— Uncontrolled printed Copy. For the latest revision, check UniSea YMS! — Yinson Production YMS-CO-0296 Approved: Revision 03 / 21.09.2023 Corporate governance and support functions • Support functions • IT IT Facility Procedure Table of contents: 1. Purpose 2. Scope 3. Responsibilities 4. Definitions and abbreviations 5. Email 6. Shared drives 7. Back up policy 8. Internet access policy 9. References Attachments ---- 1. Purpose The objective of the document is to describe the IT facilities on the units and general guidelines and policies in using the IT facilities on the units. 2. Scope This applies to all FPSO Units and base offices. 3. Responsibilities The IT Manager is responsible for the IT Policy and Procedures. This policy applies to all employees and contractors who use the company’s IT systems on work time. It applies no matter whether the network access takes place on company premises, while travelling for business or while working from home. 4. Definitions and abbreviations N/A 5. Email General Yinson Production makes e mail available to its employees where relevant and useful for their jobs. This email section describes the rules governing email use at the company. It also sets out how staff members are expected to behave when using email. Email guidelines Business email use Page 1 of 7 Yinson Production recognises that email is a key communication tool. It encourages its employees to use email whenever appropriate. For instance, staff members may use email to: Communicate with customers or suppliers Market the company’s products Distribute information to colleagues Personal use of email The company also recognises that email is an important tool in many people’s daily lives. As such, it allows employees to use their company email account for personal reasons, with the following stipulations: Personal email use should be of a reasonable level and restricted to non-work times, such as breaks and during lunch. All rules described in this policy apply equally to personal email use. For instance, inappropriate content is always inappropriate, no matter whether it is being sent or received for business or personal reasons. Personal email use must not affect the email service available to other users. For instance, sending exceptionally large files by email could slow access for other employees. Users may access their own personal email accounts at work, if they can do so via our internet connection. For instance, a staff member may check their Yahoo or Google Mail during their lunch break. Authorised users Only people who have been authorised to use email at Yinson Production may do so. Authorisation is usually provided by an employee’s line manager or the company IT department. It is typically granted when a new employee joins the company and is assigned their login details for the company IT systems. Unauthorised use of the company’s email system is prohibited. Employees who use company email without authorisation — or who provide access to unauthorised people — may have disciplinary action taken against them. Key Areas Email security Used inappropriately, email can be a source of security problems for the company. Users of the company email system must not: Open email attachments from unknown sources, in case they contain a virus, Trojan, spyware or other malware. Disable security or email scanning software. These tools are essential to protect the business from security problems. Send confidential company data via email. The IT department can advise on appropriate tools to use instead. Access another user’s company email account. If they require access to a specific message (for instance, while an employee is off sick), they should approach their line manager or the IT department. Staff members must always consider the security of the company’s systems and data when using email. If required, help and guidance is available from line managers and the company IT department. Users should note that email is not inherently secure. Most emails transmitted over the internet are sent in plain text. This means they are vulnerable to interception. Although such interceptions are rare, it’s best to regard email as an open communication system, not suitable for confidential messages and information. Inappropriate email content and use The company email system must not be used to send or store inappropriate content or materials. It is important employees understand that viewing or distributing inappropriate content via email is not acceptable under any circumstances. Users must not: Write or send emails that might be defamatory or incur liability for the company. Create or distribute any inappropriate content or material via email. Inappropriate content includes: pornography, racial or religious slurs, gender-specific comments, information encouraging criminal Page 2 of 7 skills or terrorism, or materials relating to cults, gambling and illegal drugs. This definition of inappropriate content or material also covers any text, images or other media that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law. Use email for any illegal or criminal activities. Send offensive or harassing emails to others. Send messages or material that could damage Yinson Production’s image or reputation. Any user who receives an email they consider to be inappropriate should report this to their line manager or supervisor. Copyright Yinson Production respects and operates within copyright laws. Users may not use company email to share any copyrighted software, media or materials owned by third parties, unless permitted by that third party. Employees must not use the company’s email system to perform any tasks that may involve breach of copyright law. Users should keep in mind that the copyright on letters, files and other documents attached to emails may be owned by the email sender, or by a third party. Forwarding such emails on to other people may breach this copyright. Contracts and liability Users must be careful about making commitments or agreeing to purchases via email. An email message may form a legally-binding contract between Yinson Production and the recipient — even if the user has not obtained proper authorisation within the company. All questions about email marketing should be directed to the marketing manager. Policy Enforcement Monitoring email use The company email system and software are provided for legitimate business use. The company therefore reserves the right to monitor employee use of email. Any such examinations or monitoring will only be carried out by authorised staff. Additionally, all emails sent or received through the company’s email system are part of official Yinson Production records. The company can be legally compelled to show that information to law enforcement agencies or other parties. Users should always ensure that the business information sent via email is accurate, appropriate, ethical, and legal. Potential sanctions Knowingly breaching this email use policy is a serious matter. Users who do so will be subject to disciplinary action. Employees, contractors and other users may also be held personally liable for violating this policy. Where appropriate, the company will involve the police or other law enforcement agencies in relation to breaches of this policy. 6. Shared drives Yinson Production provides a shared network drive to facilitate information sharing and collaboration among employees. This guideline outlines good practice for managing information on shared staff network drives, throughout the information lifecycle. The guideline aligns with the following principles information resources are managed as valuable assets information should be easy to find, access and use information is created, collected and organized in a manner that ensures its integrity, quality and security. Access to shared drives Yinson Production provides 2 mapped drive for all employees: U: drive. This drive is provided for the personal electronic working files. Page 3 of 7 W: drive. This drive is provided for all electronic working personal file. Access to some folders in W: drive are restricted and will need the Folder’s owner / Line manager approval. Requests to access the restricted folders in W: drive should be submitted to the IT department along with the line manager/folder owner’s approval Key Areas The following are general guidelines when using the shared folders: Do not store personal files (for e.g., pictures and music files) Do not store third party copyrighted files in the shared drives. Examples of copyright files are AutoCAD designs, media files and music files. Be mindful of the folder structure in the shared drive, and follow the convention in storing working files The maximum character length that a file name can accommodate is up to 256 characters. Any folder name that is longer than 256 character have a higher possibility of being corrupted. Policy Enforcement Knowingly breaching this use policy is a serious matter. Users who do so will be subject to disciplinary action. Employees, contractors and other users may also be held personally liable for violating this policy. Where appropriate, the company will involve the police or other law enforcement agencies in relation to breaches of this policy. 7. Back up policy Scope and Purpose The Purpose of the policy is as follows: To provide secure storage for data assets critical to the work of the business To prevent loss of data in the case of accidental deletion / corruption of data, system failure, or disaster To permit timely restoration of archived data in the event of a disaster or system failure. This applies to all the W: share drive and U: share located on all computers (both laptops and desktops) Back up policy are NOT meant for the following purposes: Personal data such as photos, videos, music, and non-Yinson Production e-mail accounts Programs (i.e., applications) of any type (personal or officially supported) Backup and Recovery policy Data The following resources are made available to backup critical files pertaining to official business: U: share drive W: share drive E-mail By default, each user has been given 50GB of e-mail storage space. E-mail is backed up by Veeam back up software. Backup Schedule and retention. The Veeam backup system is utilized to retain data for 4 weeks or 28 days. A combination of incremental and full backups is executed on the dataset. A full backup is performed every Friday with incremental backups thereafter. This creates a scenario where Yinson Production IT can restore a folder to a single point in time in the past up to a maximum of 30 days. Verification If configured properly, Veeam will perform a verification against a backup set after every job to protect against corrupted data. No other form of verification is scheduled or performed. Page 4 of 7 Data Restoration Emergency recovery: IT will make every attempt to recover data within a business day. However, in the event of a catastrophic event such as fire damage, services and data maybe unavailable for an extended period of time. Non-emergency recovery: These restorations will be performed on a time available basis, and will occur within the next five business days. Required information: Employees that needs files restored must contact a member of the IT department. The detail of the request should include information about the file creations date, the name of the file, the last time it was changed, and the date and time it was deleted. 8. Internet access policy General Yinson Production makes internet access available to its employees where relevant and useful for their jobs. This internet use policy describes the rules governing internet use at the company. It also sets out how staff members are expected to behave when using the internet. It serves to: Reduce the online security risks faced by Yinson Production Let employees know what they can and can’t do online Ensures employees do not view inappropriate content at work Helps the company satisfy its legal obligations regarding internet use Internet Guidelines Internet use is encouraged Yinson Production recognises that the internet is an integral part of doing business. It therefore encourages its employees to use of the internet whenever such use supports the company’s goals and objectives. For instance, staff members may use the internet to: Purchase office supplies Book business travel Identify potential suppliers or partners There are many valid reasons for using the internet at work and the company certainly allows its employees to explore and take advantage of the internet’s many advantages. Personal internet use The company also recognises that the internet is embedded in many people’s daily lives. As such, it allows employees to use the internet for personal reasons, with the following stipulations: Personal internet use should be of a reasonable level and restricted to non-work times, such as breaks and during lunch. All rules described in this policy apply equally to personal internet use. For instance, inappropriate content is always inappropriate, no matter whether it is being accessed for business or personal reasons. Personal internet use must not affect the internet service available to other people in the company. For instance, downloading large files could slow access for other employees. Authorised users Only people who have been authorised to use the internet at Yinson Production may do so. Authorisation is usually provided by an employee’s line manager or the company IT department. It is typically granted when a new employee joins the company and is assigned their login details for the company IT systems. Unauthorised use of the company’s internet connection is prohibited. Employees who use the internet without authorisation — or who provide access to unauthorised people — may have disciplinary action taken against them Key Areas Page 5 of 7 Internet security Used unwisely, the internet can be a source of security problems that can do significant damage to the company’s data and reputation. Users must not knowingly introduce any form of computer virus, Trojan, spyware or other malware into the company. Employees must not gain access to websites or systems for which they do not have authorisation, either within the business or outside it. Company data should only be uploaded to and shared via approved services. The IT department can advise on appropriate tools for sending and sharing large amounts of data. Employees must not steal, use, or disclose someone else’s login or password without authorisation. Staff members must always consider the security of the company’s systems and data when using the internet. If required, help and guidance is available from line managers and the company IT department. Inappropriate content and uses There are many sources of inappropriate content and materials available online. It is important for employees to understand that viewing or distributing inappropriate content is not acceptable under any circumstances. Users must not: Take part in any activities on the internet that could bring the company into disrepute. Create or transmit material that might be defamatory or incur liability for the company. View, download, create or distribute any inappropriate content or material. Inappropriate content includes: pornography, racial or religious slurs, gender-specific comments, information encouraging criminal skills or terrorism, or materials relating to cults, gambling and illegal drugs. This definition of inappropriate content or material also covers any text, images or other media that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law. Use the internet for any illegal or criminal activities. Send offensive or harassing material to others. Broadcast unsolicited personal views on social, political, religious or other non-business related matters. Send or post messages or material that could damage Yinson Production’s image or reputation Policy Enforcement Monitoring internet use Company IT and internet resources — including computers, smart phones and internet connections — are provided for legitimate business use. The company therefore reserves the right to monitor use of the internet, to examine systems and review the data stored in those systems. Any such examinations or monitoring will only be carried out by authorised staff. Additionally, all internet data written, sent or received through the company’s computer systems is part of official [company name] records. The company can be legally compelled to show that information to law enforcement agencies or other parties. Users should always ensure that the business information sent over or uploaded to the internet is accurate, appropriate, ethical, and legal. Potential sanctions Knowingly breaching this internet use policy is a serious matter. Users who do so will be subject to disciplinary action, up to and including termination of employment. Employees, contractors and other users may also be held personally liable for violating this policy. Where appropriate, the company will involve the police or other law enforcement agencies in relation to breaches of this policy. 9. Business Applications Page 6 of 7 Yinson Production makes use of applications to maintain operational efficiency for the operational processes. The following applications are available for offshore personnel: S/N Application Name Purpose 1 IFS (CMMS) Maintenance System 2 Microsoft Office 365 Office productivity software 3 Unisea Management System for Offshore Units 4 Seagull Computer Based Training System 5 IFS (Document Control) Document Management System Attachments N/A No references Exported by: DCS Technician OCTP/Yinson @ 2024-05-10T18:45:04.558Z Page 7 of 7