Third Party Confidentiality and WBEI System ... - Warner Bros. · Warner Bros.’ network resources...

1 Signed document per each user.

1. Read the form
2. Sign the form (Pages 2 and 6 of this PDF)
3. Scan the form and return to: [email protected]

This agreement must be completed for non-WBEI employees before their request(s) for access to Warner Bros.’ network resources or applications can be processed.

The required information at the top of the agreement (name, employer information, project, etc.) may be completed by either the non-employee receiving access or the person requesting access on his/her behalf.

The non-employee receiving access MUST sign and date the agreement and print his/her name legibly. Facsimile copies of the signed document are acceptable.

Instructions for completing the Third Party Confidentiality and WBEI System Access Agreement

Confidential

DM: # 2093 v.8 THIRD PARTY CONFIDENTIALITY AND WBEI SYSTEM ACCESS AGREEMENT Page 1 of 9 Rev. 3/31/11

THIRD PARTY CONFIDENTIALITY AND WBEI SYSTEM ACCESS AGREEMENT

First Name:
Last Name:
Nickname or abbreviated name, if used:
Employer (e.g. Production Co. or WB Business Partner):
Employer Address:
Project:
Phone No.:
Fax No.:
Effective Date:

This Third Party Confidentiality and WBEI Network Access Agreement (the “Agreement”), dated as of the Effective Date, is being entered into by Warner Bros. Entertainment Inc., a Delaware corporation located at 4000 Warner Blvd., Burbank, CA 91522 (“WBEI”), and the individual named above (“You” or “Your”), a non-WBEI employee providing services to WBEI, in connection with WBEI’s grant of access to WBEI’s computer systems and disclosure of certain Confidential Information (as defined below) to You. You and WBEI (each, a “Party” and collectively, the “Parties”) agree as follows:

1. Definition of Confidential Information.

a. “Confidential Information” means any and all proprietary or confidential information of WBEI that is (i) marked as confidential or proprietary, or (ii) reasonably understood to be confidential given the nature of the information and the circumstances of disclosure, including, but not limited to, intellectual property including without limitation, patents, copyrights, trade secrets and patent and copyright applications pending, any technical or non-technical designs, drawings, plans, formulae, techniques, algorithms, patterns, processes, compilations, methods, systems, new product or technology information, software programs, source code, software source documents, passwords, pass codes, security procedures, price lists, release schedules, manufacturing, development, or marketing techniques, business strategies and development plans, supplier information, all information pertaining to WBEI’s accounting, sales, transactions, finances, customers, suppliers, financial analysis, financial processes, financial reporting, personnel, human resources records, other business information which is not otherwise generally available and which WBEI regards as confidential and/or proprietary and third-party information held in confidence by WBEI and any other information of a similar nature to anything listed above, whether or not reduced to writing or other tangible form.

b. Confidential Information shall not include any information which (i) is or becomes publicly available by other than a breach hereof (including, without limitation, any information filed with any governmental agency and available to the public); (ii) is known to, or rightfully in the possession of, You at the time of disclosure without breach or violation of any confidentiality agreement; (iii) thereafter becomes known to or comes into possession of You from a third party that You reasonably believe is not under any obligation of confidentiality to WBEI and is lawfully in the possession of such information; (iv) is developed by You independently of any disclosures previously made by WBEI to You; or (v) is required to be disclosed by order, or the process, of a court of competent jurisdiction, administrative agency or governmental body, or by subpoena, summons or other legal process, or by law, rule or regulation, or by applicable regulatory or professional standards, provided that prior to such disclosure by You, WBEI is given reasonable advance notice of such order and a meaningful opportunity to object to such disclosure.

2. Nondisclosure Obligations.

a. You shall hold all Confidential Information in strict confidence and shall not disclose, disseminate or publish any Confidential Information to any third party or use any Confidential Information for any unauthorized purpose. Notwithstanding the foregoing, You may disclose the Confidential Information to such of Your Employer's directors, officers, employees, and representatives of its affiliates or agents, including, but not limited to, its auditors, legal advisors and financial advisors (collectively, the “Representatives”) with a need to know such information in order to further the purposes of the Project. You will advise such Representatives that the information is confidential and that by receiving such information such Representatives are agreeing to be bound by this Agreement and not to use such information for any purpose other than for working on the Project. The Confidential Information shall not be used for any purpose or in any manner that would constitute a violation of any laws or regulations, including without limitation, the export control laws of the United States.

b. You agree that You will not use any Confidential Information in any manner, other than solely in connection with the Project named above, for which You are being granted access to WBEI computer systems.

c. You will not reverse engineer, disassemble or decompile any prototypes, software or other tangible objects, which embody Confidential Information provided to, or accessible to You hereunder.

d. In the event that You become legally compelled (by deposition, interrogatory, request for documents, subpoena, civil investigative demand or similar process) to disclose Confidential Information, within three (3) business days of receipt of a subpoena or court order, You shall provide WBEI with written notice of such requirement so that WBEI may seek a protective order or other appropriate remedy and/or waive compliance with the terms of this Agreement.

3. Return of Confidential Information: Term of Agreement. Upon the conclusion of Your direct involvement in the Project, You promptly will return to WBEI all copies of the Confidential Information in Your possession, and You will destroy all copies of any analyses, compilations, studies, memoranda, notes or other documents prepared by You containing or reflecting any Confidential Information. Notwithstanding the return or destruction of the Confidential Information, You shall continue to be bound by the obligations of confidentiality hereunder for a period of three years from the Effective Date of this Agreement.

4. Network and Remote Access. From time to time during the Project, You may have a Project-related need to access WBEI’s computer systems, either directly or remotely. WBEI hereby agrees to provide You with reasonable and necessary access to WBEI’s computer systems directly or through WBEI’s secure VPN system, as applicable, for the limited purpose of providing services to WBEI in connection with the Project. All access shall be provided under WBEI's supervision and subject to the full compliance by You with Time Warner’s Information Technology Security Policy attached as Exhibit 1, WBEI’s Information Security and Privacy Policy attached as Exhibit 2, WBEI’s Information Classification Standard and Handling Guidelines attached as Exhibit 3, WBEI’s Online Social Media Policy attached as Exhibit 4, all of WBEI’s information security standards, criteria and guidelines which are otherwise available on WBEI’s corporate Intranet as such may be modified from time to time, and the terms of this Agreement. You hereby agree that You will not use the access granted hereunder to access any location on WBEI’s computer system or network other than the location(s) needed to perform the services that WBEI authorizes in connection with the Project. You further acknowledge and agree that access to WBEI’s computer systems hereunder is granted to You only and that You will not permit or assist others to gain access (remote or otherwise) to WBEI’s computer systems. This is not a grant of access to any company or individual other than You, whether or not such company or individual also requires access to WBEI’s computer systems in connection with the Project. WBEI has the right to monitor all of Your communications and transactions conducted using the WBEI computer systems or network, and You hereby acknowledge that You have no expectation of privacy regarding any such communications and transactions. Upon completion of Your role in the Project, or at such other time as a WBEI representative may request, You shall promptly return any access control devices (e.g., SecurID tokens) that have been issued to You to access the WBEI systems.

5. Injunctive Relief. You recognize that Your breach of the provisions of this Agreement may cause irreparable damage to WBEI. In such case, money damages may be inadequate to compensate WBEI, and WBEI shall be entitled to seek injunctive relief against such wrongful disclosure of Confidential Information or inappropriate access to or use of WBEI’s computer systems, applications or network, in addition to, and in no way a limitation of, any and all other remedies WBEI may have in law or in equity against You for enforcement of this Agreement.

6. No Announcement or Publicity. You will not issue public statements, press releases or other publicity relating to the Project or any of the terms, conditions or other facts with respect to the Project, including the status thereof or use the name or logos or trademarks or tradenames of WBEI, without the prior written consent of an appropriate officer of WBEI.

7. Ownership of Confidential Information and Other Materials. As between WBEI and You, all Confidential Information remains the property of WBEI, and no license or other rights to Confidential Information is granted to You or other parties or implied hereby other than to use the Confidential Information in connection with the Project. Unless otherwise set forth in a duly executed agreement between WBEI and Your Employer, WBEI shall have the right to use and modify all materials and information created for WBEI in connection with the Project as it desires in its sole discretion without Your consent.

8. Governing Law and Venue. This Agreement has been entered into for the benefit of the Parties, and any Party may institute appropriate proceedings against any other Party to enforce its rights hereunder. Each Party hereto irrevocably and unconditionally consents to submit to the exclusive jurisdiction of the courts of the State of California located in Los Angeles County for any actions, suits or proceedings arising out of or relating to this Agreement and the transactions contemplated hereby (and each Party agrees not to commence any action, suit or proceeding relating thereto except in such courts). Each Party hereby irrevocably and unconditionally waives any objection to the laying of the venue of any actions, suit or proceeding arising out of this Agreement or the transactions contemplated hereby, in the courts of the State of California located in Los Angeles County, and hereby further irrevocably and unconditionally waives and agrees not to plead or claim in any such court that any such action, suit or proceeding brought in any such court has been brought in an inconvenient forum. This Agreement will be governed by and construed in accordance with the internal laws of the State of California excluding only the California body of laws concerning conflicts of law.

9. Miscellaneous. This Agreement will be binding on and inure to the benefit of the Parties and their respective successors and assigns. You agree that service of any process, summons, notice or document by U.S. registered mail to Your Employer’s address set forth above shall be effective service of process for any action, suit or proceeding brought against You in any such court. In the event that any provision of this Agreement or the application of such provision shall be held by a court of competent jurisdiction, for any reason, to be invalid, illegal or unenforceable, then such invalidity, illegality or unenforceability shall not affect any other provision of this Agreement, and such provision shall extend to the maximum extent permissible in accordance with the Parties' intent. This Agreement contains the entire agreement between the Parties with respect to the subject matter hereof. This Agreement may not be amended, nor any obligation waived, except in writing signed by the Parties.

IN WITNESS WHEREOF, the Parties have executed this Agreement as of the Effective Date.

Requesting Warner Bros. department/business unit or non-Warner Bros. Company:

Signature of Non-Employee:

By:

Printed Name:

Printed Name:

Title:

Date:

Date:

PLEASE DO NOT WRITE BELOW THIS LINE

Warner Bros. Entertainment Inc.

By:

Printed Name:

Title:

Date:

Exhibit 1

Time Warner’s Information Technology Security Policy

See Page 11 of this PDF

Exhibit 2

WBEI’s Information Security and Privacy Policy

See Page 28 of this PDF

Exhibit 3

WBEI’s Information Classification Standard and Handling Guidelines

See Page 35 of this PDF

Exhibit 4

WBEI’s Online Social Media Policy

See Page 43 of this PDF

Exhibit 1

031210v7 Page 1

Information Technology Security Policy

Time Warner CIO Council Modified March 12, 2010

V7

Time Warner Information Technology Security Policy

Introduction

Time Warner (TW) has established this Information Technology Security Policy (the “Policy”) with the goals of protecting Sensitive Information from unauthorized access, destruction, use, modification, and disclosure, as well as avoiding interruptions to business activities and critical business Processes in the event of major failures or disasters. Information security is of critical importance to Time Warner. The Availability, Confidentiality and Integrity of the information processed and stored is essential to our competitive position, our cash flow, profits, compliance with law and public image.

The overall objective of information Technology security for our organization is protecting the interests of those relying on information and the Systems and communications that deliver information from harm resulting from failures of Availability, Confidentiality and Integrity. Meeting this objective requires that:

• The Systems that provide information are protected from attacks and can recover from failures so that information is available and useable when required.

• Information is available only to those who have a right to access it.

• Information is protected from unauthorized modification.

• Information exchanges between locations and with partners (including those supporting business transactions) can be trusted and are not subject to repudiation.

There is no single set of rules or procedures that will allow us to achieve these goals within all of the businesses that make up the Time Warner companies. Thus, this Policy includes a security Process to be followed in developing specific policies and standards and, in turn, Time Warner Division developed Operating Practices that implement those policies. This approach is designed to implement broad security goals across all of Time Warner while allowing each Division the ability to achieve those goals through Operating Practices they develop. The security Process is an ongoing cycle intended to confirm that our specific policies and Operating Practices are a commercially reasonable approach to meeting both our changing business needs and the information Technology security Threats we confront. Specific policies already developed by TW pursuant to the security Process (“TW policies”) are included in this document. Through the security Process, TW may modify these specific policies and develop additional specific policies. Divisions may, pursuant to the security Process, develop specific policies applicable only to that Division (provided that they do not conflict with TW corporate policies). The TW policies and Division specific policies will be addressed in Operating Practices, which are specific steps and Processes designed by the Divisions to implement the various policies. In sum, this information Technology security policy (the “Policy”) requires that Time Warner and each of the Divisions use the security Process to develop specific policies that are implemented through Division developed Operating Practices designed to achieve the overall policy goals of information Availability, Confidentiality and Integrity. Capitalized terms used in this Policy have the meanings set forth in Appendix A: Glossary.

Security Process

The security Process required by this Policy is based upon the cyclical approach to information Technology security described in ISO 27002:2005 and related standards. In summary, each cycle of the Process includes the following steps:

1. Define roles and responsibilities.

2. Identify Vulnerabilities and assess risks based on Policy 10.0 Risk Management.

3. Develop and/or adjust specific policies, standards, or Operating Practices (as applicable) to address targeted Vulnerabilities and risks.

4. Communicate the specific policies, standards and implement the Operating Practices.

5. Monitor and test Systems to check compliance with policies and standards.

6. This Process will be used by both TW and the Divisions on an ongoing basis. Various specific policies and Operating Practices may be at differing stages in the security Process at any given time, reflecting the fact that both business needs and information Technology security risks evolve at an unpredictable rate.

7. When Systems or Applications impact three or more TW Divisions, the CIO Council Three-Division Rule Process applies.

Policy

It is Time Warner policy to take appropriate, commercially-reasonable steps to provide for the Availability, Confidentiality and Integrity of TW Sensitive Information. The specific policies and Operating Practices that are implemented to achieve these goals will take into consideration:

• The sensitivity of the information

• The risks presented by failure to achieve the three primary information Technology security goals of Availability, Confidentiality and Integrity

• The probability and criticality of those risks

• Business requirements for use of the information

• The costs of proposed security measures

• Time Warner’s technical infrastructure, hardware, and software security capabilities

• The size, complexity, and capabilities of Time Warner and each Division

• The need to comply with applicable state and federal rules and regulations including those pertaining to security, privacy and other consumer protection laws, and disclosure practices

• Other factors identified through our security Process

The TW CIO Council and the TW CIO Council’s Information Technology Security Committee will be responsible for directing implementation of the Policy including development of specific policies and standards applicable to TW corporate and all Divisions. Each Division will establish an information Technology security team and/or appoint a security director as determined by Division management (the “Division Security Team” or “DST”). The DST will be directly responsible for implementing this Policy within its Division. This Policy is applicable to Time Warner corporate operations and all consolidated Divisions. In consultation with Division management, the DST may evaluate joint venture partners and similar entities conducting business with the Division and determine that such entities will be treated as consolidated Divisions for purposes of this Policy. Whether or not such determination is made, the TW policy entitled Third Party Access and Services, will apply to such entities. For purposes of this Policy, Time Warner corporate operations will be treated as a Division with responsibility for compliance to be designated by the Corporate Head of Administration and the Corporate CFO.

Reporting and Communication

The TW CIO Council will communicate with senior TW management as necessary to implement this Policy and should report to the TW CFO and TW Audit and Finance Committee on an annual basis concerning the overall status of the Information Technology Security Program, and compliance with this Policy. Security breaches, suspected security breaches, and other events that may require incident response should be reported on a timely basis and to the appropriate level of management based, in both cases, on the severity and extent of the incident in accordance with the TW policy entitled Incident Management Policy. Generally, matters should be escalated through Division management and through the Division security team to the TW CIO Council and to the TW Chief Security Officer. The TW CIO Council will promptly further escalate matters as appropriate. All such reports and communications may address issues such as: Risk Assessment; Risk Management and Control decisions; Service Provider arrangements; results of testing; security breaches or violations, and management's responses; and recommendations for changes in the Information Technology Security Program.

Amendments to This Policy

Suggestions for amendments or additions to this Policy (including the Division specific policies and Operating Practices adopted pursuant to this Policy) are welcome. Generally, suggestions should be directed to the Division security director or CIO, as determined by the Division. Matters that are of Division only concern generally will be addressed within the Division. Matters of broader concern may be considered by the TW CIO Council’s Security Committee and, where appropriate, changes to this Policy may be proposed and approved using the following Process.

1. The TW CIO Council’s Information Technology Security Committee will periodically assess potential changes or additions to this Policy pursuant to the security Process that is part of this Policy and, as appropriate, develop proposed amendments for consideration.

2. After review and appropriate revisions as necessary, the proposed amendment may be recommended for adoption by the TW CIO Council’s Information Technology Security Committee.

3. The TW CIO Council’s Information Technology Security Committee will then submit the proposed Policy amendment together with any applicable recommendations to the TW CIO Council.

4. The TW CIO Council will review the proposed amendment and consult with the Chairman of the Information Security Council and the Deputy General Counsel with responsibility for data security. To become effective, the proposed amendment must then be approved by the TW CIO Council with concurrence from Time Warner Legal.

Any Policy changes will have a revision date. The current Policy will be available on the Time Warner Intranet site.

Exceptions to This Policy

Exceptions to this policy must be approved using the TW Information Technology Security Policy Exception Process.

Time Warner Information Technology Security Policy

Specific Policies

Time Warner Information Technology Security Policy

Information Technology Security

Third-party Access and Services

Malware

Authentication and Authorization

Logging

Incident Management

Physical Security

Network Security

System Security

Information stored on systems will be protected in accordance with the TW Data Classification Standard.

Risk Management

Application Security

Information Backup

Disposal/Reuse of Computer Equipment

Information Technology Security

Policy: Each TW Division will implement policies, standards, and Operating Practices designed to protect TW information as required by law and otherwise in a manner commensurate with its level of business sensitivity and criticality.

Operating Practices:

1. Divisions will designate a DST. The DST is responsible for developing and maintaining (i) knowledge of the Division’s operations, (ii) experience with the Division’s IT operations, (iii) experience with information Technology security issues and (iv) communication with the Division’s legal department with respect to information Technology security.

2. The DST is charged with implementing the Policies in the Division. The DST will report to the Divisional CIO on its plans and the results of its efforts on an annual basis, and will follow the TW policy entitled Policy 6.0 Incident Management in reporting any security breach, suspected security breach, or other issue of which it becomes aware that could have a material impact on the Division or TW.

3. In implementing the Policy, the DST will:

a. Adopt Division-specific policies and standards, using the security Process.

b. Take steps to inform and train appropriate Division employees about the importance of information Technology security and the specific Operating Practices adopted by the Division.

c. Take steps to inform vendors and customers about the importance of information Technology security and the specific Operating Practices adopted by the Division.

Third-party Access and Services

Policy: TW information Systems hardware, software, media, or data accessed or serviced by Third Party entities (“Non-TW Entities”) and their personnel shall be approved in advance pursuant to a Division’s implemented Operating Practice. Divisions shall implement specific policies and Operating Practices designed so that the information and Technology Control requirements necessary for compliance with the TW policy are included in an approved legal agreement.

Practices:

1. The DST will develop a program to assess the risks presented by proposed Non-TW Entity access to identify:

a. The services to be performed and the criticality of data¹

b. The methods of access and level of diligence required to properly safeguard the data and other Division and TW Systems

c. The methods of data communication (and communication security) required to properly safeguard the information transferred

d. A business sponsor who is responsible for the relationship.

2. The program will identify the group or individual within the Division to complete the analysis and make a determination about the proposed access.

3. The CIO will review and confirm that access granted to third parties will be reviewed annually.

4. The CIO will take steps so that third parties comply with this Policy when providing services that are subject to this Policy.

5. Backup tapes containing TW Restricted data stored outside of the Services Provider’s managed facilities shall be encrypted.

Malware

Policy: Division systems shall employ mechanisms to address and remediate Malware.

Practices:

1. The DST will develop a strategy to address Malware that takes into account the risk of introduction to the individual system, the extent of interconnectivity (by Networks or otherwise) of the system to other Division systems, the nature of information stored on the system, the Availability of backups or other redundant sources for the systems, the impact on the Division of the un-Availability of the System, cost, and other factors identified by the DST.

2. The strategy will include identifying those systems upon which anti-Malware software and/or hardware will be installed. Where the strategy calls for anti-Malware software and/or hardware, it will include a Process for updates to such software and hardware. Only technologies approved by the DST shall be installed.

3. The strategy will include standards for operational security updates to systems according to risk.

4. The strategy will include a Process to determine that the required hardware/software is in place and functioning.

¹ The criticality of data should be considered within the framework of the TW Data Classification Standard or applicable division’s data classification standard.

Authentication and Authorization

Policy: Access to non-public TW Systems and Applications shall be protected by authentication mechanisms.

Practices:

1. Authentication shall be implemented to protect resources from unauthorized access. Access to Systems and Applications shall conform to the Principle of Least Privilege.

2. Workstations and wireless devices that are not in secured spaces accessible only by authorized personnel will be secured utilizing Applications that, after a period of inactivity not to exceed 30 minutes, require masking the screen and a password for further access.

3. Authentication credentials shall be protected, and logon requirements shall not be bypassed, disabled or otherwise defeated.

4. Controls shall be developed and implemented to mitigate and detect unauthorized modification, manipulation and access to systems and data.

5. Authentication credentials should be kept confidential and shall not be shared by multiple users, except as expressly permitted in this TW policy. Default accounts will not be used, unless required by the hardware/software vendor. Default passwords will not be used. Use of “Group IDs” will be limited to only those services and functions that must have a group ID and, where appropriate, will be combined with other security measures (limitations on physical access, Network isolation, other non-shared access credentials, and so on) as necessary to achieve security and audit capabilities.

Logging

Policy: TW systems will have appropriate logging enabled in accordance with business requirements.

Practices:

1. The DST will have a documented strategy for the use of tools and logs to support the monitoring, reporting and analysis of Security Events, and the retention of system logs.

2. The DST will annually confirm that the devices, tools and logs that support the monitoring, reporting and analysis of Security Events are operational.

Incident Management

Policy: Divisions will implement an Incident Management Program in response to IT Security Incidents.

Practices:

1. In accordance with the TW IT Security Incident Response Process, Divisions shall implement internal procedures to provide timely notification to Divisional IT Security, IT Management, Legal, Finance and Corporate Communications as appropriate. Division personnel will be informed and educated about how to promptly report Security Events to their supervisors. Supervisors shall promptly report Security Events to IT or other appropriate staff who will appropriately document the Security Event and will promptly report the Security Event to the Division DST or his/her designate. Security Events shall be documented and reviewed for potential preventative actions.

2. Divisional DST shall notify TW Legal and TW CSO of any suspected or confirmed Security Event that involves the personally identifiable information of TW employees and/or otherwise raises possible legal or regulatory concerns. Divisional DST should err on the side of notifying TW Legal and TW CSO.

3. The DST will be responsible for Division response unless and until determined otherwise by the TW IT Security Committee, TW CIO Council, TW Legal, TW CSO or senior management.

4. Divisions will develop procedures sufficient to permit them to respond 24x7x365 to a Security Incident.

Physical Security

Policy: Designated IT facilities shall be protected with physical security measures to prevent unauthorized access.

Practices:

1. Divisions will implement commercially reasonable steps to control physical access.

2. Divisions shall implement procedures to control, deactivate and/or validate authorized person’s access to facilities.

3. Incidents involving theft, loss, or damage of information systems hardware, software, media, or data shall be reported to appropriate personnel and also assessed under the Incident Management TW Policy.

Network Security

Policy: Time Warner Networks shall employ technologies and Processes to protect information Assets commensurate with business requirements.

Practices:

1. Networks shall be controlled to prevent unauthorized access. Boundaries between public and private Networks shall be monitored for security.

2. Processes for administration, change management, and access Control shall be developed and maintained.

3. Boundaries between public and private Networks shall be assessed annually. Network device administration shall be configured around the Principle of Least Privilege.

System Security

Policy: Time Warner shall take commercially reasonable steps to implement Controls over the configuration and operations of systems.

Practices:

1. Divisions shall implement a Change Management Process within their overall life cycle management methodology.

2. DSTs will have a documented System Security Patch Management Process.

3. A System IT Security Standard shall be developed and implemented. Remote wipe capabilities shall be implemented on PDAs, where Technology allows.

4. Information stored on systems will be protected in accordance with the TW Data Classification Standard.

Risk Management

Policy: TW information and IT risks shall be managed with Controls in accordance with business and legal requirements.

Practices:

1. Pursuant to the security Process, and as part of a lifecycle methodology, security Risk Assessments shall be performed on Application(s), database(s), Network(s) and system(s).

2. Security Risk Assessments shall include the following:
   a. Identification of risk.
   b. Identification of Threats and Vulnerabilities.
   c. Identification of compensating Controls and safeguards.
   d. Assessments of potential impact of event relative to security (Confidentiality, Integrity, and Availability, for example).
   e. Assessment of disaster recovery requirements.
   f. Assessment of backup and recovery requirements.

Application Security

Policy: Time Warner shall ensure security Controls over the life cycle of Applications and databases, including those that are developed internally or externally, or purchased.

Practices:

1. Security requirements shall be identified prior to the implementation, development or acquisition of Applications.

2. Access to source code and data shall be limited to authorized users.

3. The DST shall have a documented Application Security Patch Management Process.

4. The Software Development Lifecycle shall include IT Security requirements.

Information Backup

Policy: Backup copies of essential business information and software shall be created so that all essential business information and software can be recovered following a disaster or System failure.

Practices:

1. Divisions shall implement offsite backup and information recovery procedures that support business and regulatory requirements.

2. Divisions shall encrypt data backups to removable media that are transported from TW and/or stored outside of TW managed facilities.

3. Divisions shall implement physical controls to protect backups of restricted data to removable media that are stored in TW managed facilities.

Disposal/Reuse of Computer Equipment

Policy: TW electronic information stored on Technology devices must be purged before that device is reused, disposed of, or when access is no longer authorized.

Practices:

1. Remote wipe capabilities shall be implemented where Technology allows.

2. The purging of data shall be performed such that data on the Asset cannot be recovered by individuals and/or commercially available Technology.

3. The Disposal and reuse Process must be documented.

APPENDIX A

GLOSSARY

Term: Explanation

Application: A program that gives a computer instructions or interacts with information.

Asset: Anything that has value to the organization.

Availability: The property of being accessible and usable upon demand by an authorized entity.

Control: An adopted countermeasure taken to address a Vulnerability within a System or Process.

Confidentiality: The property that information is not made available or disclosed to unauthorized individuals, entities, or Processes.

Division: Means any entity that is a consolidated division of Time Warner Inc.

Disposal: Disposition of information, hardware, or software. Activities may include moving, archiving, discarding, or destroying information and sanitizing the hardware and software.

DST: Means the Division security director or team that is responsible for implementing the Policy within its own Division.

Information Technology Security Program: The combination of people, Processes, and Technology that support information Technology security initiatives throughout the organization.

Integrity: The property of safeguarding the accuracy and completeness of Assets.

ISO: Means the International Organization of Standardization. The ISO has issued international standards and a code of practice for information Technology security management, including ISO/IEC 27001.

Malware: Means any virus, worm, spyware, keystroke loggers, Trojan horse or other invasive or harmful instruction, program or code, or any self-propagating instruction, program or code.

Network: A network is a group of interconnected computers. Networks may be classified according to a wide variety of characteristics.

Non-TW Entities: Means any entities that are not subject to all the provisions of the Policy.

Operating Practices: Means the written procedures developed by Divisions in order to implement the Policy.

Policy: Means the Time Warner Information Technology Security Policy, which includes this document (including the TW policies) and the Division specific policies as well as the Operating Practices adopted pursuant to the Security Process to implement both the TW policies and Division specific policies. The Policy does not include materials that are developed for training or other communications purpose.

Principle of Least Privilege: Means that every program and every user of the System should operate using the least set of access to information necessary to complete the job.

Process: A series of actions or steps taken in order to accomplish an Information Technology security task(s).

Risk Assessment: Overall Process of risk analysis and risk evaluation.

Risk Management: Coordinated activities to direct and control an organization with regard to risk.

Security Event: An identified occurrence of a System, service or Network state indicating a possible breach of information Technology security policy or failure of safeguards, or a previously unknown situation that may be security.

Security Incident: Indicated by a single or a series of unwanted or unexpected information Technology Security Events that have a significant probability of compromising business operations and threatening information Technology security.

Sensitive Information: Includes company confidential information, as well as information pertaining to customers, consumers, employees or others contained in electronic form.

Service Provider: Means any Third Party that is providing contract services for Time Warner or any of its Divisions.

Specific policies: Means both the specific TW policies and the specific security policies that are developed by the Divisions pursuant to this document.

System: This refers to all hardware, software, Networks, applications, peripheral equipment, (i.e., all Technology resources) that comprises a computer environment.

Technology: Any equipment or interconnected System or subsystem of equipment, that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term information Technology includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

Third Party: That person or body that is recognized as being independent of the parties involved, as concerns the issue in question.

Threat: A potential cause of an unwanted incident, which may result in harm to a System or organization.

Three Division Rule: TW CIO Council process for Enterprise-wide IT Projects when three or more Divisions are impacted by the scope of the project.

Time Warner or TW: Means Time Warner Inc.

TW CIO Council: The TW CIO Council includes the CIO of each of the major Divisions of Time Warner.

TW Information Technology Security Committee: Means the sub committee of the TW CIO Council which is responsible for directing implementation of the Policy and reporting to the TW CIO Council.

TW Policies: Means the specific policies developed by Time Warner which have been attached to this document and made part of the Policy. TW policies apply to all Divisions of TW.

Vulnerability: A weakness of an Asset or group of Assets that can be exploited by one or more Threats.

Exhibit 2

Exhibit 3

Exhibit 4

Warner Bros. Entertainment Group of Companies Online Social Media Policy

As a leading media and entertainment company, Warner Bros. and our employees are embracing social media and other new and emerging means of online communication. This policy has been developed to empower our employees to participate in this new frontier of marketing and communications, represent our Company well, and share the passion we feel for our brands. We recognize the vital importance of online social communities and this policy reflects our commitment to the best possible use of social media.

Be smart—approach the online worlds in the same way we do the physical one—by using sound judgment, common sense, and by following Company policies.

This policy is divided into two key sections: First up in Section A are the rules and guidelines concerning social media use generally. This is followed by Section B, which covers social media for business purposes.

If you have any questions or need assistance, contact your HR representative, the Compliance Office, or the Company’s Helpline at (818) 954-3453.

A. General Social Media Use

The following applies to all employees, whether you are using social media for personal use or for company-related use:

1. Know and understand Company policies—Follow the Standards of Business Conduct (SBC) and other relevant Company policies (including policies in the Employee Handbook) at all times. You can find these policies in the Employee Handbook posted on Employee Connection.

2. Remember that the Internet is permanent—Once information is published online, it is essentially part of a permanent record, even if you “remove/delete” it later or attempt to make it anonymous.

3. Beware what you share—Do not post information about the Company that you would not otherwise be permitted to share, including:

• Confidential, non-public company information, including non-public financial information, business plans and legal strategy;

• Material protected by copyright and trademarks (unless you have permission and cite to the source);

• Trade secrets or other proprietary information owned by Time Warner Inc. or one of its divisions;

• Predictions about business strategies;

• Company audio/visual content not yet available to the public;

• Confidential information about our customers, competitors, business partners or vendors, employees, or information protected by confidentiality agreements or non-disclosure agreements; and

• Other information about meetings or activities involving the Company or its representatives that may be damaging if made public. For example, we have many recognizable and high-profile business people and talent who work for and with the Company. An innocent post about those individuals could have negative consequences and could impact our ability to do business with them.

4. Use good judgment and be truthful—You are responsible for what you post. You should assume anything you post will be public and permanent, regardless of “privacy settings” or other limits you may try to place on your posting. Remember, anything you post can be saved, forwarded and/or copied. Posting a joke, prank, or phony video may have unintended consequences. If you are about to post something that makes you even the slightest bit uncomfortable or you think you may regret it later, consider whether to post it at all. Also, remember that the Company may have to produce (i.e., provide or share) these communications in legal proceedings.

5. Networking—The Company recognizes that employees may want to use professional networking sites (e.g., LinkedIn). For such sites, you may identify yourself as a Company employee, but if you do:

• Ensure your posts comply with the Company’s policies, in particular, the Company’s Verification of Employment Policy. For example, “recommendations” of current or former coworkers on LinkedIn would be prohibited by the Verification of Employment policy;

• For networking within the Company, consider using Company platforms (such as Business Resource Groups) instead of external sites. Keep in mind that our Standards of Business Conduct and Company policies apply to communications on internal networking sites as well; and,

• You are not required to accept “friend requests” from work colleagues (including team members, supervisors, and direct reports). If you include work colleagues in your social network, be thoughtful about these decisions, since the personal information you share can impact perceptions of you in the workplace. Also be mindful that Company policies may require management to take disciplinary or other action based on personal information shared in the workplace that has been brought to its attention.

6. Be conscious when mixing your business and personal lives – If your posts are personal:

• Because social networking sites may incorporate both personal and business aspects of your life, use good judgment when posting. You should use your personal contact information, not your Company contact information or your Company email address (the exception is for professional networking sites). (See item B.6 below);

• If you choose to identify yourself as an employee of the Company on your personal accounts or blogs, ensure that your profile and content are presented in a manner that is consistent with how you want to be perceived by your colleagues and clients;

• If you are conducting personal online activity during work hours or using Company assets, such use should be limited, lawful, and must not interfere with your job responsibilities; and

• Take great care before posting comments, pictures or videos about work if the posting is not of an entirely personal nature, and always obtain prior permission from your supervisor before doing so. (Think about the potential impact of any posts on co-workers, family, household members or friends that may be featured in the comments, videos, pictures or other communication before posting.)

7. Protect Privacy—Remember:

• We are privileged to work alongside some of the most respected and recognizable individuals in media and entertainment, many of whom are subject to high levels of public scrutiny. The Studio Lot and our offices are their workplaces, and they must be free to concentrate on their work without having their privacy or solitude compromised. Do not reference personal encounters with creative talent that occur on or around the Studio Lot or our offices, without first checking with your supervisor.

8. Be responsible—You must remember that customers, colleagues and supervisors often have access to the online content you post. In particular:

• Do not post comments about the Company, co-workers, business partners or competitors that may be considered disparaging, defamatory, libelous, discriminatory, harassing, or that infringe on their intellectual property rights. Think of posting a comment the same as saying something face-to-face and use the same discretion.

• Managers and executives should take special care when using social media sites, as comments and postings made by you are more likely to be attributed to the Company. In addition to the guidelines above, it is also suggested that you:

− Use official company channels for official Company communications.

− Assume that any co-workers who are in your social network are able to, and will likely, read anything you post.

− As noted in A.5, be careful about providing recommendations for individuals that could be interpreted as endorsements of their work for Warner Bros. See the Company’s Verification of Employment Policy. The Employment Verification Policy is in the Employee Handbook, which is posted on Employee Connection.

− Consult with your HR Representative before using social media sites for any employment-related actions.

9. When in doubt, don’t post—If you find yourself wondering whether you should post something—don’t. Follow this social media golden rule to help protect yourself and Warner Bros.

B. Social Media Use For Business Purposes

When using social media for work, you should do so consistent with your professional obligations to the Company. In addition to the general guidelines in Section A, follow these additional guidelines:

1. Company approval—If you plan to use social media for a work-related purpose (e.g., company recruiting or marketing):

• Ensure you have obtained prior approval from authorized Company personnel and,

• Only cite or reference the Company’s clients, partners or suppliers if you have express permission from them to do so.

2. Follow the Legal Rules of the Road—Before using a social networking site for an approved, work-related project:

• You must read, understand, and comply with the hosting site’s terms of use or service (i.e., read the fine print). For example, if you upload content to certain third party sites, you may be unintentionally granting rights to that content to that third party.

• If the social networking site requires downloading software, make sure to follow the Company’s Information Security and Privacy policy. You must also read and understand the site’s end-user license agreement and refer any questions to the legal department.

• Observe all applicable laws, regulations, and rules, including federal regulations on the use of endorsements and testimonials in advertising and relevant industry ethical codes of practice.

• Your business unit may have additional guidelines on social media use that relate specifically to your business activities. You should be aware of and follow those guidelines in addition to these guidelines.

3. You are responsible—When engaged in an online dialogue about issues impacting Warner Bros. or the media and entertainment industry, demonstrate proper respect for your audience and yourself. In particular:

• Do not engage in any conduct that would otherwise be unacceptable in the workplace. Employees who access social media on non-working time with their personal computer equipment should do so in a responsible and professional manner.

• Remember that employees can be held personally responsible for any legal liability (e.g., defamation or copyright infringement) arising from or relating to their use of social media. Racial or ethnic slurs, personal insults, hate speech or other conduct that would not be acceptable in the workplace should not be part of these conversations.

• Disclose your relationships to the Company where appropriate (See item B.5 below).

4. Respect Intellectual Property—Do not use Company names, trademarks, copyrighted material or intellectual property without prior permission from the Corporate Legal Department. This includes using Company names, marks or material:

• As account names or identifying titles on social media platforms and blogs;

• Within a domain name (e.g., warnerbrosemployees.com); and

• As an online representation (such as an avatar).

5. Be transparent—If you are talking about a Company product (e.g., writing about a new show or game):

• Identify yourself as a Company employee. Do not post comments anonymously or use a pseudonym without permission from your supervisor.

• Note that you are not speaking on behalf of the Company (unless you have been authorized to do so). You should include a disclaimer, such as: “These are my own views and do not necessarily reflect the views of Warner Bros.”

• Do not pose as a customer, reviewer, blogger, etc., praising or disparaging the products and services of the Company or our competitors, customers or business partners as this is not only unethical but could be illegal.

6. Let the subject matter experts respond to negative posts—Do not address rumors or inaccurate information you may read about the Company. If you receive inquiries about the Company, direct the person to the Company’s Corporate Communications Department.

C. You Are Accountable

Employees who violate the SBC or other Company policies, including this social media policy, face disciplinary action up to and including the termination of their employment. The Company reserves the right to monitor social networking sites as well as electronic communications made by employees using the Company’s technology resources. Subject to applicable law, employees have no expectation of privacy while using Company equipment, facilities, and resources for any purpose, including posting on social media.

If you have any questions about these guidelines, consult your HR representative or the Compliance Office at (818) 954-4957 or [email protected]. If you see a posting that you think is inappropriate or violates Company policy, you are strongly encouraged to report it through your HR representative or the Compliance Office, or you may call the Company’s Helpline at (818) 954-3453.

Nothing in this policy is intended to prevent an employee from making disclosures encouraged or protected under the law, including the National Labor Relations Act (including employees’ rights to discuss the terms and conditions of their employment) and the Sarbanes-Oxley Act.

D. References

Employees should consult the following Company policies in the Employee Handbook, which is posted on employeeConnection for additional information.

• Employee Handbook

• Equal Employment Opportunity Policy

• Ethical Business Practices Agreement

• Information Security and Privacy Policy

• Personal Use of Company Resources Policy

• Third Party and Media Inquiries Policy

• Prohibition of Unlawful Harassment and Retaliation

• Verification of Employment Policy

• Standards of Business Conduct

Policy Effective Date: March 2011

This policy may be revised as social media/networking technologies evolve and/or to reflect changes in company policies or applicable laws. Employees are responsible for consulting the most recent version of this Policy, which is posted on the company intranet.