
Borets Group

Requirements for Information Security


When Connecting Remote Automated Workstations
to Borets’ Corporate Data Transmission Network

Document Information:
1. Developed by Borets’ information security service on June 10, 2015
2. Revision 1.0

Introduction

These guidelines contain organizational and technical requirements for Information Security
relating to Borets’ protected assets when connecting remote automated workstations to the
Company’s corporate data transmission network.

Confidentiality

If these guidelines come into your possession by accident or by error, please delete them from all
storage media or network resources and immediately contact the Borets Information Security
Service.

Requirements

1. Scope and Application

1.1. These guidelines set out the requirements for Information Security for participants of
information exchanges when connecting remote automated workstations to the
Borets’ corporate network.

1.2. Borets and its structural units shall comply with these guidelines upon their adoption.

1.3. These guidelines are required to be used by Borets subsidiaries and affiliated
companies and can be recommended for use by other organizations connected to the
Borets corporate network.

2. Terms and Abbreviations

The following terms and abbreviations are used in these guidelines:

Access to Information Resources - familiarization with information and its processing
(copying, modification, or destruction).

Authentication - verification of the Identification presented by the access subject (authenticity
confirmation).

AW - automated workstation.

CDTN (corporate data transmission network) - an integration of the Company’s (and its units’)
information systems, computer, telecommunications and office equipment, connected to
a single computer data transmission network using a variety of physical and logical channels.

Company – Borets

Identification – an identifier assigned to access subjects and objects and (or) comparison of the
identifier presented with a list of assigned identifiers.

Information Resources - separate documents and document collections to be processed in the
INFOS.

Information Security (IS) - a set of organizational and technical measures to protect
information when collecting, processing, storing, delivering and distributing it.

Information System (INFOS) - an aggregation of software and hardware used to store, process
and transmit information to solve the Company’s business problems.

LAN - local area network.

Organization connected to the corporate network (OCCN) - a Company subsidiary or
affiliate or an independent organization that is connected to the CDTN for the purpose of
accessing the INFOS and resources of the Company.

3. General Provisions

These guidelines are designed to ensure the security of the Company’s information in terms of
requirements and regulations imposed when connecting remote AWs to the Company’s corporate
network.

The initial requirement to connect to the OCCN shall be the execution of a non-disclosure
agreement with the Company.

The following areas should be considered for purposes of ensuring Information Security in the
OCCN:

- Organizational aspects;
- Assets management;
- Personnel-related security;
- Physical security;
- Communications and works management;
- Access control;
- Acquisition, development and operation of INFOS;
- Information Security incidents management; and
- Compliance with the requirements stated herein.

The foregoing issues should be addressed in the OCCN by organizational and technical
measures.

Compliance with the requirements of these guidelines shall be controlled by the Company’s
information security service when auditing the OCCN.

4. Organizational Aspects

4.1. Information Security in the OCCN shall be organized and administered by the person
with overall responsibility for IS at the OCCN.

4.2. Taking into account the specific features for purposes of instituting protection in the
OCCN, the following actions shall be undertaken:

- determination of staff authorities in relation to the protected objects;
- administration and control of security tools and mechanisms; and
- monitoring how employees comply with Information Security requirements.

4.3. Built-in security mechanisms for processing, storage and information transmission
facilities, as well as additional security equipment, shall be administered by the staff
of responsible subdivisions.

4.4. The operation and configuration of security mechanisms, as well as compliance with
the requirements for Information Security, shall be monitored by the IS division
personnel of the OCCN or by its director.

4.5. IS administration in the OCCN shall be aimed at providing established rules for
access to the information infrastructure object and procedures for treating protected
information when processing, storing and transmitting it.

4.6. Employees who operate AWs connected to the CDTN shall be responsible for
preventing unauthorized access to protected information.

4.7. When arranging access for third-party organizations to the Company’s protected
Information Resources, the following IS measures shall be taken:

- determining the Information Security risks associated with providing access for
third party organizations to the protected Information Resources;
- forming an IS measures list based on INFOS risk assessment to ensure
Information Security in providing access for any third party to the protected
Information Resources and their implementation; and
- executing a non-disclosure agreement with the third-party organizations that are
being provided with access to confidential information.

5. Assets Management

5.1. The OCCN shall identify protected objects (AWs, removable media, etc.), determine
the degree of their confidentiality and classify and assign persons responsible for
their secure use.

5.2. Security measures in relation to the protected objects shall be developed on the basis
of the classification of the protected objects and the INFOS risk assessment carried
out.

6. Personnel-Related Security

6.1. In connection with employment, the OCCN must enter into a non-disclosure
agreement with each employee and preserve a copy of such agreement.

6.2. Employees of the OCCN who disclose protected information or who violate the
procedures for dealing with protected objects, as well as employees through whose
fault there was a loss or corruption of protected information, shall bear responsibility
pursuant to applicable law.

6.3. In case of a dismissal or modifications in the terms and conditions of an employee’s
employment in the OCCN, the OCCN shall exercise control over the return of any
hardware for processing, storing and transmitting information and terminate in a
timely manner the employee’s access to the protected objects.

6.4. The IS division shall remind discharged employees of their commitments to keep
protected information confidential and bring to their attention the term for
maintaining the confidentiality of data familiar to them.

6.5. In case of dismissal of an employee (or modification in the terms and conditions of
his or her employment), the employee’s right of Access to Information Resources
must be canceled immediately (or be adjusted in accordance with their new
employment conditions).

6.6. The personnel department of the OCCN shall promptly notify the company’s IS
division regarding any dismissed employees (or modifications in the terms and
conditions of their employment).

7. Physical Security

7.1. The OCCN shall establish access control to prevent uncontrolled access to its
protected areas, buildings and premises.

7.2. Hardware for information processing (AWs), storage and transmission of
information (removable media, communications equipment) shall be placed in
specialized areas with limited access for unauthorized persons.

7.3. When a third party is carrying out work in the protected areas of the OCCN, that
work must be supervised.

7.4. When using mobile AWs, measures must be taken for the prevention of loss or theft
of equipment or Authentication data.

8. Communications and Works Management

8.1. Before connecting to the information infrastructure of the CDTN all remote AWs
shall be checked for installed antivirus software and security updates for the
operating system.

8.2. The OCCN shall install protection against malicious software used by the Company.

8.3. Anti-virus software must be installed on all information processing means of the
OCCN exposed to viruses (in particular AWs and server hardware and software
platforms).

8.4. Anti-virus software shall also detect and protect against other forms of malicious
code, including spyware and adware.

8.5. Anti-virus mechanisms shall be current, actively running, and event logs shall be
maintained.

8.6. In order to ensure the recovery of Information Resources in the event of their loss or
corruption, the OCCN shall maintain backup files.

8.7. In order to ensure the smooth functioning of the information infrastructure, the
OCCN shall perform the backup of critical features for information processing,
storage and transmission.

8.8. Network security shall be achieved by protecting the CDTN, LAN and OCCN
network infrastructure.

8.9. Network access control shall include:

- CDTN (LAN) external information flows control;
- LAN internal information flows control; and
- LAN remote connection control.

8.10. If users connect to the protected objects remotely, the remote connection shall be
controlled, including the use of strong Authentication facilities and cryptographic
information protection facilities (virtual private networks).

8.11. Any disposal of unused media should be carried out only with the assured
destruction of all of the Company’s information contained on them.

8.12. The OCCN shall use only licensed software purchased officially.

8.13. All system components and software used in the OCCN shall have the most recent
security updates released by the manufacturer. Security updates must be installed
within one month after the manufacturer releases them.

8.14. When transmitting restricted access information outside controlled areas, including
the use of wireless networks, cryptographic information protection facilities must
be applied. Data transmitted in wireless networks must be encrypted using WPA2
technology, IPSEC VPN, or SSL/TLS.

8.15. Sending clear data containing protected information by e-mail is strictly prohibited.

8.16. To control the movement of protected information, it is prohibited to store and
process the protected data on any removable storage media, except for cases
stipulated by the processing technology.

8.17. When using mobile AWs, restricted access information processed on them must be
protected using cryptographic protection facilities.

9. Access Control

9.1. Users shall be vested with the minimum of access rights and privileges they need to
perform their tasks. Vesting of the users with access rights and privileges must be
based on a formal procedure for granting access rights established in the OCCN.

9.2. The users and administrators shall account for their actions in the corporate data
transmission network.

9.3. Users shall be responsible for complying with the regulations established by the
Company regarding the selection and use of their passwords.

9.4. Users shall not be permitted to work under a different person’s accounts or to provide
their passwords and pass Authentication facilities to other users. When leaving the
AWs, users should take measures to protect them from unauthorized access.

9.5. Users shall work in operating systems under accounts with limited privileges. Access
to the operating system must be provided to users only after passing Identification
and Authentication procedures.

9.6. Access to the applications and the Information Resources shall be provided to users
only after they pass Identification and Authentication procedures. If it is technically
possible, it is advisable to carry out a unified Authentication in the application
systems and operating systems.

10. Acquisition, Development and Operation of Information Systems

10.1. The OCCN shall undertake measures to ensure that information processing,
storage and transmission facilities are used only for their intended purpose.

10.2. Development, testing and software operation frameworks must be separated from
each other.

10.3. Confidential industrial data must not be used for testing and development.

10.4. Program codes for applications that are developed shall be examined for potential
vulnerabilities before transferring them in production mode, such as, in particular:

- Lack of input data validation;
- Bypassing the access control system (i.e., the possibility of using someone else's
accounts);
- Bypassing Authentication and session management (the ability to use someone
else's Authentication data and cookie);
- XSS-type attacks;
- Buffer overflow;
- Injections (e.g., SQL-injection);
- Incorrect error handling;
- Insecure data storage;
- Denial of service; and
- Unsecure configuration management.
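The first and sixth items of the list above (lack of input data validation and SQL injection) are the ones a pre-production code review most often finds together. The following is an added illustration for reviewers, not code from Borets or from these guidelines: a constructed in-memory SQLite table, a lookup written the way the review should reject (user input concatenated into the query text), and the hardened form that validates the input's shape and binds it as a parameter. The table contents, login format and function names are all assumptions made for the example.

```python
import re
import sqlite3

# Constructed sample data for the example (not real Company data).
SAMPLE_USERS = [("ivanov", "engineering"), ("petrova", "finance")]


def make_db():
    """Create an in-memory table of user logins and departments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (login TEXT, department TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, login):
    """The pattern a code review must flag: the caller-supplied value
    becomes part of the SQL text, so quote characters in it change the
    query's logic instead of being treated as data."""
    query = f"SELECT login, department FROM users WHERE login = '{login}'"
    return conn.execute(query).fetchall()


# Assumed login format for this example: lowercase letter first, then up to
# 31 characters of letters, digits, '_', '.' or '-'.
LOGIN_RE = re.compile(r"[a-z][a-z0-9_.-]{0,31}")


def lookup_hardened(conn, login):
    """Hardened form: reject anything that is not a well-formed login, then
    pass the value as a bound parameter so the driver keeps it as data."""
    if not LOGIN_RE.fullmatch(login):
        raise ValueError("login failed input validation")
    return conn.execute(
        "SELECT login, department FROM users WHERE login = ?", (login,)
    ).fetchall()


def review_demo():
    """Run both lookups on a normal login and on a malformed one and return
    the outcomes, so the difference between the two versions is visible."""
    conn = make_db()
    normal = "ivanov"
    malformed = "' OR '1'='1"   # quote character breaks the concatenated query
    results = {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_malformed": lookup_vulnerable(conn, malformed),
        "hardened_normal": lookup_hardened(conn, normal),
    }
    try:
        lookup_hardened(conn, malformed)
        results["hardened_malformed"] = "accepted"
    except ValueError:
        results["hardened_malformed"] = "rejected by validation"
    return results


if __name__ == "__main__":
    for name, value in review_demo().items():
        print(f"{name}: {value}")
```

The vulnerable lookup returns every row for the malformed input, which is exactly the "bypassing the access control system" outcome the list warns about; the hardened lookup rejects it before any SQL runs, and even an input that passed the pattern could not alter the query because it is bound rather than concatenated. Parameter binding is the control; the validation step is defence in depth and also gives the reviewer a single place to check what the application accepts.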

10.5. Change management procedures shall be developed and implemented, including:

- Documenting the impact of changes on the system;
- Coordinating the changes with persons responsible for operating the information
systems;
- Testing the industrial functionality; and
- Back-out procedures.

11. Information Security Incidents Management

11.1. The employees of the OCCN are obliged to report to the Company's information
security department any security breaches observed or suspected, as well any
vulnerabilities identified.

11.2. In order to respond to Information Security incidents, the OCCN shall register and
analyze them, as well as take necessary measures to eliminate their recurrence.

11.3. The OCCN shall appoint employees with appropriate qualifications who shall be
responsible for responding to Information Security incidents.

12. Compliance with the Requirements

12.1. The OCCN shall protect the restricted access information by establishing CT
mode and protecting the OCCN employees’ personal data.

12.2. Information infrastructure objects must include information protection facilities
certified in terms of Information Security requirements and approved.

12.3. The IS shall be controlled by carrying out scheduled (unscheduled) internal and
external inspections, as well as by monitoring, to be performed by Borets’
information security service.

13. Responsibilities of the Management and Employees of the Organization Connected to
the Corporate Network

13.1. The director of the OCCN shall:

- be responsible for Information Security in the OCCN;
- exercise regular control over compliance with the requirements contained in these
guidelines;
- allocate resources necessary to ensure Information Security; and
- organize Information Security awareness for employees.

13.2. The OCCN shall hold employees responsible for providing Information Security
for the protected objects they use.

13.3. The employees of the OCCN shall be obliged to fulfill the following general
requirements for Information Security:

- to comply with the requirements stated herein and of any other Information
Security-related documents of the Company and the OCCN;
- to use information processing hardware for official purposes only; and
- to report to the direct supervisor of the IS department of the OCCN on
Information Security incidents detected.

13.4. The employees of the OCCN are prohibited from violating the rules established to
ensure Information Security and hiding the occurrences of Information Security
incidents.

13.5. The employees of the OCCN who do not fulfill these requirements or the
requirements of any other Information Security-related documents of the Company
and of the OCCN shall be made accountable in the prescribed manner.
