Acceptable Use Policy

Purpose

The Acceptable Use Policy establishes the requirements regarding the proper use of Tactical Arbitrage systems/data/resources to help maintain a positive work environment and help to reduce the potential of virus attacks, compromise of network systems and services, and potential legal issues. All Tactical Arbitrage employees, contractors, and suppliers are required to adhere to established requirements within this policy when using Tactical Arbitrage computer equipment and/or the Tactical Arbitrage network.

All aspects of this policy, including employee compliance, company rights (including monitoring), and enforcement, are to be performed in accordance with local laws and restrictions. In the event that specific sections, requirements, or company rights contained in this policy are determined to not be applicable or enforceable under local law, all other sections and requirements remain in place.

Statement

Tactical Arbitrage will implement and maintain comprehensive administrative, technical, and physical safeguards to protect all Sensitive Information in the company’s possession. This policy defines the requirement of every employee to ensure appropriate data protection safeguards are implemented in accordance with established standards and. Furthermore, adherence to the Acceptable Use Policy helps ensure that Tactical Arbitrage satisfies regulatory, contractual, and audit compliance requirements as they pertain to safeguarding Sensitive Information.

General Acceptable Use

All Information Technology resources and all information transmitted by, received from or stored in these systems, are the property of Tactical Arbitrage and, as such, are provided for official business. All access to these resources is governed by the Access Control Policy. All messages or information composed, sent, received or stored using the e-mail system, instant messaging tools, network, Internet, Intranet or any other company-provided or approved system or service are and shall remain the property of the company, including passwords. Unless specifically called for by law, none of the items mentioned herein shall be considered to be the private property of any employee and employees should not have an expectation of privacy for any messages or communications transmitted via company provided electronic resources. All aspects of this policy, including employee compliance, company rights, and enforcement, are to be performed in accordance with local laws and restrictions. In the event that specific sections, requirements, or company rights contained in this policy are determined to not be applicable or enforceable under local law, all other sections and requirements remain in place.

Notwithstanding the company’s right to retrieve and read any message or information on a wireless device (e.g. text messages), e-mail, Internet, Intranet or any other company provided or approved system or service, such messages or information should be treated as confidential by other employees and accessed only by the intended recipient. With the exception of those working in security, fraud, investigative, legal or human resources roles when they are acting in furtherance of their official duties, no employee is authorized to retrieve or read any messages or information that is not sent to them, nor should they attempt to gain access to another employee’s messages or information.

1. The use of personal devices to connect to Tactical Arbitrage Network resources, not directly associated with satisfying work obligations, is strictly prohibited.
2. Tactical Arbitrage staff are retained with the understanding that they supply their own computers or other related equipment as whose work requires access to these resources. Tactical Arbitrage may require certain safe configurations or monitoring, but each staff member provides all hardware required to perform their obligations for Tactical Arbitrage.
3. Tactical Arbitrage software is to be installed only on Tactical Arbitrage managed machines. Tactical Arbitrage may require isolated authentication, isolated virtual machines, VPN access and further isolation from the non Tactical Arbitrage on staff devices.
4. VPN access to the Tactical Arbitrage network may be required to restrict and control access to protected company resources.
5. Users are responsible for protecting Tactical Arbitrage IT Resources assigned to them or to which they have access (including, but not limited to, physical devices, user identities, and email messages).
6. Physical devices (i.e. laptops, cell phones, tablets, portable storage media, and other mobile devices) must be securely safeguarded when they are not in use.
7. Lost or stolen Tactical Arbitrage IT Resources must be reported immediately to the appropriate personnel.
8. Confidential or client data cannot be stored on portable devices and/or media unless:

• Specifically required to achieve a business purpose
• Authorized by Tactical Arbitrage office of Chief Information Security Officer
• Such storage is not in violation of regulatory or contractual obligations
• Appropriate controls are put into place to safeguard the data

9. Tactical Arbitrage confidential or client data must be encrypted if stored on portable devices in accordance with the Encryption Standard
10. Authentication information must not be documented and carried with any portable media. This includes being written or stored in any type of electronic form. This also includes saving passwords, scripting logins, or creating macros capable of automatically entering credentials.
11. Tactical Arbitrage IT Resources are to be used in a professional, ethical, and lawful manner at all times.
12. Tactical Arbitrage Employees are required to use approved Tactical Arbitrage communications applications for transmitting and storing company data. If a staff member needs to use a tool that is currently not permitted, they can submit an exception. Requests must be submitted as policy exceptions and will be reviewed appropriately. Review criteria will include:

• Valid business justification
• Benefit to the company
• Availability of more secure options
• Risk to the company

13. Use of client or regulatory body messaging services requires the approval of Information Security
14. Users of Tactical Arbitrage IT Resources should not have any expectation of privacy in connection with the use of these resources or with the transmission, receipt or storage of messages or information utilizing these resources.
15. Tactical Arbitrage reserves the right to monitor, review, audit, and/or disclose use of Tactical Arbitrage IT Resources or information transmitted to/from these resources in order to protect Tactical Arbitrage business objectives. Any such monitoring, review, audit and/or disclosure activities must be consistent with applicable legal/regulatory requirements.
16. Users are only permitted to access/utilize Tactical Arbitrage IT Resources to which they have been explicitly granted permission.
17. Users must never knowingly introduce security risks into the Tactical Arbitrage IT environment. This includes, but is not limited to: Changing the pre-established security configuration of an Tactical Arbitrage IT Resource
18. Installing an unauthorized wireless access point onto the corporate network regardless of the access point’s configuration

Compliant Use of Tactical Arbitrage Resources

Users are responsible for considering whether their use of a Tactical Arbitrage IT Resource is appropriate given this policy.

• If the appropriateness use of an Tactical Arbitrage IT Resource is unclear, the User must consult with their Management to establish whether the use is appropriate prior to using the Resource in that manner.
• Compliance with this policy is the responsibility of each staff member. Decision from the office of the CISO regarding permitted or disallowed use is absolute and not open to appeal.

Internet Usage

The company maintains and operates systems, tools, and processes which monitor and restrict internet traffic and the external websites that can be reached when connected to the corporate network. Additionally, these tools have the ability to monitor and restrict the internet activity performed on company provided equipment while off the corporate network.

This monitoring process actively reviews all internet traffic requests in real time and either approves or blocks access to the requested address. Users will receive a notification page if access to a website has been blocked.

Due to the dynamic nature of the internet and the constantly evolving threats to the company, the monitoring and filtering criteria used to determine if access to a website or category of sites is approved or blocked may be changed at any time by the company for any reason.

Some business groups or user roles may be granted different levels of access, or may request additional access based on proven business need.

Employees are not permitted to manipulate any monitoring or filtering software or install other software for the purposes of bypassing any monitoring or filtering tools.

All monitoring and filtering is to be performed within the boundaries of local law.

Regardless of the level of internet filtering that may be in place, employees are responsible for any internet activity conducted, including ensuring they do not visit websites or download files that could be considered questionable, violate company policy, or pose a risk to the company, even if access to the website was not blocked.

Convenience Internet Access

In certain locations, the company may choose to provide wireless internet access for the convenience of in temporary or permanent Tactical Arbitrage office locations. This internet access does not connect to the corporate network and is not provided for business purposes, but rather for the personal use of employees

while they are away from their work areas. Use of this internet access should be considered a privilege and all users are expected to exercise good judgment and abide by all relevant company policies and on-site guidance when utilizing this internet connectivity.

Social Networking

Access to social networking websites has been restricted. Employees are prohibited from accessing social networking websites for personal use on Tactical Arbitrage owned devices (laptops, desktops, tablets, and smart phones).

All other requests must be submitted as policy exceptions and will be reviewed appropriately.

Any employee access to these websites for personal use must only be done on employee owned devices and must not interfere with employee productivity or be in violation of any other policies.

Access to some professional networking sites has been allowed for some employees based on position and

level and all usage of those sites must be in compliance with other Tactical Arbitrage policies including (but not limited to) policies related to confidentiality, productivity, and security.

Suspected Misuse

Any individual who suspects incidents of misuse, fraud, loss, and/or theft should immediately report the activity to their supervisor, manager, or local Human Resources representative. Below is a partial list of improper usage examples which are in violation with this policy:

• Engaging in any activity in violation of local or applicable law
• Engaging in communications that are in violation of company policies, including but not limited to transmission of defamatory, obscene, malicious, offensive or harassing messages, or messages that disclose personal or confidential information without authorization and appropriate level of security.
• Conducting unauthorized business including but not limited to review, duplication, dissemination, removal, installation, damage or alteration of files, passwords, computer systems or programs, or other property of the Company, or improper use of information obtained by unauthorized means.
• Sending Company proprietary or confidential materials to anyone not entitled to know or possess them.
• Engaging in personal activities that incur additional costs to the company or interferes with an employee’s work performance and/or productivity
• Downloading, installing, distributing or using any software on company computers without the approval by management. Examples include but are not limited to:
• Software, documents and other information protected by copyright laws or licensing.
• Images and screensavers
• Video or audio files not business related (downloading and streaming) o Entertainment-related software or games
• Internet games (gambling, simulations, online-interaction, etc.)
• To view, transmit or download obscene or pornographic materials or materials that violate or encourage others to violate the law.
• Engaging in chat rooms or other forums to release the Company’s confidential or proprietary information, or to purport to represent the Company or its interests without express authorization.
• Manipulating any monitoring or filtering software or installing other software for the purposes of bypassing any monitoring or filtering tools.
• Utilizing another User’s username and password to gain access to an Tactical Arbitrage IT Resource.

Enforcement

Staff members found in policy violation may be subject to disciplinary action, up to and including termination.

All Tactical Arbitrage employees and subcontractors are required to adhere to established policies and standards. Violation of Tactical Arbitrage policies and standards may result in disciplinary action up to and including termination. Any suspected violation of a Tactical Arbitrage policy or standard should be reported to a supervisor, management representative, and Human Resource representative or to the Tactical Arbitrage office of Chief Information Security Officer [email protected]. If you are aware of, or suspect, a security incident you should immediately report the incident to Tactical Arbitrage Security Incident Response Team (INFOSEC) by e-mailing [email protected]. Tactical Arbitrage has a strict no retaliation policy and will not tolerate any kind of retaliation against anyone who, in good faith, reports a violation of Tactical Arbitrage policy or law.