
NOTICE: Paper copies of this Procedure should NOT be used for decision making purposes. Only use the electronic LAN based copy at u:\common\Policies and Procedures\Assoc Relations\.

Subaru of Indiana Automotive, Inc.

Policy

COMPUTER SYSTEM SECURITY POLICY

Policy No.: 40-05
Effective Date: 01/01/09
Supersedes: 3/26/98

I. PURPOSE

To establish an SIA compliance regulation with regard to use of computer hardware
(including personal computers), software and data files/databases. This policy applies
to all SIA Associates and Temporary Workers.

II. GENERAL

Use of SIA's computer system, including all hardware, software and data
files/databases, is limited to SIA approved and business related purposes only. An
Associate's use of SIA's computer system constitutes the Associate's agreement to
abide by all SIA policies and legal restrictions applicable to such use. All use of
SIA's computer system is subject to audits and monitoring, with or without advance
notice, by SIA to ensure compliance with this policy and applicable law, and to
protect SIA and its Associates. Any Associate who violates this policy or applicable
law is subject to corrective action under SIA's policies, up to and including
termination of employment, and possible personal civil and criminal liability.
Information Systems (IS) is responsible for the administration of this policy. Section
Managers are responsible for explaining this policy to all Associates under their
supervision and monitoring its administration. The policy shall be administered so
that:

(1) The integrity and security of SIA's computer hardware, software and related
resources are maintained.

(2) Software and data files/databases are used in a manner consistent with copyright
law, any existing contract pertaining to the software or data files/databases and the
proprietary rights of the software publisher or data file owner.

(3) Software developed by or data collected within SIA is used and protected as the
proprietary and confidential property of SIA.

(4) Computer hardware, software and data files/databases are used only for approved
SIA business.

III. ASSOCIATE RESPONSIBILITIES

In furtherance of SIA's objectives, and in compliance with this policy, each Associate
who uses or has access to SIA's computer hardware, software or data files/databases
shall comply with the following:

(1) Associates shall not purchase, install, modify, or delete software on SIA's
computer system without the prior approval of the IS Technical Services
Manager or his/her designee. (Software, for the purpose of this policy,
includes both the operating system and all application software. The
configuration and setup of the operating system is considered part of the
operating system and should be modified only by IS or IS approved Associates
or vendors.)

(2) Associates shall not copy all or any part of any software program or package, any
software manual or documentation, or any computer data files/databases licensed
from third parties without the prior approval of the IS Technical Services
Manager or his/her designee. Associates should become familiar with the use
and copying restrictions of each software program or package used (by reading
user manuals, labels or notations, or by asking their supervisor or IS).

(3) Associates are to use all software only on designated SIA computers or networks
and are not permitted to remove any copy of computer software or corporate
controlled data files/databases from SIA premises except with the prior approval
of the IS Technical Services Manager or his/her designee. Associates shall not
remove Section-controlled data files/databases except with the prior approval of
the Section Manager.

(4) Associates shall not purchase, install, remove, modify or connect any hardware
to SIA's computer system without the prior approval of the IS Technical
Services Manager or his/her designee. No computers are to be connected to
SIA's Local Area Network (LAN) without the prior approval and involvement of
IS. (Hardware, for the purposes of this policy, includes internal devices (i.e.,
adapters, drives, memory modules, cards) and peripherals (i.e., printers, modems,
drives, CRTs).)

(5) Associates shall ensure that removable media which have originated from outside
SIA or which have been used on non-SIA personal computers do not contain a
computer virus, or have been checked by authorized IS personnel for the presence
of computer viruses, prior to use on SIA's computer system.

(6) Associates shall use computer hardware, software and data files/databases for
SIA approved and business related purposes only. All information contained in
computer data files/databases is the sole property of SIA and is subject to
inspection and monitoring, with or without advance notice, by SIA at any time.

(7) Associates shall not share their user IDs and passwords with any individual; all
passwords should be kept confidential. Each Associate is responsible for the use
of his Network, Mainframe or other assigned account.

(8) Associates are required to strictly comply with all SIA security procedures
including maintaining the confidentiality of assigned IDs, codes or passwords.
All Local Area Network passwords must be changed every 60 days, minimum
password length is 8 characters, password history is set to remember 5
passwords, and the account is locked after 4 invalid logon attempts. Mainframe
passwords must be changed every 30 days, password length is between 3 and 8
characters, password history is set to remember 2 passwords, and the account is
locked after 5 invalid logon attempts. All J-Sox compliance in-scope
Financial Applications follow the Password Policy for the Local Area Network.
Any additional Application passwords will be changed as deemed necessary for
the application. Note: When an Associate's account becomes locked or when
his password must be reset, the Associate must call the Help Desk (HELP or
X4357). Associates may be asked to verify their identity in one of 3 ways:
(1) verify the numbers on the back of their Badge; (2) have their Information
Systems Coordinator, Group Leader, or Manager send an email to the E-Mail
distribution group HelpDesk requesting the Associate's password be reset; or
(3) bring their badge to the computer room for verification.

(9) All personal computers, laptops and workstations should be configured with a
password protected screensaver set at 10 minutes or less. Associates should lock
their computer, laptop or workstation when leaving their desk. (Press
CTRL+Alt+Delete and select the Lock Computer button).

(10) Associates shall refrain from accessing or subscribing to outside networks or
services (i.e. CompuServe, Suppliers' Help Desks, Bulletin Boards, outside
companies, proxy servers) without the prior written approval of their Section
Manager and prior written notification to IS.

(11) Associates shall use only computer hardware which has been designated for their
use, unless prior approval has been granted by their Section Manager or the IS
Technical Services Manager or his/her designee.

(12) Associates shall not connect any device to SIA's network without the prior
written approval of the IS Technical Services Manager or his/her designee.

(13) Associates shall not circumvent any authentication or security of any computer,
network or account.

(14) When an Associate needs different access to an area on the Local Area Network,
they will fill out the LAN Permission Request or Login Id Request form
(whichever is needed), and obtain the appropriate signatures on the form prior to
submitting to the IS LAN Administration Group.

(15) Call the Help Desk (HELP or X4357) when the Associate experiences any
problems or issues with her computer, laptop or workstation.

IV. INFORMATION SYSTEMS RESPONSIBILITIES

(1) Supervise and manage the acquisition, procurement, installation, relocation,
modification, copying and deletion of all SIA computer hardware, software and
data files/databases.

(2) Review all software licensing, with the assistance of the SIA Legal Department
if necessary, prior to installation, modification or deletion of software.

(3) Maintain records of purchased or licensed computer software packages
including, but not limited to, proof of purchase and original media provided by
manufacturer.

(4) Make and supervise the storage of all permitted backup copies of licensed
software and corporate data files/databases.

(5) Maintain connections to the LAN and make all LAN hardware and software
installations, modifications and deletions.

(6) Monitor adherence to this policy through the periodic conduct of audits and other
inquiries and report all violations to SIA Management, as appropriate.

(7) Notify Section Managers of any special situations involving use of particular
hardware or software which would deviate from this policy.

(8) Ensure that all computer systems connected to SIA's Network are continually
running virus scanning software and that the virus definitions are up to date.

(9) Ensure that all computer systems attached to SIA's Network have the appropriate
Operating System Patches and updates applied.

(10) Each month, contact the respective Section Managers to confirm associate status
for those accounts that have not logged in for 60 days.

(11) When a new software system is needed, Information Systems will provide the
Software Evaluation Matrix and help the requesting department complete the
Matrix. Information Systems will complete the in-house portion of the form.

(12) When new computer hardware is required to be used at SIA, Information
Systems is responsible for providing the specifications for the needed hardware,
based on the then-current hardware standard. This would include any standard
software such as Operating System, Virus Protection and Backup Software.
