Policy Rules for Business Partners of Siemens

Transcription

1 Information Security Policy Rules for Business Partners of Siemens Basic rules regulating access to Siemens-internal information and systems

2 Policy Rules for business Partners of Siemens Edition P-RBP E Corporate Information Security Guide valid from , replaces previous releases. Siemens AG, All Rights Reserved Table of Contents 1 Goals Responsibilities Risks Range of application 5 2 Target groups 6 3 Rules General rules for all business partners of Siemens Handling information System access and admission authorizations Termination of activity Deficiencies and incidents Statutory regulations Rules for business partners with a workplace at Siemens Rules for business partners working on their own systems Rules for business partners with a connection to resources on the Siemens intranet 13 Published by: Corporate Information Office Governance Information Security (CIO G IS) 2/13 No. P-RBP E No. P-RBP E 3/13

3 1 Goals This policy regulates access to Siemens-internal information and Siemens systems for business partners of the Siemens group. Information of all kinds, e.g. documents, pictures, drawings, data and programs on paper or magnetic, electronic, optical or other information media, constitutes a major part of the corporate internal know-how for the Siemens group. Together with the information systems required for its processing, this information represents a valuable corporate resource that requires protection. 1.1 Responsibilities To mutual benefit and as a means of enhancing the efficiency of business processes we grant our business partners access to corporate internal information, facilitating the use of Siemensinternal systems and networks. It is in the interests of the Siemens group that this information and the associated information systems and networks be effectively protected against unauthorized access and manipulation. To this end it is necessary that our business partners and their employees adhere to the rules described here. The present document is intended for business partners and their employees who enjoy access to Siemens systems and Siemens-internal information. The business partner (or the local project manager with special responsibility) issues these regulations to the employees concerned, places them under an obligation (if possible formulated in writing) to comply with these rules, and monitors such compliance in a suitable manner. In this policy, the term business partners is used throughout to refer to business partners and their employees. 1.2 Risks Within Siemens, comprehensive measures have been introduced to protect information and information systems, for example involving the protection of confidentiality, and the protection of systems against computer viruses and the attentions of hackers. If business partners do not adequately support these measures, there is the risk of the protective measures introduced being circumvented. 1.3 Range of application This policy is the section of the Siemens Corporate Information Security Guide that is intended for business partners. If it is not possible to carry out individual rules to the letter, appropriate methods aimed at attaining the desired level of security must be discussed and put in practice. Adherence to information security measures within the Siemens group is subject to monitoring. If business partners disregard the present regulations, this may result in their being prohibited from entering Siemens sites or accessing Siemens systems, or may involve legal consequences and claims for damages. 4/13 No. P-RBP E No. P-RBP E 5/13

4 2 Target groups This policy is directed towards all business partners working with Siemens. There are various specific target groups, depending on the nature of the interoperation All business partners, Business partners with a workplace at Siemens, Business partners working on their own systems (e.g. PC, notebook), Business partners with a link to resources within the Siemens intranet (e.g. online access operations from their own systems). 3 Rules 3.1 General rules for all business partners of Siemens Handling information Regardless of the form in which it appears or the information medium employed, all information belonging to the Siemens group must be protected in accordance with its level of classification. For information not in the public domain summarized as "corporate proprietary information", there are three protection classes: For internal use only, Confidential and Strictly confidential. In relation to the following activities, the protection class calls for measures that can be made more stringent as the need for protection increases Identification/creation, Distribution, Dispatch and transmission, Retention and storage, Disposal/destruction/deletion. In consultation with your contact at Siemens, you should define the level of confidentiality of the information entrusted to you or created by you. 6/13 No. P-RBP E No. P-RBP E 7/13

5 Take account of the relevant measures drawn to your attention within the framework of your activities or contractual agreements. Corporate proprietary information must not be allowed to come into the possession of unauthorized parties, be passed on to others in the course of discussions or eavesdropped upon by those for whom it is not intended. Bear in mind that exporting or otherwise transshipping Siemens information may be subject to the need for approval as per US, EU or national export provisions. If necessary, clarify this with the Siemens branch office concerned, and obtain the appropriate permits in good time. Take account of the fact that the export regulations also apply if the information is transferred abroad via communication networks (e.g. via e- mail or file transfer). Discuss with the relevant partner at Siemens the possible need to furnish documents and data media with an additional Copyright mark in the form Copyright (C) Siemens AG, YYYY All Rights Reserved or Siemens AG, YYYY All Rights Reserved as a means of documenting proprietary rights. (YYYY here always indicates the year of first publication). In the case of updates, this label can be complemented as follows Copyright (C) Siemens AG, YYYY - UUUU All Rights Reserved or Siemens AG, YYYY - UUUU All Rights Reserved (UUUU specifies the year in which the information was last updated) System access and admission authorizations Insofar as you have received system access and admission authorizations, these are to be exercised in person and exclusively within the framework of agreed tasks or activities Termination of activity You must return the following to the Siemens branch office concerned upon completion of the cooperation (unless otherwise agreed): The documents and resources passed on to you, Any information and data media you have created, including copies and draft versions, The admission or system access authorizations granted to you Deficiencies and incidents Any deficiencies and incidents with information security implications must immediately be reported to the appropriate contacts at Siemens. 8/13 No. P-RBP E No. P-RBP E 9/13

6 3.1.5 Statutory regulations Take account of the appropriate data protection legislation, the associated local export provisions and other statutory regulations independently of the rules described here. 3.2 Rules for business partners with a workplace at Siemens Take account of the relevant information security measures drawn to your attention within the framework of your activities or contractual agreements. Desks and filing cabinets must be locked before leaving work for the day if they contain confidential or strictly confidential documents/data media. Take account of the protective measures employed locally when telephoning, sending and receiving faxes and when copying. The removal from the company premises of documents handed over to you, the results of work, data media or IT systems is only permissible subject to appropriate agreement and compliance with the relevant rules. Use the information systems (e.g. PCs, workstations) only for the allotted tasks. Bear in mind that the use of Siemens systems for private purposes is prohibited. Make use of the available protective mechanisms when accessing information systems (e.g. PCs, workstations), individual applications or files requiring protection, for example by employing userids in conjunction with passwords, PINs or chipcards. Treat the protection mechanisms with due care. Resources such as passwords and chipcards must not be passed on to others or published. By means of appropriate system settings, the definition and changing of passwords must be made subject to rules that cannot be circumvented. Insofar as you determine the quality of passwords, follow the rules below: If possible, formulate passwords from combinations of uppercase and lowercase alphabetic characters, numerals and special characters. Use at least 8 characters, if not applicable the maximum possible number of characters. Change the password at least every 90 days. Do not reuse old passwords. Change the password immediately if there is any suspicion it has been divulged. Deposit passwords if requested to do so by contacts at Siemens. If leaving your workstation, even if only briefly, block any open points of access, for example by employing a screen saver or removing the chipcard from the card reader. Security settings, system features or precautionary measures against computer viruses or other malicious software installed on the systems must not be disabled, modified or circumvented. Where use of the internet is possible, local regulations, for example German Internet acceptable use policy, must be complied with. 10/13 No. P-RBP E No. P-RBP E 11/13

7 In the event of suspected infection by computer viruses that are not automatically detected or eliminated, or if there are problems running virus protection programs, the local Siemens contacts must be informed without delay. Use only as instructed. The use of encryption is only possible subject to appropriate written agreement and compliance with the relevant regulations. The automatic forwarding of incoming to external mailboxes, e.g. private address, external providers, is not permitted. The initiation or forwarding of chain letters is not permitted. For data archiving purposes, use secure file servers within the network (e.g. central network drives) that are subject to regular data backup. 3.3 Rules for business partners working on their own systems Protect your systems against the loss of confidentiality, integrity and availability of all data or information created, processed or stored for Siemens, or which is important to Siemens. Perform your own suitable measures for the purposes of Data backup Virus protection System and data access protection. Hand over data using the agreed procedures only after performing virus checks Upon completion of the cooperation, delete and dispose all data, documents and data media generated in the course of the cooperation, along with associated copies or data backups, in a proper manner. To ensure the secure disposal of corporate proprietary documents and data media, use Siemens-internal facilities if you have no suitable options of your own. The direct connection of business partners own systems to Siemens-internal networks is not permitted. 3.4 Rules for business partners with a connection to resources on the Siemens intranet Operate the connection only using the technical configuration agreed with Siemens, and on the systems provided for the purpose. Treat as confidential all information about structures and access possibilities (e.g. dialup line numbers, network addresses) and security precautions relating to Siemens-internal systems and networks. 12/13 No. P-RBP E No. P-RBP E 13/13