EMEA Information Technology Code of Practice

August 2011

Date of Issue: March 2009

Version No. 2.0

Document Revisions
Document Version Revisions By Date

1.0

Susan Shyllon

2004

2.0

Theresa Murray

March 2009

2.1

Theresa Murray

May 2011

2.2

Theresa Murray

August 2011

Revision History

2.1 Updated to align with management of confidential information on removable/portable hardware.

2.2 Updated to include Social Media Guidelines.

Page 2 of 10

EMEA IT Code of Practice v. 2.2

Contents
1 2 3 4 5 6 7 8 9 Introduction................................................................................................................................................... 4 Information Security .................................................................................................................................... 5 IT Hardware ................................................................................................................................................... 5 Software......................................................................................................................................................... 6 Electronic mail and the Internet ................................................................................................................. 6 Use and Protection of Data......................................................................................................................... 8 Anti-Virus Protection ................................................................................................................................... 8 Sustainability ................................................................................................................................................ 9 User Acknowledgement ............................................................................................................................ 10

Page 3 of 10

EMEA IT Code of Practice v. 2.2

1 Introduction
This document details user responsibilities for maintaining the security, integrity and confidentiality of Jones Lang LaSalle IT systems (hardware, software and data). Telecoms e.g. (Mobile and Blackberry), voicemail, email, computers and the data/documents stored on them are and remain at all times Jones Lang LaSalle property. As such all voicemail, email messages or Internet messages and related data/documents created, sent and received are and remain Jones Lang LaSalle property. All business processes and software remain the intellectual property of Jones Lang LaSalle. Compliance with the policies and procedures detailed below is mandatory for all Jones Lang LaSalle Group employees in EMEA (including LaSalle Investment Management), and for contractors, subcontractors and anyone else who has access to our IT systems and data. Failure to comply with these policies could lead to the instigation of disciplinary measures, up to and including termination of employment or and/or legal action. User Accounts and access to IT systems
From the date of issue of this document, written agreement to comply with the policies contained

herein is required in advance of user account creation.

The sharing of user accounts or passwords is strictly prohibited and users will be held responsible for

all actions taken using their accounts. A user account will be provided to everyone who is required to have access to Jones Lang LaSalles IT systems, including temporary staff or authorised third parties.
Unauthorised access to complete systems, programs, files or messages is strictly prohibited. Unauthorised review, duplication, dissemination, removal, damage or alteration of files, passwords,

computer systems, programs, voicemail message or other company property is strictly prohibited, as is the use of information obtained by unauthorised means. You must:
Change your password from the default provided by the IT Helpdesk or local IT personnel the same

day as advised.
Select a secure password, which you change on a regular basis (at least every 3 months), even if

you arent prompted to do so.

Change your password immediately if it is believed that the password has been compromised. Use different passwords for each account, if multiple accounts are owned for any reason.

You must not:

Disclose your password to anyone, under any circumstances. Write passwords down and leave them where others could discover them.

Page 4 of 10

EMEA IT Code of Practice v. 2.2

2 Information Security
Users of the companys IT systems are expected to remain vigilant for possible fraudulent activity and any actual or suspected information security incidents or breaches must be reported immediately to your manager and to the IT Helpdesk or local IT personnel. A security incident or breach exists:
If sensitive, confidential, and/or private information is or is believed to be lost or disclosed to

unauthorised parties (including IT equipment containing data).

If unauthorised use of Jones Lang LaSalle information systems has taken place or is suspected. Whenever passwords or other system access control mechanisms are lost or are believed to be lost,

stolen or disclosed.
Unusual systems behaviour, such as missing files, frequent system crashes, misrouted messages,

or other similar activates occur or are suspected to have occurred.

3 IT Hardware
You are responsible for all IT and telecom equipment assigned to you, the company will be entitled to make a claim against you for any damage to or loss of IT equipment through your own carelessness. Do not:
Leave laptops visible and unattended when not in use (e.g. in parked cars, on public transport, or in

public places).
Leave your machine unattended when you are logged onto the companys systems, unless your

machine is locked (using Ctrl-Alt -Del).

Move or disconnect desktop computers without prior consultation with the IT Helpdesk or local IT

personnel.
Allow anyone not employed by or contracted to Jones Lang LaSalle to use any IT equipment

including telecoms assigned to you by the company.

Reassign any IT equipment including telecoms allocated to you to another user without prior

agreement with IT Procurement or Telecoms.

Connect IT hardware not issued or authorised by IT to the companys networks. Leave laptops visible and unattended for long periods of time including overnight. Laptops must be

kept out of sight in a secure location, this includes when at home or in the office.
Store sensitive employee / personal data on hard drives. Leave laptops unattended / unsecured while travelling.

Do:
Minimise the use of thumb drives or CDs/DVDs for confidential data. Erase data from portable devices such as memory sticks / thumb drives after intended use.

Page 5 of 10

EMEA IT Code of Practice v. 2.2

 Consider the use of password protection and encryption software for portable devices such as

memory sticks / thumb drives.

Log off / switch off PCs / laptops after use. Avoid working on confidential material in public places. Ensure no confidential information is left on / by printers. Manage confidential information as per policy No.39 of the Corporate Governance and Compliance

Policy Manual, which can be found on Jones Lang LaSalle Connect site: Policy 39 Lost, stolen or damaged equipment
Lost, stolen or damaged IT and telecoms equipment must be reported to your manager and to the IT

Helpdesk or local IT personnel. Loss due to theft should also be reported to the police and a crime number obtained so that a claim can be made against the companys insurance policy.
Loss of confidential or sensitive data must be reported immediately to your manager and to the IT

Helpdesk or local IT personnel.

4 Software
The use of unlicensed software constitutes a breach of the software suppliers copyright, and both the company and the individual responsible can be prosecuted where unlicensed software is discovered. Do not:
Load software from any source on to a Jones Lang LaSalle PC without prior authorisation from the IT

Helpdesk or local IT personnel. This includes software needed to fulfil a specific business requirement, clients software, and software downloaded from the Internet.
Remove software licensed to Jones Lang LaSalle from the companys premises, without the express

permission of the IT Helpdesk or local IT personnel.

Copy software licensed to Jones Lang LaSalle on to another PC (including home PCs), without prior

authorisation from the IT Helpdesk or local IT personnel.

Alter the settings on software provided by the company e.g. email software. Install or play computer games on the companys IT equipment.

5 Electronic mail and the Internet

Jones Lang LaSalle is ultimately responsible for all material transmitted via email and the Internet using company owned systems, and could be liable to prosecution for illegal, offensive or defamatory material contained in email messages or transmitted via the Internet. Thus, while Jones Lang LaSalle permits limited personal use of the companys Internet (for example accessing social networking sites) and electronic mail facilities, users are expected to act sensibly and Page 6 of 10 EMEA IT Code of Practice v. 2.2

responsibility and are advised not to send email messages, or access any Internet sites that they would not wish to be seen by other members of the company. Email and Internet Monitoring Users should be aware that:
Access to specific categories of Internet sites is blocked. Access to individual Internet sites blocked

under this policy will require approval by the Business Unit Head, IT Manager or IT Business Systems Manager (BSM).
Email traffic is monitored to ensure optimum delivery, and to protect our systems from viruses and

Trojans.
Individual email and Internet use is not normally monitored, however the company reserves the right

to monitor an individuals Internet and email use where such use is believed to: o Be detrimental to the users job responsibilities, o Risk compromising the companys reputation and business interests, or o Expose the individual, the company or its clients to prosecution for illegal activities.
Monitoring of an individuals account will only be carried out at the request of a Business Unit or

Country Head, and after approval by the regional Chief Information Officer. Email and Internet Use Policies Jones Lang LaSalles Internet and electronic mail facilities must never be used to access, download or distribute material of a pornographic, defamatory, derogatory, racist, sexist or otherwise discriminatory , illegal or offensive nature. Furthermore, Internet and electronic mail systems must never be used to solicit for non-job related commercial ventures, religious or political causes, or any other cause not related to the companys business. Do not:
Append your scanned signature to any document you send electronically. Launch emailed attachments if you do not usually correspond with the sender, if the subject header

or attachment name is vague or non-business related, or if the attachment has an unusual extension such as .exe, .vbs or .bat. If a message you receive falls into any of these categories, contact the IT Helpdesk or local IT personnel immediately for advice.
Use distribution list for non-business related communication. Send unsolicited email messages (junk mail or spam), or forward or propagate chain letters. Send virus warnings to other members of staff. Contact the IT Helpdesk or local IT personnel who

will verify its authenticity and take appropriate action.

Download or forward computer games or screen savers via the electronic mail system. Subscribe to any service, or commit the company to purchase any product or service, without prior

written appropriate level of authorisation.

Transmit copyrighted materials belonging to entities other than Jones Lang LaSalle on the Internet,

without actual or implicit consent.

Publish any information on the Internet, on behalf of Jones Lang LaSalle, without prior written

consent. Page 7 of 10 EMEA IT Code of Practice v. 2.2

Social Media Guidelines Even when you are communicating your personal opinion, if your audience can associate you with Jones Lang LaSalle, you are acting as a spokesperson for the company (whether you intend to or not). Guidelines have been issued for use of Social Media Internet Sites (Appendix A) and forms part of the Information Technology Use Policy (Corporate Governance Policy No 14). Policy No 14 can be found on the Jones Lang LaSalle Connect Technology EMEA site under Global Security Policies. For access to Appendix A Social Media Guidelines follow the link below. Appendix A - Social Media Guidelines

6 Use and Protection of Data

Data you are entrusted with must be kept safe from corruption or loss, or in the case of all clients and confidential information safe from disclosure. It is also your responsibility to ensure that only current, up-to-date versions of the data are retained, or appropriate change control records are maintained. Do not:
Save client or other confidential information, or any of the information which requires backing-up onto

your Desktop or to your C drive.

Leave your computer or terminal logged on to and unattended, unless your machine is locked (using

Ctrl-Alt -Del).
Have your screen visible to other people when working on confidential or classified material in public

places.
Alter or delete data owned by another user, without their prior knowledge and consent. Leave confidential material lying unattended at a printer, photocopier or fax machine.

Do:
Utilise password to protect documents containing confidential or business sensitive documentation.

Data Protection Legislation Be aware that legislation covering the retention and transfer of data in particular, personal data varies from country to country. In accordance with data protection requirements, personal data must not be unfairly obtained or used for a purpose other than that for which it was provided. Please see local country data protection and retention policies for further details.

7 Anti-Virus Protection
Page 8 of 10 EMEA IT Code of Practice v. 2.2

Do Not:
Personally install any new software on to a Jones Lang LaSalle computer. Contact the IT Helpdesk

or local IT personal for approval and installation of any new software

Download software or program files from the public domain (the Internet) onto Jones Lang LaSalle

machines, without prior authorisation from the IT Helpdesk or local IT personnel

Launch emailed attachments if you are not expecting the message, if you do not usually correspond

with the sender, if the attachment has an extension such as .exe, .vbs or .bat, of if the message header or attachment name if vague or non-business related. If you suspect that your machine is infected with a virus, report it to the IT Helpdesk or local IT personnel.

8 Sustainability
As part of Jones Lang LaSalle's Sustainability Policy you have a role in reducing the environmental impacts of our business operations.

Do:
Switch off IT equipment when not required for long periods of time, for example overnight. This

includes monitors and printers.

Consider the use of audio or video or internet conferencing, (Live Meeting), for meetings instead of

travel
Return equipment no longer used or required for distribution elsewhere, for example this includes

mobile telephones, Blackberrys, PDAs and laptops For further information concerning the above please contact the IT department via your local IT Helpdesk.

Page 9 of 10

EMEA IT Code of Practice v. 2.2

9 User Acknowledgement
I hereby confirm that I have read, understood and agree to the EMEA Information Technology Code of Practice. I realise that Jones Lang LaSalles security software records any Internet site that I visit and any network activity in which I transmit or receive any kind of file or message. I acknowledge that any email I send or receive will be recorded and stored in an archive file. I understand that compliance with the policies and procedure detailed above is mandatory for all Jones Lang LaSalle Group employees in EMEA (including LaSalle Investment Management), and for contractors, sub-contractors and anyone else who has access to their IT systems and failure to comply with these policies could lead to the instigation of disciplinary measures, up to and including termination of employment and/or legal action.

Signature: Date: Print Name: Position:

COPYRIGHT JONES LANG LASALLE IP, INC. 2011. This publication is the sole property of Jones Lang LaSalle IP, Inc. and must not be copied, reproduced or transmitted in any form or by any means, either in whole or in part, without the prior written consent of Jones Lang LaSalle IP, Inc. The information contained in this publication has been obtained from sources generally regarded to be reliable. However, no representation is made, or warranty given, in respect of the accuracy of this information. We would like to be informed of any inaccuracies so that we may correct them. Jones Lang LaSalle does not accept any liability in negligence or otherwise for any loss or damage suffered by any party resulting from reliance on this publication.

Page 10 of 10

EMEA IT Code of Practice v. 2.2