GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
Transcription
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY
GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 GENERAL ELECTRIC CAPITAL CORPORATION (GECC) Acceptable Use of Company Information Sources Policy (Short Name: AUP) Issued by: GECC Information Technology and Legal Issue Date: November 17, 2011 Effective Date: U.S. – November 17, 2011 Rest of World –by March 15, 2012 Approved on: October 14, 2011 By: GECC Chief Information Officer and General Counsel Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 1 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Acceptable Use of Company Information Sources Policy (V 2.0) Original Issue Date: May 1, 2009 Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 Contents 1. Scope .............................................................................................................................................. 4 1.1 Applicability ............................................................................................................................................................................... 4 1.2 Effective date ............................................................................................................................................................................ 4 2. Definitions ...................................................................................................................................... 5 3. Company Information Resources Ownership ............................................................................... 6 4. Protection and Acceptable Use of Company Data ....................................................................... 7 4.1 Access to Company Data ................................................................................................................................................... 7 4.2 Control .......................................................................................................................................................................................... 7 4.3 Confidentiality of Company Data................................................................................................................................... 7 4.4 Sharing of Company Data with Third Parties .......................................................................................................... 7 4.5 Data Transmissions ............................................................................................................................................................... 8 4.6 Document Retention ............................................................................................................................................................. 8 4.7 Data Classification ................................................................................................................................................................. 8 4.8 Data Privacy .............................................................................................................................................................................. 8 4.9 Use of Personal Devices for Company Data ............................................................................................................ 9 4.10 Inappropriate Access Prohibited .................................................................................................................................... 9 4.11 Return of Company Data ................................................................................................................................................... 9 4.12 Disposal of Company Data ................................................................................................................................................ 9 4.13 Other Requirements Governing Company Data .................................................................................................... 9 5. Protection and Acceptable Use of Company Equipment ........................................................... 10 5.1 Use of Company Equipment ...........................................................................................................................................10 5.2 Control ........................................................................................................................................................................................10 5.3 Company Software on Company Equipment ........................................................................................................10 5.4 Reasonable Non-business Use .....................................................................................................................................10 5.5 Identity Management and Passwords ......................................................................................................................11 5.6 Protection of Company Equipment and Company Data .................................................................................11 5.7 Backup of Company Data ................................................................................................................................................11 5.8 Inappropriate Use Prohibited .........................................................................................................................................11 5.9 Return of Company Equipment ....................................................................................................................................11 5.10 Compliance with Other Rules .........................................................................................................................................11 6. Acceptable Use of Online Services .............................................................................................. 12 6.1 Use of Online Services ........................................................................................................................................................12 6.2 Use of Third Party Online Services for Company Business .............................................................................12 6.3 Reasonable Non-business Use .....................................................................................................................................12 6.4 Protecting the Company’s Online Services .............................................................................................................12 6.5 Company Email......................................................................................................................................................................12 6.6 Identity Management and Passwords - Protecting Security of Online Services.................................13 6.7 Inappropriate Use Prohibited .........................................................................................................................................13 6.8 Public Comment on Behalf of Company or GE is Restricted .........................................................................14 6.9 Social Media ............................................................................................................................................................................14 6.10 Use of New Technologies and Services ....................................................................................................................14 7. Monitoring of Users ..................................................................................................................... 15 8. Reporting of Violations and Incidents ......................................................................................... 16 9. Suppliers, Contractors and other Third Parties .......................................................................... 17 10. Questions about this Policy ......................................................................................................... 17 11. Document Change History .......................................................................................................... 17 Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 2 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Acceptable Use of Company Information Sources Policy (V 2.0) Original Issue Date: May 1, 2009 Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 Appendix A – Social Media Guideline Appendix B – Links to Other Policies Mentioned in this Policy Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 3 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 1. Scope 1.1 Applicability This Policy applies to GE Capital (the ―Company‖) employees globally, and all others who have been authorized to use Company Information Resources or have access to Company Data, including, but not limited to, contractors, temporary or contingent workers, agency workers, employees of suppliers and vendors or employees of joint ventures (collectively referred to as "Users"), all subject to the extent of their access. This applies to the use of Company Information Resources in the workplace, at home, or at any other location. This Policy is issued pursuant to General Electric Company’s (―GE‖) The Spirit & The Letter Privacy and Protection of GE Information policies, and is a substitute to the GE Acceptable Use of GE Information Resources (AUGIR). This Policy applies in addition to other applicable policies of the Company and GE, but where such other policies conflict with this one, this Policy shall prevail for the subject matter covered herein. Use of Company Information Resources constitutes acceptance of this Policy and its requirements. The Company reserves the right to change this Policy at any time. This Policy sets a baseline of rules for all of the Company’s Users. However individual business units of the Company may impose additional requirements where necessitated by local law or regulation, or to comply with local business unit policies or requirements. Where a business unit would like to impose requirements that do not meet the requirements under this Policy, it shall contact the Policy Owners to seek an exception in accordance with the process for policy exceptions. Non-compliance with this Policy can result in disciplinary action, up to and including termination of employment or assignment, in accordance with local law. Users who have knowledge of a violation of this Policy and fail to report it to appropriate management will be considered non-compliant with this Policy, in accordance with the requirements set forth in Section 8 below, subject to local law and any legal restrictions on such reporting. 1.2 Effective date This Policy has been issued on November 17, 2011. It is effective from the date of issue in the U.S. and by March 15, 2012 in the rest of the world – business units shall communicate the Policy to its employees once approved locally for rollout. Delays beyond March 15, 2012 shall require the filing of an exception request. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 4 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 2. Definitions Company Information Resources – includes Company Data, Company Equipment, Software and Online Services as well as Personal Devices, as defined below. Company Data – any electronic information that is owned, used or stored by the Company or GE, or that is otherwise collected and/or processed by a User in the ordinary course of business. This includes information about, relating to, or from the Company’s or GE’s customers and suppliers or potential customers and suppliers, which resides on or is accessed from Company Equipment or Online Services, or from Personal Devices, as defined below. Company Data does not include private data stored on a Personal Device. Company Equipment – this consists of the following components: a. Hardware – desktops, servers, peripherals and any other device that connects to the Company network/infrastructure such as printers, copiers, video conferencing systems, CCTV, and wireless network equipment, that is purchased, provided, paid for or otherwise approved by the Company or GE for business use by Users, or otherwise used in connection with Company Data. b. Portable Devices – any type of electronic device that is meant to be carried rather than kept stationary, such as laptops, Blackberries, iPhones and other cell phones, iPads and other tablet computers, and Removable Data Storage Media, that is purchased, provided or approved by the Company or GE for business use by a User, or any other such device that is used in connection with Company Data. c. Telecommunications Equipment – Company telephone services (including voicemail), facsimile machines and related telecommunications hardware purchased, provided or approved by the Company or GE for business use by Users, or otherwise used in connection with Company Data. d. Removable Data Storage Media – Disks, Tapes, DVDs, CDs, USB Thumb Drives, external hard drives and other data storage devices purchased, provided or approved by the Company or GE for business use by Users, or otherwise used in connection with Company Data. Online Services – the Internet, intranets of GE or the Company, email, and other online data services or collaboration tools such as SupportCentral, WebEx, GE Folders and GE Libraries, and instant messaging solutions that are provided, purchased or approved by the Company or GE for business use by Users, or otherwise used in connection with Company Data. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 5 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 Personal Device – any type of Hardware, Portable Device, Telecommunications Equipment, Removable Data Storage Media or Online Service that is purchased or supplied by a User without reimbursement by the Company - and is used for business purposes (even if also used for personal purposes) or is used in connection with Company Data (even if it also stores private data). Any Personal Device that is not used for business purposes AND is not used in conjunction with Company Data is out of scope of this Policy and is an Exempt Personal Device. Social Media – Internet-based tools and services that allow subscribers to network and communicate with each other as well as share data, photos, files, and other User generated content, or to provide updates about themselves, as well as other sites that allow users to read and share their views, or virtual worlds, to name some of the more common social media segments. Some popular social media services include, but are not limited to, Facebook, LinkedIn, Twitter, and YouTube as well as blogs, vlogs, and content sharing sites. Software – any application installed by the Company on Company Equipment, including but not limited to the Coreload Operating System and other software installed by the Company on a User’s PC, networked applications such as Oracle GL, or any other application, including online applications such as SalesForce.com or Intralinks, that is licensed and provided by the Company or GE, or otherwise approved by the Company or GE for business use by Users, or in connection with Company Data. 3. Company Information Resources Ownership The Company and/or GE is the owner of all Company Information Resources other than Exempt Personal Devices. Subject to local laws and regulations, Users shall have no expectation of privacy in their use of Company Information Resources, including Personal Devices, and may be subject to monitoring, as described in this Policy. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 6 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 4. Protection and Acceptable Use of Company Data 4.1 Access to Company Data Access to Company Data is provided to Users for legitimate business purposes only and in accordance with applicable policies, guidelines and instructions of the Company. Company Data is intended for business use only. Users may only seek access to Company Data that is necessary to perform their current job responsibilities and requests for access to Company Data to which they do not ordinarily have access shall follow any existing processes and controls of the Company, in accordance with local laws and regulations. 4.2 Control It is each User’s responsibility to properly manage, maintain, and guard the security of the Company Data to which he/she has access or control as specified in the GE Capital Information Security Policy and any other applicable policy or guidance issued by the Company or GE, or any separate agreement signed between the User and the Company. 4.3 Confidentiality of Company Data Users should be aware that Company Data and/or the processes used to transmit, store or access Company Data, may be proprietary, confidential, or business-sensitive to the Company, its clients, customers, partners, suppliers or others. Company Data may be subject to contractual limitations on its use, or may be the subject of intellectual property rights such as patents or copyrights. Therefore, Users need to safeguard all Company Data that they possess or have access to from unauthorized or accidental disclosure, use, modification, copying, publication, damage, loss or destruction, consistent with policies and procedures of the Company, as well as local legal requirements. This includes exercising care in handling of Portable Devices, and in discussing business matters over cellular phones, cordless phones, speakerphones, or in public areas so as not to compromise GE Confidential or GE Restricted data. Users should also be aware that emails and voicemails may easily be copied or forwarded to others and therefore Users should not send any email or voicemail that they wouldn’t feel comfortable seeing reproduced in public. As a reminder, all Company Data, whether in paper or electronic format (this may include email and Webex chats) may be subject to discovery in litigation, subject to local laws and regulations. When sending GE Confidential or GE Restricted data outside of the Company, Users shall follow the Data Transmissions rules in Section 4.5 below. 4.4 Sharing of Company Data with Third Parties Users are not allowed to release Company Data to third parties without a business justification and without the proper controls as specified below. Users should be cautious when transmitting, sending or forwarding email messages and attachments, documents and files, voice mail messages, instant messaging texts (i.e., chat or SMS) or other Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 7 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 information to other Users (even if they are co-workers), as they may not have a valid need to know the contents of such data. Users shall not forward GE Confidential or GE Restricted data outside the Company without permission from the original sender or author of the data, or their manager, unless they are acting in the ordinary course of business as part of their Company role. When sending such information, Users shall follow the Data Transmissions rules in Section 4.5 below. Engagements with suppliers, contractors, and other third parties shall be handled consistent with the GE Capital Sourcing Policy and GE Capital Material Activities Outsourcing Policy to ensure the IT and Information Security teams are properly consulted on necessary precautions before transferring Company Data to a third party and adequate contractual provisions are in place 4.5 Data Transmissions In light of the inherent risk that data sent over the Internet (including email) may be intercepted or altered during transmission or in storage, and the risk that unauthorized third parties may seek to use the data for financial gain, it is crucial that all data transmissions be done securely. When sending GE Confidential or GE Restricted data outside the Company, Users need to employ the most current security technology recommended by the Company and available to them, such as password protection, encryption, digital certificates and digital signatures, all as specified in the GE Capital Information Security Policy. 4.6 Document Retention All Company Data is subject to the Company’s Records Management policy, procedures, retention schedules and the GE Capital data classification requirements in Section 4.7 below. Users shall be familiar with the rules that apply to them and adhere to those rules from the reception or creation and storage of Company Data, through final disposition. 4.7 Data Classification All Company Data should be defined, stored and handled in accordance with Appendix A of the GE Capital Information Security Policy, which outlines the appropriate treatment for various types of information (such as GE Restricted, GE Confidential, GE Confidential with Sensitive PII, etc). 4.8 Data Privacy Use of Company Information Resources and handling of Company Data is subject to the Company’s and/or specific business unit data privacy policies and guidelines, and local legal requirements. Users should be familiar with and follow any such rules that apply to Company Data they handle in the ordinary course of business. In particular, Users should follow the Spirit & Letter Privacy Policy and the Employment Data Protection Standards. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 8 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 4.9 Use of Personal Devices for Company Data Personal Devices may not be used for any business purpose or to store Company Data without approval of the User’s manager and in accordance with policies and rules of the Company for the use of Personal Devices. If approval is given, all such devices become subject to this Policy as applicable. Users may also be required to sign an agreement imposing supplemental requirements and terms of use as a condition to the use of Personal Devices. By way of example, if you use a home PC or laptop to access Remote Office, if you get approval to use a personal iPad or other tablet computer in the office, or if you get approval to purchase a thumb drive to port Company Data from work to your home PC or laptop, such devices all become subject to the relevant portions of this Policy and may be subject to search, monitoring or document disclosure and production obligations, subject to local law. Users may also be required to install certain software on their Personal Device and to deploy other controls such as use of a password on the device. Failure to comply with all such requirements violates this Policy. Users may not use or install Software on any Personal Device if advised by the Company that such Software is on the list of unapproved Software. This section does not apply to Exempt Personal Devices. 4.10 Inappropriate Access Prohibited Users are prohibited from accessing the data of another User or accessing Company Data to which they have not been granted access, unless such access is: (1) with the other User's or owner of the Company Data’s express consent; or (2) required as part of the User's job responsibilities and the User has gone through the appropriate approval process to gain such access, as further described in Section 7 below. 4.11 Return of Company Data Company Data shall be returned to the Company immediately upon termination of employment or status as an authorized User, as further detailed in Section 5.9 below. 4.12 Disposal of Company Data Company Data should be disposed of in accordance with the Company’s Records Retention rules, any data disposal guidance issued by the Company, any applicable business unit policies and rules, and local laws and regulations. When in doubt, apply the most secure manner of disposal taking into account the highest potential data classification for the Company Data being disposed. 4.13 Other Requirements Governing Company Data Users should become familiar with and ensure they are complying with all applicable laws, regulations and GE policies that apply to the Company Data they are handling, as well as any contractual obligations that may apply. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 9 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 5. Protection and Acceptable Use of Company Equipment 5.1 Use of Company Equipment Company Equipment is provided to Users for legitimate business purposes only and in accordance with applicable policies, guidelines and instructions of the Company. Users outside of IT may not modify Company Equipment configurations without proper approval from the IT team. 5.2 Control It is each User’s responsibility to properly manage, maintain, and safeguard all Company Equipment to which he/she has access or control. 5.3 Company Software on Company Equipment Company Equipment may come with standard pre-installed Software. Users may not disable or uninstall such Software. The Company may also routinely install additional Software on Company Equipment and any attempt to permanently prevent such Software installations is prohibited. Only Software that was reviewed and approved by the Company may be loaded onto Company Equipment. The Company reserves the right to monitor Company Equipment and remove unapproved software including, but not limited to, freeware, open source software, peer-to-peer file sharing programs, remote control software, voice chat, hacking tools, anonymizers, instant messaging tools or any Software determined or suspected of being malware. 5.4 Reasonable Non-business Use Reasonable or occasional non-business use of Company Equipment is permitted provided it does not conflict with business objectives, policies and guidelines of the Company and provided it is not an abuse of the Company’s time or resources. User Personal Files: Users may keep a reasonable amount of personal files and data on Company Equipment (in particular a laptop or desktop or server space allocated for data backup). All such files shall be clearly marked as personal. Users may not store large repositories of photographs or audiovisual materials such as music (mp3 files) or movies. The Company reserves the right to periodically sweep Company Equipment for improper storage of personal files and delete any files deemed to exceed this Policy with no notice to Users, and the use of Company Equipment for storing personal files constitutes consent to such action by the Company. Users are encouraged to minimize any such storage and to have another backup for their personal files. It is also each User’s responsibility to ensure that their personal files stored on Company Equipment do not contain any illegal, inappropriate or offensive materials. Any such material found on Company Equipment may result in disciplinary action even if contained in a folder marked ―personal‖, all subject to local laws and regulations. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 10 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 5.5 Identity Management and Passwords Accounts, IDs, and passwords are issued to individuals and are personal to that User and may not be shared with anyone. Passwords must be kept strictly confidential. Password selection requirements are specified in the GE Capital Information Security Policy. Users shall be responsible for all actions taken in their accounts, under their ID or with their passwords unless they have promptly reported the loss, theft or compromise of their account and/or password to the Company. 5.6 Protection of Company Equipment and Company Data Users shall protect Company Equipment and Company Data residing on it by following the GE Capital Information Security Policy as well as any other guidelines or rules of the Company, their business unit, or applicable local laws and regulations. Users may not tamper with or remove any security protections or settings on Company Equipment without the approval of the IT team. 5.7 Backup of Company Data Users are responsible for ensuring that all Company Data on Company Equipment in their possession and control is properly backed-up by approved methods and to approved storage locations. If in doubt as to the proper backup methods, contact your Help Desk. 5.8 Inappropriate Use Prohibited Users shall not use Company Equipment to perform an act that is illegal, abusive, or otherwise inconsistent with or in violation of this Policy, GE’s Spirit and Letter Policy or any other policy of the Company or GE (e.g., conducting outside business ventures - even if declared on a conflicts of interest statement, or excessive personal use of Company Equipment). 5.9 Return of Company Equipment At the end of life, or end of use by a User (e.g., upon resignation, termination of employment or assignment or any end of status as an authorized User), all Company Equipment needs to be returned to the Company. Where the Company Equipment needs to be sent offsite for disposal, storage or other use, the appropriate procedures need to be followed to ensure Company Data is kept secure while in transit and where applicable, the Company Data should be destroyed in accordance with guidelines issued by the Information Security Team and the EHS team. Managers are responsible for ensuring that all Company Equipment is returned to the Company prior to a User’s departure from the Company. 5.10 Compliance with Other Rules Users shall adhere to all other applicable asset management and physical security rules, guidelines and procedures communicated to them with respect to Company Equipment. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 11 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 6. Acceptable Use of Online Services 6.1 Use of Online Services Online Services are provided to approved Users for legitimate business purposes only and in accordance with applicable policies, guidelines and instructions of the Company. Not all Users will have access to all Online Services and the Company reserves the right to limit or revoke such access. Users may not circumvent access controls imposed by the Company whether done via Company Equipment or via Company Software (e.g., proxy and security settings in Web browsers). 6.2 Use of Third Party Online Services for Company Business Users may not use Online Services offered by third parties (e.g. online email or calendar services offered by companies like Google, Yahoo, or Facebook) to conduct Company business unless such tools are offered to Users by the Company or are expressly approved by the Company for business use. 6.3 Reasonable Non-business Use Reasonable or occasional non-business use of Online Services is permitted provided it does not conflict with business objectives, policies and guidelines of the Company, and provided it is not an abuse of the Company’s time or resources. Users may not use Online Services to run a personal business, even if such a personal business is declared in a conflicts of interest statement. 6.4 Protecting the Company’s Online Services The Company will employ appropriate controls, through a combination of processes and technologies, to protect its Information Resources from misuse, data theft and other harm to the Company, its Users and Company Data. Elements of this protection may include, for example, restricting User access to the Internet or certain sites or categories of sites, or placing controls on the transfer of Company Data, as well as deploying certain monitoring and logging capabilities. Users may not circumvent these controls. 6.5 Company Email The Company email is an asset of the Company and as such it may only be used to conduct Company business (subject to Section 6.3 above). Users may not use the Company email address (i.e., FirstName.LastName@ge.com) to subscribe to external services (e.g., Facebook, LinkedIn, Twitter) unless such use is allowed under the GE Capital Social Media Guideline in Appendix A of this Policy. Users also may not use the Company email to promote their own personal services or business activities to co-workers (offering any products or services) other than incidental uses. For example, offering tickets to a show or a game to a select group of employees is allowed; having a side business of selling tickets to shows or games and regularly emailing employees with offers is not allowed. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 12 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 6.6 Identity Management and Passwords - Protecting Security of Online Services See Section 5.5 above. 6.7 Inappropriate Use Prohibited Users may not use Online Services to access, send, forward, download, import, create or display material that is inappropriate, offensive or otherwise in violation of any applicable law or regulation, or of any policies, procedures, guidelines or instructions of the Company – including but not limited to those uses described below. Examples of Inappropriate Use: The following are examples of unauthorized and/or inappropriate uses of Online Services which, subject to local law, can subject a User to discipline, up to and including termination of employment or work assignment: - Using an Online Service to access data of another User or of a third party outside of the Company or GE, unless done in compliance with Section 7 below. - Streaming movies, music, radio, and other multimedia content from the Internet (excluding content transmitted or broadcasted by the Company or GE) unless done for approved business uses or when connected to a non-GE network. Content played directly from the hard drive of a laptop or computer is not covered by this rule. - Sending out communications to multiple clients, customers or suppliers and listing them in the ―to‖ or ―cc‖ lines rather than ―bcc,‖ thereby exposing their email and relationship with the Company, unless done with their consent or other appropriate authorization. - Accessing, downloading, printing, creating, displaying, transmitting, sending, forwarding or otherwise conveying unprofessional, inappropriate, offensive, intimidating or harassing material or communications internally or externally, including materials that are inconsistent with the Fair Employment Practices Policy contained in the Spirit and Letter Policy (e.g., information that may be considered pornographic, offensive or defamatory or may constitute harassment or create a hostile working environment on the grounds of age, sex, race, disability or other protected class). - Copying or downloading Software in a manner that is inconsistent with or in violation of any applicable law or regulation, or any relevant licensing agreement or contract. Users are referred to the GE Software Use Guidelines. - Downloading or uploading any copyrightable material or anything else that is deemed proprietary or subject to a license fee without paying the license fee, including music, images, videos or subscription material. Any such conduct may expose both the User and the Company to civil and criminal liability. Possession of copyright-infringing materials on Company Information Resources is also prohibited. - Sending "chain letters‖, solicitations, spam or other mass mailings (whether done by text, voice, fax or email) without a legitimate and approved business purpose. - Sending, forwarding, downloading, uploading or disclosing any nonpublic information about GE, the Company, or the Company’s customers or suppliers, or personal data of employees, or any other information that is marked as GE Confidential or GE Restricted or is otherwise of a sensitive nature, unless done with proper justification. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 13 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) - Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 Excessive personal use that impacts Company Information Resources or a User’s ability to perform their job. Use that – if made public – could expose the Company to reputational harm. Using Online Services to perform any act that is inconsistent with or in violation of this Policy, GE’s Spirit and Letter Policy or any other policy of the Company or GE. 6.8 Public Comment on Behalf of Company or GE is Restricted Users should remember that use of Online Services or Company Equipment may identify them as employees and/or representatives of GE or the Company and as such their comments on Online Services may appear to represent the positions and views of the Company or GE. Users shall therefore ensure that all communications using Online Services are professional and business-related. When Online Services are used for reasonable personal use, Users need to clearly indicate that the opinions expressed are their own and not necessarily those of GE and/or the Company. 6.9 Social Media Users may have access to some Social Media at work. Any such access is subject to the Company’s discretion and access may be restricted or revoked at any time based on a User’s role or conduct. The use of Social Media by Users for their own personal benefit is subject to Sections 6.7 and 6.8 above as well as the GE Capital Social Media Guideline in Appendix A to this Policy. Users shall be familiar with the relevant rules for use of Social Media and follow them. Users should be aware that many of the Social Media rules apply to them even if they are not using Company Equipment and are using the Social Media from their home or the road. Failure to comply with the Social Media rules may result in disciplinary action, up to and including termination, subject to local laws and regulations. The use of Social Media by Users acting on behalf of the Company is subject to their business unit rules and any guidelines of the Company that may exist. 6.10 Use of New Technologies and Services The Internet offers a wealth of new online technologies and services that Users may believe will enhance their ability to perform their job or otherwise deem to be useful. However, the use of untested and unapproved technology or services poses a serious risk to Company Data and Company Equipment as the use of such technology or service may create legal liability or expose Company Data and Company Equipment to security vulnerabilities. Users who wish to explore use of a new technology or service for business purposes should contact their IT team to ask for a review and approval before downloading, installing or using a new technology or service. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 14 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 7. Monitoring of Users The Company reserves the right, subject to local laws and regulations, to review, audit, monitor, intercept, access and disclose all uses of its Information Resources, and in particular, email, voicemail, Instant Messaging Services (e.g. Webex), Internet use and all files or information stored on Company Equipment, without prior notification to the User(s) concerned, provided that such monitoring is done for legitimate business reasons, including: 1. To protect the security of the Company/GE, its customers, suppliers and employees; 2. To protect and maintain proper operation and use of the assets of the Company/GE; 3. To investigate unauthorized access to or use of Information Resources; 4. For an urgent, legitimate business need (e.g. employee unavailable and timing critical, or to access Company Data after an employee has left the Company); or 5. To investigate a reasonable suspicion of violation of law or policy of the Company/GE by a User or ex-User; 6. To respond to a subpoena or government investigation or otherwise comply with applicable laws or regulations; or 7. To monitor quality and to assure compliance with regulatory requirements and customer obligations. A failure to monitor in a particular situation shall not be deemed a waiver of the right to monitor in other similar situations. The Company reserves the right to carry out other forms of monitoring of use of or access to its Information Resources, such as the use of data loss prevention tools (e.g., Digital Guardian), closed-circuit television, video monitoring, building access and security systems, email scanning, web content filtering, network content monitoring, etc., all subject to applicable legal requirements and restrictions on such monitoring. If the Company discovers any User misconduct (including any violation of this or any other policy or guideline of the Company) or criminal activity involving Company Information Resources, the files or information related to such conduct may be used to document the conduct and, subject to local laws and regulations, may be disclosed to appropriate authorities - civil and criminal, both inside and outside the Company. The User may be subject to disciplinary action up to and including termination of employment or work assignment, subject to local laws and regulations, as well as any applicable civil/criminal penalties. The Company also reserves the right, subject to local law, to consent to a valid law enforcement request to search Company Equipment for evidence of a crime stored on the equipment. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 15 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 The Company does not use any monitoring devices or other means to attempt to discover the identity of anyone using an Ombuds hotline or any other Ombuds/complaint reporting tool advertised as allowing anonymous reporting, and will not do so unless required by law or court order. The Company also does not intend to monitor, review or disclose communications between employees and their personal attorneys, however, the Company disclaims any and all liability for any inadvertent access to or disclosure of such communications. All requests for a User’s personal data in connection with an investigation, litigation or other situation requiring access to such data without the consent of a User shall be handled in accordance with the Company’s Procedure for Review and Approval of Requests for Indirect Access and Collection of Certain Types of Employees’ and Contractors’ Records, which is issued under this Policy. 8. Reporting of Violations and Incidents Inappropriate Use: Users shall immediately notify their IT helpdesk or the Local Security Leader of any unusual behavior pertaining to Company Information Resources, subject to local law and any legal restrictions on such reporting. To the extent a User encounters any offensive or harassing materials on Online Services used by another User, he or she should contact his or her manager, Human Resources, Compliance or Ombudsperson, again subject to local law and any legal restrictions on such reporting. Users should also consider whether it is appropriate to notify the sender not to send such material in the future (however, as a reminder, Users should never reply to spam messages). Failure to report inappropriate use of Company Information Resources may, subject to local law, result in disciplinary action up to and including termination of employment or work assignment. As a reminder, retaliation against employees who report policy violations is in itself a violation of GE’s Spirit & Letter policy and will subject the violator to disciplinary action, up to and including termination. Theft, Misappropriation or Other Incidents: The theft, loss or accidental destruction of any Company Information Resources must be promptly reported in accordance with the Company’s procedures for reporting such incidents. Users shall be familiar with the proper channel for reporting such matters. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 16 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 9. Suppliers, Contractors and other Third Parties This Policy applies to use of Company Data, Company Equipment and Online Services by suppliers, contractors and other third parties, subject to any particular contractual arrangement in place with such third parties and any other external legal obligation that may exist under the local law of the third party. Company Users who work with suppliers, contractors and other third parties must comply with Section 4.4 above. 10. Questions about this Policy For questions about this Policy, please contact your local, regional or global Information Security Leader, Privacy Leader, Human Resources Manager, or Compliance Officer. 11. Document Change History Versions and Review Version Comments Dates V 1.1 Amended sections 1.2 and 4.9 January 31, 2012 Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 17 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 APPENDIX A GE Capital – Social Media Guideline This Guideline of GE Capital (―GE Capital‖ or ―Company‖) for access to and use of Social Media is meant to supplement and clarify The GE Capital Acceptable Use Policy (―AUP‖) and in particular Section 6 – Acceptable Use of Online Services. The Guideline applies to all GE Capital employees who access the Internet – whether from work, while traveling, or from home, including if the access is from a Personal Device or an Exempt Personal Device, as well as to all other Users who use Company Equipment to access the Internet. INTRODUCTION Social Media sites allow members to network and communicate with each other as well as share data, photos and other user generated content, or to provide updates about themselves, play games or interact with other members, to name some of the more common social media uses. Social media sites come in many flavors including social networking sites (such as Facebook, LinkedIn, Twitter, Google+ and Yammer), peer-to-peer networks, content posting sites (such as YouTube, Wikipedia and other wikis, and sites like Scribd and SlideShare), as well as various online communities (such as virtual worlds like SecondLife). The use of Social Media can be a great way for Company workers to connect and interact customers or potential customers, colleagues and potential employees, and friends and family around the globe or down the street. However, you should remember that whatever you do or say online reflects not only on your reputation, but can reflect on the Company as well. It is therefore very important that you pay attention to situations where your personal life and your GE life become co-mingled, and that you always follow this Guideline – even if you’re engaging in Social Media activities at home on your personal computer – as the rules below will help keep both you and the Company safe. In short, before posting information on or interacting with Social Media sites, it’s important that you understand the risk, reward and reach involved, and the expected behaviors. Recognize that there are various ways in which your online activity can establish a connection to the Company or your workplace, and as a result may impact the Company: (i) (ii) (iii) If you identify your affiliation with the Company (either directly or indirectly), anything you do or say – even if unrelated to the Company - may be perceived as an official position of the Company; If you discuss matters related to the Company, even if you don’t identify yourself as affiliated with the Company, if your connection to the Company is revealed, you may be perceived as a knowledgeable insider; also hiding your Company connection may be illegal in some cases; Anything you do or say, even if totally unrelated to the Company and where you haven’t identified yourself as a Company employee, may be viewed and/or disseminated in the workplace. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 18 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 Due to various legal, policy or jurisdictional concerns, not all Company employees will have access to Social Media sites from work. The Company routinely reassesses what sites to allow and what sites to block and some decisions depend on your country, business, and even your role. Regardless, this Guideline applies even when accessing Social Media sites while traveling or from home. Bottom line – you have two brands to protect in your Social Media activity– the Company brand and your own. GENERAL GUIDANCE o ONLINE RULES ARE NOT DIFFERENT: The rules for acceptable behavior on Social Media sites don’t change just because you’re online; only the speed with which information can be shared—intentionally or accidentally—does, and as a result, the impact of mistakes or improper behavior can be greatly magnified. Anything that would be prohibited in the ―real world‖ doesn’t become permissible just because you’re online. For example, posting comments that are offensive, discriminatory or threatening; similarly offering recommendations or endorsements of ex-employees, suppliers and others who interact professionally with the Company may not be acceptable on Social Media sites where you appear in your Company capacity, as that may be considered a prohibited endorsement; last, communications with the media on Social Media sites must also follow the real world procedures governing such contact – refer all such inquiries to the media and communications team at your business. These are just three examples of situations that may arise in the online space that are no different than the ―real world.‖ o FOLLOW EXISTING POLICIES: Any use of Social Media sites that violates any Company policy, including the Acceptable Use Policy, and The Spirit & Letter, even when done with personal resources, on the road or from home, is prohibited. o POSTING ANY GE CONFIDENTIAL, RESTRICTED OR OTHER PROPRIETARY INFORMATION, CONTENT OR FILES, OR ANY MATERIAL-NONPUBLIC INFORMATION ON SOCIAL MEDIA SITES IS PROHIBITED. Similarly, don’t post any non-public or proprietary information about any Company competitor. o DON’T MISUSE COMPANY RESOURCES: You may not create, host or maintain a Social Media sites using Company resources unless you’re authorized to act for the Company. You may however access and post to Social Media sites from work (subject to this Guideline). o AVOID SOCIAL MEDIA SITE ACTIVITY THAT INTERFERES WITH YOUR WORK COMMITMENTS: Don’t allow workplace access to Social Media sites to become a distraction to you or your co-workers. This includes excessive personal use or any personal-business use of Social Media sites. Remember that such access, where granted, is a privilege, and it may be revoked or restricted. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 19 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) o Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 WHEN IN DOUBT – ASK BEFORE YOU ACT: You’re responsible for your actions. Whatever you do or say on Social Media sites may be viewed by work colleagues, customers, regulators or the media. Think before you act or post. If you’re not sure if certain conduct online is appropriate or legal, consult your business Compliance, Legal, Information Security, Privacy or Communications Leader, HR manager or direct manager. KEEPING YOURSELF AND THE COMPANY SEPARATE, EXCEPT WHERE APPROVED o DON’T SPEAK FOR THE COMPANY UNLESS IT’S YOUR JOB: Each business has guidelines for speaking on the Company’s behalf and responding to media inquiries. Unless it’s your job to speak on behalf of the Company, you may not create an appearance that you’re doing so. When in doubt, consult your Communications Leader for further guidance. o DON’T MAKE PREDICTIVE OR FORWARD LOOKING STATEMENTS: You should not say anything that may reveal the Company’s business strategy or future performance. Don’t discuss financial performance or litigation/legal proceedings or Company business-related rumors. GE is a publicly traded company with designated professionals who are authorized to comment on such matters. Your comments, especially if perceived to come from a ―knowledgeable insider‖ could create exposure. o DON’T USE THE GE EMAIL: Using your GE email account to join or interact with any Social Media sites isn’t permitted unless: (i) you have a formal role in using the site as a Company communicator or spokesperson; (ii) you’re using the site on behalf of the Company with your manager’s approval; or (iii) this is expressly required by a site which has a professional use (e.g., Yammer). All other activities that are conducted in your personal capacity require that you use a personal email. Adhering to this rule will reduce the appearance of personal activities being sponsored by or pertaining to the Company and also reduces the likelihood of phishing attempts against Company workers. o MAKE SURE THAT IT’S ALWAYS CLEAR THAT YOUR VIEWS ARE PERSONAL: Unless it’s your job to represent the Company, avoid using GE indicators (like a GE email or your title) when posting comments on Social Media sites. You may, however, use your Company relationship and title in your profile when using a professional Social Media site such as LinkedIn. Where possible, speak in the first person (―I‖). If you find a need to identify yourself in any way as affiliated with the Company, or are known as such (for example on LinkedIn, or by joining a Company Facebook group), exercise care before discussing anything related to the Company; if you find that you must say something concerning the Company use a prominent disclaimer Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 20 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 indicating that your comments represent your personal views and don’t represent the Company’s views. o AVOID MISUSE OF GE’S BRAND: Don’t use any GE logos or trademarks to create the impression that your communication is attributable to or approved by the Company unless specifically authorized to do so. This includes use of the GE email (see above), use of the GE Monogram in connection with any online group you form (e.g., on LinkedIn or Facebook), or use of a GE brand in your online name or handle. o USE OF SOCIAL MEDIA AS A BUSINESS TOOL: Social Media sites can be effective outreach and marketing tools when used thoughtfully. If you have a business need to create a presence on Social Media sites for which you identify your Company affiliation (e.g., a Facebook page or a LinkedIn group) you must contact your Communications Leader, and in some cases, business legal counsel, to get their advice; always follow any business specific rules or procedures that apply. o USE OF SOCIAL MEDIA SITES FOR COVERT MARKETING OR PUBLIC RELATIONS: If it’s not your job to engage in marketing or public relations on behalf of the Company then don’t. Even if it’s your job, don’t engage in such activities that do not identify the Company or you as a Company worker. If you discuss a Company product or service, or one offered by a competitor, you must clearly disclose your relationship with the Company. PARTICIPATE INTELLIGENTLY AND SECURELY o BEHAVE SECURELY: Be cautious about clicking on links embedded in Social Media sites or downloading applications. Sites like Facebook and Twitter have sometimes unwittingly displayed links to malicious applications that can damage computers and/or steal information. Beware of imposters pretending to be someone else, and individuals who post comments using only pseudonyms. Don’t accept friend requests from strangers and don’t befriend anyone whom you don’t know. Avoid anything that sounds too good to be true – it probably is. Remember that Social Media sites have become a prime target for cybercriminals; don’t become a victim. o KNOW WHO OWNS THE SITE: Before participating in any Social Media site, make sure you understand if this is a Company or GE owned site or external; what the access and security controls are, and what content is appropriate for posting/sharing. Some Social Media sites may have a dedicated GE area, or what appears to be a GE sponsored area (e.g., Yammer), but that area may not be a safe place to post Company content. When your main goal is to share data internally, always use resources that are approved for business use (e.g., GE Connect). o RESPECT YOUR AND OTHERS’ PRIVACY: Avoid sharing your personal information or that of others beyond what’s absolutely necessary; in general, identifying Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 21 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 information posted online should be extremely limited. Remember that cybercriminals search for personal information online, and may use it for identity theft and other types of fraud. o CONNECTING WITH CO-WORKERS: Before inviting or accepting an invitation from a co-worker to connect with you on a Social Media site, ask yourself if that online connection is appropriate. Employees may not feel comfortable with a ―friend request‖ from a manager and managers may feel uncomfortable with requests from members of their teams. While you may have meaningful friendships that lead to such connections, exercise good judgment in initiating or accepting them. When in doubt consult HR, Legal, or Compliance. o CONNECTING WITH CUSTOMERS AND SUPPLIERS: Before inviting or accepting an invitation from a Company Customer or Supplier to connect with you on a Social Media site, ask yourself if that online connection is appropriate. While you may have meaningful friendships that lead to such connections, exercise good judgment in initiating or accepting them. When in doubt consult Compliance, Legal, Sourcing, or your direct manager. o SPECIAL RULES FOR HIRING: GE has special guidelines on the use of Social Media sites for screening/hiring employment candidates. Consult those guidelines before acting, and when in doubt, always consult HR and Labor & Employment counsel in your jurisdiction. GUIDANCE FOR SMART COMMUNICATIONS o EXERCISE GOOD JUDGMENT AND USE COMMON SENSE when posting, blogging, chatting or communicating on Social Media sites or through any electronic means like email: don’t say anything that you wouldn’t say in writing and don’t post or upload anything you might not want the world to see. Don’t assume that your post will remain private amongst your friends or not find its way into the workplace. There’s no online ―recall‖ button – removing content isn’t always easy and even if you succeed, Internet search engines never forget anything and your deleted post may live on in search engines. And remember, you may have personal liability for comments that are defamatory, libelous, obscene or violate a law. o BE RESPECTFUL of GE, its officers, employees, shareholders, customers, suppliers, partners and competitors. Posts that malign individuals or other businesses, or which expose Company proprietary information can create legal exposure for the Company, and for those who post such comments. Uploading compromising photographs of co-workers is inappropriate. Be respectful of others when you reply to their posts or comments. Avoid divisive issues such as religion, politics or social/political advocacy your comments might be perceived to be an official Company position or opinion. Do not disparage Company products or services. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 22 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 Remember that what you post can migrate into the workplace and/or come to the attention of customers and other Company partners. To be clear, this rule doesn’t seek to prohibit any honest and accurate comments you may have about the Company or GE – you’re free to express your views (even if negative). Nothing herein precludes any discussion covered by the NLRA or equivalent foreign laws covering concerted activity or revoke any rights granted to you by local law. o BE ACCURATE AND TRANSPARENT: If you make a mistake, promptly correct it. Avoid posting comments that include rumors, or misleading information. Stay timely and keep posted information up to date. Indicate changes when altering a previous post or comment. Remember that the Internet has a long memory, and that even deleted postings may be searchable. Never post intentionally inaccurate information about the Company or its officers, employees, shareholders, customers, suppliers, partners or competitors. Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 23 of 24 GECC ACCEPTABLE USE OF COMPANY INFORMATION SOURCES POLICY Subject: Original Issue Date: May 1, 2009 Acceptable Use of Company Information Sources Policy (V 2.0) Revision Dates: October 10, 2011; January 31, 2012 Effective Date: U.S. - November 17, 2011 RoW – by March 15, 2012 Policy No.: IT-5 APPENDIX B LINKS TO OTHER POLICIES MENTIONED IN THIS POLICY The GECC Information Security Policy and other Information Security guidelines and information can be found on the GECC Information Security Portal: http://supportcentral.ge.com/products/sup_products.asp?prod_id=120895 The GECC Sourcing Policy, Records Retention Policy and other GECC policies can be found on the GECC Policy Portal: http://corp.home.ge.com/portal/site/gecfinsidecompliance/menuitem.bff63188bc18a07fc5 e793104ecda730 GE’s EDPS and other information on data privacy policies rules and information can be found on the GECC Privacy Portal: http://supportcentral.ge.com/products/sup_products.asp?prod_id=26719 All Spirit & Letter policies can be found on the GE Compliance Portal: http://integrity.ge.com/ The GE Software Use Policy/Guide can be found here: http://data.supportcentral.ge.com/upload/37462/doc_1612873.pdf Other helpful links: GE’s Global Security Website is here: http://security.ge.com Policy Owners: GECC Chief Information Officer and Chief Privacy Leader Policy Contact: GECC Chief Privacy Leader GE Internal Page 24 of 24