Acceptable Use Policy

1. Purpose

The Acceptable Use Policy has been formulated in order to encourage the responsible use of Colt's information, networks, systems, services, websites and products (collectively "Colt Information Systems") by our vendors, suppliers and other third parties (collectively "Users"), and to enable Colt to provide secure, reliable and productive services.

This Acceptable Use Policy sets out:

  1. The minimum standards of behavior required from users when they use Colt Information Systems.
  2. Prohibited actions by the user.
  3. Action to be taken by Colt in case the user fails to meet those minimum standards.
  4. Protection to both user and Colt from any claims from third parties that your use of Colt's services is inappropriate or damaging to such third parties.

Note that the prohibited actions and the minimum standards set out in this policy are not an exhaustive list.

By using the Services you agree to be bound by our policy.

2. Scope & Eligibility

This Acceptable Usage Policy (external document) provides guidelines for external users, including Colt vendors, suppliers and other third parties, on the acceptable use of Colt information systems and on the protection of those assets.

The security policies defined in this document cover the information, data, software, hardware and networks used by Colt at all its locations and sites. They apply to all staff directly employed by Colt and to those working for Colt under any form of contract.

The policy statement, detailed below, is to be included on all Colt external corporate websites. It is also to be referenced in all new or updated customer contracts.

Any person who knows of or suspects a breach of this policy may report it to their manager, or to Colt’s security team via email to [email protected].

3. Policy statement

Colt Information Systems shall be used in a manner that is consistent with their intended purposes and may be used only for lawful purposes. Users shall not use Colt Information Systems in order to transmit, distribute or store material:

  1. In violation of any applicable law or regulation;
  2. In a manner that will infringe the copyright, trademark, trade secret or other intellectual property rights of others or the privacy, publicity or other personal rights of others;
  3. That is fraudulent, obscene, defamatory, libelous, threatening, abusive or hateful or contains a virus, worm, Trojan horse, ransomware or other harmful component;
  4. Containing fraudulent offers for goods or services or any promotional materials that contain false, deceptive or misleading statements, claims or representations; or
  5. In a manner that may expose Colt or any of its personnel to criminal or civil liability.

4. Acceptable usage

1. Lawful use of resources

1. Colt requires its Users to comply with Colt's instructions and all legal and regulatory requirements relevant to their system, network and any services they may provide within the countries in which they operate.

2. Where a customer fails to meet such legal and regulatory requirements the customer agrees to indemnify Colt against all losses, expenses, costs (including legal costs) or damages which may be suffered or incurred by Colt in relation thereto.

3. It is Colt's policy to assist police and law enforcement bodies in any practicable way when required by applicable law.

4. Colt reserves the right to disclose information to such bodies or highlight any concern of potential illegal activities being carried out via Colt's networks or systems.

2. Usage of Electronic messaging

1. Users shall ensure that their resources are not used to transmit unsolicited bulk email of any kind, and shall not permit the use of unsolicited bulk email to advertise any site located on the Colt network.

2. Any mail server connected to the Colt network shall be configured so that it is not an open relay, which could be used for the unauthorized transmission of bulk email. Should such a transmission occur, it will be considered to have originated from the user.

3. Users shall not use the Colt network or systems to transmit email with modified, false, inaccurate or purposefully erroneous header information.

4. Recording of meetings will be authorized only in the following circumstances, where the content of the meeting needs to be referred to at a later date:

  • If there is a business need to do it
  • To explain procedures/process.
  • For Training/Educational purposes.

When recording a session for any of the above purposes, ensure that the participants give their consent before the session starts.

3. Use of Material

1. Users shall accept that Colt cannot control and is not responsible for the content on the Internet. Any concerns regarding the content of systems or networks not located on the Colt network should be directed at the relevant system or network owners and not at Colt.

2. Users shall conform to Internet protocols and standards.

3. Users shall not use Colt networks or systems to distribute copyrighted material unless they are authorized to do so by the copyright owner. Users must follow Colt's authorization process to obtain the correct access rights and privileges to Colt's information and information systems.

4. Users shall use the Colt networks or systems only for proper and lawful purposes, and shall only receive or send messages which are, in reasonable opinion, non-offensive, decent, non-obscene, non-malicious and non-defamatory, and which do not infringe any intellectual property right (including, without limitation, trademarks, copyright, or rights relating to domain names), nor allow others to do so.

5. Colt shall take no responsibility for any material created or accessible on or through Colt Information Systems that is not posted by or at the request of Colt. Colt shall not monitor nor exercise any editorial control over such material but reserves the right to do so to the extent permitted by applicable law. Colt is not responsible for the content of any web sites other than Colt's web sites, including for the content of web sites linked to such Colt's web sites. Links are provided as Internet navigation tools only.

4. Personnel Security

1. Users shall conduct background verification checks for their personnel who are provided with access to the Colt Information Systems. Security awareness content shall be reviewed and updated at least annually.

2. Personnel who have physical or logical access to the Colt Information Systems shall sign a Non-Disclosure Agreement.

3. The personnel shall be provided with security awareness training prior to accessing the Colt Information Systems.

5. System Security

1. Users shall only access data that is intended for their use and shall not log into a server or account which they are not authorized to access.

2. Users shall not attempt to probe, scan or test the vulnerability of Colt systems without proper authorization.

3. Users shall not attempt to interfere with, disrupt or disable services to any user, host or network, including, without limitation, via means of overloading, "flooding", "mail bombing" or "crashing".

4. Users shall not forge any TCP/IP packet header or any part of the header information in any email or newsgroup posting.

5. Users shall not take any action in order to obtain services to which such user is not entitled.

6. Violations of Colt system or network security by the user shall result in civil or criminal liability. Colt will investigate occurrences that may involve such violations and may involve, and cooperate with, law enforcement authorities in prosecuting users who are involved in such violations.

7. Users shall take all reasonable organizational and technical measures to prevent the unauthorized disclosure of any usernames, passwords or security certificates.

8. Users shall implement and maintain controls that detect, prevent, remove and remediate any malware attack that could impact Colt information and information assets.

6. Network Security

1. Users shall not utilize Colt information systems to gain or attempt to gain unauthorized access to any system.

2. Actions considered unacceptable include, but are not limited to:

  • network probing
  • network mapping

3. Vulnerability scanning, or the exploitation of vulnerabilities or misconfigurations in systems or networks, without prior authorization is prohibited, whether done with the intention of gaining unauthorized access or for any other purpose.

4. Any packets transmitted onto or across the Colt network by the user shall contain the correct source address of the originating system. Any packets for which this is not the case may be prevented from traversing the Colt network without additional notice.

5. Users' networks shall be configured so as not to accept external broadcast traffic.

6. Users shall not utilize any protocol or service with the intent of disrupting or preventing the legitimate use of any service by others.

7. Users shall not use Colt networks or systems to transmit viruses.

8. Users shall not use Colt networks or systems to install directly or indirectly any unauthorized software or other system modification on any system without prior authorization of the system owner.

9. Users shall not intercept or attempt to intercept or modify any traffic traversing the Colt network.

10. Users shall not collect any personal information of Colt users without a business need and the consent of those users.

11. Colt does not make any guarantee about the security of data travelling over its networks. While Colt takes every practical step to protect such data it remains the responsibility of the communicating parties to ensure the security and integrity of their data.

12. Colt accepts no responsibility for the security of user systems connected to the Colt network. Such security remains the responsibility of the user, unless there is a contract to provide such services.

7. Information / Data Security

1. Users shall be responsible for protecting the Colt information they handle.

2. Users shall ensure that Colt personal data are protected against unlawful or unauthorized access, accidental loss or destruction, damage, and unlawful or unauthorized use or disclosure.

3. Users shall follow all applicable regulatory and compliance requirements related to the protection of Colt personal data.

4. Users shall follow a retention policy for Colt personal data that is in line with the legal and regulatory requirements.

5. User shall contractually agree to protect the information to the same level that is required by Colt.

6. Users shall familiarize themselves with the following Colt Information Classifications:

  1. Highly Confidential: Information that is intended only for restricted internal Colt users, whose access, use and management must be based on significant business requirements and therefore attracts strict access control mechanisms.
  2. Confidential: Information that is intended for a restricted to broad set of internal Colt users, whose access, use and management must be based on significant business requirements and therefore attracts strict access control mechanisms.
  3. Internal: Information requiring low restriction on access, managed by internal and external users.
  4. Public: Information that is publicly available and does not require any restriction on its access or management.

7. Information classified as Highly Confidential and Confidential shall be shared or communicated with the user where there is a clear business need and with necessary approval from the information owner.

8. Users shall sign an NDA with Colt for access and management of the Highly Confidential and Confidential information.

9. Users having access to Highly Confidential and Confidential information shall ensure that the information is encrypted at rest and in transit.

10. Users shall be responsible for taking all necessary steps to prevent unauthorized parties from accessing Colt personal and classified information in any manner or for any purpose not authorized by Colt.

8. Access Control

1. Users shall ensure that Colt information is separated from other customers' information, either by using a dedicated physical server or, alternatively, by using logical access controls.

2. Users shall ensure that a secure authentication process, with unique IDs and secret authentication keys, is followed for the users requiring access to the systems which hold Colt information.

3. Users shall ensure that only a limited number of privileged users have access to systems holding Colt information.

4. Users shall identify the appropriate owners and require them to review and approve access to systems used to access, process or manage Colt information at least quarterly, in order to remove unauthorized access.

5. Users shall enforce the rule of least privilege to the user requiring access to the systems managing Colt information.

6. Users shall ensure required technical and process security measures are in place to protect Colt personal information from being copied, moved or stored onto local hard drives.

7. Users shall be provided access to Colt Information Systems based on the business requirements.

8. Users shall ensure that the Colt access control requirements are followed while accessing the Colt Information Systems.

9. Users having access to Colt Information Systems shall ensure that the password requirements defined by Colt are followed for their respective accounts.

10. Users providing Software as a Service shall ensure that the software meets the security requirements defined by Colt including the authentication requirements.

9. Vulnerability and Patch Management

1. User shall have a well-defined vulnerability and patch management process in place.

2. User shall take appropriate actions (e.g. scanning) on the systems managing Colt information to identify potential security vulnerabilities.

3. User shall monitor all applicable vendors for patch releases.

4. User shall ensure all applicable patches are deployed within the standard timelines below, which depend on the criticality rating of the vulnerability and the Colt business severity of the application:

  • Critical patches : CVSS rating 9.0-10.0
  • Important patches : CVSS rating 7.0-8.9
  • Other patches : CVSS rating below 7.0

  Application category                              Critical patches   Important patches   Other patches
  Internet facing                                   1 week             2 weeks             1 month
  Colt mission critical internal applications       1 month            45 days             90 days
  Colt business supporting internal applications    1 month            90 days             180 days

5. User shall test the vendor patches on a non-production environment to ensure there are no unintended outcomes.

10. Secure Monitoring

1. Users shall ensure that logs are maintained for the access and management of Colt information.

2. Users shall have the mechanism to monitor the logs to detect any malicious events impacting Colt Information Systems.

3. Users shall ensure that all logs are secured from unauthorized access and retained as per the legal and regulatory requirements.

4. Users shall have a defined security incident management process.

5. Users shall immediately inform Colt where they become aware of:

  • Any security breach has occurred in connection with the service;
  • Any fraud that has occurred in connection with the user, Colt equipment or the service; or
  • Any password issued by Colt to the user having become known to any unauthorized user.

6. Users shall ensure that any security breach affecting Colt personal information stored and managed at their end is reported to the relevant authority as per the regulatory requirements.

11. Risk Management and Service Continuity

1. User shall have a defined risk management process to assess and mitigate risks to the services provided to Colt.

2. User shall ensure that resiliency measures, including backup and recovery measures, contingency plans and disaster recovery plans, are in place to provide services at a level that meets the agreed SLA as per the contractual agreement.

3. User shall share the SLA report and information to Colt on a monthly basis.

4. User shall ensure security best practices are followed for all the projects and activities that are taken up as part of the contract with Colt.

5. User shall ensure that a proper mechanism is in place to monitor any security incident affecting the Colt Information Systems.

6. User shall have the duty to inform Colt immediately about any security incident which they become aware of and which could impact Colt Information Systems.

7. User shall ensure that any security breach affecting Colt personal information stored and managed at their end is reported to the relevant authority as per the regulatory requirements.

12. Information removal, destruction and retention

1. Upon termination of the contract, user shall physically destroy or securely delete all Colt information to the point that it cannot be read, deciphered or reconstructed, unless specifically authorized by the contractual agreement.

2. All Colt information on the user systems, storage media and paper documents, including electronically saved copies on copy-machines, printers and other technical equipment shall be destroyed.

3. User shall certify in writing to Colt that all information has been destroyed and securely deleted.

13. Use of Usenet News Facilities

1. User may have access through Colt Information Systems to search engines, subscription web services, chat areas, bulletin boards, web pages, Usenet, or other services that promulgate rules, guidelines or agreements to govern their use.

2. User shall adhere to any such rules, guidelines and agreements.

3. Users who post messages to Usenet newsgroups shall be responsible for becoming familiar with any written charter or FAQ governing use of such newsgroups and complying therewith.

4. Regardless of such policies,

  1. Usenet facilities shall be used only in accordance with relevant Usenet group rules.
  2. Binaries shall only be posted to binary Usenet groups.
  3. Commercial or advertising messages shall not be posted to multiple news groups.

14. Right to Audit

1. Colt reserves the right to audit the user and their subcontractors upon failure to provide assurance on the security practices followed.

2. Colt shall provide a written notice to the user prior to performing the audit.

3. The audit can include review of the user policies, processes, procedures, on-site assessment of the physical security controls, network, systems, data privacy and vulnerability assessment (in case of Software as a Service).

5. Policy Compliance Requirement

This standard shall take effect upon publication. It shall be reviewed at least once every two years to ensure relevance. Compliance shall be assessed periodically, and information requests may be made to relevant operating teams. If compliance is not feasible, an exception must be requested through the Security Policy Exception process.

6. Version History & Control

  Version   Date         Team                    Author / Approver                               Change description
  2.0       28.09.2020   Security & Resilience   Venkatesh Ravindran, VP Security & Resilience   Updated the format and included additional security domains
  3.0       28.06.2022   Security & Resilience   Venkatesh Ravindran, VP Security & Resilience   Updated the document as per new policy template
  3.1       24.07.2025   Security & Resilience   VP, Enterprise Security & Resilience            2 yearly review - removed reference to meeting recordings