This Acceptable Usage Policy covers the security and use of all MedAsia Philippines information and IT equipment. It also includes the use of email, internet, voice and mobile IT equipment. This policy applies to all information, in whatever form, relating to MedAsia Philippines business activities, and to all information handled by MedAsia Philippines relating to other organisations with whom it deals. It also covers all IT and information communications facilities operated by MedAsia Philippines or on its behalf.
Policy
Computer Access Control – Employee's Responsibility
Access to the MedAsia Philippines IT systems is controlled by the use of User IDs, passwords and/or tokens. All User IDs and passwords are to be uniquely assigned to named employees; consequently, individuals are accountable for all actions performed under their identity on the MedAsia Philippines IT systems.
Employees must not:
Allow anyone else to use their user ID/token and password on any MedAsia Philippines IT System.
Leave their user accounts logged in at an unattended and unlocked computer.
Use someone else’s user ID and password to access MedAsia Philippines IT Systems.
Leave their password unprotected (for example writing it down).
Perform any unauthorised changes to MedAsia Philippines IT Systems or information.
Attempt to access data that they are not authorised to use or access.
Exceed the limits of their authorisation or specific business need to interrogate the system or data.
Connect any device not authorised by MedAsia Philippines to the MedAsia Philippines network and IT Systems.
Store MedAsia Philippines data on any equipment not authorised by MedAsia Philippines.
Give or transfer MedAsia Philippines data or software to any person or organisation outside MedAsia Philippines without management authorisation.
Internet and Email Conditions of Use
Use of MedAsia Philippines internet and email is intended for business use. Personal use is permitted where such use does not affect the individual’s business performance, is not detrimental to MedAsia Philippines in any way, not in breach of any term and condition of employment and does not place the individual or MedAsia Philippines in breach of statutory or other legal obligations.
All employees are accountable for their actions on the internet and email systems.
Details may be found in Employee Internet Usage Policy and Email Policy.
Clear Desk and Clear Screen Policy
In order to reduce the risk of unauthorized access or loss of information, MedAsia Philippines enforces a clear desk and screen policy.
Computer terminals shall not be left logged on when unattended and shall be password-protected.
The Windows Security Lock shall be set to activate when there is no activity for five minutes.
The Windows Security Lock shall be password protected for reactivation.
Employees shall shut down their machines when they leave for the day.
No screen savers shall be enabled on individual desktops and laptops; the password-protected Windows Security Lock is the required control.
Where practically possible, paper and computer media shall be stored in suitable locked safes, cabinets or other forms of security furniture when not in use, especially outside working hours.
Sensitive or classified information, when printed, shall be cleared from printers immediately.
The reception desk can be particularly vulnerable to visitors. This area shall be kept as clear as possible at all times.
Individual Personal belongings like bags, books, edibles, etc. shall be kept in drawers.
Before leaving for the day an individual shall make sure not to leave any paper or belongings on the desk.
The Windows desktop shall hold only shortcuts, not copies of files or folders.
Computer screens shall be angled away from the view of unauthorized persons.
Physical access to the information system device that displays information shall be controlled to prevent unauthorized individuals from observing the display output.
Server rooms and office areas shall remain locked when they are not in use.
All Confidential and Internal Use information must be removed from the desk and locked in a drawer or file cabinet when the workstation is unattended and at the end of the workday.
All Confidential and Internal Use information must be stored in lockable drawers or cabinets.
File cabinets containing Confidential or Internal Use information must be locked when not in use or when not attended.
Keys used to access Confidential or Internal Use information must not be left in an unattended work area.
Laptops must be either locked with a locking cable or locked away in a drawer or cabinet when the work area is unattended or at the end of the workday.
Passwords must not be posted on or under a computer or in any other accessible location.
Copies of documents containing Confidential or Internal Use information must be immediately removed from printers.
Working Off-site
It is accepted that laptops and mobile devices will be taken off-site. The following controls must be applied:
Working away from the office must be in line with MedAsia Philippines employee remote work policy.
Equipment and media taken off-site must not be left unattended in public places and not left in sight in a car.
Laptops must be carried as hand luggage when travelling.
Information should be protected against loss or compromise when working remotely (for example at home or in public places). Laptop encryption must be used.
Particular care should be taken with the use of mobile devices such as laptops, mobile phones, smartphones and tablets. They must be protected at least by a password or a PIN and, where available, encryption.
The purpose of the Server Security Policy is to establish the standards for the base configuration of internal server equipment that is owned and/or operated by MedAsia Philippines. Effective implementation of this policy will minimize unauthorized access to MedAsia Philippines proprietary information and technology.
This policy applies to server equipment owned and/or operated by MedAsia Philippines and to servers registered under any MedAsia Philippines owned internal network domain.
Policy
Server Location
Servers should be placed in physically secured areas accessible only to authorized personnel.
System Configuration
The system administrators and information technology department must review the purpose or role of the server.
Operating System configuration must be in accordance with approved Information Technology Guidelines.
Remove or disable unnecessary services, applications and sample content.
Configure server user authentication and access controls.
Access to services must be logged and/or protected through access-control methods.
System administrators must provide relevant log file extracts to IT staff when required in order to investigate incidents involving suspected misuse of the system.
The most recent security patches must be installed on the system as soon as practical by the systems administrator, the only exception being when immediate application would interfere with business requirements.
Do not use the default admin/root account when a non-privileged account with the minimum necessary access will do.
Test the security of the server application (and server content, if applicable).
Maintain backups and operational continuity.
Report any security issues to the Information Technology Department immediately.
All administrator accounts will be assigned a unique password of at least nine characters that conforms to the password section of the Password Policy.
Users possessing Admin/Administrator/root rights will be limited to trained members of the Information Services (IT) staff only or the department system administrator of the server.
Physical Security
Servers must be located in a secure area that is, at a minimum, locked when not occupied. Access to physical consoles must be restricted to prevent interference with server configuration or software.
Remote access to servers for the purposes of system administration must use only approved secure protocols.
Server Logs
Logs of user activity must be retained for a period of at least six months. Logs should include (where feasible) the time and date of activities, the user ID, commands (and command arguments) executed, ID of either the local terminal or remote computer initiating the connection, associated system job or process number, and error conditions (failed/rejected attempts, failures in consistency checks, etc.). Logs should be checked for signs of malicious activity on a regular daily or weekly basis. Knowledge that logs are kept acts as a deterrent to abuse. Logs are also essential in investigating incidents after the fact. Many attempted break-ins can be detected early, and sometimes prevented, by early detection of unusual activity.
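As an added illustration of the log review described above (example code, not part of the original policy), the following Python scans a constructed log whose records carry the fields the policy asks for (timestamp, user ID, source host, process ID, command and result) and flags a burst of failed logins from one source, a successful login from that source after the burst, and any line that does not parse. The record format, the failure threshold and the time window are assumptions; a real review would run over the server's actual logs and tune them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in a hypothetical single-line format (assumption).
SAMPLE_LOG = """\
2024-03-04T08:01:12Z user=alice src=10.1.2.3 pid=4411 cmd="login" status=OK
2024-03-04T08:02:40Z user=alice src=10.1.2.3 pid=4411 cmd="ls /srv/records" status=OK
2024-03-04T08:10:01Z user=root src=203.0.113.9 pid=5120 cmd="login" status=FAIL
2024-03-04T08:10:03Z user=root src=203.0.113.9 pid=5121 cmd="login" status=FAIL
2024-03-04T08:10:05Z user=admin src=203.0.113.9 pid=5122 cmd="login" status=FAIL
2024-03-04T08:10:08Z user=backup src=203.0.113.9 pid=5123 cmd="login" status=FAIL
2024-03-04T08:10:11Z user=backup src=203.0.113.9 pid=5124 cmd="login" status=FAIL
2024-03-04T08:10:40Z user=backup src=203.0.113.9 pid=5125 cmd="login" status=OK
2024-03-04T08:11:02Z user=backup src=203.0.113.9 pid=5125 cmd="tar czf /tmp/x.tgz /srv/records" status=OK
2024-03-04T09:30:00Z user=bob src=10.1.2.7 pid=6001 cmd="login" status=FAIL
2024-03-04T09:30:20Z user=bob src=10.1.2.7 pid=6002 cmd="login" status=OK
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) pid=(?P<pid>\d+) '
    r'cmd="(?P<cmd>[^"]*)" status=(?P<status>OK|FAIL)$'
)

FAIL_THRESHOLD = 5              # assumed tuning values, not taken from the policy
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Parse each line into a dict; unparseable lines are kept and marked, not dropped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            events.append({"raw": line, "malformed": True})
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def review_log(text):
    """Return (finding, detail) tuples: a source with FAIL_THRESHOLD or more failed
    logins inside WINDOW, any later successful login from that source (a likely
    guessed credential), and malformed lines that a reviewer should look at by hand."""
    findings = []
    recent_fails = defaultdict(list)     # src -> timestamps of failures within WINDOW
    flagged_burst = set()
    for ev in parse_log(text):
        if ev.get("malformed"):
            findings.append(("malformed_line", ev["raw"]))
            continue
        src, ts = ev["src"], ev["ts"]
        fails = [t for t in recent_fails[src] if ts - t <= WINDOW]   # expire old entries
        recent_fails[src] = fails
        if ev["status"] == "FAIL":
            fails.append(ts)
            if len(fails) >= FAIL_THRESHOLD and src not in flagged_burst:
                flagged_burst.add(src)
                findings.append(("failed_login_burst", src))
        elif ev["cmd"] == "login" and src in flagged_burst:
            findings.append(("success_after_burst", f"{ev['user']}@{src}"))
    return findings


if __name__ == "__main__":
    for kind, detail in review_log(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

On the constructed sample the review reports the five failures from 203.0.113.9 and then the successful "backup" login from the same host thirty seconds later; the single failure by bob stays below the threshold. Sources are keyed by host rather than by user because the sample attacker rotates user names across attempts.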
Remote Administration
In order for server administrators and information technology staff to access a server from outside the office, they must be assigned a VPN account. The system administrator is responsible for registering IT staff before a VPN account can be assigned.
Purpose
The purpose of the Removable Media Policy is to minimize the risk of loss or exposure of sensitive information maintained by MedAsia Philippines and to reduce the risk of acquiring malware infections on computers and other devices operated by MedAsia Philippines.
Scope
Removable media refers to computer storage devices that are not fixed inside a computer and includes:
USB Flash Drives
Optical Discs (Blu-Ray discs, DVDS, CD-ROMs)
Memory Cards (Compact Flash card, Secure Digital card, Memory Stick)
Zip Disks/ Floppy disks
External hard drives (IDE, EIDE, SCSI and SSD)
Digital cameras
Smart phones
All removable media for use on information systems owned or operated by MedAsia Philippines are covered by this procedure.
Employees may independently use only MedAsia Philippines-issued encrypted USB flash drives. Other removable media may be used only with the agreement of, and in conjunction with, the information technology department.
Policy
Guidelines for Managing Removable Devices
Install anti-virus solution(s) on computers that will actively scan for malware when any type of removable media or device is connected.
Ensure that all removable media and devices are encrypted.
Never connect found media or devices to a computer. Give any unknown storage device to the information technology department.
Always apply new passwords before and after every business/personal trip where company data is being utilized on removable media or device.
Never disclose the passwords used with removable media or device to anyone.
Keep your personal and business data separate. Do not store MedAsia Philippines data on your personal device.
Restricted Access to Removable Devices
It is MedAsia Philippines policy to prohibit the use of all removable media devices. The use of removable media devices will only be approved if a valid business case for its use is developed. There are significant risks associated with the use of removable media, and therefore clear business benefits that outweigh the risks must be demonstrated before approval is given.
Requests for access to, and use of, removable media devices must be made to [name a role or department – e.g. Sales and Marketing]. Approval for their use must be given by the Information Technology Department.
Should access to, and use of, removable media devices be approved the following sections apply and must be adhered to at all times.
The purpose of Employee Internet Usage Policy is to establish rules and guidelines about the appropriate use of company equipment, network and internet access. We want to avoid inappropriate or illegal internet use that creates risks for our company’s legality and reputation.
This policy applies to all MedAsia Philippines employees who have access to computers and the internet for use in the performance of their work. Use of the internet by employees of MedAsia Philippines is permitted and encouraged where such use supports the goals and objectives of the business. However, access to the internet through MedAsia Philippines is a privilege and all employees must adhere to the policies concerning computer, email and internet usage.
Policy
All MedAsia Philippines employees must strictly observe the following rules when using the internet.
Employees are expected to use the internet responsibly and productively. Internet access is intended for job-related activities; limited personal use is permitted under the conditions set out in the Acceptable Usage Policy.
Job-related activities include research and educational tasks that may be found via the internet that would help in an employee’s role.
The equipment, services and technology used to access the Internet are the property of MedAsia Philippines, and the company reserves the right to monitor internet traffic and to monitor and access data that is composed, sent or received through its online connections.
Email sent via the MedAsia Philippines email system should not contain content that is deemed to be offensive. This includes, though is not restricted to, the use of vulgar or harassing language/images. Further details may be found in the Email Policy.
All sites and downloads may be monitored and/or blocked by MedAsia Philippines if they are deemed to be harmful and/or not productive to business.
The installation of software such as instant messaging technology and/or other software is strictly prohibited.
Employees may not access pornographic or other offensive websites (including, but not limited to, sexist, racist, discriminatory, intolerance & hate, gambling, hacking, pro-suicide & self-harm, or other sites that would offend a reasonable person in the same or similar circumstances). If the employee has any doubt whether access to a specific site is proper, he or she should seek approval from the information technology department.
Downloading, copying or pirating software and electronic files that are copyrighted or without authorization is strictly prohibited.
Attempting to gain unauthorized access to any website or system (hacking) is strictly prohibited.
Access Control
Employees may not use any other user’s ID, password or other identification to access the internet.
Employees attempting to connect to the office computer systems via the internet must authenticate at the firewall before gaining access to the internal network.
Employees may not establish modems, internet or other external network connections that could allow unauthorized users to access internal networks without the prior approval of the information technology department.
Employees may not establish or use new or existing internet connections to establish new communications channels without the prior approval of the information technology department.
MedAsia Healthcare System Philippines, Inc. is committed to protecting its employees and partners from illegal or damaging actions, whether intentional or unintentional, carried out through email. MedAsia Philippines employees are responsible for making appropriate use of email as a means of communication.
The purpose of this policy is to ensure the proper use of the MedAsia Philippines e-mail system. All messages distributed or received via the MedAsia Philippines e-mail system, including personal emails, are subject to all Information Technology Policies.
Policy
Prohibited Use
The MedAsia Philippines E-mail System shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Employees who receive any emails with this content from any MedAsia Philippines employee should report the matter to their supervisor immediately. The following activities are strictly prohibited, with no exceptions:
Sending unsolicited e-mail messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request such material (email spam).
Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
Unauthorized use, or forging, of email header information.
Solicitation of e-mail for any other e-mail address, other than that of the poster’s account, with the intent to harass or to collect replies.
Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
Use of unsolicited e-mail originating from within MedAsia Philippines networks or the networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by MedAsia Philippines or connected via the MedAsia Philippines network.
Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Giving out user credentials for any type of MedAsia Philippines account via email.
Personal Use
Using a reasonable amount of MedAsia Philippines resources for personal e-mails is acceptable, but nonwork related email shall be saved in a separate folder from work related email. Sending chain letters or joke emails from MedAsia Philippines email accounts is prohibited.
Email Retention
All MedAsia Philippines email sent or received is kept for seven years. All email stored on the email server will be backed up and retained indefinitely in Vault (eDiscovery and email archiving).
After the departure of an employee, the email account will be set to inactive. Files, messages, records and information with lasting value are transferred to the Information Technology Department for retention and disposition. The email account should be deleted within 14 days of the departure.
Monitoring
MedAsia Philippines Employees shall have no expectation of privacy in anything they store, send or receive on the MedAsia Philippines Email System. MedAsia Philippines may monitor messages without prior notice. MedAsia Philippines is not obliged to monitor e-mail messages.
The VPN Policy provides guidelines for Remote Access L2TP or SSL Virtual Private Network (VPN) connections to the MedAsia Philippines corporate network. This policy applies to all MedAsia Philippines employees who access the MedAsia Philippines network remotely, and to implementations of VPN that are directed through a VPN Concentrator.
Policy
Approved MedAsia Philippines employees may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.
Additionally,
It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to MedAsia Philippines internal networks.
VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase.
When actively connected to the corporate network, VPNs will force all traffic to and from the PC over the VPN tunnel: all other traffic will be dropped.
Dual (split) tunneling is NOT permitted; only one network connection is allowed.
VPN gateways will be set up and managed by the Information Technology Department.
All computers connected to MedAsia Philippines internal networks via VPN or any other technology must use the most up-to-date anti-virus software that is the corporate standard; this includes personal computers.
VPN users will be automatically disconnected from the MedAsia Philippines network after fifteen minutes of inactivity. The user must then login again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
Users of computers that are not MedAsia Philippines-owned equipment must configure the equipment to comply with MedAsia Philippines VPN and Network policies.
The Password Policy establishes a standard for the creation of strong passwords, the protection of those passwords and the frequency of change. The policy covers all MedAsia Philippines employees who have, or are responsible for, an account (or any form of access that supports or requires a username and password) on any system or application residing on any MedAsia Philippines network or cloud productivity application.
Policy
Requirements
All system-level passwords (Administrator, etc.) must be changed on a quarterly basis, at a minimum.
All user-level passwords (e.g., email, web application, desktop computer, cloud productivity applications, etc.) must be changed at least every three months.
After the departure of an employee, any user-level accounts for that individual must be disabled or changed to a role suitable to their status and all system-level passwords known to that individual should be changed as soon as possible, not to exceed three days.
All user-level and system-level passwords must conform to the standards described below.
Standards - All users at MedAsia Philippines should be aware of how to select strong passwords. Strong passwords have the following characteristics:
Contain at least three of the following five character classes:
Lower case characters
Upper case characters
Numbers
Punctuation
Special characters (e.g. @%<>*$#*& etc.)
Contain at least nine characters (nine to fifteen characters).
Are not based on birthday, name of family and other personal information such as address and phone numbers.
The password is not a word found in a dictionary (English or Foreign).
The password is not a common usage word such as:
Computer terms and names, commands, sites, companies, hardware, software. Passwords should NEVER be “Password1”, “Password” or any derivation.
Word or number patterns like qwerty, 123321, abcdef, etc.
The words of “MedAsia” or any derivation.
Any of the above spelled backwards.
Any of the above preceded or followed by a digit (e.g., secret1, 1secret).
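As an added illustration of the standards above (example code, not part of the original policy), the following Python checks a candidate password against them: minimum length, three of five character classes, dictionary or common words including reversed forms and forms with a leading or trailing digit stripped ("secret1", "1secret"), the company name, and keyboard or sequential patterns such as qwerty, abcdef or 123321. The tiny word list, the split of symbols between the "punctuation" and "special" classes, and the pattern heuristics are assumptions, since the policy does not define them.

```python
import string

MIN_LENGTH = 9                     # the standard's minimum length

# The policy lists "punctuation" and "special characters" as separate classes
# but does not say which symbols belong to which; this split is an assumption.
PUNCTUATION = set(".,;:!?'\"-_()[]{}/\\")
SPECIAL = set("@%<>*$#&^~`|+=")

# Constructed, deliberately tiny stand-in for the dictionary and common-word
# checks; a real deployment would load full word lists.
BLOCKLIST = {"password", "secret", "welcome", "letmein", "computer", "admin"}
COMPANY = "medasia"
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def _char_classes(pw):
    """Number of the five character classes present in pw."""
    present = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in PUNCTUATION for c in pw),
        any(c in SPECIAL for c in pw),
    ]
    return sum(present)


def _derivations(pw):
    """Forms the word checks run against: lower-cased with leading/trailing
    digits and symbols stripped (covers secret1 / 1secret), letters only,
    and each of those reversed (covers words spelled backwards)."""
    core = pw.lower().strip(string.digits + string.punctuation)
    letters = "".join(c for c in core if c.isalpha())
    forms = {core, letters}
    return forms | {f[::-1] for f in forms}


def _has_sequence(s, run=3):
    """True if s contains `run` characters that step up or down by one
    (abc, 321); 123321 is caught by its 123 and 321 halves."""
    for i in range(len(s) - run + 1):
        codes = [ord(c) for c in s[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def _has_keyboard_pattern(s, width=4):
    """True if any `width`-character slice of s is a keyboard-row run (qwer, asdf)."""
    for i in range(len(s) - width + 1):
        chunk = s[i:i + width]
        if any(chunk in row or chunk in row[::-1] for row in KEYBOARD_ROWS):
            return True
    return False


def check_password(pw):
    """Return the sorted list of rule codes the candidate password breaks
    (empty list means compliant)."""
    failures = set()
    if len(pw) < MIN_LENGTH:
        failures.add("too_short")
    if _char_classes(pw) < 3:
        failures.add("too_few_classes")
    forms = _derivations(pw)
    if forms & BLOCKLIST:
        failures.add("dictionary_word")
    if any(COMPANY in f for f in forms):
        failures.add("company_name")
    lowered = pw.lower()
    if _has_sequence(lowered):
        failures.add("sequence")
    if _has_keyboard_pattern(lowered):
        failures.add("keyboard_pattern")
    return sorted(failures)


def is_compliant(pw):
    return not check_password(pw)


if __name__ == "__main__":
    for candidate in ["Password1", "MedAsia2024!", "qwerty123!A", "1secret", "@pp73&sTi%qx"]:
        print(f"{candidate!r}: {check_password(candidate) or 'compliant'}")
```

"Password1" satisfies the length and class rules yet fails, because stripping the trailing digit exposes a blocklisted word; the policy's own passphrase example "@pp73&sTi%qx" passes every check. The checks run on the lower-cased password so that case changes alone cannot evade them.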
Protective Measures
Do not share passwords with anyone. All passwords are to be treated as sensitive, confidential information.
Passwords should never be written down or stored online without encryption.
Do not reveal passwords in email, chat, phone calls or other electronic communication.
Do not speak about a password in front of others.
Do not hint at the format of passwords (e.g., “my family name”).
Do not reveal a password on questionnaires or security forms.
If someone demands a password, refer them to this document and direct them to the Information Technology Department.
Always decline the use of the “Remember Password” feature of applications.
If an account or password is suspected to have been compromised, report the incident immediately to the Information Technology Department and change all passwords.
Passphrases
Access to the MedAsia Network via remote access is to be controlled using either a one-time password authentication or a public/private key system with a strong passphrase.
A good passphrase is relatively long and contains a combination of upper and lowercase letters and numeric and punctuation characters. An example of a good passphrase: “@pp73&sTi%qx”
All of the rules above that apply to passwords apply to passphrases.
The IT Audit Policy is to advise users of security scanning procedures and precautions used by MedAsia Philippines to audit their network and systems. Other persons or entities, unless authorized, are prohibited from performing any such audits.
Audits may be conducted to:
Ensure the integrity, confidentiality and availability of information and resources.
Investigate possible security incidents and ensure conformance to MedAsia Healthcare System Philippines, Inc. security policies.
Monitor user or system activity where appropriate.
The policy covers:
All computer and communication devices owned or operated by MedAsia Healthcare System Philippines, Inc.
All computer or communications devices connected to the MedAsia Philippines network.
Any computer or communication device which has been connected to the MedAsia Philippines network, if it is believed such computer or communication device has been used contrary to any Information Technology policy while so connected.
All computers and communication devices that are attempting in any manner to interact or interface with the MedAsia Philippines network.
Policy
MedAsia Healthcare System Philippines, Inc. shall utilize auditing software to perform electronic scans of its networks, servers, switches, routers, firewalls, and/or any other systems at MedAsia Philippines. This also includes scans of any electronic communication and e-mail regardless of by or to whom the communications are sent.
Audit access may include:
User level and/or system level access to any computing or communications device.
Access to information (electronic or hardcopy, etc.) that may be produced, transmitted or stored on MedAsia Healthcare System Philippines, Inc. equipment or premises.
Access to work areas (offices, storage areas).
Access to interactively monitor and log traffic on MedAsia Healthcare System Philippines, Inc. networks.
Penetration testing
Password auditing
Scanning for Personally Identifiable Information
Definition
Being connected to a MedAsia Philippines network includes the following:
If you have a network-capable device (e.g. a laptop) plugged into a MedAsia Philippines network, you must first log in to the MedAsia Captive Portal to obtain internet access and limited access to the MedAsia Philippines LAN (Local Area Network).
If you have a wireless-capable device (e.g. a laptop or Android phone) and connect to the MedAsia Wireless Connection, you must first log in to the MedAsia Captive Portal to obtain internet access and limited access to the MedAsia Philippines WLAN (Wireless Local Area Network).
If you connect from a computer or laptop through the MedAsia Philippines VPN (Virtual Private Network), you are connected to the MedAsia Philippines LAN (Local Area Network).
The MedAsia Philippines IT Department will manage risk by identifying, evaluating, controlling and mitigating vulnerabilities that are potential threats to the data and information systems under its control; it will execute its defined risk management process on an ongoing basis, periodically assessing risks and implementing new controls in response to changes in its information systems as well as to changes in MedAsia Philippines policies.
Risk assessment will be performed on all systems or on systems undergoing significant change before they are moved into active production stage, and appropriate measures will be taken to address the risks associated with identified vulnerabilities.
Annual risk assessments will be performed on active production information systems, and appropriate measures will be taken to address the risk associated with identified vulnerabilities.
Vulnerability or threat notifications from vendors and other appropriate sources will be monitored and assessed for all systems and applications associated with any MedAsia Philippines information system.
When required, security authorization for MedAsia Philippines information systems to operate with security risks that have been evaluated and determined to be acceptable will be obtained from the IT Officer and the CEO.