CCRC Information Security Policies Internal Use Only

Introduction
As a CCRC employee, you are obligated to comply with CCRC Information Security policies and
regulatory controls for the protection of Company and private information. As a CCRC employee,
you are the best means of protecting Company and private information, through both your adherence
to policy and your diligence in reporting information security infractions. This Information Security
Policy Awareness Summary is meant to provide you with the following:

1. Summary description of each Information Security policy, its guidelines, and associated
security standards.
2. The location of all published Information Security policies and standards.
3. Who to contact for further security advice and the proper channels for reporting
information security incidents.

CCRC requires your acknowledgement of this information prior to the provisioning of your network
access as a CCRC employee.

Information Security Policy Awareness Summary


This section provides a summary description of each Information Security policy, its guidelines,
and associated security standards. The policies are as follows:

Asset Identification and Classification Policy


This policy defines the objectives for establishing standards for the identification,
ownership, classification, and labeling of CCR’s information assets. All information
assets, whether generated internally or externally, must be categorized into one of the
information classifications defined in the Information Classification Standard. All
information classified as being Confidential Restricted, Confidential, and Internal Use
Only must be labeled or marked with the appropriate information classification
designation as detailed in the Information Labeling Standard.

Asset Management Policy


This policy defines the objectives for establishing specific standards for the management
of the networks, systems, and applications that store, process and transmit CCR’s
information assets. The Configuration Management Standard provides the specific
requirements for maintaining baseline protection standards for CCR network devices,
servers and desktops. All production systems and applications developed by the
Company or on behalf of the Company must adhere to the appropriate level of security
controls provided in the System Development Lifecycle Standard. All systems, networks
and applications used in the Company’s production environment must follow the specific
instructions for change control provided in the Change Control Standard.

Acceptable Use Policy


This policy defines the objectives for specific standards on appropriate business use of
CCR’s information assets. The Internet Acceptable Use Standard details the rules for
appropriate business use of the Internet. The Electronic Mail Acceptable Use Standard
provides requirements for appropriate business use of CCR’s email systems.
Requirements for appropriate business use of CCR’s hardware such as servers, laptops,
handhelds, BlackBerry devices, and PDAs are provided in the Hardware Acceptable Use
Standard.

Asset Protection Policy


This policy defines the objectives for specific standards to protect the confidentiality,
integrity, and availability of CCR’s information assets. The Access Control Standard
provides the rules for user accounts, passwords, and access / logon processes to CCR’s
applications and information systems. The Remote Access Standard is intended to help
mitigate the damage that unauthorized access over remote access connections could cause
to CCR. The Encryption Standard details the cryptographic controls which should be used to
protect sensitive information classified as Confidential and Confidential Restricted. The
requirements and user obligations for helping to prevent infections by computer viruses and
other types of malicious software are provided in the Malicious Software Protection Standard.

Security Awareness Policy


This policy details the objectives for CCR’s security awareness program and specific
standards for the education and communication of the policies, standards, guidelines,
and procedures relating to information security.

Threat Assessment & Monitoring Policy


This policy defines the objectives for establishing specific standards for the assessment
and ongoing monitoring of threats to CCR’s information assets. Identifying, prioritizing,
assessing, and monitoring threats is a central aspect of the information security risk
management program. The Incident Response Standard defines how formal plans for
responding to assessed information security intrusions and incidents must be developed
and exercised. The Threat Monitoring and Detection Standard details the requirements
for computers, networks, and data to be regularly monitored. This monitoring includes
real-time intrusion detection activities as well as periodic, more in-depth intrusion
detection and misuse analysis.

Vulnerability Assessment & Management Policy


This policy defines the objectives for the assessment and management of vulnerabilities
in CCR’s information systems environment. Vulnerability assessment activities are a
central element of CCR’s risk management approach and specific instructions for
assessing vulnerabilities are provided in the Vulnerability Assessment Standard. CCR
strives to eliminate or mitigate vulnerabilities, and vulnerability management activities will
be conducted in accordance with established risk management principles. Specific
instructions for managing vulnerabilities are provided in the Vulnerability Management Standard.

Contact Information
All published Information Security policies and standards are located on the MyCCR Intranet at
the following location:

MyCCR > BIS > Information Security Policies > Security Awareness

You may also email Security Governance/CCR.

You may obtain hard copies of the Information Security policies and standards by submitting a
request to:
Security Governance, Compliance, and Risk Management
CCR BIS
3200 Windy Hill Road, East Tower
Atlanta GA 30339

For further security advice and for reporting information security incidents, contact Security
Governance, Compliance, and Risk Management as follows:
Email Security Governance/CCR
Call 770-370-6940

Acknowledgement of Receipt of Information Security Policies

I acknowledge that I have been provided a copy of the Company's Information Security Policies. I
understand that as a part of my job, I am expected to know and follow these policies. I further
understand I have an affirmative obligation to promptly report any misconduct in violation of these
policies, including making reports to the Corporate Office, should misconduct not be fully
corrected by local / Business Unit management.

In addition, I understand that the Company policy prohibits any retaliation against those making
good faith complaints under these policies. I also understand that if I engage in conduct
prohibited by these policies, I will be subject to disciplinary action, up to and including discharge.

Print Name

Signature

Date

Note:
The Information Security Policies of the Company will be applied to all employees including those
who may not have signed the above acknowledgement of receipt.
