenge those without Aon ID badges who are in Aon offices. Keep Aon premises secure and report any suspicious activity to Premises Security.


Warning regarding Monitoring of Aon Systems

Aon monitors its IT systems. Abuse of Aon IT systems and information assets and failure to comply with company policy is a disciplinary offence which may result in termination of employment and/or legal action against the offender.

Storage of Personal Information on Aon IT Systems or Resources

Aon’s systems are for Aon business use and not for personal, non-business activities. If employees store personal information on Aon IT resources then Aon cannot guarantee that it will remain confidential. Employees are advised not to store this type of personal information on Aon’s systems or resources.

1 Always select strong, secure passwords. Never share or write down your passwords.

Why? Weak passwords are easy to ‘crack’. A weak password means our security can be broken and information disclosed, changed or deleted.

You are issued with a personal user-id and password – for your exclusive use. Aon’s system audit trails make you personally accountable for the use of your user-id. For this reason, you must never give your password to anyone, including IT staff*. Watch out for password scams in which you receive an authentic-looking email requesting you to disclose your password. These are hoaxes but many Internet banking customers have been caught out by their own gullibility.

Make your password easy for you to remember but difficult for others to guess. To create a ‘strong password’:

• It must have at least 8 characters and a mix of alpha and numeric characters eg M0use#12 (using zero not the letter O in Mouse)

• Mix upper and lower cases

• Avoid using words in dictionaries or names or things which others may associate with you, eg children’s names or dates of birth

* Note: If you do have to disclose your password for IT support purposes then please change it afterwards to minimise risk of exposure

2 Ensure that anti-virus protection software is installed, up to date and operational on your PC or laptop.

Why? Viruses and other malicious code are the most common source of major disruption to IT systems.

Prevention is better than cure. Aon invests a lot of money and effort in anti-virus controls. It is imperative that employees help to maintain the effectiveness of these controls by doing the following:

• Never tamper with anti-virus software controls. These are normally ‘locked down’ (ie cannot be edited) but please don’t attempt to make changes if this is not the case

• Laptop users must check their anti-virus definitions are up to date on a regular basis (at least monthly). Visit the IT Intranet for instructions (www.ke.aon.co.uk/ke_it/home/default.jsp)

• Always read and act upon Information Security Services – UK email notifications regarding new virus threats

• Never stop the automatic download of new anti-virus definition files to your PC or laptop. Laptop users are advised to update these files when they are in Aon offices rather than via remote access

3 Laptops must be securely locked at all times by using security locking cables. Information which is highly confidential to Aon and stored on laptops must be protected using the Aon encryption product.

Why? Laptops are easy to steal or lose and contain lots of intellectual capital and Aon information, some of which may be confidential to our clients. All of our employees have a duty to protect Aon’s information. Laptops must be protected in the following ways:

• Always lock the device using the locking cable provided. If you do not have a cable then order one immediately via the IT service desk (Extn 199 internal)

• Lock the laptop away at night in a secure cabinet if it is not required. Out of sight is out of mind

• Never leave laptops unattended in cars or hotels while travelling. Secure them or keep them with you

• Always use the PointSec encryption product if you have ‘Aon highly confidential’ information on the laptop, that is, information which could cause significant damage to Aon if it were disclosed (medical records, kidnap/ransom, merger and other Aon stock-related information not in the public domain). PointSec must be purchased from the IT Procurement Catalogue

4 Internet and email are to be used for business purposes only.

Why? Email is the preferred method for business and personal communications. However, all messages sent from Aon’s email systems carry the Aon name. Inappropriate email damages Aon’s reputation.

For this reason Aon’s email system is for business use. Personal use is tolerated if it is in moderation and does not contain any inappropriate comment or material.

The following rules apply:

• Do not send email which contains inappropriate content or causes harassment (eg obscene or defamatory messages)

• If you receive inappropriate email then delete the message, preferably without opening it

• Never open non business-related file attachments. These could be new virus-infected files. Delete them immediately

• Do not forward jokes or chain letter emails. These can cause significant waste of employee time and harassment to the recipients

• Only act upon Information Security warnings issued by Aon IT. Beware of email hoax warnings. Never forward these to anyone in Aon or externally

Similarly, the Internet is a key business resource tool. The Internet must be used for business purposes and personal use must be kept to a minimum.

The following rules apply:

• Personal ‘surfing’ is only permitted if used in moderation, if appropriate sites only are accessed, and outside of core business hours (lunch break, before 08.00 or after 18.00)

• Never attempt to access any offensive sites. Attempts to access inappropriate non business-related Internet sites are logged and you may have to explain your actions to your line manager

• Never use the Internet in a way that may be offensive, disruptive or harmful to Aon’s reputation

• Never download any software including games and music files. This may be an infringement of copyright laws. Business tools and other applications need to be authorised by Aon IT before they may be used within Aon’s environment

• Access to web mail/Internet email accounts such as hotmail and yahoo mail is prohibited. Webmail providers are considered high risk as they are often the source of virus infections


5 Never install unauthorised software or attach unauthorised devices to Aon IT resources or networks.

Why? The use of unlicensed software on a computer is a criminal offence. It is easy to download software from the Internet or load personal software and not realise that the law is being broken. All software programs have terms and conditions, as set out by the software publisher or owner of the copyright and these must be adhered to and managed by Aon. Unauthorised devices may disrupt Aon’s networks especially if they are infected with viruses or malicious code.

The following rules apply:

• Never install any unauthorised software (including Freeware and Shareware) onto any of Aon’s devices

• Games, music and non business related pictures must not be installed on any computer

• Never attach any unauthorised devices including mobile phones, PDAs (eg Palm or IPAQ) and other IT equipment. Contact your IT Helpdesk for further information

• When storing data on USB hard drives you must ensure the data is secured (encrypted) to avoid exposure of company or client data eg use Winzip to encrypt data. Before connecting any USB hard drive to the Aon network ensure it is scanned for viruses

Contact your IT Helpdesk for further information on how to do this or visit

6 Never disclose Aon information without validating the identity of the requester. Ensure it is appropriate to disclose the information.

Why? Disclosing information to the wrong people can cause major damage to Aon. It can also be a breach of the Data Protection legislation. Please consult the Data Protection Policy on the Knowledge Exchange for further information.

The following rules apply:

• Verify the identity of the person requesting the information

• Ensure they have a valid reason and are authorised to obtain the information

• Trust your instincts. If you are suspicious, refer the request to your line manager

7 Protect Aon’s information in all its forms. Classify information, lock away confidential material and shred unwanted information. Operate a clear desk policy.

Why? Information comes in many forms (eg written, spoken and electronic media) and it needs protecting as it is created, stored, utilised, communicated and finally deleted. This is the information life cycle. There is no point having expensive IT security controls to protect confidential information if our employees leave information unprotected on their desks, or throw material away without placing it in the ‘Confidential Shredding’ sacks.

The following rules apply:

• Classify information when it is created (Aon Internal, Aon Confidential, Aon Highly Confidential). Please refer to the Information Classification Matrix within the IT Security Policy (www.ke.aon.co.uk/ke_it/home/info_security/policies/default.jsp)

• Use ‘footers’ to label documents, presentations and files with the Aon classifications. This helps others to know how to protect the information

• Operate a clear desk policy – every day

• Store information appropriately. Lock away confidential material

8 Always wear your ID badge. Politely challenge those in Aon offices without Aon ID badges. Keep Aon premises secure and report suspicious activity.

Why? Aon cannot protect your workplace if strangers are allowed into our offices without being challenged. Some Aon locations do not have ID badges but don’t be afraid to ask politely who strangers are and if you can help them to verify that they are in the right place.

The following rules apply:

• If you work in a site where Aon ID badges are issued to all staff, you must wear your badge at all times. Don’t let strangers in if they don’t have a badge – direct them to reception

• Report suspicious activity to Premises Security in London 020 7216 3333

• For the 55 Bishopsgate office call 020 7814 9210


Aon Limited 8 Devonshire Square London EC2M 4PL United Kingdom

tel: +44 (0)20 7623 5500 fax: +44 (0)20 7621 1511 www.aon.co.uk

Published by Aon Limited.

Registered office 8 Devonshire Square, London EC2M 4PL.

© Copyright Aon Limited 2009. All rights reserved.

No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any way or by any means, including photocopying or recording, without the written permission of the copyright holder, application for which should be addressed to the copyright holder.

Aon Limited is authorised and regulated by the Financial Services Authority in respect of insurance mediation activities only.

BC2120–10.09

This document has been produced using a minimum of 50% recycled material from a sustainable forest.
