Information Technology (IT) Security Guidelines for External Companies

Transcription

1 Information Technology (IT) Security Guidelines for External Companies Document History: Version Name Org.-Unit Date Comments 1.1 Froehlich, Hafner Audi I/GO VW K-DOK

2 Table of Contents: 1. Goal Scope Organizational security Asset classification and control Personnel security Physical and environmental security Communications and operations management Protection against malicious software Information back-up Media handling and security Exchanges of information and software Security of media in transit Security of electronic mail/internet security Other forms of information exchange Access control Access control policy User responsibilities Network access control Operating system access control Compliance Responsibilities...8 Appendix:...9 Page 2 of 10

3 1. Goal These IT Security Guidelines summarize the IT Security Regulations for External Companies applicable for the usage of information and communication devices (personal computers, workstations etc. as well as mobile computers e. g. notebooks, PDAs or mobile phones). These guidelines are for business management of the external companies, their employees as well as their vicarious agents (below called contractor). These serve to protect confidentiality, integrity and availability of information as well as to uphold the rights and interests of the ordering party and all natural and legal entities, who maintain business relationships with or work for the group company. 2. Scope These guidelines extend to the AUDI AG and are to be applied throughout the whole Audi Group, if necessary with concrete IT regulations. 3. Organizational security All persons under the scope of the company must comply with the respective valid IT security regulations without exception. Group company specific regulations (see Appendix, point 1) are applicable with regard to the use of company provided hardware and software. Group company specific regulations (see Appendix, point 2) are applicable with regard to the connection of communication devices to the internal network. The opening of a communication device and alteration of the hardware (e. g. installation or de-installation of hard disks, diskette drives, memory modules) as well as the manual alteration of the security settings (e. g. browser settings), is only permitted for the responsible units (see Appendix, point 3). Only authorized programs may be used or changed, unless authorized by responsible units (see Appendix, point 3). The procurement and installation of the provided hardware and software may only be conducted in cooperation with the responsible units (see Appendix, point 4). Group company specific regulations (see Appendix, point 5) are applicable for storage, other processing and use of personal data, as well as data underlying secrecy restrictions. The use of communication devices and data from the ordering party by contractors requires the expressed permission by the ordering party. The ordering party may stop the usage at any time. The circle of authorized contractors must be defined by the ordering party or his/her representative and is to be kept as small as possible. Contractors are to oblige for non-disclosure as defined by the valid non-disclosure agreement by the business management of the external companies. The ordering party may look at the agreements at any time. The distribution of data from the ordering party entrusted to third parties is expressly forbidden, unless agreed to in writing by the ordering party. Entrusted data may only be saved and stored temporarily and are to be destroyed/deleted or returned immediately after completion of the assignment. Page 3 of 10

4 4. Asset classification and control Information must be protected according to its sensitivity. For this, classification is necessary. Following levels of confidentiality are defined for this (see Appendix, point 6): Public (e. g. press releases) Internal (e. g. telephone lists) Confidential (e. g. production planning) Secret (e. g. cycle plans, prototypes) The classification is to be conducted by the creator, as instructed by the company. For this, a strict measure is to be used. Printed or electronic information is to be labeled according to the classification above (see Appendix, point 6). The creator is responsible for labeling information. Labeled Information is only allowed to be passed on with the same labeling. If information is unlabeled, then it has to be treated as Internal. Access to information may only be granted to the respective authorized circle of people (see Appendix, point 6). Confidential and secret information requires a higher protection than internal information. As far as technically possible confidential information is to be securely encrypted for electronic distribution (using the ordering parties authorized cryptographic technology). In principal, secret information must be securely encrypted for electronic distribution and storage. Confidential or secret information that are no longer required must be securely deleted or physically destroyed. 5. Personnel security The infringement or the suspected infringement against the IT Security Regulations is to be reported immediately to the ordering party. This is also valid for IT security weaknesses of systems or individual functions and to IT security relevant malfunctions. 6. Physical and environmental security The provided hardware is to be treated appropriately and to be protected against loss or unauthorized manipulation. The manufacturers instructions for device protection are to be followed. Communication devices, which store or process confidential or secret data, are principally to be installed so that unauthorized individuals will not be able to have access to the information stored on the devices. Internal communication devices are to be carried with off company sites only by permission of the ordering party. 7. Communications and operations management 7.1. Protection against malicious software Communication devices, systems and data media are to be checked by the specific user via a current virus scanner, frequently and upon suspicion of infection by malicious software (e. g. computer virus, Trojan horse). Page 4 of 10

5 Before files are distributed electronically (e. g. in the intranet/internet, on network drives) they are to be checked by the provider for malicious software, to prevent the distribution of malicious software. Communication devices suspected of infection are not to be used further. The responsible system support staff responsible must be informed immediately. The removal of malicious software on communication devices of the ordering party must only to be undertaken under the system support or respectively trained employees or Key users Information back-up Data should be principally saved on the allocated network drives and not on the local hard disk, as a central and automatic data back-up is only assured for the network. The user himself/herself is responsible for back-up of data stored on local data media (e. g. hard disks or diskettes) Media handling and security Data media (e. g. CDs, diskettes, tapes, hard disks) are to be protected during operation, processing, transportation and storage against loss, damage and accidental usage as well as against unauthorized access. When not being used, written data media which contains confidential of secret data must be kept locked (e. g. cabinet or drawer which can be locked). These media are to be labeled and catalogued. Data media that are no longer needed are to be disposed of securely after all information has been assured to be removed. Hard disks and other fixed installed data media are to be disposed of by the responsible units (see Appendix, point 3). The distribution of data must remain restricted to the minimum required to fulfill the contractual tasks. Distribution lists and lists of authorized recipients are to be reviewed at regular intervals Exchanges of information and software Security of media in transit It is to be ensured that all necessary and appropriate measures are taken (e. g. encryption) to protect information from being seen, modified and deleted by unauthorized persons also during transport (including family members and friends). The group company specific regulations of Appendix, point 7 applies during transport of IT equipment and data media off company sites Security of electronic mail/internet security The use of the internet is seen as especially insecure area with regard to the confidentiality of data and virus protection, this therefore also applies to communications. The risks of use are largely that it is possible easily to intercept, modify, copy or send data anonymously or with false identity. s and their attachments must be checked for malicious software by current virus scanner before being handled for the first time. The transmission of confidential or secret data via the internet is only permitted in a securely encrypted form. For this the currently utilized encryption software of the company is to be used. The assessment of whether such data is present is to be conducted by the user in line with binding instructions of his/her ordering party. The evaluation should be a strict one. The creation, distribution and the sending of chain letters is forbidden. Page 5 of 10

6 Other forms of information exchange During all conversations of confidential or secret information, including telephone conversations, one must ensure that they are not overheard unauthorized by overleaf persons. External facsimile numbers and addresses are to be taken from the current communication directories or to be requested from the recipient, so as to avoid wrong transmission of data. Secret data may only by principle be transmitted via facsimile in a securely encrypted form. Before transmission of confidential or secret data via facsimile the transmission has to be announced by a telephone call to the communication partner. After the facsimile transmission the receipt of the fax has to be confirmed by a telephone call. A modem for analog or digital (e. g. ISDN, WAP, GPRS) services (below called modem) may only used/operated after coordination with the responsible units (see Appendix, point 8). Unconditional requirement before installing a modem is to adhere to the following security measures: The communication device must not be operated unattended. To start a program to initialize the modem must not be automated but only used when required. During direct data exchange with another communication device only the specifically intended data in the specific folder may be provided for the communication partner. The communication device must be turned off when not needed. The use/operation of a modem at IT systems which are connected with the internal network is forbidden. The use of private modems or those not purchased via the responsible units (see Appendix, point 7) is forbidden. 8. Access control 8.1. Access control policy All users and external contractors are only permitted beside public data to get access to the data which they need to fulfill their defined scope of work. Further data is to be approved in writing by the information owner. The principle of need to know only applies in general. User group IDs are forbidden by principle, unless the user ID starts only applications with their own user administration or which allow only read-only access User responsibilities The use of another individual s user identity is principally forbidden. The distribution of identifications medias (e. g. smartcards, secureid-cards) is forbidden. The following minimum requirements for the password definition are to be followed: A minimum of 6-digit combination of letters and numbers/special characters is to be used. Especially no trivial combinations (e. g. AAAAAA ) or aspects of the personal details, (e. g. names, car registration numbers, birthday, words out of local or English language dictionaries) must be used. Secure passwords can be e. g. an easily remembered term, which has been altered at least at one place by a number/special character. The following minimum requirements for the PIN (PINs are passwords for identifications medias (e. g. secureid-cards)) definition are to be followed: A minimum of 4-digit combination of numbers for secureid-cards as well as a minimum of 5-digit combination of numbers for other medias (e. g. smartcards) is to be used. Especially no trivial combinations (e. g ) or aspects of the personal details (e. g. birthday) must be used. Page 6 of 10

7 The following minimum requirements in the use of passwords or PINs (below called passwords) are to be followed: The distribution of a password is principally not permitted. Saving under programmed function keys is not permitted. A storing of passwords in user files is only permitted in securely encrypted form. The password must be changed principally after the initial use and then at least every 100 days. Passwords for applications in private area are not to be used for company applications (e. g. private internet access must not equal to the company internet access). The password is to be changed immediately, if suspected that other know it. The spying of passwords is not permitted. During the entry on the keyboard and the display on the monitor and printer the spying is to be prohibited. If passwords must be written down, they are then to be placed in a sealed envelope signed by the contractor and deposited in a suitable place (protected from unauthorized access (e. g. safe)) and they are to be updated after each change of the password. The individuals entitled to open the envelope are to be noted in writing on the envelope. Should it be necessary in particular exceptional cases to use the sealed password (e. g. in case of sickness), then this is to be conducted by two individuals ( 4-eye-principle ). Every opening is to be documented and the user concerned is to be informed. After each opening the password is to be changed and to be written down again immediately by the contractor Network access control An internal communication device which is connected to the internal network must not allow a concurrent data exchange to another network Operating system access control When leaving the system during operation (e. g. break, meeting) the user must activate a system lock (e. g. password protected screen saver). Contractors which use their multi functional card for the login to systems have to remove the card when leaving the system. When the work has been completed at the communication device (exception: workstations and network printers), then a correct system shut down should principally be carried out and the system including monitor and all directly attached communication devices (e. g. printer) should be turned off. Processes requiring a long time, which are not to be interrupted, are principally to be protected by a password protected screen saver or a similar working mechanism. 9. Compliance The use of non-licensed software (pirate copies) is forbidden in line with valid legal requirements. License software is subject to legal requirements to protect copyrights (e. g. defines copying of software, apart from back-up creation and archiving, as an infringement of the copyright). Copyright infringement can lead to legal action, which may involve criminal proceedings as well as claims for damages (see Appendix, point 9). License software may only be used for the agreed use and only following the existing regulations and the license agreement with the vendor. The respective national legal regulations for data protection (see Appendix, point 10) are to be complied with. Contractors must be bound to legal regulations for data protection by management of the external company (see Appendix point 10) in principle. The particular responsible units are to be notified immediately by the particular user of user identifications or access rights, which are no longer required, so that these may be deleted. Page 7 of 10

8 Identification medias (e. g. smartcards, secureid-cards) that are no longer required are to be returned immediately to the responsible units. 10. Responsibilities These guidelines are to be followed and complied with by all contractors. Breaches of these guidelines will be individually assessed and may lead to prosecution under prevailing company and legal regulations and agreements. Page 8 of 10

9 Appendix: History: Version Name Org.-Unit Date Comments 1.1 Fröhlich I/GO Every contractor is responsible that information, programs and communication devices are only used in a correct manner and in accordance to assigned tasks and in the company s interests. The use of company owned software and data on private communication devices is not permitted. 2. The connection of communication devices to the internal network is principally only permitted, when these have been provided by AUDI AG, Volkswagen AG or a company, in which AUDI AG, Volkswagen AG or a group company has a majority holding. 3. Responsibility: System Planning and/or User Service, IT-Shop. 4. Responsibility: System Planning and/or User Service, IT-Shop. 5. Storage, other processing, transfer and use of personal data as well as the transport on data medias is not permitted. Exemptions require the permission of the responsible personnel direction. In principle, communication devices and data media, on which personal, confidential or secret data are stored, may only leave the AUDI AG site in an encrypted form. 6. The following conditions apply for the individual confidentiality levels: Public Definition: Example: Labeling: Distribution: Copying: Storage: Destruction: Internal Definition: Example: Labeling: Distribution: Copying: Storage: Destruction: Confidential Definition: Examples: Labeling: Distribution: Information subject to no restrictions and e. g. published in newspapers by the company. Press releases. Public. Labeling may only be carried out by authorized areas e. g. public relations. No restrictions. No restrictions. No restrictions. No restrictions. Information that may only be published inside the company and not intended for the general public. Telephone lists, intranet information. None (or Internal ). Only to authorized persons. Only inside the scope of duty or area of application. Protect against unauthorized inspection. Orderly disposal (e. g. by reliable deletion of the electronic media). Information, the knowledge of which by authorized individuals could threaten the achievement of product and project objectives and therefore may only be made accessible to a limited authorized circle. Production planning, budget plans, quality data, audit reports. Confidential. Labeling on the first page of the document or on the mobile media. Only to authorized persons in encrypted form 1), for voice media unauthorized listening and interception to be prevented. Page 9 of 10

10 Copying: Storage: Destruction: Secret Definition: Examples: Labeling: Distribution: Copying: Storage: Destruction: Only inside the scope of duty or area of application, in addition it requires the approval of the ordering party. Encrypted 1) Storage and protection from unauthorized access. No longer required data media and information must be reliably deleted by overwriting or physically destroyed. Information, knowledge of which by unauthorized individuals could threaten the achievement of company objectives sustainably and must therefore be subject to an extremely restrictive distribution list and strict controls. Strategic plans, new developments, cycle plans, documents for the Board, start-up curves, prototypes. Secret. Labeling on every page of the document or on the mobile media. Additionally on every page the note page x of y has to be marked. Only to authorized persons in encrypted and signed form. Use of voice media to be avoided if possible and/or prevent unauthorized listening or interception by electronic attachments. Not permitted in principle. If necessary, only with the permission of the data owner (publisher). Encrypted filing and protected against unauthorized access. No longer required data media and information must be reliably deleted by being written over or physically destroyed. 1) As far as is technically possible using an encryption technology approved by the ordering party. 7. The transport of communication devices and data media off company sites is only permitted with the corresponding EDV-Gerätebegleitbuch (No ) or Transport-/Versandschein (No ). Exemptions require the approval of Information and Data Protection and the site security services. 8. Responsibility: System Planning and/or User Service, IT-Shop after approval by IT Security Organization. 9. Copyright of the Federal Republic of Germany (only binding on companies in Germany): 97. UrhG claim to omission and damages. Who violates the copyright or another after this law protected law illegally, can be taken up by the violated on removal of the impairment, with repetition danger on omission and if to the violator s intention or negligence is a burden also on damages. At place of the damages the violated can require the delivery of the profit which the violator has achieved by the violation of the law and bill lapping about this profit UrhG unauthorized utilization of works protected by copyright. Who reproduces a work or a treatment or transformation of a work in others than the legally admitted cases without consent of the legitimate, spreads or returns publicly, it is punished with term imprisonment up to three years or with fine. The attempt is liable to penalty. 10. Data protection in the Federal Republic of Germany (only binding on companies in Germany): In the Federal Republic of Germany the respective legal regulations of data protection are to be adhered. Page 10 of 10