Policy Overview
This policy provides minimum standards for:
- Acceptable usage of e-mail, voicemail, AI Engines, cell phones, cameras and PCX systems connected to the PCX network.
- Maintaining the security of PCX’s information systems.
- Protection of PCX’s internal and confidential information.
It is the responsibility of every PCX employee who handles Controlled Unclassified Information (CUI) to comply with the PCX Acceptable Use Policy and the PCX IT/Cybersecurity Policies and Procedures as required by DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting). All PCX employees must comply with this policy. PCX employees who are noncompliant with any part of this policy are subject to disciplinary action by PCX and may also be exposed to other civil and criminal liabilities.
Any questions regarding this Policy or the use and handling of PCX information systems, or any violation of this Policy, should be addressed to the PCX IT Director.
Acceptable Use of PCX Systems
Prior to granting access to any PCX systems or applications, approval must be granted by a user’s manager and the system application owner. Access to certain systems (for example, LAN access, e-mail, voice mail and expense reporting) may be granted by default to all employees to allow them to properly function.
Employee access and termination procedure is documented in the “New Hire/Termination Process and Security Access Policy” located within the PCX Help Desk Forms and Policies section.
Acceptable usage of e-mail and voice-mail systems:
E-mail systems have allowed us to transmit more information in less time and with less formality. However, PCX employees and affiliated persons must ensure that accuracy, security and control of the information are maintained, and that communications are appropriate and professional.
General
The e-mail and voice mail systems are owned by PCX and are provided for business use. All messages and other information communicated through the e-mail systems are also the property of PCX. Occasional use of the e-mail systems for personal purposes is permissible, as long as the personal use does not, in PCX’s sole judgment, interfere with the user’s or any PCX recipient’s ability to perform his or her duties, or adversely impact the operation of the e-mail or voicemail systems. Personal information within PCX email and voicemail systems will be treated as company owned data. No special accommodation is made by PCX to provide employees access to personal information in the event of termination.
Use Good Judgement
No messages should be sent except those you would be comfortable putting in a letter or memo for general distribution. Once a message leaves PCX, there is no way to control the number of copies made, or whether those extra copies will be saved. Send messages only to people who have a need to know. Remember that someone included on the list of recipients may get all the responses generated if the “Reply to All” feature is used.
Representing PCX
E-mail sent from the PCX Network contains PCX’s name. Care must always be taken in formulating your messages, recognizing that your messages represent PCX.
Harassment or Defamation
Do not use e-mail to transmit any form of offensive or harassing statements or images, including those based on age, race, sex, sexual orientation, national origin, or disability, or that others may reasonably consider to be obscene, profane, or offensive. Also, do not use e-mail to make statements that could be construed as defamatory.
Violations of Copyright, Trade Secret, etc.
Do not use e-mail in violation of the copyright, trade secret rights or other rights of PCX or third parties. In order to ensure copyrights are not violated (and to protect the system from viruses), do not use e-mail to receive, transmit or store privately owned software programs. Also, remember that distributing an article electronically is the same as copying it using a copy machine. Care must be taken not to copy protected material inadvertently. Users should pay particular attention to avoid forwarding copyrighted materials to others or printing them for later distribution. Users should look for copyright notices on any document or program received, but be aware that even if there is no copyright notice, the material may still be protected by copyright. If you are unsure as to the copyright status of a document, don’t copy it.
E-mail Confidentiality Legends
An approved Confidentiality Legend will automatically appear on each e-mail message that you send via the Internet. All use of external e-mail on behalf of PCX must bear the Confidentiality Legend below:
The information contained in this electronic mail transmission is intended by PCX Aerosystems, LLC for the use of the named individual or entity to which it is directed and may contain information that is confidential or privileged. If you have received this electronic mail transmission in error, please delete it from your system without copying or forwarding it, and notify the sender of the error by reply email so that the sender’s address records can be corrected.
E-mail Signature Block
To maintain a consistent and professional image of the PCX brand, a standard email signature block has been set up for employees performing external communications. Employees are not permitted to change the signature block without prior approval from the PCX Marketing team. Only members of the IT department should change the email signature block in order to maintain consistency.
Acceptable usage of other PCX information systems:
Maintaining the confidentiality, integrity and availability of PCX information systems is essential. PCX employees and affiliated personnel are responsible for exercising good judgment when using PCX information systems. PCX information systems, including workstations, servers and other resources, are intended for PCX business use. However, reasonable occasional personal use is allowed only so long as such use does not, in PCX’s sole discretion, interfere with the ability of the employee or affiliated person to perform his or her duties for PCX or conflict with any other PCX company policy. Where use of an information system is questionable, the individual should seek advice from his or her immediate manager.
As a general rule, the following uses of PCX information systems are not considered reasonable, and such uses are not allowed without prior written approval from an appropriate manager:
- Sending Controlled Unclassified Information without using encryption as described in “PCX IT/Cybersecurity Policies and Procedures”.
- Installing software, applets, utilities, code or content not owned or authorized by PCX. This includes, but is not limited to, peer-to-peer (P2P) file sharing programs such as Dropbox, LimeWire, BearShare, KaZaA and Morpheus, anonymous proxies, screen savers, games, and commercial instant messaging (IM) systems.
- Use of non-business related streaming audio or video, whether from the Internet or private sources.
- Participation in external chat rooms, discussion groups, blogs or social networking websites such as – or similar to – Facebook, Instagram and Twitter.
- Playing games not included in authorized configurations, whether alone, against other individuals, or against automated systems.
- Seeking employment, whether for the individual or another person, outside of PCX.
- Activities to produce income for, advertise, or further the interests of individuals, for-profit or not-for-profit organizations not approved in writing by PCX.
- Activities not legal under prevailing local, state, federal, or international laws.
- Creation, communication (such as uploading, downloading, displaying on a screen or sending e-mail), or storage of materials, audio files or images that could be considered sexually explicit or suggestive, racist, hateful, offensive, or discriminatory. Any such materials violate PCX’s harassment and discrimination policies.
- Originating or forwarding unsolicited e-mail, fax, or automated voice messages, including the sending of “junk mail” or other advertising material to individuals who did not specifically request the material.
- Unauthorized use, forging, or alteration of e-mail header information.
- Solicitation of e-mail, or any marketing materials, for an e-mail address, phone number, or mailing address, other than that of the originator, with the intent to harass or to collect replies.
- Creating or forwarding “chain letters”, “Ponzi” or other “pyramid” schemes of any type.
- Engaging in disruptive, deceptive, or unauthorized computer activities, such as, but not limited to:
  - Accessing, or attempting to access, information not required to perform official job functions.
  - Accessing, or attempting to access, any computer system, service, or device (or any part thereof) by any means other than an authentication (e.g., login account) that has been explicitly provided by PCX (or the system owner) to the employee or affiliated person for the purpose of access.
  - Using (or causing to be used) PCX computer systems or network communications to cause the disruption or slowing of any computer system, service, connection or network communications, whether owned by PCX or not (e.g., denial of service or distributed denial of service).
  - Altering identifying information in messages or network packets, such as packet spoofing or altered routing information.
  - Use of utilities or code that enables the interception, viewing or collection of network traffic (network sniffing) or data not intended for the user’s system.
  - Introduction of specifically crafted or previously collected network packets onto the PCX network system.
  - Use of software or code that identifies systems, devices, protocols, services, or ports available on the PCX network that hasn’t been approved by the PCX IT Staff.
  - Intentional introduction of malicious programs, or programs that may have a malicious effect, into any computer or network system, whether owned by PCX or not.
  - Disabling, preventing or interfering with computer systems audit, monitoring, or protection, including, but not limited to, turning off or deleting files collected by the following utilities:
    - System security audit, activity, or maintenance logs;
    - Personal firewalls;
    - Virus and/or spyware protection utilities; and
    - System inventory utilities.
- Engaging in activities that violate the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to:
  - Installation or distribution of software products that have not been licensed for use and distribution by PCX.
  - Unauthorized copying or duplication of copyrighted material including digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music or software.
  - Altering or removing notices of proprietary rights (e.g., copyright notices, trademark notices, etc.).
Employees with a potential business need to engage in any of the above activities must have written approval from a member of the PCX IT Steering Committee. The approval must include the business purpose for the activity, a detailed description of the activity (including host names or network identification, where possible), and the period of time (beginning and ending date) for which the approval is granted.
Systems monitoring and privacy expectation:
PCX provides information systems and supporting services for use by employees and affiliated persons. There should be no reasonable expectation of privacy while using any systems within the PCX network. For example, authorized individuals within PCX monitor equipment, systems, network traffic, and the content of messages communicated or stored on PCX equipment for security, compliance and network maintenance purposes, and may release information that is stored or communicated on PCX systems to comply with requests from external authorities, such as law enforcement or regulatory agencies, or for other purposes.
System Monitoring Approval:
Viewing of email accounts, employee PCs and employee home drives by anyone other than the active employee assigned to the resource must receive approval from the Chief Human Resources Officer or designee. All requests will be made by an IT Staff member creating a Zendesk Change Record assigned to the Chief Human Resources Officer. The President is required to approve access to PCX employee resources when the requestor is the Chief Human Resources Officer. PCX System Administrators will provide the Chief Human Resources Officer audit reports of who has non-owner access to resources upon request.
Use of Instant Messaging Services:
PCX provides internal instant messaging via the Microsoft Teams app. PCX discourages the use of external or public IM systems, and their use is permitted only so long as it does not interfere with the PCX network or interrupt normal work and advance written permission is granted by appropriate management. Instant messages should not be used for or considered a business record.
Acceptable Usage of AI Engines on PCX Information Systems
PCX employees and affiliated personnel are responsible for exercising good judgment when using AI engines and related technologies on PCX information systems. AI engine usage, including but not limited to large language models, machine learning platforms, and artificial intelligence tools (e.g., ChatGPT, Claude, Copilot, etc.), is permitted for PCX business purposes only. Due to ITAR and DFARS 252.204-7012 requirements, entering ITAR-controlled information or CUI (Controlled Unclassified Information) into any AI engine is prohibited. Where use of an AI engine is questionable, the individual should seek advice from his or her immediate manager.
AI Prohibited Activities
Generally, the following uses of AI engines on PCX information systems are not considered reasonable, and such uses are not allowed without prior written approval from an appropriate manager:
- Data Security and Export Control Violations
  - Inputting, uploading, or sharing Controlled Unclassified Information (CUI) with any AI engine without prior written approval from the PCX IT team.
  - Using AI engines to process, analyze, or store information subject to International Traffic in Arms Regulations (ITAR), Export Administration Regulations (EAR), or Defense Federal Acquisition Regulation Supplement (DFARS) without explicit written authorization.
  - Sharing proprietary PCX or Customer technical data, designs, software code, engineering specifications, or other technical information with AI engines that may be subject to export control regulations.
  - Using AI engines hosted outside of approved secured environments (defined as behind PCX managed Firewall).
- Software and System Integrity
  - Installing unauthorized AI software, plugins, or extensions not approved by PCX IT Staff.
  - Using AI engines to generate malicious code, exploits, or security vulnerabilities.
  - Deploying AI-generated code or configurations into production systems without proper security review and testing.
  - Using AI engines to bypass, circumvent, or disable security controls, audit logs, or monitoring systems.
- Intellectual Property and Legal Compliance
  - Using AI engines to reverse engineer, analyze, or reproduce competitor products or technologies that may violate intellectual property rights.
  - Having AI engines generate content that infringes on copyrights, patents, trade secrets, or other intellectual property protections.
  - Using AI engines to create false attributions, forge documents, or generate misleading technical documentation.
- Operational Security Violations
  - Providing AI engines with PCX confidential information (defined below).
  - Providing AI engines with authentication credentials, system access tokens, or other sensitive authentication information.
  - Using AI engines to analyze network traffic, system configurations, or security information without explicit IT Security approval.
  - Sharing organizational charts, employee information, contract details, or other sensitive business information with unauthorized AI platforms.
  - Using AI engines to automate social engineering attacks or information gathering against PCX systems or personnel.
General Guidelines for Permitted Use
- When using approved AI engines for authorized business/business learning purposes:
  - Ensure all inputs comply with data residency requirements and export control regulations.
  - Verify that AI-generated outputs are reviewed for accuracy, security implications, and compliance before implementation (always double-check AI responses with reliable sources; they are helpful, not infallible!).
Failure to comply with this policy may result in disciplinary action up to and including termination of employment and may have legal consequences under federal export control laws.
Maintaining Confidentiality of PCX Information Systems
Password Protection
PCX information systems, services, and resources require some form of authentication (e.g., a login ID and password, smart cards and/or biometrics) prior to allowing access to the system. The purpose is to ensure that only those persons who have a verified need and are properly authorized are provided access. Within PCX information systems, each individual is uniquely identified by a login ID and a password. While the login ID may be known to others (such as part of an e-mail address), the password must be kept confidential and known only to the person that it identifies. PCX employees and affiliated persons who are provided passwords to PCX information systems, services or resources are required to treat the passwords as PCX Confidential information that is only to be known to the individual identified by the login ID and password.
When selecting a password, individuals should select strong passwords using the following guidelines:
Do NOT select passwords that:
- Are a word found in a dictionary.
- Are a common usage or easily guessed word such as:
- Names of family, pets, friends, co-workers, fantasy characters, etc.
- Computer terms and names.
- Birthdays and other personal information.
- Word or number patterns like aaabbb, zyxwvuts, 123321, etc.
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., aaabbb1)
DO select strong passwords with the following characteristics:
- Are at least eight alphanumeric characters long.
- Contain both upper and lower case characters (e.g., a-z, A-Z).
- Have digits (e.g., 0-9).
- Have punctuation characters as well as letters (!@#$%^&*()_+|~-=\`{}[]:”;'<>?,./).
PCX employees and affiliated persons should not use the same password for PCX accounts as for other non-PCX access (e.g., personal ISP account, personal e-mail, benefits, etc.). Where possible, PCX employees and affiliated persons should not use the same password for various PCX access needs. PCX employees and affiliated individuals should never:
- Reveal passwords to anyone other than the IT Staff.
- Write down passwords.
- Store passwords in a file on ANY computer system without encryption.
- Permit others to use systems that are logged in under your password.
Security Violations
PCX employees and affiliated persons are required to report the following to the Information Technology Director or IT staff immediately:
- Anyone other than authorized PCX IT personnel attempting to obtain or “verify” a password.
- Any account or password suspected to have been compromised.
- Suspected phishing attacks of any form. Employees should pay particular attention to the address they are communicating with to verify it corresponds to the person’s expected domain.
When logging onto PCX information systems, be alert for indications that someone is attempting to guess your password. Logins at a time when you know you were not using the system indicate that someone has guessed or knows your password. PCX employees and affiliated persons should immediately report any failed logon attempts (when the user did not make a mistake) or any user ID logon at a time when the user knows he or she was not using the system. If your account is locked out when you have not had five failed login attempts (e.g. it is locked out when you first try, or after only one attempt), this may be a sign that someone has been attempting to guess your password and should be reported immediately.
If an authorized PCX IT staff member requires access to your password to assist you with a problem you are having with an application or your PC or laptop, change your password immediately after the IT staff member has finished with his or her assistance.
Windows Accounts:
All accounts within the PCX domain should have an owner and a manager that is authorized to change account access for the owner. Accounts should be reviewed monthly by HR to validate that account owners and their managers match active employees and contractors. The PCX system administrators should disable accounts that are not assigned to active employees or contractors (CSC 16-10).
Any Computer or User accounts that have not been used within 45 days will be disabled unless the IT Director, CHRO or GM indicates a business requirement to keep the ID/Computer Account active. The IT Director will verify monthly that only active user accounts are being used within the domain.
Protecting PCX Information
Ownership of Information
All proprietary rights to information created or accumulated using PCX systems should be presumed to be the property of PCX. Information, like any other property belonging to PCX, has value and must be protected. Unlike physical property that can be recovered when lost or stolen, once information has been released (e.g. made public by talking about it in a chat room or e-mail), it cannot be recovered (made private) again. Accordingly, where there is any doubt, assume the information you are working with is owned by PCX and must be kept private.
Classification of Information
Different types of information require different levels of protection according to the sensitivity of the information. The sensitivity of information can be characterized in three ways within PCX:
- Public Information
- PCX Internal Use Only
- PCX Confidential
Public Information
Public information includes (a) information from external sources that is not subject to restrictions on disclosure and (b) PCX information that can reliably be considered public knowledge, such as press releases, or that has been declared public information by a person with the authority to do so. There are no special requirements for marking or handling public information, except that certain materials from third parties may be subject to copyright or other restrictions. You should check with your manager before any such materials are copied, distributed or used in other formats, such as web site content.
PCX Internal Use Only
PCX Internal Use Only information includes most of the business information with which we work, and consists of any information, or accumulation of information, that would not be otherwise available to persons not employed by PCX but that is not sensitive enough to qualify as PCX Confidential information (described below). If practical, PCX Internal Use Only information in print or electronic media should be marked as “PCX Internal Use Only”. When PCX Internal Use Only information is electronically transmitted to others, the transmittal should note that the information is intended for PCX business use only and should provide a point of contact to report any misdirected, lost, or erroneous information. PCX Internal Use Only information should only be disclosed internally except that, if appropriate written approval and contractual protections are secured, certain PCX Internal Use Only information may be provided to PCX affiliated persons who have a need to know the information under their business with PCX. Briefcases, thumb drives, notebooks and handheld computers containing PCX Internal Use Only information should not be left unattended in public areas. PCX Internal Use Only information should be destroyed in a manner that prevents easy recovery, such as shredding paper or formatting drives, where possible.
PCX Confidential
PCX Confidential information consists of any information, or accumulation of information, where unauthorized disclosure of the information:
- Would violate an obligation to protect the information, such as license restrictions, nondisclosure requirements, or other contractual requirements,
- Would violate individual privacy rights or lead to identity theft,
- Could result in the loss of intellectual property rights,
- Could result in loss of PCX competitive advantage, financial loss to PCX, or potential embarrassment or damage to public confidence in PCX.
PCX Confidential information in printed or electronic format must be marked as “PCX Confidential”. When PCX Confidential information is conveyed orally, the speaker should notify listeners that the information is considered PCX Confidential, and consider providing a follow-up, written confirmation of the PCX Confidential status of the information.
PCX Confidential information may only be disclosed to PCX employees with a business need to know the information and, if appropriate written approval and contractual protections are secured, to select third parties who have signed a written nondisclosure agreement and have a legitimate business need to know the information. The release of information that is PCX Confidential due to an obligation to a third party, such as information obtained through a non-disclosure agreement or contract for services, must only be done in a manner consistent with PCX’s agreement with the originating third party. The greater the sensitivity of the information the more restricted the access to it should be.
PCX Confidential information may not be left unattended in public areas, nor in unprotected business areas, such as, but not limited to, whiteboards, printers and unattended desks. PCX Sensitive information may not be communicated in public forums, such as mailing lists, or via public services, such as instant messaging. PCX Confidential information may only be made available for on-demand electronic distribution to persons who have been previously identified and approved for access and who are required to authenticate prior to access.
PCX Confidential information should be stored in locked file cabinets or within locked rooms. When stored off-site, PCX Sensitive information must be contained or encrypted in a manner that prevents access by non-employees. PCX Confidential information may not be directed to or stored in home computers or other personal devices. When PCX Confidential information is exchanged with or stored on systems maintained by contracted third parties, the contracting process must include a security review and the contract must include clauses that protect PCX’s right to ensure continued adequate security and to terminate the contract for the lack of adequate security controls.
PCX Confidential information must be destroyed in a manner that reliably prevents access by unauthorized persons, such as destruction of the media (e.g., paper shredding, degaussing magnetic media, or physical destruction of CDs) or expunging/clearing data in a manner that makes it irretrievable. Devices that have been used to process PCX Confidential information must be cleared of all information or the storage media removed prior to releasing the device from PCX controls for maintenance, replacement, or disposal.
Protecting PCX Equipment
Many PCX employees use laptops, iPhones and other portable devices containing PCX information. These devices need to be protected to preclude loss of the information contained in them. The following steps need to be taken as a minimum level of protection for portable devices:
- Do not leave laptops in a visible location when in a vehicle. Lock them in the vehicle’s trunk.
- When staying at a hotel, use the hotel’s room safe, if available, to lock up your laptop when away from the room.
- Do not put laptops or other portable devices in checked luggage.
- Do not let portable devices out of your sight in public areas.
- Use a privacy filter if working on your laptop while in public places to prevent others from viewing what is on the laptop’s screen.
Camera Usage
To maintain compliance with ITAR and DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), PCX must maintain controls on data collected, developed, received, transmitted, used, or stored in support of the performance of a contract. Camera usage (including cameras on smartphones) within the PCX facility is limited to devices that meet these security controls. PCX employees must only use devices with PCX approved device management software to take pictures and/or video within the PCX facility. Camera usage should be to improve the quality or capability of producing parts. No personal cameras should ever be used within the PCX facility, as those devices can’t be verified to have the proper controls in place.
Camera usage by non-PCX employees is permitted for individuals who maintain compliance with the security controls for DFARS 252.204-7012. A PCX employee of manager level or above must provide verbal authorization to any non-PCX employee prior to taking pictures or video within any PCX facility.
Storage of PCX Information
Best practices specify corporate information should be stored in secure locations such as on Local Area Network (LAN) drives or on the hard drive of an appropriately secured PC or laptop. However, PCX recognizes advancements in technology and the expanded use of flexible and portable storage devices including, but not limited to: memory sticks, removable USB hard drives, PDAs, cell phones.
All data copied from PCX Systems onto these flexible media is the property of PCX and is auditable by internal and/or external sources at any time. PCX information of any classification is not authorized to be copied to or stored on personal cell/mobile devices.
Controlled Unclassified Information and documents classified as PCX Confidential must be protected using two-factor authentication and encrypted.
Document Control Information
Policy Owner: John Capozza – IT Director
Summary of Changes:
Version # | Version Date | Change | Approval Date |
1 | 4/12/18 | Initial Version | 5/17/18 |
2.3.3 | 4/30/19 | Updated the “Windows Accounts” section to include that the IT Director, CHRO or GM can override the requirement of disabling a User or Computer account after 45 days of non-use. | |
3.0.1 | 5/12/25 | Added Acceptable Usage of AI Engines on PCX Information Systems in the Acceptable use policies | |
3.0.2 | 5/22/25 | Updated AI policy with Matt Brush input | |
Document Change Approvers:
President – CEO (East Coast) | Tom Holzthum |
President – CEO (West Coast) | Andy Hamelynck |
GM – Newington | Aris Fotos |
VP Sales and Marketing | Trevor Hartman |
Chief Human Resources Officer | Matt Brush |
Document Location:
The latest copy of this document is located within the PCXaero website under the AUP page.