Supplier Information Security Addendum for GE Restricted Data

Transcription

1 Supplier Information Security Addendum for GE Restricted Data This Supplier Information Security Addendum lists the security controls that GE Suppliers are required to adopt when accessing, processing, transmitting, and/or storing GE Restricted Data. Part A: Definitions Part A applies to all Suppliers. GE Restricted Data means any data that GE identifies as being restricted data in a statement of work, attachment, schedule, or other similar document under this Agreement. Incident means any actual or suspected compromise of GE Restricted Data. Mobile Devices means tablets and smartphones running mobile operating systems (e.g. ios, Blackberry OS, Android, or Windows Mobile operating systems). Laptops and voice-only devices with no smartphone functionality are not considered to be Mobile Devices. Information Systems mean Supplier s operating systems, infrastructure, applications, and software used with respect to GE Restricted Data. Highly Privileged Account or HPA means accounts with system level administrative or super-user access to devices, applications or databases, administration of accounts and passwords on a system, or ability to override system or application controls. Supplier Personnel means those Supplier employees, contractors, sub-contractors and agents provided access to the GE Restricted Data. Workstations mean any desktop computer, laptop computer, or mobile device used with respect to GE Restricted Data. Part B: Core Information Security Requirements Part B applies to Suppliers that access, process, transmit, and/or store GE Restricted Data. B.1 Supplier must maintain formal written policies and procedures for the administration of information security throughout its organization. B.2 Supplier must have an IT security organizational function with clearly defined information protection roles, responsibilities and accountability. B.3 Prior to providing access to any GE Restricted Data to any of its own suppliers that were not prequalified by or otherwise disclosed to GE at the time of engagement, Supplier must obtain GE s advanced written approval and perform information security due diligence on the supplier. Supplier shall require its suppliers to comply with the same level of security required herein this Addendum, and Supplier shall take reasonable steps to ensure continuing compliance by its suppliers. Page 1 of 7

2 B.4 Supplier must maintain an inventory of Supplier Information Systems (including owner and location). B.5 Supplier Personnel with access to GE Restricted Data or systems from which GE Restricted Data is accessible must, prior to obtaining access to GE Restricted Data, participate (or have participated) in information security awareness training provided by the Supplier and, thereafter, on a periodic basis (no less frequently than annually). B.6 No later than the date of separation, Supplier shall terminate any separating Supplier Personnel s access, whether physical or logical, that may provide access to GE Restricted Data. For its separating Supplier Personnel with a GE single sign-on (SSO) ID, Supplier must notify GE no later than the date of separation. B.7 Supplier must maintain up-to-date information security Incident plan and processes consistent with the guidance provided in the current version of SANS Incident Response and Management as it may be updated from time to time by SANS. B.8 In the event of an Incident: Supplier must notify GE without unreasonable delay (expectation is within two hours of discovery and mutually agreed upon updates) of any Incident. Supplier must perform a forensic investigation to determine if there was any unauthorized access to GE Restricted Data, and implement a remediation plan to prevent a similar event in the future. In the event that Supplier does not have the internal capabilities or does not designate a third party to perform such a forensic investigation on its behalf, Supplier shall notify GE in writing and Supplier must provide access to data or equipment required for GE to perform forensic analysis to ascertain potential or actual data loss or compromise. Supplier will promptly provide GE the results of any forensic investigations conducted by Supplier or its designee pursuant to the Agreement, including detailed Incident log, root cause analysis, and remediation plan. Supplier must take reasonable actions, at its own (or its relevant supplier s) expense, to mitigate and reduce the impact of the Incident. Supplier may not make or permit any statements concerning any such Incident to any thirdparty without the explicit written authorization of GE. Part C: Additional Information Security Requirements Part C applies to Suppliers that electronically store GE Restricted Data and/or have direct and persistent connectivity (excluding individual, user-based VPN access) to the GE internal network with access to GE Restricted Data. Information Systems audit C.1 Supplier will monitor the effectiveness of its security program by conducting self audits and risk assessments against Supplier Information Systems at minimum every 12 months. Page 2 of 7

3 C.2 Supplier must perform vulnerability assessments on Supplier Information Systems at least annually. For Supplier Information Systems that are internet facing, Supplier must engage an independent external party to perform the vulnerability assessment. C.3 Upon request, Supplier must provide to GE formal reports for any audits and assessments conducted on Supplier Information Systems, which shall include at a minimum the scope of the audit and/or assessment and any vulnerabilities/issues/findings/concerns/recommendations. Such formal reports provided by Supplier to GE shall be considered Confidential Information under the Agreement. C.4 Supplier must use its best efforts to remediate any items rated as high or critical (or similar rating indicating commensurately similar risk) in any audits or assessments of Supplier Information Systems within 30 days. If such items are not remediated within 30 days, Supplier must notify GE. Communications and Operations Management C.5 Supplier must implement and maintain controls to prevent and detect unauthorized access, intrusions, computer viruses and other malware on its Information Systems. At a minimum these must include: Client and server-side antivirus programs that includes the latest antivirus definitions; A process that would install for production, within 30 days, any critical patches or security updates; and Hardening and configuration requirements meeting industry best practices, such as SysAdmin Audit Network Security (SANS) Institute, National Institute of Standards Technology (NIST), and Center for Internet Security (CIS). C.6 Cryptographic and hashing algorithm types, strength, and key management processes consistent with industry practices as defined by NIST. C.7 Security-relevant events on Suppliers Information Systems must be logged, reviewed on a periodic basis (minimum quarterly), secured, and maintained for a minimum of 12 months. Access Control C.8 Supplier Personnel are to be given no more privilege than is required for Supplier Personnel to perform their respective duties in support of the obligations set forth in the applicable Agreement with Supplier and are given access to GE Restricted Data only for as long as such access is required for the performance of Supplier Personnel s duties hereunder. C.9 Supplier must ensure each account is attributable to a single individual. C.10 In addition to Supplier assigning a unique ID, all Supplier Personnel must be required to authenticate their identity (e.g. password) prior to accessing GE Restricted Data. C.11 Supplier must implement processes to support the secure creation, modification and deletion of accounts and HPAs. Supplier must review and update access rights at least annually (at minimum quarterly for HPAs). Page 3 of 7

4 C.12 All HPA access must be encrypted during transmission and HPA usage must be reviewed at minimum weekly. C.13 Supplier Information Systems must enforce the following password requirements: Temporary passwords must be given to Supplier Personnel in a secure manner, with expiration on first use. Passwords must be encrypted or hashed when transmitting over networks and in storage. User account credentials (e.g. password) must not be shared. Strong password practices must be enforced that include minimum password length (at least 8 characters), lockout (maximum 6 incorrect attempts), set expiration period (maximum age of 90 days unless an exception has otherwise approved by GE in writing), and complexity consistent with industry practices. Default passwords are prohibited. C.14 Workstations must not be left authenticated when unattended and must be password or PIN protected when not in use. C.15 Mobile Devices used to access GE Restricted Data (including s) must have strong mobile device security controls enforced that include required passcode, minimum passcode length (at least 4 digits), inactivity lock after maximum 30 minutes of inactivity, device wipe capabilities, and encryption. The Supplier must have a process in place to immediately wipe the device when notified that a Mobile Device is lost. C.16 Supplier Personnel must not store GE Restricted Data on personally-owned Workstations. C.17 In shared environments, Supplier must implement physical and/or logical access controls to prevent unauthorized access to GE Restricted Data. Change Management C.18 Supplier must maintain documented change management procedures that provide a consistent approach for controlling and identifying changes (including emergency changes) for Supplier Information Systems which includes segregation of duties. C.19 Development and testing environments for Supplier Information Systems must be physically or logically separated from production environments and must not contain GE Restricted Data. Production changes must be approved by the appropriate system owner and such changes must not be made by any Supplier developers. Network Access Control C.20 Supplier networks used to access or store GE Restricted Data must have security controls that can detect and prevent attacks by making use of network layer firewalls and intrusion detection/prevention Systems (IDS/IPS) in a risk based manner (e.g. between the Internet and DMZ, and between DMZ and internal servers containing GE Restricted Data). IDS/IPS high and critical priority alerts (or similar alerts Page 4 of 7

5 indicating commensurately similar risk) must be continuously monitored and responded to as soon as reasonably practicable. C.21 Any Supplier Personnel accessing Supplier s internal network remotely must be authenticated using a minimum two-factor authentication method and such transmissions must be encrypted. C.22 Network layer security devices must allow only authorized connections and rulesets must be reviewed at minimum semi-annually. C.23 If Supplier has a trusted connection as identified by GE, then Supplier must use only GE managed network devices to connect to the trusted connection and the network architecture must be approved by the GE Network team. Part D: Data Security Requirements Part D applies to Suppliers that electronically store GE Restricted Data on Supplier Information Systems. D.1 while backup tapes containing GE Restricted Data are kept onsite, they must be kept in a secure location (e.g. locked office or locked file cabinet). If off-site tape storage is used, then Supplier must have a tape check-in/check-out process with locked storage for transportation. Back-up information must be given an appropriate level of physical and environmental protection consistent with the level of control applied at the main site. D.2 GE Restricted Data must not be stored on removable media (e.g. thumb drives or external hard drives) other than physically secured retention media expressly used for the purpose of backup or data retention for business continuity planning/disaster recovery purposes which must be encrypted. D.3 Supplier must use an auditable process (e.g. certification of destruction) to remove GE Restricted Data from Supplier Information Systems prior to disposal or re-use in a manner that ensures that the information may not be accessed or readable. D.4 GE Restricted Data must be encrypted when transferred (including s) over public networks (such as the Internet). D.5 At a minimum, GE Restricted Data must be stored in a directory or folder with controlled access, (e.g., password protection). Where technically feasible, GE Restricted Data must be stored in encrypted form (except where encryption in storage is mandatory in such cases of removable media and Mobile Devices as set forth in D.2 and D.8). D.6 Supplier must gain approval from GE prior to moving GE Restricted Data from its GE approved physical location or jurisdiction to a different physical location or jurisdiction. D.7 Supplier must identify and implement risk based data loss prevention controls (e.g. disabling of USB ports, DLP software, URL/Web filtering) to protect GE Restricted Data. Page 5 of 7

6 D.8 Mobile Device storage drives and laptop hard drives used to store or access GE Restricted Data must be encrypted. Part E: Basic Physical Security Part E applies to Supplier facilities (including its suppliers) that physically or electronically store GE Restricted Data and/or have direct and persistent connectivity (excluding individual, user-based VPN access) to the GE internal network with access to GE Restricted Data. E.1 Supplier facilities must have physically secure perimeters, and external entry points must be suitably protected against unauthorized access. Access to all locations must be limited to Supplier Personnel and authorized visitors. Reception areas must be either manned or have other means to control physical access. E.2 Access to areas where GE Restricted Data is stored or can be accessed must be restricted to authorized Supplier Personnel. Such areas must restrict access using reasonable access controls and authentication mechanisms. Access must be monitored, recorded and controlled with physical access rights reviewed at minimum annually. Logs detailing access must be stored for a period of one year to the extent permitted by local law. If not staffed 24x7, alarms and entry point security cameras must be installed for off-hours access monitoring with recordings retained for at least 30 days. E.3 All Supplier Personnel and authorized visitors must be issued identification cards. Identification cards must be visibly displayed at all times while on the premises. Visitor identification cards must be easily distinguishable from Supplier Personnel identification cards and must be retrieved and inventoried daily. E.4 Visitors must be required to sign a visitors register (maintained for at least one year) and be escorted or observed at all times, upon each entry to and exit from the premises. E.5 A clear desk policy must be enforced throughout the Supplier facilities. Documents that contain GE Restricted Data must be kept secured (e.g. locked office or file cabinet) when not in use. E.6 All servers and/or network equipment used to store or access GE Restricted Data must be kept in a secure room with the following controls; Additional access control mechanisms are required on entry doors in order to further restrict access to only authorized Supplier Personnel. Rooms must be located on the interior of the building with no windows unless safeguards are in place to prevent shattering. Telecommunications equipment, cabling and relays receiving data or supporting services must be protected from interception or damage. Part F: System Availability Part F applies to any Supplier as identified by GE, if its Information Systems were to have an outage, such outage would likely significantly adversely impact GE or overall GE operations, financial position, regulatory compliance, and/or reputation. Page 6 of 7

7 F.1 Suppliers must maintain a disaster recovery (DR) program for all Supplier Information Systems locations used to provide services to GE. The program must be designed to ensure that Supplier Information Systems can continue to function through an operational interruption and that Supplier can continue to provide services as specified in the applicable Agreement. At a minimum, the DR program should include the following elements: Supplier s operational procedures must verify the successful completion of backups and the backup media must be tested regularly (at minimum quarterly) to ensure that it will operate in the event of an emergency. Maintain inventories that list all critical Supplier Information Systems. The inventories must be updated at minimum annually. DR plans must be developed for all Supplier Information Systems and facilities that are used to provide services to GE and reviewed/approved at minimum annually. Supplier must conduct full scale DR tests annually against DR plans (unless otherwise agreed with GE) for Supplier Information Systems that Supplier reasonably believes are critical for providing services to GE to ensure that such Supplier Information Systems can be recovered in a matter that meets the applicable contractual service level agreements. A summary of DR results sufficient for GE to exercise its oversight responsibilities must be documented and provided to GE upon request. F.2 For rooms containing servers and/or network equipment used to provide services to GE, controls must be implemented to mitigate the risk of power failures (e.g. surge protectors, uninterruptible power supplies (UPS), and generators), and environmental conditions (e.g. temperature and humidity). Part G: Software Development Part G applies to Suppliers that either perform code development services for GE, or host Information Systems that store, process, or transmit GE Restricted Data. G.1 Supplier must have a documented software development lifecycle process which includes requirements gathering, system design, integration testing, user acceptance testing, and system acceptance. G.2 Supplier must provide all developers application security training and information regarding vulnerabilities discovered along with prevention and remediation measures for those vulnerabilities. G.3 Information security checkpoints following industry best practice, such as The Open Web Application Security Project (OWASP), must be incorporated into the software development lifecycle including but not limited to risk assessments, documented security requirements, secure coding guidelines and checklists, source code review, and security testing prior to moving to production. All confirmed high/critical vulnerabilities found during testing must be remediated and retested prior to moving to production. Page 7 of 7