Policy Rules for Business Partners of Siemens




Information Security
Policy Rules for Business Partners of Siemens
Basic rules regulating access to Siemens-internal information and systems

Edition P-RBP-2007-02-05-E
Corporate Information Security Guide, valid from 2007-02-05, replaces previous releases.
Siemens AG, 2002-2007. All Rights Reserved.

Table of Contents
1 Goals 4
1.1.1 Responsibilities 4
1.1.2 Risks 5
1.1.3 Range of application 5
2 Target groups 6
3 Rules 7
3.1 General rules for all business partners of Siemens 7
3.1.1 Handling information 7
3.1.2 System access and admission authorizations 9
3.1.3 Termination of activity 9
3.1.4 Deficiencies and incidents 9
3.1.5 Statutory regulations 10
3.2 Rules for business partners with a workplace at Siemens 10
3.3 Rules for business partners working on their own systems 12
3.4 Rules for business partners with a connection to resources on the Siemens intranet 13

Published by: Corporate Information Office Governance Information Security (CIO G IS)
No. P-RBP-2007-02-05-E

1 Goals

This policy regulates access to Siemens-internal information and Siemens systems for business partners of the Siemens group. Information of all kinds, e.g. documents, pictures, drawings, data and programs on paper or on magnetic, electronic, optical or other information media, constitutes a major part of the corporate internal know-how of the Siemens group. Together with the information systems required for its processing, this information represents a valuable corporate resource that requires protection.

1.1 Responsibilities

To mutual benefit and as a means of enhancing the efficiency of business processes, we grant our business partners access to corporate internal information, facilitating the use of Siemens-internal systems and networks. It is in the interests of the Siemens group that this information and the associated information systems and networks be effectively protected against unauthorized access and manipulation. To this end it is necessary that our business partners and their employees adhere to the rules described here.

The present document is intended for business partners and their employees who enjoy access to Siemens systems and Siemens-internal information. The business partner (or the local project manager with special responsibility) issues these regulations to the employees concerned, places them under an obligation (if possible formulated in writing) to comply with these rules, and monitors such compliance in a suitable manner. In this policy, the term business partners is used throughout to refer to business partners and their employees.

1.2 Risks

Within Siemens, comprehensive measures have been introduced to protect information and information systems, for example involving the protection of confidentiality and the protection of systems against computer viruses and the attentions of hackers. If business partners do not adequately support these measures, there is the risk of the protective measures introduced being circumvented.

1.3 Range of application

This policy is the section of the Siemens Corporate Information Security Guide that is intended for business partners. If it is not possible to carry out individual rules to the letter, appropriate methods aimed at attaining the desired level of security must be discussed and put into practice. Adherence to information security measures within the Siemens group is subject to monitoring. If business partners disregard the present regulations, this may result in their being prohibited from entering Siemens sites or accessing Siemens systems, or may involve legal consequences and claims for damages.

2 Target groups

This policy is directed towards all business partners working with Siemens. There are various specific target groups, depending on the nature of the interoperation:
- All business partners
- Business partners with a workplace at Siemens
- Business partners working on their own systems (e.g. PC, notebook)
- Business partners with a link to resources within the Siemens intranet (e.g. online access operations from their own systems)

3 Rules

3.1 General rules for all business partners of Siemens

3.1.1 Handling information

Regardless of the form in which it appears or the information medium employed, all information belonging to the Siemens group must be protected in accordance with its level of classification. For information not in the public domain, summarized as "corporate proprietary information", there are three protection classes:
- For internal use only
- Confidential
- Strictly confidential

In relation to the following activities, the protection class calls for measures that can be made more stringent as the need for protection increases:
- Identification/creation
- Distribution
- Dispatch and transmission
- Retention and storage
- Disposal/destruction/deletion

In consultation with your contact at Siemens, you should define the level of confidentiality of the information entrusted to you or created by you.

Take account of the relevant measures drawn to your attention within the framework of your activities or contractual agreements. Corporate proprietary information must not be allowed to come into the possession of unauthorized parties, be passed on to others in the course of discussions or be eavesdropped upon by those for whom it is not intended.

Bear in mind that exporting or otherwise transshipping Siemens information may be subject to the need for approval as per US, EU or national export provisions. If necessary, clarify this with the Siemens branch office concerned, and obtain the appropriate permits in good time. Take account of the fact that the export regulations also apply if the information is transferred abroad via communication networks (e.g. via e-mail or file transfer).

Discuss with the relevant partner at Siemens the possible need to furnish documents and data media with an additional copyright mark, in the form "Copyright (C) Siemens AG, YYYY All Rights Reserved" or "Siemens AG, YYYY All Rights Reserved", as a means of documenting proprietary rights (YYYY here always indicates the year of first publication). In the case of updates, this label can be complemented as follows: "Copyright (C) Siemens AG, YYYY - UUUU All Rights Reserved" or "Siemens AG, YYYY - UUUU All Rights Reserved" (UUUU specifies the year in which the information was last updated).

3.1.2 System access and admission authorizations

Insofar as you have received system access and admission authorizations, these are to be exercised in person and exclusively within the framework of agreed tasks or activities.

3.1.3 Termination of activity

You must return the following to the Siemens branch office concerned upon completion of the cooperation (unless otherwise agreed):
- The documents and resources passed on to you
- Any information and data media you have created, including copies and draft versions
- The admission or system access authorizations granted to you

3.1.4 Deficiencies and incidents

Any deficiencies and incidents with information security implications must immediately be reported to the appropriate contacts at Siemens.

3.1.5 Statutory regulations

Take account of the appropriate data protection legislation, the associated local export provisions and other statutory regulations, independently of the rules described here.

3.2 Rules for business partners with a workplace at Siemens

Take account of the relevant information security measures drawn to your attention within the framework of your activities or contractual agreements.

Desks and filing cabinets must be locked before leaving work for the day if they contain confidential or strictly confidential documents/data media. Take account of the protective measures employed locally when telephoning, sending and receiving faxes and when copying. The removal from the company premises of documents handed over to you, the results of work, data media or IT systems is only permissible subject to appropriate agreement and compliance with the relevant rules.

Use the information systems (e.g. PCs, workstations) only for the allotted tasks. Bear in mind that the use of Siemens systems for private purposes is prohibited.

Make use of the available protective mechanisms when accessing information systems (e.g. PCs, workstations), individual applications or files requiring protection, for example by employing user IDs in conjunction with passwords, PINs or chipcards. Treat the protection mechanisms with due care. Resources such as passwords and chipcards must not be passed on to others or published. By means of appropriate system settings, the definition and changing of passwords must be made subject to rules that cannot be circumvented. Insofar as you determine the quality of passwords, follow the rules below:
- If possible, formulate passwords from combinations of uppercase and lowercase alphabetic characters, numerals and special characters.
- Use at least 8 characters; if this is not applicable, use the maximum possible number of characters.
- Change the password at least every 90 days.
- Do not reuse old passwords.
- Change the password immediately if there is any suspicion that it has been divulged.
- Deposit passwords if requested to do so by contacts at Siemens.

If leaving your workstation, even if only briefly, block any open points of access, for example by employing a screen saver or removing the chipcard from the card reader. Security settings, system features or precautionary measures against computer viruses or other malicious software installed on the systems must not be disabled, modified or circumvented. Where use of the internet is possible, local regulations, for example the German Internet acceptable use policy, must be complied with.
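The password rules in section 3.2 are the kind of requirement that is usually enforced by system settings rather than left to the user. The following Python checker is an added example written for this page, not Siemens code and not part of the policy: it encodes the stated rules (character classes where possible, at least 8 characters or the system maximum if that is lower, a 90-day maximum age, no reuse of old passwords) and keeps the reuse history as salted PBKDF2 hashes so that previous passwords are never stored in clear. The `max_length` parameter, the history class and the 100,000 PBKDF2 iterations are assumptions of this example, not values from the policy.

```python
"""Password policy checker for the rules in section 3.2 (added example, not Siemens code)."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional, Tuple

MIN_LENGTH = 8        # "Use at least 8 characters"
MAX_AGE_DAYS = 90     # "Change the password at least every 90 days"
SPECIALS = set("!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~")
PBKDF2_ITERATIONS = 100_000  # assumption of this example


def missing_character_classes(password: str) -> List[str]:
    """Return the names of the character classes the password lacks."""
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "numeral": any(c.isdigit() for c in password),
        "special": any(c in SPECIALS for c in password),
    }
    return [name for name, present in classes.items() if not present]


def _hash(password: str, salt: bytes) -> bytes:
    # Per-entry salt so the reuse history holds no cleartext and no two entries compare equal.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PasswordHistory:
    """Hypothetical store of previous passwords as (salt, hash) pairs plus the last change date."""
    entries: List[Tuple[bytes, bytes]] = field(default_factory=list)
    last_changed: Optional[date] = None

    def was_used_before(self, password: str) -> bool:
        # constant-time comparison against every stored digest
        return any(hmac.compare_digest(_hash(password, salt), digest)
                   for salt, digest in self.entries)

    def record(self, password: str, today: date) -> None:
        salt = os.urandom(16)
        self.entries.append((salt, _hash(password, salt)))
        self.last_changed = today


def check_new_password(password: str, history: PasswordHistory,
                       max_length: Optional[int] = None) -> List[str]:
    """Return a list of rule violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    # At least 8 characters, or the system maximum where the system cannot take 8.
    required = MIN_LENGTH if max_length is None else min(MIN_LENGTH, max_length)
    if len(password) < required:
        problems.append(f"shorter than {required} characters")
    missing = missing_character_classes(password)
    if missing:
        problems.append("missing " + ", ".join(missing))
    if history.was_used_before(password):
        problems.append("reused a previous password")
    return problems


def password_expired(history: PasswordHistory, today: date) -> bool:
    """True when the password is older than MAX_AGE_DAYS (or was never set)."""
    if history.last_changed is None:
        return True
    return today - history.last_changed > timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample run; the candidate passwords are illustrative only.
    history = PasswordHistory()
    for candidate in ("Ab1!", "abc12345", "Tr0ub4dor&3"):
        print(candidate, "->", check_new_password(candidate, history) or "ok")
    history.record("Tr0ub4dor&3", date(2024, 1, 1))
    print("reuse ->", check_new_password("Tr0ub4dor&3", history))
    print("expired on 2024-04-01 ->", password_expired(history, date(2024, 4, 1)))
```

Note that the checker reports every violated rule rather than stopping at the first one, which is what a user-facing prompt needs; the reuse check and the age check are deliberately separate functions so that the age rule can also be evaluated at logon time, not only when a new password is proposed.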

In the event of suspected infection by computer viruses that are not automatically detected or eliminated, or if there are problems running virus protection programs, the local Siemens contacts must be informed without delay.

Use e-mail only as instructed. The use of e-mail encryption is only possible subject to appropriate written agreement and compliance with the relevant regulations. The automatic forwarding of incoming e-mail to external mailboxes (e.g. a private e-mail address or an external e-mail provider) is not permitted. The initiation or forwarding of chain letters is not permitted.

For data archiving purposes, use secure file servers within the network (e.g. central network drives) that are subject to regular data backup.

3.3 Rules for business partners working on their own systems

Protect your systems against the loss of confidentiality, integrity and availability of all data or information created, processed or stored for Siemens, or which is important to Siemens. Perform your own suitable measures for the purposes of:
- Data backup
- Virus protection
- System and data access protection

Hand over data using the agreed procedures only, and only after performing virus checks. Upon completion of the cooperation, delete and dispose of all data, documents and data media generated in the course of the cooperation, along with associated copies or data backups, in a proper manner. To ensure the secure disposal of corporate proprietary documents and data media, use Siemens-internal facilities if you have no suitable options of your own.

The direct connection of business partners' own systems to Siemens-internal networks is not permitted.

3.4 Rules for business partners with a connection to resources on the Siemens intranet

Operate the connection only using the technical configuration agreed with Siemens, and only on the systems provided for the purpose. Treat as confidential all information about structures and access possibilities (e.g. dial-up line numbers, network addresses) and security precautions relating to Siemens-internal systems and networks.