FedEx Guide for. Information Security. Version 5.0

FedEx Guide for Information Security Version 5.0

FedEx Guide for Information Security Version 5.0 Revised June 2013 The FedEx Guide for Information Security provides the general user with an introduction to the Information Security Standards adopted by FedEx Corporation and its operating companies. The Standards are available on the FedEx intranet at http://www.infosec.fedex.com For reference only. Copyright 2013 FedEx Corporation

FedEx Guide for Information Security Contents Your Role in Information Security 5 Acceptable Use of Computer and Storage Devices 6 User ID and Password 7 Computer Devices 8 Portable Devices 9 Remote Access 10 Email 11 Internet 12 Virus and Malware Defense 13 Instant Messaging 14 Software 15 Data Security 16 Vendor Security 17 Telephone 18 Video and Web Conferencing 19 Fax 20 Modems 21 Physical Security 22 Information Security Data Classification 23 FedEx Key Policy for Information Security 26 Information Security Policy and Standards 26 Additional Resources 27 FedEx Confidential ISO 9001 Controlled cument Printed and other static representations of this document are classified for reference only. 3

4

Your Role in Information Security FedEx is committed to providing a safe and secure environment in which to conduct business and deliver a superior experience to our customers, shareowners and employees. To that end, FedEx Information Security has published the FedEx Information Security Policy and Standards to help reduce risk for FedEx and FedEx customers. The FedEx Guide for Information Security provides an overview of the Information Security Policy and Standards adopted by FedEx Corporation and its operating companies. This guide should be used as a supplement only as it is not a comprehensive source for all controls addressed within the Policy and Standards. Information Security is technology, but it s also people and processes. Whenever and wherever you connect to the FedEx network or access FedEx information, you must accept the responsibility of protecting it. How? Review this guide now and refer to it frequently to refresh your knowledge. Read and comply with emails and announcements from Information Security. Reference the FedEx Information Security Policy. Keyword: InfoSec Policy Direct any questions concerning the Policy and Standards to: http://www.infosec.fedex.com/standards/secure/questionform.phtml Immediately report any potential information security incident. Keyword: incident Visit the FedEx Information Security website for more information, including the all_secure@fedex e-newsletter. Keyword: InfoSec Ignorance is no excuse. FedEx Confidential ISO 9001 Controlled cument Printed and other static representations of this document are classified for reference only. 5

Acceptable Use of Computer and Storage Devices FedEx allows limited personal use of its computer resources provided such use doesn t interfere with your job duties, the business needs of other employees or serving our customers, and does not expose the Corporation to security risks. Know that it s okay to look up something on the Internet as long as it s not offensive. Know that it s okay to send an occasional personal email or instant message. Realize that your use of FedEx computer resources may be monitored. Understand that you are responsible for notifying FedEx Information Security should you observe a possible information security incident. Keyword: incident n t Visit indecent or illegal websites. Participate in peer-to-peer file-sharing on your FedEx device. Illegally download copyrighted material to your FedEx device. Solicit or conduct a side business using FedEx computer resources. wnload FedEx business email to any unauthorized device. Connect unauthorized devices to the FedEx network. 6

User ID and Password User IDs and passwords identify you and enable your access to FedEx networks, email, systems and applications. Although some systems may have more stringent requirements, at a minimum you must follow these guidelines. Remember long to be strong. Create a strong password that includes these characteristics: o Minimum of eight characters. o Contains at least one numeral. o Contains at least one upper case and one lower case letter. Keep all passwords confidential. Never share them with anyone else. Change passwords if given indication that your system or password has been compromised. Change passwords every 90 days or even more frequently. n t Use proper names or words found in the dictionary as passwords because they are easily detected by computer hackers. Include passwords in automated logon processes. Use your name, title or job function as a password. Use your FedEx ID number as a password. Write down your password. FedEx Confidential ISO 9001 Controlled cument Printed and other static representations of this document are classified for reference only. 7

Computer Devices We use many kinds of computer resources at FedEx: desktop and laptop computers, mobile email and Internet devices, to name a few. The media might differ, but all must be configured and used securely. Use screensavers that are password-protected and set to lock after 15 minutes of inactivity. Install and enable antivirus software approved by FedEx. Keyword: antivirus Keep client management software installed and running properly on your computer. Use a personal firewall when connecting to the FedEx network from a remote location. Remote connection requirements and downloads are available at: http://www.infosec.fedex.com/vpn/download.phtml Disconnect computers from the FedEx network when you no longer need access to the network remotely. Install anti-theft equipment, such as laptop security cables, when the device cannot be stored in a secure area. Report a lost or stolen device to your manager immediately. You or your manager should report the loss or theft to FedEx Information Security. Keyword: lost Follow your opco s IT asset disposal procedures for computer devices that are no longer needed. n t Turn off or disable antivirus, personal firewall or client management software. Use unauthorized remote-control software. Keyword: ETS Connect unauthorized devices directly to the FedEx network. Install personally-owned software or freeware on any FedEx computer resource without management approval. 8

Portable Devices More and more FedEx employees practice mobile computing by using portable devices such as BlackBerry devices, USB devices and other types of handheld devices. These devices yield great convenience but pose their own brand of security challenges. Purchase FedEx-approved devices only, following the order and approval process in place at your FedEx opco. Protect your portable device with a password-enabled screen saver set to lock after inactivity. Encrypt Sensitive and Internal data (see page 24) prior to saving on a portable device. See page 27 for options to encrypt data. Keep your portable device out of sight if you are leaving it in a vehicle or publicly accessible area. Report a lost or stolen portable device to your manager immediately. You or your manager should report the loss or theft to FedEx Information Security. Keyword: lost n t Connect unauthorized portable devices to the FedEx network. Route FedEx business email or data to an unauthorized device. Store unencrypted passwords, user IDs or other access information on portable devices. Use the video or camera feature in secured or sensitive areas to transmit Sensitive or Internal data. Use the audio feature to record FedEx conversations or meetings. FedEx Confidential ISO 9001 Controlled cument Printed and other static representations of this document are classified for reference only. 9

Remote Access Remote access has become an essential service for FedEx, making the FedEx network available to you when traveling or at home. Follow these guidelines to create a secure connection. Obtain management approval for remote access. Use the VPN remote access method approved for your opco. Keyword: VPN Install and enable FedEx-approved antivirus software on your computer, available at: http://www.infosec.fedex.com/antivirus/pcsoftware.phtml Perform Windows Update before connecting remotely to the FedEx network to download and install critical patches. Windows Update is available at: http://www.windowsupdate.com n t Store your password in an automated login process. Store your egrid credentials on an unencrypted laptop or any computing device on which multiple VPN users share a common logon ID. Disclose Sensitive or Internal information in public places. Use unauthorized remote-control software. Keyword: ETS Leave a remote computer logged into the FedEx network when not in use. 10

Email FedEx handles millions of email messages daily. We depend on email to conduct business, so it s critical that you know how to avoid the associated risks. Be professional and courteous when composing and replying to email. If you wouldn t print it on letterhead and sign it, don t put it in FedEx email. Limit recipients to only those individuals who have a need to know. Forward spam to Information Security following instructions provided online. Keyword: Spam Delete unexpected or unsolicited emails and any that look like spam. Understand that email use may be monitored. Use encryption when sending Sensitive data in email. See the Information Security Data Classification on page 23 for details; see page 27 for options for encrypting data. n t Use email in place of meetings or phone calls. Use another employee s email account without delegated authority. Forward FedEx business email or data to a personal email account or unauthorized device. Forward chain letters, jokes or inappropriate images or files. Open suspicious attachments or emails. Distribute lists of email addresses to anyone who doesn t have a business need to know. Solicit or conduct a side business using FedEx email. FedEx Confidential ISO 9001 Controlled cument 11 Printed and other static representations of this document are classified for reference only.

Internet The Internet offers a wealth of information but is notoriously unsecured. Not all websites offer confidentiality or provide integrity of data. Use common sense - and follow these guidelines - when using the Internet. Understand that Internet use may be monitored. Limit personal use. Properly configure your browser following instructions provided online. Keyword: proxy Be mindful of what personal information you share online, especially on social networking sites. Social engineers use this type of information to create credible but fraudulent phishing campaigns. n t Visit indecent or illegal websites. Participate in peer-to-peer file-sharing. wnload copyrighted material to your work PC. Store company data on third-party websites without Information Security approval. Connect to the Internet from a FedEx location via an Internet service provider not provided by FedEx. 12

Virus and Malware Defense Blacole, Flame, Koobface... The list of threats goes on and on. You must stay on guard against computer viruses, malware and other exploits. Keep your FedEx-approved antivirus software current and enabled at all times. Keyword: antivirus Adhere to antivirus update processes. Clean or delete viruses as soon as they are discovered. Delete any unexpected or unsolicited emails and attachments as they are sometimes used to transmit viruses to computers. Report a potential virus infection. Keyword: antivirus n t Turn off or disable virus protection software. Fall for email hoaxes. FedEx Confidential ISO 9001 Controlled cument 13 Printed and other static representations of this document are classified for reference only.

Instant Messaging FedEx provides instant messaging so employees can benefit from its use while reducing potential security issues related to unapproved commercial software. Before you use instant messaging, please remember the following guidelines. Use only FedEx-approved instant messaging software to conduct business and to transfer files. Understand that IM usage can be logged and reviewed to determine appropriate use. Use AOL, Yahoo, MSN or other IM clients for limited personal use only. n t Use AOL, Yahoo, MSN or other IM clients for FedEx business use. Use AOL, Yahoo, MSN or other IM clients to transmit or receive files. Transfer Sensitive data via instant messaging. 14

Software Only authorized software is permitted on FedEx computer resources. If you have questions concerning software permitted for your opco, ask your manager. Use only FedEx-approved software. Keyword: ETS n t wnload software from the Internet without management approval. Install unauthorized software on any FedEx computer resource without management approval. Use unauthorized open source software. Keyword: IT OSSM Distribute, obtain or attempt to obtain pirated, stolen, copyrighted, trademarked or protected information such as software, video or audio using FedEx computer resources. FedEx Confidential ISO 9001 Controlled cument 15 Printed and other static representations of this document are classified for reference only.

Data Security We lock the doors to our homes when we leave, but what about our computers and desks? We secure important personal papers in a safety deposit box, but what about critical business documents? your part to protect FedEx data by following these guidelines. Enable password-protection on all FedEx-owned devices that could potentially contain Sensitive or Internal data. This includes, but is not limited to, laptops, workstations, BlackBerry devices, etc. Place Sensitive files in a secure location. Cleanse or destroy data when it is no longer needed for business or legal purposes. Lock your PC whenever you are away from your computer. Shred or use authorized bins for all excess copies of proprietary business documents instead of disposing them in unsecured trash bins. Protect your information assets in the event of a disaster. Keyword: BCDR n t Write down your passwords. Leave Sensitive or Internal information on your desk. Store Sensitive data on unauthorized devices. 16

Vendor Security As more business owners utilize 3rd party vendors to supplement their business needs, it is critical that FedEx data remains secure. Information Security works with business owners to ensure vendors comply with FedEx requirements for handling FedEx data. Following these guidelines will help protect FedEx data. Select the most secure vendor during proof of concept by ensuring they can comply with FedEx Security Compliance Requirements: http://www.fedex.com/us/supplier/requirements.html Understand the types of data your vendor will be accessing. Keyword: data classification Register your vendor at the Vendor Compliance website for an assessment of the vendor s security posture. Keyword: Vendor Compliance Register each vendor engagement, regardless if a vendor has been previously approved. Complete the vendor registration process prior to requesting connectivity for your vendor. n t Assume your vendor has been approved by Information Security. Confirm approval at: VendorCompliance@corp. ds.fedex.com Send FedEx Sensitive data to a vendor without approval from Information Security. Provide your vendor with more access than needed. FedEx Confidential ISO 9001 Controlled cument 17 Printed and other static representations of this document are classified for reference only.

Telephone Security protocol also applies to FedEx telephone use. Be cautious of unsolicited callers requesting Company information. Scammers can use seemingly insignificant information to conduct fraud or gain unauthorized access to systems. Regularly change dial-in codes to maintain confidentiality of conference calls. Use teleconference providers approved by FedEx to conduct teleconferences. Know that regularly scheduled teleconferences that cover Sensitive or Internal information must have an access code. n t Leave a voicemail message if using collect or third-party bill-to calls. Leave a voicemail message containing Sensitive information. Return a page to a 1-900 telephone number. Distribute internal phone numbers to those outside FedEx without authorization from that person. 18

Video and Web Conferencing Conferencing via video or the Internet is a relatively low-cost way to bring employees together. Following the guidelines below will maintain security. Use for business purposes only. Use only FedEx-approved Web conference providers. Turn off video conferencing equipment when not in use. Keep video conferencing equipment in a physically secure location. Verify Web conferencing participants to ensure they are authorized to participate before starting a conference. n t Publish or provide a link to Web conferencing passwords. FedEx Confidential ISO 9001 Controlled cument 19 Printed and other static representations of this document are classified for reference only.

Fax For most business purposes, use of facsimile is acceptable. However, if you transmit Sensitive or Internal information via fax, follow these secure practices. Notify the recipient before sending. Ensure that both you and the recipient are at the designated fax machines during transmission of Sensitive or Internal documents. Utilize a machine in a restricted area to prevent unauthorized use. Use a fax server maintained by FedEx or an approved fax service provider for desktop faxing. n t Send Sensitive information unless absolutely necessary. Use desktop fax unless through a fax server maintained by FedEx or a fax outsourcing service under contract with FedEx. 20

Modems Modems connected to computers within the FedEx network pose a major security risk and can only be used if an exception is obtained from FedEx Information Security. Obtain an exception request from Information Security for modem use. Keyword: exception n t Attach analog phone lines or modems to your desktop without approval from your manager and Information Security. Connect directly to a FedEx computer resource without approval from FedEx Information Security. Leave modem in auto-receive mode. FedEx Confidential ISO 9001 Controlled cument 21 Printed and other static representations of this document are classified for reference only.

Physical Security Securing information extends beyond the virtual world and into the physical space because tangible items oftentimes provide or contain Sensitive information, or the means to obtain information, related to our professional or personal lives. Display your employee ID badge at all times while on FedEx property on the outermost garment, on the upper torso of the body. Ask for verification. Non-employees should be approved by FedEx Security, accompanied by a FedEx employee and wear a visitor s badge. Keep FedEx computer devices properly secured when not in use. Store or properly dispose of all items printed, faxed, or left in your mailbox at mid and end of business day. Shred or use authorized bins for all excess copies of Sensitive or Internal business documents instead of disposing them in unsecured trash bins. n t Allow tailgating or piggybacking at facility entrances. Leave Sensitive or Internal information unsecured (e.g. hardcopies of current projects, disks, CDs, BlackBerry devices, executive itineraries). 22

Information Security Data Classification The FedEx Information Security Data Classification applies to FedEx company, customer and employee data. All information at FedEx - be it documents, files, worksheets, emails or conversations - should be managed according to the FedEx Information Security Data Classification. Review the three categories of data classification on pages 24-25. Securely dispose of Sensitive and Internal information via shredder or secure disposal container. n t Leave Sensitive or Internal information on your desk. Forward unencrypted Sensitive or Internal information to an outside company. FedEx Confidential ISO 9001 Controlled cument 23 Printed and other static representations of this document are classified for reference only.

Data Classification FedEx Information Security has classified three categories of FedEx data: Sensitive Internal Public This section describes these three categories and identifies the type of data within each classification. The FedEx Information Security Data Classification is also available at Keyword: data classification Sensitive Description: FedEx company, customer and employee data that requires an additional level of protection using stringent controls as required by law or as deemed necessary by FedEx. Data Elements: PCI Data Cardholder Data - Primary Account Number (PAN) and Expiration Date Sensitive Authentication Data - Magnetic Stripe data, Card Validation Code (a.k.a. CVV,CVV2) Passwords, Cryptographic Key, Session ID that can be associated to a user, application ID, or other resource. HR Data (HIPAA) - SSN, DOB, Healthcare ID in combination with name or biometric data PII Data - Name in combination with one of the following: Government issued ID, employee performance or salary data, personal phone number Bank account (Company and Individual) in combo with Routing # or entity name Trade Secrets/Strategic Project Data Unannounced acquisitions/organizational changes Consolidated Revenue, Expense, Debt, & Equity Data prior to regulatory disclosure 24

Data Classification - cont. Internal Description: FedEx company, customer and employee data that requires protection from being used for unintended purposes. All FedEx data not identified as Sensitive or Public. **Note that lists are not considered exhaustive for Internal and Public. For any clarification please contact the InfoSec Standards Organization. Data Elements: Post-acquisition cuments FedEx Account Number in combination with customer name and/or address Employee work contact information Project & planning information Pricing information Compensation information In-house developed code Public Description: Data that has been publicly distributed external to FedEx. **Note that lists are not considered exhaustive for Internal and Public. For any clarification please contact the InfoSec Standards Organization. Data Elements: Publicly posted press releases Published Annual Reports Marketing materials FedEx Confidential ISO 9001 Controlled cument 25 Printed and other static representations of this document are classified for reference only.

Congratulations! Now that you have finished reading this guide, you have been introduced to many key security practices that help keep FedEx secure. Continue reading for additional resources that provide more direction on protecting FedEx data. FedEx Key Policy for Information Security The Key Policy explains your role as it relates to protecting customer, employee, and company information and resources: Keep corporate information confidential, regardless of how it is created, distributed, stored, or discarded (including, but not limited to, whether it is typed, handwritten, printed, filmed, computer-generated, or spoken). Access only the information, resources, and locations necessary for your job. Limit personal use of FedEx resources so as not to impact the business. Information Security Policy and Standards Information Security has defined the FedEx Information Security Policy and Standards. Their scope is to reduce risk for FedEx and FedEx customers. The FedEx Information Security Policy and Standards apply to everyone at FedEx, not just system administrators or other IT employees. They extend beyond technology to advance safe computing practices and secure processes across the enterprise. The Policy defines your role, responsibility and accountability to protect FedEx information. Keyword: InfoSec Policy The Standards define the minimum level of security you must implement. Non-compliance to a Standard must be reported. Keyword: Standards 26

Additional Resources Information Security Website The Information Security website has resources available to help you stay current on cyber threats and to learn best practices for safe computing. Keyword: InfoSec Reporting Information Security Incidents An Information Security incident is any activity that indicates an actual or possible breach of data or information security policy has occurred. If you detect a potential Information Security incident, immediately report it. Keyword: incident Encrypting Data The Enterprise Encryption Support Site offers multiple, standard encryption solutions for all opcos and regions. Keyword: enterprise encryption WinZip Encryption http://itg.prod.fedex.com/sf/docman/do/downloadcument/projects. bestpractices/docman.root.security/doc1074 GPG http://itg.prod.fedex.com/sf/docman/do/downloadcument/projects. bestpractices/docman.root.security/doc1075 Sending Encrypted Data on CD http://itg.prod.fedex.com/sf/docman/do/downloadcument/projects. bestpractices/docman.root.security/doc1076 Customer Protection FedEx strives to provide a safe, secure online environment for our customers. Sadly, we regularly witness and receive reports on cybercriminals exploiting the trusted FedEx brand to increase the likelihood someone will fall victim to a phishing email. Take an active role in raising customer awareness about scams and phishing campaigns by telling customers about the FedEx Customer Protection Center. This site provides online safety tips, examples of actual phishing scams, and a dedicated email to which customers can report potential scams. Visit the FedEx Customer Protection Center at: http://www.fedex.com/us/security/index.html Report any suspected FedEx-branded phishing email to: abuse@fedex.com FedEx Confidential ISO 9001 Controlled cument 27 Printed and other static representations of this document are classified for reference only.

Visit www.infosec.fedex.com for full Information Security Standards FedEx Guide for Information Security Version 5.0 Revised June 2013 The FedEx Guide for Information Security provides the general user with an introduction to the Information Security Standards adopted by FedEx Corporation and its operating companies. The Standards are available on the FedEx intranet at http://www.infosec.fedex.com For reference only. Copyright 2013 FedEx Corporation FedEx Confidential ISO 9001 Controlled cument Printed and other static representations of this document are classified for reference only.