|
1.
|
Make sure you have all of the facts.
|
In order to reach the right solutions, you must be as fully informed as possible.
|
2.
|
Ask yourself what you are specifically being asked to do.
|
This analysis will enable you to focus on the specific issues that are raised and the available alternatives. Use your judgment and common sense. If something seems unethical or improper, it probably is.
|
3.
|
Clarify your responsibility and role.
|
In most situations, there is shared responsibility. Are your colleagues informed? It may help to get others involved and to discuss the problem.
|
4.
|
Discuss the problem with your supervisor.
|
This approach is best in most if not all situations. Your supervisor may be more knowledgeable about the issue and will appreciate being brought into the process. It is a supervisor’s responsibility to help you to solve problems.
|
5.
|
Seek help from Company resources.
|
In the rare instance in which it may not be appropriate to discuss an issue with your supervisor, or in which you feel uncomfortable approaching your supervisor, discuss the problem with the Company’s Corporate Secretary. If you prefer to write, address your concerns to the Company’s Corporate Secretary or the Chief Executive Officer.
|
6.
|
You may report ethical violations in confidence and without fear of retaliation.
|
If your situation requires that your identity be kept secret, the Company will protect your anonymity. The Company does not permit retaliation of any kind against Company Personnel for good faith reports of ethical violations. An officer or employee who retaliates against someone who has reported an ethical violation in good faith is subject to discipline up to and including termination of employment. These procedures are intended to encourage and enable Company Personnel and others to raise serious concerns within the Company rather than seeking resolution outside the Company.
|
7.
|
Ask first.
|
If you are unsure of the proper course of action, seek guidance before you act. If you do not feel comfortable discussing the matter with your supervisor, please call the Company’s Corporate Secretary or call the Compliance Hotline for anonymous reporting that will be directed to the Chairman of the Audit Committee or other appropriate persons. The Compliance Hotline is answered by an outside service provider and is available to all Company Personnel. If you require an interpreter, every reasonable effort will be made to provide you with one. We strive to ensure that all questions or concerns are handled fairly, discreetly and thoroughly.
|
1.
|
Act with honesty and integrity, including the ethical handling of actual or apparent conflicts of interest between personal and professional relationships. A "conflict of interest" exists when an individual's private interests interfere or conflict in any way (or even appear to interfere or conflict) with the interests of the Company.
|
2.
|
When disclosing information to constituents, provide them with information that is accurate, complete, objective, relevant, timely and understandable. Reports and documents that the Company files with the B.C. Securities Commission, the U.S. Securities and Exchange Commission or other regulatory authority, or releases to the public shall contain full, fair, accurate, timely and understandable information. The principal executive officer and principal financial officer shall review the annual and quarterly reports, certify and file them with the appropriate regulatory authorities.
|
3.
|
Comply with the laws, rules and regulations of Canadian and U.S. federal, state, provincial and local governments, and other appropriate private and public regulatory agencies including any stock exchanges upon which the Company’s securities are traded.
|
4.
|
Act in good faith, responsibly, with due care, competence and diligence, without misrepresenting material facts or allowing their independent judgment to be subordinated.
|
5.
|
Protect and respect the confidentiality of information acquired in the course of their work except when authorized or otherwise legally obligated to disclose. Confidential information acquired in the course of their work shall not be used for personal advantage.
|
6.
|
Achieve responsible use of and control over all assets and resources employed by or entrusted to them.
|
7.
|
Promptly report Code violations to the Company's Chairman of the Board and Audit Committee Chairman.
|
1.
|
Overview
|
The intention of this document is to provide a framework that offers an environment in which users can work together. The framework is designed to prevent security breaches and protect the company and users from illegal or damaging actions, whether intentional or unintentional.
|
There are countless threats that could damage the network. It is impossible to list all the actions that could pose a threat. Users of the network are required to exercise good judgment and act in good faith.
|
All the rules are based on best security practices and are implemented for a very good reason.
|
2.
|
Considerations
|
When defining an “Acceptable Use and Security Policy”, several factors need to be taken into account. The key questions that need to be asked in defining a framework are:
|
a.
|
What happens if the network security is breached?
|
b.
|
What are the financial implications?
|
c.
|
What are the public relations implications?
|
d.
|
What are the trust implications in the market place?
|
e.
|
Who is accountable should the network be breached?
|
f.
|
How does one determine who is responsible?
|
g.
|
How can a security policy be enforced?
|
h.
|
What type of work environment can users operate in?
|
Crosshair Exploration is a publicly listed company trading on Stock Exchanges in both Canada and the United States. A listed company has many statutory requirements to keep information confidential until it is officially made available to the broad public. An information leak could have serious consequences in the market place, including financial losses, unnecessary market turmoil and ill-founded rumours.
|
Crosshair Exploration is also a company that would like to create a work environment that is pleasant to work in, and which allows some flexibility to use the corporate technology infrastructure for necessary personal use.
|
To ensure that Crosshair Exploration meets its statutory requirements of keeping information confidential until it is officially made public, Crosshair Exploration has decided to enforce a high level of security.
|
3.
|
Scope
|
The scope of this document covers any device or piece of equipment that connects directly or indirectly to the Crosshair Exploration network. The devices include, but are not limited to:
|
·
|
Crosshair Exploration workstations
|
·
|
Crosshair Exploration servers
|
·
|
Crosshair Exploration network devices
|
·
|
User’s personal computers that directly or indirectly connect to the corporate network
|
·
|
Networking services provided both internally by Crosshair Exploration and externally by third party suppliers
|
This policy also applies to all users that connect directly or indirectly to the Crosshair Exploration network. The users include, but are not limited to:
|
·
|
Management
|
·
|
Employees
|
·
|
Partners and investors
|
·
|
Suppliers
|
·
|
Devices that use the network
|
4.
|
Terminology
|
For the purpose of this policy, the following convention will be used:
|
·
|
“Network” refers to the Crosshair Exploration network and any device that is directly or indirectly connected to it.
|
·
|
“Systems administrator” refers to the organization/person(s) who has been appointed by management to administer and manage the network.
|
·
|
“Users” refers to any user or device that is directly or indirectly connected to the network.
|
·
|
“Information” refers to, but is not limited to, any data, piece thereof, documents, programmes, software
|
5.
|
Enforcement
|
Those in violation of the standards set forth in this policy will be subject to disciplinary action up to and including dismissal.
|
6.
|
Policies
|
6.1
|
General policies
|
6.1.1
|
Responsibility: Users are responsible for all actions that they perform on the network or devices connected directly or indirectly to the network. Where a policy is not in place, users are required to request written permission from the systems administrator before performing any actions outside the scope of this document. In addition, users are required to exercise sound judgement and good faith when using and accessing the Crosshair Exploration network.
|
6.1.2
|
Use of the network: The network may only be used to the benefit of Crosshair Exploration. Any activities that do not benefit Crosshair Exploration are prohibited.
|
6.1.3
|
Netiquette: Users are required to exercise good netiquette, and use the network and Internet in a way that is responsible, considerate and fair to all concerned in order to preserve a positive company image. Examples include, but are not limited to: blogs, forums, newsgroups and email.
|
6.1.4
|
Personal use: Crosshair understands that there may be times when the network, internet and email resources may be needed and utilized for personal reasons. Crosshair expects that personal use is kept to a minimum and that employees utilize good and appropriate judgment at all times. All activities must conform to the acceptable use specified in this document. The user assumes all risks in the use of Crosshair Exploration’s network for personal use.
|
6.1.5
|
Illegal use: The network may not be used for any illegal or fraudulent activities, whether directly or indirectly.
|
6.1.6
|
Labour laws: The network may not be used for any activities which are in contravention of the labour laws including, but not limited to, sexual harassment laws and jurisdictional industry labour laws, etc.
|
6.1.7
|
Harassment: The network may not be used for harassment of any kind, whether using unprofessional language or high frequency communication.
|
6.1.8
|
Disrupting services: No process or activity may be performed that is intended to disrupt network services.
|
6.1.9
|
Permissions: No activity that changes the permissions on the network may be performed without the written consent of the security administrator.
|
6.2
|
Information and proprietary information policy
|
6.2.1
|
Ownership: All information on the network is the property of Crosshair Exploration.
|
6.2.2
|
Storage: Only information that is owned by Crosshair Exploration may be stored on the network.
|
6.2.3
|
Storage location: All information must be stored on the Crosshair Exploration servers. No information is to be stored locally on the workstations.
|
6.2.4
|
Deletion of information: No information that belongs to Crosshair Exploration may be deleted.
|
6.2.5
|
Copying and dissemination: No unauthorized information may be copied or distributed by any means including, but not limited to: digital copying, digitizing, photocopying, photography, showing/telling someone the information on the screen.
|
6.2.6
|
Software: Only software that is owned by Crosshair Exploration and has the appropriate active licenses may be installed and used. No personal software or licenses may be used on the network.
|
6.2.7
|
Exporting software: Exporting software, encryption algorithms, technology, and designs to countries that are restricted by export laws is illegal and prohibited.
|
6.2.8
|
Warranty statements: No warranty statements may be made without the written permission of management. Examples include, but are not limited to, stock price speculations and public information releases.
|
6.2.9
|
Providing information on the network: No information may be communicated or hinted upon in any way regarding:
|
·
|
Suppliers for hardware and software
|
·
|
Configuration
|
·
|
Installation and set up
|
·
|
Time frames, including release of new and updated network services
|
·
|
Service providers
|
·
|
Support and system administration staff
|
·
|
Contracts
|
·
|
Passwords
|
6.2.10
|
Communication of confidential information: No confidential information may be communicated to any party or organization without the use of a secure communication process that has been approved by the system administrator. Confidential information includes, but is not limited to, passwords, financial statements, pre-public information, pre-news releases, designs and engineering drawings.
|
6.2.11
|
Information transportation: Information may only be transported on removable media with the written authorization of management and using encryption tools authorized by the systems administrator.
|
6.2.12
|
Postings: When, as part of the job function, users post information onto newsgroups, forums, email lists and the like, they must include a disclaimer stating that it is strictly their own opinion and not that of Crosshair Exploration.
|
6.3
|
Device policies
|
Scope: Any device that connects to the network. Examples include, but are not limited to: workstations, servers and network devices.
|
6.3.1
|
Administrative control: Users may not remove or change the ability for system administrators to fully control and administer the device.
|
6.3.2
|
Disabling of services: No device service or application may be disabled that is designed to protect the network and administer the network without the written permission of the system administrator. Examples include, but are not limited to: Antivirus, firewall, and administrative control applications.
|
6.3.3
|
Communication: While using the network, no communication with any device, whether direct or indirect, may be performed without the written permission of the systems administrator. Examples include, but are not limited to: messaging programmes (e.g. MSN Messenger, Yahoo Messenger, Skype), web servers, FTP servers, iPods, USB drives, etc.
|
6.3.4
|
Software installation: No software may be installed without written permission from the systems administrator.
|
6.3.5
|
Running applications: No unauthorized application may be run on the network without written approval from the system administrator. This includes, but is not limited to: scripts, programmes, ActiveX controls, packages and executables of any kind.
|
6.3.6
|
Screen savers: A password protected screen saver must be activated within 5 minutes of leaving the device unattended.
|
6.3.7
|
Core services: All workstations must have the corporate antivirus scanner and corporate security software installed. In addition a root scan must be run before the machine can become active on the network.
|
6.3.8
|
Internet browsing: Only websites that are business related and are related to the business of Crosshair Exploration may be visited. Visiting websites with content such as, but not limited to, illegal content, pornographic content and racially slanted content is strictly prohibited.
|
6.4
|
Email communication policies
|
6.4.1
|
Email use: Corporate email may only be used for business purposes and for the benefit of Crosshair Exploration.
|
6.4.2
|
Language: Only professional business language may be used in correspondence.
|
6.4.3
|
Advertising: No advertising of any sort may be performed. This includes, but is not limited to: stock touting (even to the so-called “benefit” of Crosshair Exploration), selling or promoting goods and services, promoting persons, unsolicited email, communicating with someone that is legally not allowed to receive correspondence, etc.
|
6.4.4
|
Chain letters: The creation and/or forwarding of chain letters is prohibited. Examples include: chain letters, pyramid and Ponzi schemes, and jokes.
|
6.4.5
|
Spam: The creation of and/or response to spam email is strictly prohibited.
|
6.4.6
|
Stationery, fonts and signatures: Only the standard email stationery, fonts and signatures may be used.
|
6.4.7
|
Email address: Only the email address supplied by the system administrator to the user may be used to conduct Crosshair Exploration email communication.
|
6.4.8
|
Spoofing email addresses: No emails may be sent out through impersonation of another email address. This includes, but is not limited to, changing email headers and tampering with the email message.
|
6.4.9
|
Confidential information: No confidential information may be emailed. Confidential information includes, but is not limited to, passwords, financial statements, pre-public information, pre-news releases, designs and engineering drawings, drilling locations and customer information. (Email is not secure.)
|
6.4.10
|
Email client: Only the approved email client may be used. Currently this is Outlook 2007 and webmail.
|
6.4.11
|
Opening attachments: No executable attachment may be opened. Examples include, but are not limited to: files with executable extensions (exe, com, bat, cmd, vbs, pl), mdb, xla, and macro files embedded in Word, Excel and PowerPoint. All attachments must be saved first to disk to allow for examination by the user and antivirus.
|
6.4.12
|
Opening email from unknown senders: Extreme caution must be applied to opening email messages from unknown senders. If in doubt, please contact the systems administrator who will use the necessary precautions.
|
6.5
|
Privacy and monitoring
|
6.5.1
|
Access to information: The system administrator has access to all information. Particular discretion will be applied to aspects that are deemed private. Examples include, but are not limited to: salary, compensation packages, financial statements, pre-release public press releases, email, strategies, designs and anything that appears to be confidential.
|
All information on the corporate network is public only to employees. Management at their discretion have the right to monitor and/or make any of the information available to any user of choice.
|
6.5.2
|
Monitoring of networking activities: The system administrator monitors the network to get an advance warning of impending threats and to enhance the network for the benefit of all users. The following is a non-exhaustive list of services and information that may be monitored at any time:
|
·
|
Website browsing including Internet and Intranet
|
·
|
File Transfer Protocol activities (FTP)
|
·
|
Communication with internal and external devices
|
·
|
Services that are critical to the security of the network e.g. antivirus and security software
|
·
|
Monitoring of activities on a computer, including everything that a user sees on the screen
|
·
|
File access, creation and modification
|
·
|
Network services
|
·
|
Remote access connections
|
·
|
Messaging applications
|
·
|
Unauthorized use of the network, especially applications that either use unusual ports or unusual communication protocols on ports that are designed for other protocols or applications that are known offenders on the network.
|
·
|
File scanning
|
·
|
Applications installed on a device
|
·
|
Processes running on the device
|
·
|
The use of encryption or lack thereof
|
·
|
Sniffing for specific network traffic “keywords”
|
·
|
Changing permissions
|
·
|
Analysis of network traffic
|
6.6
|
Network policies
|
6.6.1
|
Malicious software: It is prohibited to introduce any malicious software onto the network. Examples include, but are not limited to, Trojans, viruses, malware and email bombs.
|
6.6.2
|
Hacking: Hacking into a network, whether internal or external to Crosshair Exploration’s network, is illegal and prohibited. Users may only access information that they have been assigned permission to access. Examples include, but are not limited to:
|
·
|
Circumventing authentication systems
|
·
|
Trying different user names and passwords to gain unauthorized access to systems or information, whether manually or using software, scripts and the like.
|
6.6.3
|
Prohibited networking activities: The following network activities are strictly prohibited on the network:
|
·
|
Network sniffing and monitoring
|
·
|
Port scanning
|
·
|
Flooding the network including, but not limited to, socket dumps, ping floods, multiple socket connects and disconnects and multiple hanging connects and protocol dumps not specified for a device
|
·
|
Any form of denial of service (DoS) attack
|
·
|
Packet spoofing
|
·
|
Spoofed routing
|
·
|
IP spoofing
|
·
|
Routing
|
·
|
Dual homing
|
·
|
Security scanning
|
·
|
Network service scanning
|
·
|
Any form of information spoofing
|
·
|
Any network activity that has a malicious intent
|
·
|
Intercepting any data that is not specifically intended for the user
|
6.6.4
|
File sharing: No peer-to-peer file sharing is allowed. This includes creating local shares on workstations to share files with other users. Using peer-to-peer software such as, but not limited to, Limewire and Kazaa, is prohibited.
|
6.6.5
|
Connecting equipment: No equipment may be connected to the network without the written permission of the system administrator. This includes, but is not limited to: computers, Blackberries and network enabled devices.
|
6.7
|
Password policies
|
6.7.1
|
Secrecy: Passwords must be kept secret at all times. Only the user who has authorized access may have the credentials to log in to authorized systems and devices. Passwords may not be shared with anyone; this includes any method whereby a password can be derived.
|
6.7.2
|
Storage of password: Passwords may not be noted anywhere. This includes, but is not limited to, notepads, books, documents, files, filenames, online and websites. Passwords must be remembered or stored in a software password safe authorized by the system administrator.
|
6.7.3
|
Responsibility: All actions from a specified user that damage or impact the network negatively are the responsibility of the specified user.
|
6.7.4
|
Password complexity: Passwords used on the network must conform to the following:
|
·
|
At least 8 characters long
|
·
|
Contains at least one upper case letter (A to Z)
|
·
|
Contains at least one lower case letter (a to z)
|
·
|
Contains at least one number (0 to 9)
|
6.7.5
|
Password content: The contents of a password must conform to the following:
|
·
|
May not be a password example used in this document
|
·
|
May not contain personal information such as names of users, family, pets, cities, countries, friends, telephone numbers and birthdates
|
·
|
May not contain the words God, password and username
|
·
|
May not be words in any language to prevent dictionary attacks
|
Strong password example: uTwe2f24Hr
|
Weak password example: DonalDuck1234
|
6.7.6
|
Password changes: Passwords must be changed every 45 days to a new password that has not been used in the last year.
|
6.7.7
|
Reusing passwords: The same passwords may not be used to access different sites.
|
6.8
|
Remote access policy
|
6.8.1
|
Secure tunnel: All access from users outside of the corporate network must go through a secure tunnel. The only authorized secure tunnel is the Crosshair Exploration VPN tunnel.
|
6.8.2
|
Information access: Crosshair Exploration may only be accessed via remote desktop. No information may be copied to the local machine. This does not include personnel required to travel.
|
6.8.3
|
Drive mapping: No drive of any sort may be mapped to the remote desktop connection.
|
6.8.4
|
Clearing temporary files: After the remote session is complete, all temporary files and unused space must be cleared using a secure delete program authorized by the system administrator.
|
6.8.5
|
Security: Devices connecting remotely must have an active and current antivirus and firewall that is approved by the systems administrator. The network that the remote device is connecting from must adhere to the same policies described in this document.
|
6.8.6
|
Dual homing: The device that is remotely connecting to Crosshair Exploration may not be connected to another network for dual homing and/or routing purposes.
|
6.9
|
Laptop users
|
6.9.1
|
Backup: Staff who have corporate data on their laptop are, in the absence of an automated backup process, responsible for backing up their data to the server on a weekly basis. The data includes, but is not limited to: corporate data and email.
|
Date:
|
Signature:
|
Name: