Our Constitution & Policy




Our Constitution

The Group follows the provisions of the Companies Act 2001.








Nomination Policy


Introduction
The board of directors of Mammouth Mauritius Limited acknowledges the need for a policy outlining the procedures for appointment to the Board, as recommended in the Code of Corporate Governance for Mauritius. The policy is subject to the provisions of the Companies Act 2001, Sections 132, 133, 134 and 135, and any other applicable law or regulatory provision.
It is recognised that directors should be appointed through a formal and transparent process and should be assisted by the Nomination & Remuneration Committee, subject to shareholder approval. It is in the best interest of the shareholders that the board be properly constituted with the correct mix of skills, knowledge and expertise and that Directors are deemed fit for purpose according to the regulatory framework of Mauritius. The following factors are to be carefully considered:
  • Skills, knowledge and expertise required on the Board
  • Skills, knowledge and expertise of the candidate
  • Previous experience as a director
  • Specific roles required on the Board such as chairman of a committee
  • Balance required on the Board, such as gender and age
  • Independence where required
  • Reputation of the candidate
  • Amount of time the candidate is able to devote to the business of the Board
  • The fees requested from each candidate
  • Potential conflicts of interest
  • A proven track record of acting with integrity

Board Appointments
  • The board will include a chairman and a chief executive officer; these roles will be separate.
  • All non-executive and independent directors to be elected by the shareholders of the company.
  • A minimum of two executive directors should form part of the main board namely the CEO and the CFO.
  • The board of directors will comprise at least nine directors. In terms of the regulatory framework of Mauritius, the board will observe all compliance factors in considering its optimal composition. A majority of the directors are to be independent, as assessed by the board.
  • The age limit for non-executive directors is 70 years unless under compelling circumstances and subject to a bill of clean health from an agreed medical practitioner.
  • The age limit for executive directors is 65 years; however, their conditions of employment can be extended depending on the continued value derived from the particular executive director.
  • Non-executive directors are formally appointed for a period of one year and will be available for re-election by rotation yearly, usually at the annual general meeting or as otherwise prescribed.

Performing a needs assessment
A transparent procedure should be in place to vet the candidates according to the rubric stated above. The members of the Nomination and Remuneration Committee will interview each candidate and will make their recommendations to the Board. The Board should agree each appointment. Once a candidate has been selected, they will be put forward to the shareholders at the Annual General Meeting by way of ordinary resolution for approval.
  • Each candidate will be cleared for nomination as per the Companies Act 2001 and will be certified that they:
    • Are above the age of 18 years and younger than 70 years (except under the clause above on medical approval).
    • Are not and have not been declared bankrupt.
    • Are judged to be of sound mind.
    • Have not been convicted of any crime.
  • When selecting the appropriateness of a director appointment, a mix of skills and experience will be determined. In addition to their skills and experience, personal style and diversity aspects will also be considered.
  • No single director should be allowed to dominate the board and the majority of directors appointed will be independent and non-executive.
  • The independence of an independent non-executive director who serves more than five years will be reviewed by the board and shareholders on a continuous basis.
  • A potential remuneration package for new directors will be made available to shareholders.
  • A description of the board’s requirements will be made available to shareholders to ensure they are aware of the skills and experience of the potential directors required on the board.

Process for Appointment
A mandate is to be given to the board to locate and consider suitable nomination candidates. All proposals, accompanied by the candidate’s consent to act as a director and a detailed CV including the candidate’s relevant expertise, experience and qualifications, will be submitted to the board of directors. Candidates will be assessed on their CV, background checks and the candidate interview, as well as previous experience as a director, competencies, independence, and the number and nature of other directorships.
Nominations
The Board will determine and agree on the nominees who will be put forward for election.
Voting
The election of directors will be conducted as a series of votes, which will continue until all vacancies are filled. The vacancy is filled only if a majority of the voting rights exercised support the candidate.
Appointment
Once a candidate has accepted a seat on the Board, they are asked to sign a service contract that carefully outlines the following:
  • Term of office
  • Time commitment expected from each director
  • Confidentiality
  • Conflicts of interest
  • Directors' liability insurance
  • Right to independent advice
  • Mandatory induction program
  • Training and development program
  • Board policies & procedures





Remuneration Policy


Introduction
Pursuant to the requirements of the Code of Corporate Governance in Mauritius, the Board of Directors of a listed company is required to define general guidelines for the company’s remuneration to the Board of Directors and Executive Management, which must be approved by the Board before a specific agreement on incentive pay with any member of the company’s Board of Directors or Executive Management is entered into. According to Recommendations on Corporate Governance, the Board of Directors is also recommended to adopt a Remuneration Policy applicable to the Board of Directors and the Executive Management, and to table the Policy for the Board’s approval on an annual basis. The recommendations are based on corporate governance best practice and apply to the members of the Board of Directors and Executive Management of Mammouth Mauritius Ltd and its subsidiaries. Any agreements between Mammouth Mauritius Ltd or its subsidiaries and the Board of Directors or the Executive Management concerning fixed remuneration or incentive pay must be subject to this policy.
Board of Directors
The Independent Directors or Non-Executive Directors of the Board of Directors receive a fixed base fee as consideration for their Board duties. Should there be an independent Chairman of the Board of Directors, he or she receives a fixed fee equalling two times the base fee received by the other independent Board members. In addition, the Board members may receive a fixed fee for their work on committees established by the Board of Directors and the Board members may receive separate fees for completion of specific projects, e.g. a sale of the company or material assets. The remuneration of the Board of Directors is determined on the basis of standards in the market and reflects demands to competencies and efforts in light of the scope of their work and the number of Board meetings. Each year the general meeting approves the fees to the Board of Directors.
Executive Management

Fixed salary
Executive managers receive a fixed monthly salary subject to all statutory deductions. The aim with the fixed salary of the Executive Management is to attract and retain the best qualified members to the Executive Management. The elements of the fixed remuneration are determined based on market standards and the Company's specific needs from time to time. As a part of the fixed salary the company may offer other standard benefits, such as a company car scheme and free telephone. The Board of Directors and the Executive Management evaluate the fixed salary annually based on the results from the previous period based on the achievement of key performance indicators set for the year and with due consideration to the trend within the market standards.
Incentives and Commissions
To create alignment of interests between the Executive Management and the company’s shareholders and to consider both short-term and long-term targets, Mammouth Mauritius Ltd considers it expedient to set up incentive plans for the members of its Executive Management. Such incentive plans may consist of warrants and non-share-based bonus agreements, which may be continuous, one-off and event-based. The Board of Directors may enter into agreements with the Executive Management about cash bonus plans. Cash bonus plans consist of a maximum bonus fixed annually which the Executive Management will receive if all targets for the relevant year are met and depending on the financial position of the company. The maximum cash bonus shall be equivalent to up to 100% of the fixed salary of each member of the Executive Management. Payment of bonus depends on whether the conditions and targets based on key performance indicators defined in the agreement have been fully or partly met. The Executive Management team will also receive a fixed percentage commission based on the gross profit before tax each year.
Change and phase-out of incentive plan
The Board of Directors may change or phase out one or more incentive plans introduced pursuant to this policy. In the evaluation of whether this should be done, the criteria that formed the basis of the establishment of the plan will be taken into account. However, such changes can only be made within the framework of this policy. More extensive changes must be approved by the shareholders.  





Conflict of interest


What is a conflict of interest?
A situation that has the potential to undermine the impartiality of a person because of the possibility of a clash between the person's self-interest and professional interest as an employee and/or representative of the organisation (Mammouth Mauritius Limited) can be construed as a potential conflict of interest.
Directors have an obligation to act in the best interests of the organisation, and in accordance with the regulatory framework of Mauritius with special note of section 143: h, i of the Companies Act 2001. Conflicts of interests may arise where an individual’s personal or family interests and/or loyalties conflict with those of the organisation. It is important to note that Directors in terms of section 143 of the Companies Act 2001 have a duty to act in the best interest of the company at all times, to exercise their powers for the purpose of causing the company to prosper and to not make improper use of either company information, company assets nor powers as directors for their own profit or gain. Such conflicts may create problems; they can:
  • Cause the company to fall into disrepute
  • Result in decisions or actions that are not in the interests of the organisation
  • Risk the impression that the board and/or its senior management team have acted improperly
  • Cause the company to be subject to civil or criminal prosecution
  • Cause a director to be disqualified
The aim of this policy is to protect both the organisation and the individuals involved from any appearance of impropriety and to fulfil the legal obligations of directors to act in good faith. A conflict of interest is created as follows:
  • Where a director, officer or employee may derive material benefit from a transaction
  • Where a parent, child or spouse may derive material benefit from a transaction
  • Where a director is directly or indirectly materially involved in the transaction
  • Where a director's family loyalties are put above the interests of the company

The declaration of interests
Accordingly, we are asking Board Members and all staff to declare their interests, and any gifts or hospitality received in connection with their role in Mammouth Mauritius Ltd or any of its subsidiaries. A declaration of interests form is provided for this purpose, listing the types of interest you should declare. To be effective, the declaration of interests needs to be updated at least annually, and also when any changes occur. If you are not sure what to declare, or whether/when your declaration needs to be updated, please err on the side of caution. If you would like to discuss this issue, please contact the Company Secretary, Mr Ahmad Madarun, for confidential guidance. Interests will be recorded in the Company's register of interests, which will be maintained by the Company Secretary, Mr Ahmad Madarun.

Data Protection
The information provided will be processed in accordance with data protection principles as set out in the Data Protection Act 1998. Data will be processed only to ensure that Board Members and all staff act in the best interests of Courts Mammouth. The information provided will not be used for any other purpose.

What to do if you face a conflict of interest
If you are a member of the board of directors or a staff member of Mammouth Mauritius Limited, you should not be involved in decisions that directly affect your relationship with the company or would be considered conflictual. You should declare your interest at the earliest opportunity and withdraw from any subsequent discussion. The same applies if you face a conflict for any other reason. You may, however, participate in discussions from which you may indirectly benefit, for example where the benefits are universal to all users, or where your benefit is minimal. If you fail to declare an interest that is known to the Company Secretary and the Board, the secretary or chairman will declare that interest.

Decisions taken where a board member or member of staff has an interest
In the event of the board having to decide upon a question in which a Board Member or member of staff has an interest, all decisions will be made by vote, with a simple majority. A quorum must be present for the discussion and decision; interested parties will not be counted when deciding whether the meeting is quorate. Interested board members may not vote on matters affecting their own interests. They must absent themselves from the discussion. All decisions under a conflict of interest will be recorded by the Company Secretary and reported in the minutes of the meeting. The report will record:
  • The nature and extent of the conflict;
  • An outline of the discussion;
  • The actions taken to manage the conflict.
A de minimis exemption applies to contracts less than MUR 5000 in value. Random checks against the register of interest will be made on the award of contracts below this value. If the cumulative value of a series of small contracts exceeds MUR 20 000, the Board Member will operate the policy used for individual contracts over that sum. The de minimis exemption does not apply to contracts of employment with the Company. Independent external moderation will be used where conflicts cannot be resolved through the usual procedures (through an independent arbitration service and/or an independent consultant appointed by the board for this purpose).

Managing contracts
If you have a conflict of interest, you must not be involved in managing or monitoring a contract in which you have an interest. Monitoring arrangements for such contracts will include provisions for an independent challenge of bills and invoices, and termination of the contract if the relationship is unsatisfactory.





User IT Policies & Procedures


1. Purpose
This document states the policies and procedures of COURTS MAMMOUTH Group for the application of IT security management disciplines to protect the corporate data, systems and applications against potential threats which could compromise their confidentiality, integrity and availability and to ensure appropriate technologies and methods are deployed, providing reliable and resilient systems that deliver maximum business benefit. Technologies include hardware and software. Methods are the way we build and use and support our IT systems.

2. Scope
The policies apply to all offices and Users (Directors, Employees, Service Providers and Contractors) of the IT systems within MTL. It applies across all hardware/software platforms to all business units of MTL. Users will be required to sign a statement on a yearly basis acknowledging their understanding of and compliance with the policies.

3. Roles & Responsibilities
  • CEO / CFO / Directors: Release and enforce the policies
  • IT Manager: Originate, review, and implement the policies
  • All staff and Service Providers: Compliance
All users should be made aware of the following areas of risks and be always compliant with MTL’s policies:
  • Software licensing
  • Employee safety issues
  • Security
  • Data backup and recovery
  • Illegal access to company systems
  • Infringing on privacy
  • Regulatory issues
  • Malware - Email spam, System viruses and others, Ransomware
  • Company confidential information
  • Losing customers
  • Systems downtime
  • Inappropriate use of company assets

4. Policies
(4.1) Inventory and Equipment
Purpose: Provide management guidelines for managing the use and security of company inventory and equipment.
It is the responsibility of all employees and managers to manage the security of company equipment and supplies. All locations containing IT equipment should be known to the IT staff. All IT equipment (used or unused) must be listed in the fixed asset register and the fixed asset label showing the fixed asset code must be affixed. Periodic inventory audits will be conducted to validate the inventory.
Allocating equipment to employees
  • Equipment is assigned to employees based upon their job function.
  • Managers should maintain a list of equipment allocated to each of their employees. (See Annex I for the Staff Inventory Allocation log)
Specific equipment that should be tracked by employee includes, but is not limited to:
  • PCs (both desktop and laptop)
  • PC peripherals (scanners, printers, external hard drives, USB keys etc.)
  • Mobile devices (mobile phones, tablets, phablets etc.)
  • Access keys and access cards
Employee termination
  • One of the responsibilities of the manager is to collect all allocated equipment issued to an employee who leaves the company. Maintaining the Employee Inventory Allocation Log makes it a simple process.
  • Employees not able to return allocated equipment are responsible for reimbursing the company for the fair market value of the item.

(4.2) Physical Access Control and Security
Purpose: To provide guidelines on maintaining the highest level of security for our physical office and employees.
The company provides keys and password access (PIN) for use by staff to maintain building and office security and allow access to designated areas for authorized personnel during normal business hours and after hours. Please refer to the official manual for procedures regarding:
  • appropriate distribution and collection of keys
  • maintenance of accurate security access code logs
  • official business hours
  • adequate fire fighting equipment (CO2 fire extinguishers) to fight electrical fires
For all locations containing IT equipment or network access to IT systems:
  • Within reason and practical limits, employees having visitors must escort them when inside the building.
  • Security Officers / Receptionist may issue special permission for individuals to be on the company premises without the presence of a staff member. Such cases will include announced meetings held in the company Conference and Meeting Rooms, contractors / service providers wearing official badges and consultants. Please refer to the process for notification and confirmation of works to be done by contractors or service providers.
  • After business hours, visitors are subject to being challenged by staff members and required to identify themselves and their purpose in the building. Employees must share in the responsibility of questioning these unescorted visitors and reporting any unauthorized personnel to their line managers / security officer.
  • Each individual assumes responsibility for protecting the security of his/her IT equipment and will report losses or suspicious situations to his/her line manager for appropriate follow up.
  • Transfer of IT equipment for repairs must be authorised by a member of the IT staff and the appropriate official documents completed.

(4.3) Standard Setup
Purpose: Provide guidelines for maintaining a standard PC image

MTL will maintain standard configurations of PCs and laptops. The IT department will establish the standard configuration of PC hardware and software to be run on the PCs and laptops.
Network Access:
  • All PCs are network enabled to access MTL's network.
  • It is the employee's responsibility to maintain appropriate security measures when accessing the network as defined in the Password Security policy.
PC Support
  • The IT Department will maintain all PCs of the company or will direct you to appropriate measures for maintaining your PC.
  • Standard configurations are defined to assist in providing responsive support and to assist in troubleshooting your issue or problem. Deviations from the standards are not permitted except in appropriately reviewed and approved situations.
  • For assistance with your PC or peripheral equipment, contact the IT Support.
Backup procedures
  • Network data and programs are backed up daily and archived off site.
  • Data and software on your PC are not backed up. If you want to protect data and files used on your PC, you should, after consultation with the IT department, take one of the following measures:
    • Save the data onto a CD/DVD if you have a RW (Read-Write) CD/DVD drive.
    • Copy the data to the appropriate network server and store it within your personal file folder specifically set up for this purpose. This will ensure your important data is saved and archived daily in our normal backup process.
  • Large amounts of data (over 100MB) should be discussed with the IT Department before uploading to a network server / share. The number of subfolders should also be limited to 25 per top-level folder for easy maintenance.
Virus software
  • The company maintains network virus software that will automatically scan your PC for possible viruses each time you log onto the network.
  • Downloading or copying data files from external systems and the Internet is prohibited without the IT Department's review and approval in order to protect the integrity of the company network.
Applications software
  • Standard licensed software is maintained on all PCs and laptops.
  • Under no circumstances are additional software programs allowed to be loaded onto a PC without the review and approval of the IT Department. This is a protective measure to avoid network problems due to viruses and incompatibility issues. No user shall be granted local Administrator rights on his/her PC or laptop.

(4.4) Information Security
Purpose: Provide guidelines that protect the data integrity and proprietary nature of MTL's information systems. Information Security is the protection of the company's data, applications, networks, and computer systems from unauthorized access, alteration, or destruction.
Violation of the Information Security Policy will be subject to disciplinary actions, including dismissal and/or such legal action as may be deemed appropriate by management.

Data classification
  • It is essential that all company data be protected. Different types of data require different levels of security. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance.
  • The company classifies data in the following three classes:
High Risk
Information assets for which there are legal requirements for preventing disclosure or financial penalties for disclosure.
  • Data covered by law such as the Data Protection Act
  • Payroll, personnel, and financial information (because of privacy requirements)
  • The company recognizes that other data may need to be treated as high risk because it would cause severe damage to the company if disclosed or modified.
  • The data owner should make this determination. It is the data owner’s responsibility to implement the necessary security requirements.
Confidential
Data that would not expose the company to loss if disclosed, but that the data owner feels should be protected to prevent unauthorized disclosure. It is the data owner’s responsibility to implement the necessary security requirements.

Public
  • Information that may be freely disseminated.
  • All information resources should be categorized and protected according to the requirements set for each classification. The data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the company.
  • Data owners must determine the data classification and must ensure that the data custodian is protecting the data in a manner appropriate to its classification level.
  • No company owned system or network can have a connection to the Internet without the means to protect the information on those systems consistent with its confidentiality classification.
  • Data custodians are responsible for creating data repositories and data transfer procedures that protect data in the manner appropriate to its classification.
  • High risk and confidential data must be encrypted during transmission over insecure channels.
  • All appropriate data should be backed up, and the backups tested periodically, as part of a documented, regular process.
  • Backups of data must be handled with the same security precautions as the data itself. When systems are disposed of, or re-purposed, data must be certified deleted or disks destroyed consistent with industry best practices for the security level of the data.
Access control
  • Data must have sufficient granularity to allow the appropriate authorized access.
  • There is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes. This balance should be recognized and addressed appropriately.
  • Where possible and financially feasible, more than one person must have full rights to any company owned server storing or transmitting high risk data.
  • The company will have a standard policy that applies to user access rights.
  • Data owners or custodians may enact more restrictive policies for end-user access to their data.
  • Access to the network and servers and systems will be achieved by individual and unique logins, and will require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication.
  • Users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. All users must secure their username or account, password, and system from unauthorized use.
  • All users of systems that contain high risk or confidential data must have a strong password, the definition of which will be established and documented in the Password Policy.
  • Passwords must not be placed in emails unless they have been encrypted.
  • Default passwords on all systems must be changed after installation. All administrator or root accounts must be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.
  • Logins and passwords should not be coded into programs or queries unless they are encrypted or otherwise secure.
  • Users are responsible for safe handling and storage of all company authentication devices.
  • If an authentication device is lost or stolen, the loss must be immediately reported so that the device can be disabled.
  • Terminated employee access must be reviewed and adjusted as found necessary. Terminated employees should have their accounts disabled upon suspension or termination.
  • Transferred employee access must be reviewed and adjusted as found necessary.
  • Monitoring must be implemented on all systems including recording logon attempts and failures, successful logons and date and time of logon and logoff.
  • Personnel who have administrative system access should use other less powerful accounts for performing non-administrative tasks.
Virus prevention
  • The wilful introduction of computer viruses or disruptive/destructive programs into the company environment is prohibited, and violators will be subject to prosecution.
  • All desktop systems that connect to the network must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor’s recommendations.
  • All servers and workstations that connect to the network and that are vulnerable to virus or worm attack must be protected with an approved, licensed anti-virus software product that is kept updated according to the vendor’s recommendations.
  • Where feasible, system or network administrators should inform users when a virus has been detected.

(4.5) Password Security
Purpose: Provide guidelines in appropriate management of business passwords to maintain adequate security and integrity of all of the company's business systems.
Applies to ALL hardware devices and software applications owned by MTL or employees that have access (local or remote) to MTL’s networks, data and systems.
  • Passwords are assigned to authenticate a user's identity, to protect network users, and to provide security.
  • It is the responsibility of each individual to protect and to keep private any and all passwords issued to him/her by the company.
  • The IT Department will establish guidelines for issuing new passwords, deleting passwords as required, and allowing employees to change their passwords.
  • Although the company strives to manage a secure computing and networking environment, the company cannot guarantee the confidentiality or security of network or e-mail passwords from unauthorized disclosure.
  • New employee passwords and changes must be requested by a Manager. This helps monitor and manage the importance of protecting passwords in their distribution and use in such a way that reinforces the integrity of users accessing company systems.
  • A network manager must approve any password change requested by a user's supervisor. Confirmation will be sent to the user when a password change is completed at the request of a supervisor.
  • The IT Department will disable all usernames and passwords of exiting employees upon notification from the Human Resources department.
  • System administrators and users assume the following responsibilities:
    • System administrators must protect the confidentiality of users' passwords.
    • Users must manage passwords according to the Password Guidelines.
    • Users are responsible for all actions and functions performed by their accounts.
    • Suspected password compromise must be reported to the IT department immediately.
Security Notice
It is STRICTLY FORBIDDEN to share and make use of another person's username/password unless you have been formally granted permission in writing by your business unit manager under special circumstances. If you are not currently using your own username and password to start and log in to your PC or to access a specific application/system (e.g. CoSACS, Oracle, Windows, MS Outlook, Navision etc.), please contact the IT department immediately. You SHOULD NOT share your personal passwords and other codes for accessing the various computer equipment/systems with anyone except when formally instructed to do so in writing by your business unit manager under special circumstances, in which case the IT department needs to be copied on. Please also note that if you believe your username and password is We recommend that your current usernames and passwords to access various systems/facilities/files should be written down, put in a sealed envelope and submitted to your business unit manager in case access to these specific systems/files is required under special circumstances if you are absent from work or if you have left the company. This also needs to be updated whenever your usernames or passwords change.

Password Guidelines
Different computing systems place different limitations on password construction. The following applies to all computing systems, whether or not the system enforces these limitations:
  • Do not use dictionary or actual words. Non-English words are no more secure than English words.
  • Do not use words or numbers associated with you. Examples include:
  • Social security numbers
  • Names, family names, pet names
  • Birthdays, phone numbers, addresses
  • Avoid using your login name or any variation of it as your password. Do not use substitution or letter reordering (e.g. 3=e and 1=i). Do not write it backwards or add a digit to the beginning or end of the word.
  • When changing a password, change to an entirely new password
  • Do not just rotate through a list of favourite passwords.
  • Use a minimum of 8 characters. Generally, the more characters you can use, the harder a password is to be cracked or guessed.
  • Choose a password that is easy for you to remember but would be hard for another to guess. One useful approach is to use letters from a passphrase or sentence, e.g., “One ring to rule them all, one ring to bind them” results in the password of “1R2rtA,or2Bt” by using the first letter, capitalization, and some substitution.
  • Use mixed case (upper & lower)
  • Use punctuation symbols (e.g. _-+=!@%*&”:,./)
  • Ensure your workstation is reasonably secure in your absence from your office. Consider using a password-protected screen saver, logging off when you leave the room / desk.

(4.6) Email and Instant Messaging
Purpose: The policy is required to reduce the risks of legal actions against both the Company and individual employees, and to contain the costs of operating the service.

The company has established this policy with regard to the acceptable use of company provided electronic messaging systems, including but not limited to email and instant messaging. Email and instant messaging are important and sensitive business tools. This policy applies to any and all electronic messages composed, sent or received by all employees.
General rules to be followed at all times
    • MTL provides electronic messaging resources to assist in conducting company business. All messages composed and/or sent using MTL provided or non MTL electronic messaging resources must comply with company policies.
    • The company prohibits discrimination based on age, race, gender, sexual orientation or religious or political beliefs. Use of electronic messaging resources to discriminate for any or all of these reasons is prohibited.
    • Never send any messages that
  • Are abusive, defamatory, derogatory, or otherwise insulting or contain insinuations, ambiguities and intimations
  • Could be construed as harassing an individual.
  • Upon termination or separation from the company, the company will deny all access to electronic messaging resources, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient. Line managers should request the IT department by email to forward the incoming emails to another user for follow-up.
  • Each employee will be assigned a unique email address that is to be used while conducting company business via email.
  • Employees are prohibited from forwarding electronic messages to external (personal) messaging systems.
  • Employees authorized to use instant messaging programs will be advised specifically on which instant message program(s) are permissible.
  • Electronic messages are frequently inadequate in conveying mood and context. Carefully consider how the recipient might interpret a message before composing or sending it. Email cannot totally replace face-to-face meetings or telephone conversations, which may better translate your ideas, thoughts and views to the other party. Thus, if you feel an issue requires discussion, it is best to convene a meeting and sort out the issue rather than having many email correspondences.
  • Any employee who discovers a violation of these policies should immediately notify a manager or the Human Resources Department.
  • Any employee in violation of these policies is subject to disciplinary action, including but not necessarily limited to, termination.
  • Keep the distribution list as short as possible and only copy those who really need to know. Use group addresses (e.g. All Users and All Branch Managers) only when necessary, otherwise many users who may have no interest in your message will receive it. This is the electronic equivalent of junk mail and can become very annoying.
  • Avoid sending emails with large file attachments (e.g. graphical images, complex spreadsheets and large PowerPoint presentations). All email messages are queued and whilst the one with a big attachment is being sent to a remote or overseas user (e.g. Rodrigues), the network traffic is impacted and the performance of other systems (Navision) is affected.
Ownership
  • The email/electronic messaging systems are company property. All messages stored in company provided electronic messaging system(s) or composed, sent or received by any employee or non-employee are the property of the company. Electronic messages are NOT the property of any employee.
  • The company reserves the right to intercept, monitor, review and/or disclose any and all messages composed, sent or received.
  • The company reserves the right to alter, modify, re-route or block the delivery of messages as appropriate.
  • The unique email addresses and/or instant messaging identifiers assigned to an employee are the property of the company. Employees may use these identifiers only while employed by the company.
Confidentiality
  • Messages sent electronically can be intercepted inside or outside the company and as such there should never be an expectation of confidentiality. Do not disclose proprietary or confidential information through email or instant messages.
  • Electronic messages can never be unconditionally and unequivocally deleted. The remote possibility of discovery always exists. Use caution and judgment in determining whether a message should be delivered electronically versus in person.
  • Electronic messages are legally discoverable and permissible as evidence in a court of law. Messages should not be composed that you would not want to read out loud in a court of law.
  • Employees are prohibited from unauthorized transmission of company trade secrets, confidential information, or privileged communications.
  • Unauthorized copying and distribution of copyrighted materials is prohibited.
Security
    • The company employs sophisticated anti-virus software. Employees are prohibited from disabling anti-virus software running on company provided computer equipment.
    • Although the company employs anti-virus software, some messages infected with malware (viruses, “worms” and other malicious code) can enter the company’s messaging systems. Malware can spread quickly if appropriate precautions are not taken. Follow the precautions discussed below:
  • Be suspicious of messages sent by people not known by you. Do not follow the links to websites they contain.
  • Do not open attachments unless they were anticipated by you. If you are not sure, always verify the sender is someone you know and that he or she actually sent you the email attachment.
  • Do not open emails that originate from an email address which seems to be familiar but is not spelled correctly.
  • Disable features in electronic messaging programs that automatically preview messages before opening them.
  • Do not forward chain letters. Simply delete them.
  • The company considers unsolicited commercial email (spam) a nuisance and a potential security threat. Do not attempt to remove yourself from future delivery of a message that you determine is spam. These “Remove Me” links are often used as a means to verify that you exist.
  • Do not use company provided email addresses when posting to message boards / internet forums / chat rooms (please also refer to the “Social Media” section in the Internet Usage policy).
  • If you have opened in error an email containing a malware program, please switch off your workstation immediately – do not wait for the PC to shut down automatically. Please inform the IT department immediately. Please ensure you have regular backups of your data files. You will always be able to recover them from one of the backups done previously.
Housekeeping
Disk space on the mail server is limited. Users will receive a warning message when the mail items in their respective mailboxes are approaching the limit size set. Users are responsible for moving the mail items to personal folder files which must be included in the backup process. Please contact the IT department if you need help to complete this process.
Email Format
    • Use standard font and size. Acceptable fonts and sizes are Verdana 10pt, Arial 10pt, Calibri 11pt and Times New Roman 11pt for the body text.
    • Set Spellchecker to always check spelling before sending.
    • Subject Headers should be meaningful
    • It is mandatory to include the email signature when sending an external email. It is recommended to include it when sending internally for first emails only. Please contact the IT department to obtain your email signature. The format is:
  • Use Out of Office Assistant to automate replies when absent. The replies should simply state when expected back in the office and include an alternate contact e.g. I’m out of the office until date but you can contact ‘name’ in my absence (you can include the email address and telephone details).

(4.7) Internet usage
Purpose: Provide appropriate guidelines for accessing and utilizing the Internet through MTL’s network.
Internet access will only be granted to employees whose job functions dictate a business requirement. Internet services will be authorized to designated employees by their immediate manager. The Internet is an excellent tool but also creates security implications that the company must guard against. For that reason, employees are granted access only as a means of providing support in fulfilling their job responsibility. Anyone using a wired or wireless device on MTL’s network shall connect to the internet only via the firewall. Any departure from this procedure would leave our systems vulnerable to corruption from the Internet which would prejudice the integrity of MTL’s files and systems. Employees must not attempt to disable, defeat or circumvent the Internet security arrangements. Note that the MyT line installed in our branch showrooms is not connected to MTL’s internal network and provides Internet access to demo product items on display only.
EMPLOYEE RESPONSIBILITIES
    • The use of Internet is ONLY permitted for MTL’s business purposes.
    • Employees must disconnect from the internet when they leave their workstation.
    • Internet access must NOT be made available to unauthorised employees. Each individual is responsible for the account issued to him/her
    • Sharing Internet accounts or User-ID's / Passkeys is prohibited.
    • No information relating to MTL or its personnel is permitted to be disclosed to a third party using the Internet unless required for business purposes.
    • Downloading of any software is strictly prohibited unless authorised by IT department.
    • No data is permitted to be downloaded unless required for business use.
    • The frequent downloading of large files i.e. in excess of 10MB must be avoided as it can affect the performance of other Internet users.
    • Internet usage is monitored and it is possible to track usage of sites visited. Any misuse of the facility will be reported to the employee’s Line Manager.
    • Repeated or serious misuse of the facility may result in withdrawal of the facility, disciplinary action, or prosecution.
    • It is the responsibility of all employees to report any misuse of Internet facilities to their Line Manager.
    • Organizational use of Internet services must reflect the mission of the company and support the company's goals and objectives. These services must support legitimate, mission related activities of the company and be consistent with prudent operational, security, and privacy considerations.
    • The Company has no control over the information or content accessed from the Internet and cannot be held responsible for the content.
    • Any software or files downloaded via the Internet into the company network become the property of the company. Any such files or software may be used only in ways that are consistent with their licenses or copyrights. Any file that is downloaded must be scanned for malware before it is run or accessed.
    • Ensure that browsers are set for high active content security while accessing the Internet.
    • Data uploaded to an Internet site must:
  • Comply with laws and privacy.
  • Use proper notices and disclaimers.
  • Have clearance for copyright and trademarks.
  • Not be confidential to MTL.
  • Be authorised by MTL’s Management
Inappropriate use
The following uses of company provided Internet access are not permitted:
  • To access, upload, download, or distribute pornographic or sexually explicit material
  • Violate law
  • Vandalize or damage the property of any other individual or organization
  • To invade or abuse the privacy of others
  • Violate copyright or use intellectual material without permission
  • To use the network for financial or commercial gain
  • To degrade or disrupt network performance
  • No employee may use company facilities knowingly to download or distribute pirated software or data.
  • No employee may use the company’s Internet facilities to deliberately propagate/install any malware (virus, worm, Trojan horse, or trap-door program code, bots, spyware, ransomware, etc.)
Social Media
Includes blogs, wikis, microblogs, message boards, chat rooms, electronic newsletters, online forums, social networking sites, and other sites and services that permit users to share information with others.
  • Employees need to know and adhere to the Company’s Code of Conduct, Employee Handbook, and other company policies when using social media in reference to MTL.
  • Employees should be aware of the effect their actions may have on their images, as well as MTL’s image. The information that employees post or publish may be public information for a long time.
  • Employees should be aware that MTL may observe content and information made available by employees through social media. Employees should use their best judgment in posting material that is neither inappropriate nor harmful to MTL, its employees, or customers.
  • Although not an exclusive list, some specific examples of prohibited social media conduct include posting commentary, content, or images that are defamatory, pornographic, proprietary, harassing, libellous, or that can create a hostile work environment.
  • Employees are not to publish, post or release customer data, trade secrets or any information that is considered confidential or not public. Whether or not the release is inadvertent, employees will be subject to disciplinary actions including termination of employment. If there are questions about what is considered confidential, employees should check with the Human Resources Department and/or their line manager.
  • Social media networks, blogs and other types of online content sometimes generate press and media attention or legal questions. Employees should refer these inquiries to their line managers.
  • If employees encounter a situation while using social media that threatens to become antagonistic, employees should disengage from the dialogue in a polite manner and seek the advice of their line manager.
  • Employees should get appropriate permission before they refer to or post images of current or former employees, members, vendors or suppliers. Additionally, employees should get appropriate permission to use a third party's copyrights, copyrighted material, trademarks, service marks or other intellectual property.
  • Social media use shouldn't interfere with employees’ responsibilities at MTL. MTL’s computer systems are to be used for business purposes only. When using MTL’s computer systems, use of social media for business purposes is allowed (e.g. Facebook, Twitter, MTL blogs and LinkedIn), but personal use of social media networks or personal blogging of online content is discouraged and could result in disciplinary action.
  • Subject to applicable law, after‐hours online activity that violates the Company’s Code of Conduct or any other company policy may subject an employee to disciplinary action or termination.
  • If employees publish content after‐hours that involves work or subjects associated with MTL, a disclaimer should be used, such as this: “The postings on this site are my own and may not represent MTL’s positions, strategies or opinions.”
  • It is highly recommended that employees keep MTL related social media accounts separate from personal accounts.
(4.8) Mobile Devices
Purpose: This policy describes the rules covering use of MTL mobile computing devices which are used to process information and access the Internet, Intranet and Corporate Email and are intended primarily for the company’s business use.

Devices
Laptops, PDAs, Tablets, Smart phones, Mobile phones, USB memory sticks, External hard disks. All MTL supplied mobile devices and their contents remain the property of the company and are subject to regular audit and monitoring. These devices should only be connected to a system (network, laptop or desktop) that has been approved by MTL. In some cases where there is a need to attach non-MTL owned devices (e.g. presentation by a third party that requires internet access), the IT department must be contacted before such connections. These third party devices must have their anti-virus software up to date (and the latest service packs installed if they are on a Windows OS). The same applies to employees’ personal mobile devices. USB memory sticks and external hard disks are provided only for backup purposes and not for extended storage. If a company owned device is lost or stolen, then senior management and the IT department should be contacted immediately as a matter of urgency, so that the data network can be protected from the device and appropriate services disabled. The login password for the concerned user will be reset. Mobile device users will be required to sign an acknowledgment form for each device allocated (See Annex III).

Users Responsibilities
  • Care needs to be taken over their use and of the data that they hold. The user must be aware that the device contains MTL’s data and should take appropriate actions to protect the device from being lost or stolen (please see the Physical Security Controls for laptops section). The user must use the device as per the operating instructions set in the manufacturer’s user guide. He/She must keep it clean and in serviceable condition. The user is responsible for using the device in a safe, cost effective manner consistent with applicable laws and regulations. A protective cover is recommended for mobile phone users.
  • The user is not authorised to change any security device settings (except for the PIN) without reference to the IT department, as they may affect the security of the device or the network, or stop it functioning with the supplied service(s).
  • Each Head of Department is responsible for setting usage guidelines for mobile telecommunications (voice and data) and communicating them to their staff which includes reimbursement of costs for excessive personal usage. Same applies for purchasing ringtones, music, applications and other billable offerings for personal benefit. Do not loan the company’s laptop or allow it to be used by others such as family and friends.
  • Business conversations (mobile phones, chatting, Skype calls) should be held in private and not in public places. Mobile phones should be switched off or put to vibrate mode during meetings, lectures, seminars, training courses etc except in very exceptional circumstances.
  • All SIM cards are on Mauritius Telecom’s network unless otherwise authorized.
  • No company owned equipment shall be used to store/obtain inappropriate materials such as pornographic, racist, defamatory or harassing files, pictures, videos or email messages that might cause offence or embarrassment. Users must acquaint themselves with the legal situation for any content stored.
Replacement
Laptops would be replaced at the end of their useful life, usually 4-5 years.
Data
All sensitive information stored in any format on a device should be encrypted (or password protected if the encryption software is not available). Users are requested to consider carefully before storing such information on the device. Please note that free (or low-priced) software is available to crack the password for MS Excel and Word password protected documents. Public keys for encrypted mails will only be installed on laptops after approval from senior management. Note also that smart phones contain confidential information via emails (locking the device when not in use must be enabled). Ensure that you regularly back up your data on the device to other MTL-approved equipment (e.g. external storage / server location) to protect the data from damage or loss. The backups must be kept safe and restricted (not kept with the device). Note that when the device is backed up to the server location, this is in turn backed up on tape for offline storage. Users are encouraged to move important information that they no longer use but keep for reference to a secure device (e.g. network location) for safe keeping and to remove it from the mobile device at their earliest opportunity.
Device Security Requirement
Passwords
  • Alphanumeric and at least 8 characters long (where possible), please refer to the Password Policy.
  • To be kept absolutely secret. Never share it with anyone, not even members of your family, friends or IT staff. Never store them on the device.
  • Files containing confidential information stored on USB memory sticks, external hard disks and CD/DVDs should always be password protected and/or encrypted where possible
  • All mobile phones should have the PIN enabled
  • All devices to be locked when not in use (with the password enabled)
Connections
  • Never attempt to use an unapproved device, via any method of communication, with any IT equipment that belongs to MTL
  • Wi-Fi, Bluetooth and Infrared must be enabled only when needed (please see wireless security section)
  • Bluetooth and Infrared must be limited to be used for accessing passive devices such as hands free kits
  • Bluetooth connections must be accepted from other devices with care. Ensure the recipient is known and agree connection security criteria in advance.
  • Users are requested to shut down and restart their devices after 12 continuous hours of use. Laptops would be restarted after complete cooling.

Software Licenses, Applications and Operating Systems
  • All laptops are to be installed with a Windows OS.
  • All software/applications installed on the device must hold a valid software license
  • All laptops with a Windows OS are to be installed with the approved Anti-Virus solution
  • Users to regularly check the antivirus status so that it is always up to date and notify the IT department for any malfunctioning / security incidents / unusual disk activity. Do not forward any files or upload data onto the network if you suspect your device might be infected.
  • All laptops should have their set of rescue CDs safely stored which will be used to easily restore the OS and applications to their default state (manufacturer). Users are requested to create the Windows repair disk and to enable the system restore point feature. An extended disk partition is recommended to store the data files.
  • Only applications provided with the device, or provided/approved by MTL can be run.
Data
  • Obsolete CD-R/DVD-R containing MTL’s data must be physically destroyed and disposed of appropriately
  • Old equipment to be returned or discarded must be sent to the IT department to ensure all data are permanently erased and to initiate removal process from the Fixed Asset Register and Windows Domain
  • Where data is required to be stored on any device for archive/reference purposes, adequate care must be taken to ensure this data does not get disclosed to unauthorised individuals.
Settings
  • No changes to the security settings or configuration of any approved device can be made without prior authorisation from the IT department
  • All hardware/software firewalls on any device must be activated unless needed to be opened for a specific task and must be reactivated immediately after.
  • All Windows installations are to be patched with the critical patches (MS Windows Update) – Users are requested to review these patches as they may relate to one of their applications which could stop working after installation of the patch.
  • Network bridging must be disabled on all devices (Network Settings)
No employee shall use a mobile device, hands on or hands off while driving, whether the business conducted is personal or company-related. This prohibition includes receiving or making calls, text messaging, surfing the Internet, receiving or responding to email, checking for phone messages, or any other purpose related to his employment; the business; our customers; our vendors; volunteer activities, meetings, or civic responsibilities performed for or attended in the name of the company. He is requested to stop the vehicle in a safe location so that he can safely use his cell phone or similar device.

Physical security controls for laptops
  • The physical security of ‘your’ laptop is your personal responsibility so please take all reasonable precautions. Be sensible and stay alert to the risks.
  • Keep your device in your possession and within sight whenever possible, just as if it were your wallet or handbag. Be extra careful in public places such as airports, railway stations or restaurants. It takes thieves just a fraction of a second to steal an unattended laptop.
  • If you have to leave the laptop temporarily unattended in the office, meeting room or hotel room, even for a short while, use a laptop security cable or similar device to attach it firmly to a desk or similar heavy furniture. These locks are not very secure but deter casual thieves.
  • Lock the laptop away out of sight when you are not using it, preferably in a strong cupboard, filing cabinet or safe. This applies at home, in the office or in a hotel. Never leave a laptop visibly unattended in a vehicle. If absolutely necessary, lock it out of sight in the trunk or glove box but it is generally much safer to take it with you.
  • Carry and store the laptop in a padded laptop computer bag or strong briefcase to reduce the chance of accidental damage. Don’t drop it or knock it about! Bubble-wrap packaging may be useful.
Wireless Security
  • Avoid sending data in the clear (i.e., unencrypted). Use WPA (Wi-Fi Protected Access) or WEP (Wired Equivalent Privacy) whenever possible. Although WEP is relatively easy to break, it provides some protection. Most wireless networks, especially public hotspots, don't use WEP.
  • Use ssh/sftp and avoid telnet and ftp, since telnet and ftp send usernames, passwords, and data without encryption. ssh and sftp use SSL, so they are secure.
  • Web browsing is safe, but be aware that unencrypted traffic can be "sniffed" so someone can know what sites you're going to and what you're reading. You should avoid sending personal information - usernames, passwords, account numbers, credit card numbers, etc. If you must send personal data, be sure you're using SSL connections -- look for URLs that begin with https instead of just http (and the locked padlock icon in the lower right corner).
  • In public locations that provide wireless Internet access you should:
  • Watch for over the shoulder viewing of your login, credit card, or other personal information.
  • Properly log out of web sites by clicking log out instead of just closing your browser or typing in a new web address.
  • Avoid using instant messaging (IM). Most instant messaging services transmit clear (unencrypted) text, so it could be sniffed by other wireless users.
  • Turn off file sharing from your device. This prevents other wireless users on the network from accessing local files on your device. You may set this permanently as it is only required if you are sharing files from your device.
  • Turn off Wi-Fi if you are working offline.
Recommendations for a wireless network (at home):
  • Change the Default Administrator Password (and Username) for the access point or router. The default password (sometimes none) is very well known to hackers. Enable its firewall.
  • Enable MAC Address Filtering
  • Change the Default SSID and Disable SSID Broadcast. Access points and routers all use a network name called the SSID. Manufacturers normally ship their products with the same SSID set. Knowing the SSID does not by itself allow your neighbors to break into your network, but it is a start. More importantly, when someone finds a default SSID, they see it is a poorly configured network and are much more likely to attack it. In Wi-Fi networking, the wireless access point or router typically broadcasts the network name (SSID) over the air at regular intervals. This feature was designed for businesses and mobile hotspots where Wi-Fi clients may roam in and out of range. At home, this roaming feature is unnecessary, and it increases the likelihood someone will try to log in to your home network. Fortunately, most Wi-Fi access points allow the SSID broadcast feature to be disabled by the network administrator.
  • Do Not Auto-Connect to Open Wi-Fi Networks. Connecting to an open Wi-Fi network such as a free wireless hotspot or your neighbor's router exposes your computer to security risks. Although not normally enabled, most devices have a setting available allowing these connections to happen automatically without notifying you (the user). This setting should not be enabled except in temporary situations.
  • Assign Static IP Addresses to Devices. DHCP technology is easy to set up. Unfortunately, this convenience also works to the advantage of network attackers, who can easily obtain valid IP addresses from your network's DHCP pool. Turn off DHCP on the router or access point, set a fixed IP address range instead and then configure each connected device to match. Use a private IP address range (like 10.0.0.x) to prevent computers from being directly reached from the Internet.
  • Position the Router or Access Point Safely. Wi-Fi signals normally reach to the exterior of a home. A small amount of signal leakage outdoors is not a problem, but the further this signal reaches, the easier it is for others to detect and exploit. Wi-Fi signals often reach through neighboring homes and into streets, for example. When installing a wireless home network, the position of the access point or router determines its reach. Try to position these devices near the center of the home rather than near windows to minimize leakage.
(4.9) Equipment requests
Guidelines for ordering new technology equipment or making changes to existing equipment are provided to streamline the order process and to assist the IT Department in fulfilling the request.
General
  • Capital equipment items over Rs15,000 must be budgeted and approved for purchase.
  • All technology capital requests are reviewed and approved by the IT Department and Accounting Department for appropriate need even when budgeted in the company's annual Capital Budget.
  • Only HODs may submit equipment requests.
  • The Equipment Request Form (Annex IV) must be completed when requesting equipment for employees.
  • Appropriate lead time of at least three work days should be taken into consideration when requesting/ordering new equipment, upgrades, equipment relocations, etc. The IT Department will maintain a small inventory of standard PCs and other heavily used equipment to minimize the delay in fulfilling critical requests/orders.
  • It is the manager's responsibility to provide enough lead time for new orders and change requests in managing his/her department effectively.
Procedures
  • Complete the Equipment Request Form for the equipment or service you need.
  • Have the HOD review and approve the request.
  • Submit the request to the IT department for review and follow-up.
  • After approval, the IT department will transfer from stock or arrange to raise the required Purchase Order.
  • The equipment is prepared as needed and installed for the requesting department.
(4.10) Remote access
Purpose: Provide guidelines on appropriate use of remote access capabilities to MTL's network, business applications, and systems.
  • The purpose of this policy is to define standards for connecting to MTL’s network from a remote location outside the company.
  • These standards are designed to minimize the potential exposure to the company from damages that may result from unauthorized use of the company resources.
  • Damages include the loss of sensitive or confidential company data, intellectual property, damage to critical company internal systems, etc.
  • This policy applies to all the company employees, contractors, vendors and agents with a company owned or personally owned computer or workstation used to connect to the company network.
  • This policy applies to remote access connections used to do work on behalf of MTL, including reading or sending email and viewing Intranet web resources.
  • Remote access implementations that are covered by this policy include, but are not limited to, ISDN, DSL, VPN, SSH, etc.
  • It is the responsibility of MTL’s employees, contractors, vendors and agents with remote access privileges to the company's corporate network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the company network.
Remote connection
  • Secure remote access must be strictly controlled. Control will be enforced via one-time password authentication or public/private keys with strong password phrases.
  • At no time should any company employee provide his/her login or email password to anyone, not even family members.
  • MTL employees and contractors with remote access privileges must ensure that their company owned or personal computer or workstation, which is remotely connected to the company's corporate network, is not connected to any other network at the same time.
  • MTL’s employees and contractors with remote access privileges to the company's corporate network must not use non-company email accounts (e.g., Yahoo, Gmail), or other external resources to conduct company business, thereby ensuring that official business is never confused with personal business.
  • Routers for dedicated ISDN lines configured for access to the company network must meet minimum authentication requirements established by the IT Department.
  • All hosts that are connected to the company internal networks via remote access technologies must use the most up-to-date anti-virus software.
  • Third party connections must comply with requirements defined by the IT Department.
  • Personal equipment that is used to connect to the company's networks must meet the requirements of the company-owned equipment for remote access.
  • Organizations or individuals who wish to implement non-standard Remote Access solutions to the company production network must obtain prior approval from the IT Department.
Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. The IT Department is responsible for monitoring remote access and addressing inappropriate use of remote access privileges.