SOP 1052 - Protection of Proprietary Information (POPI)
Definitions
Proprietary Information: information useful in the business which:
- SDLC keeps confidential to establish legal rights, that is, property rights;
- Is not generally known outside SDLC (unless subject to a confidentiality agreement or the terms of a contract with the U.S. Government); and
- Gives the company a competitive advantage if it is used in the business and therefore has economic value and benefit to the company.
Such types of information include technical and personnel
information; sensitive business information such as plans,
strategies, financial data; and trade secrets such as
techniques, processes, compilations, formulas and patterns.
Further included is proprietary information of others in the
possession of SDLC.
POPI Controlled Access Area - Any enclosed floor space that conforms to the requirements specified in Section 4 of this SOP.
SDLC's policy is to keep secure within the company non-public
information which it possesses, except in the case of normal
business pursuits, e.g., where the company promotes
products, makes announcements or transfers such information in a
selective manner under an agreement.
Some information possessed by the company is of a sensitive
nature such that divulging it to outsiders, for example,
competitors, would make SDLC less competitive or cause damage.
On the other hand, the company does not want to inhibit sharing
of information among employees for those who need to know such
information to perform their jobs. If information is properly
handled it can remain proprietary to the company, and
safeguarded for competitive benefit, while at the same time it
is being shared for company use.
The purpose of protection is to prevent inadvertent or wrongful
disclosure. The procedures for accomplishing this must be
standard throughout the company so that information from one
part of the company can be transferred to another part of the
company with assurance of protection expected by the
organization originating the information.
All computer and network users, including non-SDLC staff
accessing SDLC computers, will be held strictly accountable for
their activities while using SDLC information processing
resources. Actions, including details of files accessed, will be
subject to recording and subsequent audit review. Individual
users shall be uniquely identified, with explicit authorization
to access non-public information enforced at the host system
that stores the data. Additional requirements are specified in
the Standards of Internal Control and the Electronic Information
Security Standards, which provide guidance relating to specific
technologies or services, such as E-Mail or EDI.
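The accountability paragraph above names three controls: every user is uniquely identified, authorization is enforced at the host that stores the data, and every access is recorded for later audit review. The following is an added example (not part of SOP 1052 and not an SDLC system) showing those three controls as a single host-side check with an append-only audit log and a simple review routine; the classification labels, the need-to-know and distribution lists, the users and the denial threshold used by `review()` are all assumptions made for illustration.

```python
"""Added example (not part of SOP 1052): a minimal host-side access check
with an append-only audit log, modelling the accountability paragraph
(unique user IDs, authorization enforced where the data lives, every
access recorded for later review). Names, labels and sample data are
assumptions for illustration, not an SDLC system."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Tuple

# Classification labels from Section 4 of this SOP (spelling here is assumed).
GENERAL = "SDLC General Business"
INTERNAL = "SDLC Internal Use"
CONFIDENTIAL = "SDLC Confidential Proprietary"
REGISTERED = "SDLC Registered Secret Proprietary"


@dataclass(frozen=True)
class User:
    user_id: str        # unique identifier; shared or group accounts are not allowed
    is_staff: bool      # SDLC staff vs. non-SDLC staff
    has_nda: bool       # confidentiality agreement (required of non-staff, 4.30 / 4.43)


@dataclass(frozen=True)
class Document:
    path: str
    classification: str
    # Need-to-know list (4.30) or the originator's distribution list (4.43).
    authorized: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class AuditRecord:
    timestamp: str
    user_id: str
    path: str
    classification: str
    granted: bool
    reason: str


class FileHost:
    """The host that stores the data is the enforcement point, as the SOP requires."""

    def __init__(self) -> None:
        self.audit: List[AuditRecord] = []   # append-only; review reads from this list

    def _decide(self, user: User, doc: Document) -> Tuple[bool, str]:
        if doc.classification == GENERAL:
            return True, "general business information (4.5)"
        # Non-SDLC staff need a confidentiality agreement for anything non-public.
        if not user.is_staff and not user.has_nda:
            return False, "non-SDLC staff without confidentiality agreement"
        if doc.classification == INTERNAL:
            return True, "internal use: staff or NDA-covered (assumed reading of 4.14)"
        # Confidential and Registered Secret both require an explicit need to know.
        if user.user_id not in doc.authorized:
            return False, "not on need-to-know / distribution list (4.30, 4.43)"
        return True, "authorized by classifier / originator list"

    def access(self, user: User, doc: Document) -> bool:
        granted, reason = self._decide(user, doc)
        # Record every attempt, granted or not, with who, what and when.
        self.audit.append(AuditRecord(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user_id=user.user_id, path=doc.path,
            classification=doc.classification, granted=granted, reason=reason))
        return granted

    def review(self, denial_threshold: int = 2) -> Dict[str, int]:
        """Self-audit helper: users whose denied attempts reach the threshold.

        The threshold is an assumption; the SOP only requires that access
        be recorded and subject to audit review."""
        denials = Counter(r.user_id for r in self.audit if not r.granted)
        return {u: n for u, n in denials.items() if n >= denial_threshold}


# Constructed sample data for a stand-alone run (not real users or files).
alice = User("alice", is_staff=True, has_nda=False)
bob = User("bob", is_staff=False, has_nda=True)
mallory = User("mallory", is_staff=False, has_nda=False)

price_list = Document("/share/pricing.txt", GENERAL)
org_chart = Document("/share/org-chart.pdf", INTERNAL)
roadmap = Document("/eng/roadmap.docx", CONFIDENTIAL, frozenset({"alice", "bob"}))
formula = Document("/rd/formula-7.pdf", REGISTERED, frozenset({"bob"}))


def run_demo() -> FileHost:
    host = FileHost()
    host.access(alice, price_list)   # granted
    host.access(mallory, org_chart)  # denied: no confidentiality agreement
    host.access(bob, org_chart)      # granted
    host.access(mallory, roadmap)    # denied
    host.access(alice, roadmap)      # granted
    host.access(alice, formula)      # denied: not on the distribution list
    host.access(bob, formula)        # granted
    return host


if __name__ == "__main__":
    for rec in run_demo().audit:
        print(rec.timestamp, rec.user_id, rec.path,
              "GRANT" if rec.granted else "DENY", rec.reason)
```

The point of the structure is that the decision and the log entry are produced by the same call on the storing host, so there is no path by which a file is read without a record naming the individual user. A real deployment would write the audit list to storage the users cannot alter and would feed `review()` from the quarterly self-audit described in Section 4.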
The exhibit that follows sets forth minimum safeguards to use.
SDLC staff with a question should seek an answer from Corporate
Security, Corporate Information Security or the Intellectual
Property Department, but in any event, take steps to secure
sensitive and valuable information, just as one would safeguard
one's own valuable property.
Proprietary information may, on occasion, be provided to the U.S. Government. In that event, the words "Confidential" and "Secret" may be omitted. Instead, the proprietary information will be marked either "SDLC Proprietary" or "SDLC Registered Proprietary". In addition, in order to protect the proprietary information in a manner recognized by the U.S. Government, legends as set out in the relevant U.S. Government Regulations (e.g., ASPR, FAR, DFAR) will also be placed on the information being provided.
SECTION 1: PROCEDURE DIAGRAM

Role | Responsibility
Managers and Directors | Implement and enforce this policy and procedure within their respective business entities. They will cause standards to be set for use of the procedures to protect information originating in their organizations. They will cause their people to be trained to protect that information, and also information their people receive from other organizations within the Company.
Employees | Each employee has a responsibility not to use, publish, or otherwise disclose to others any proprietary or confidential information of SDLC or its customers, suppliers or other contractors, except as SDLC duties may require. Each employee should report information security breaches to the Corporate Security Department and the local Security Department.
Auditors | Monitor compliance with this procedure and determine that suitable tools and training are available in audited departments.
SECTION 3: METRICS
- None at this time
SECTION 4: PROCEDURE ACTIVITIES

An area properly designated as POPI access controlled is subject to less stringent physical storage requirements than those specified elsewhere in this policy. The use of this policy exemption is meant to be very rare and should be considered only for highly unusual and technical functions (e.g., 24-hour engineering labs and design centers), where printed schematics or other shared data cannot easily be removed from view. By definition, individual offices may not be designated as POPI Controlled Access Areas.
The occupants of a POPI Controlled Access Area must adhere to
all other SDLC policy requirements. These include but are not
limited to requirements regarding POPI document classification,
~, and internal control standards (~) governing loss prevention.
A written plan is required for each POPI Controlled Access Area; at a minimum it must address the business reason for the designation as well as the relevant self-audit and security procedures. Each plan must be approved in writing by the appropriate Sector/Group Security Manager, Internal Controls Manager, Controller and Operations Vice President.
Documented and independent self-audits of the area must be
performed at least quarterly to ensure compliance with POPI and
security standards. Repeat or serious infractions must result in
the temporary revocation of the POPI Controlled Access
designation until adequate corrective action can be
demonstrated.
A separate and restricted 24-hour security system must be in
place that uniquely identifies users and logs their access by
date/time. In areas surrounded by false ceilings and/or walls
that do not extend to the ceiling, motion detectors must
supplement the separate security access system.
Janitorial services within the area must either be accompanied
by Security personnel or be performed under supervision during
normal working hours.
The following schedule provides information with respect to the
treatment to be given to SDLC classified documents. It is
organized by type of classification. Within each
classification it is then organized by the type of action and
the procedures that must accompany that specific action.
SDLC General Business Information

Activity/Responsibility | Item | Description
Classification Basis (business entity provides examples for its personnel) | 4.1 | All SDLC information of business relevance not otherwise classified.
Classifier | 4.2 | Developer or compiler of the information.
Marking | 4.3 | Information is not marked or labelled.
Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.) | 4.4 | N/A
Access | 4.5 | All SDLC staff and non-SDLC staff having a legitimate business need for this information.
Handling During Travel | 4.6 | No extra precautions necessary.
Revisions | 4.7 | No specific requirements.
Copying | 4.8 | No restrictions.
Distribution Internal | 4.9 | Any appropriate method.
Distribution External | 4.10 | Any appropriate method.
Storage | 4.11 | No specific requirements.
Destruction | 4.12 | No specific requirements.
Downgrading | 4.13 | No specific requirements.
SDLC Internal Use

Activity/Responsibility | Item | Description
Classification Basis (business entity provides examples for its personnel) | 4.14 | Business, technical, financial and personnel information that is written, oral, in electronic media or physical form, and which, if communicated outside SDLC, could benefit competitors at SDLC's expense.
Classifier | 4.15 | Developer or compiler of the information.
Marking | 4.16 | "SDLC INTERNAL USE" (CIU) prominently marked on at least the top page. For digital information, application systems must enforce the marking in all print routines and graphics displays and, where practical, embed it in files. Classification expiration date is optional.
Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.) | 4.17 | N/A
Handling During Travel | 4.18 | Keep in control.
Revisions | 4.19 | Revisions to original information require the approval of the classifier.
Copying | 4.20 | Permitted by authorized user, but maintain clear markings, including on digital copies.
Distribution Internal | 4.21 | Company mail (folded or in envelope), general mail, approved electronic mail and electronic file transfer systems.
Distribution External | 4.22 | Public or private mail carrier, approved public E-Mail or electronic file transfer system.
Storage | 4.23 | Protect from loss to non-SDLC staff. Digital information must have access control.
Destruction | 4.24 | No special requirements. Ensure that material cannot be acquired by non-SDLC staff.
Downgrading | 4.25 | By the date stated in the information or at the end of the information retention period per policy, or as designated at the request of the classifier.
SDLC Confidential Proprietary

Activity/Responsibility | Item | Description
Classification Basis (business entity provides examples for its personnel) | 4.26 | Business, technical, financial and personnel information which is written, oral, in electronic media or physical form, and which has significant value to the company. It should be limited to persons with a need to know.
Classifier | 4.27 | Manager or higher of the organization developing the information.
Marking | 4.28 | "SDLC CONFIDENTIAL PROPRIETARY" (CCP) prominently marked on the top page and, as reasonable, on each other page. For digital information, application systems must enforce the marking in all print routines and graphics displays and, where practical, embed it in files. Classification expiration date is optional.
Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.) | 4.29 | "SDLC PROPRIETARY INFORMATION" (CPI) in place of CCP above.
Access | 4.30 | SDLC staff with a need to know, and non-SDLC staff with a need to know who are subject to a confidentiality agreement, consistent with Corporate/Sector/Group SOPs.
Handling During Travel | 4.31 | Keep in possession or locked.
Revisions | 4.32 | Revisions to original information require the approval of the classifier.
Copying | 4.33 | Permitted by authorized user, but maintain clear markings, including on digital copies.
Distribution Internal | 4.34 | Printed documents by company mail or approved outside carriers, in an opaque envelope; double envelope at the judgment of the sender. For digital information, approved electronic mail and electronic file transfer systems with access authentication control.
Distribution External | 4.35 | Public or private mail carrier with double envelope; MIS-approved public E-Mail or electronic file transfer system. Files must be encrypted when transmitted over unprotected communications systems.
Storage | 4.36 | Information must be kept out of view of persons not having a need to know. When printed information is not in use, it must be stored in a locked cabinet, locked desk or approved POPI Controlled Access Area. Digital information should have access control, and files should be locked for access only by authorized individuals.
Destruction | 4.37 | Printed materials must be deposited in secure document receptacles or shredded. Digital files must be erased through MIS-approved computerized disk utilities that destroy the data.
Downgrading | 4.38 | By the date stated in the information or at the end of the information retention period per policy, or as designated at the request of the classifier.
SDLC Registered Secret Proprietary

Activity/Responsibility | Item | Description
Classification Basis (business entity provides examples for its personnel) | 4.39 | Business, technical, financial, trade secret and personnel information which is written, oral, in electronic media or physical form, and which is of a most sensitive nature. Knowledge must be limited to selected individuals.
Classifier | 4.40 | Manager or higher of the organization developing the information.
Marking | 4.41 | "SDLC REGISTERED SECRET PROPRIETARY" (CRSP) on a colored cover sheet and prominently displayed at the top and bottom of each page. The cover sheet should name the individual custodian of that copy and bear a registration number tracked by the classifier.
Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.) | 4.42 | "SDLC REGISTERED PROPRIETARY INFORMATION" (CRPI) in place of CRSP above.
Access | 4.43 | SDLC staff with a need to know, and non-SDLC staff with a need to know who are subject to a confidentiality agreement. Approval for access must be at the V.P. level. Distribution lists are maintained by the originator.
Handling During Travel | 4.44 | Keep in possession or locked. Avoid working with or exposing material while on public transportation.
Revisions | 4.45 | Revisions to original information require the approval of the classifier.
Copying | 4.46 | Permitted by authorized user with the permission of the originator, but maintain clear markings, including on digital copies. All copies must be registered and logged.
Distribution Internal | 4.47 | Printed documents must be hand-carried if possible. A double envelope is required, with the inner envelope marked "open by addressee only". Company mail or an approved, secure outside carrier may be used with the same packaging requirements. For digital information, MIS-approved secure electronic systems with access authentication control and end-to-end encryption.
Distribution External | 4.48 | Public or private mail carrier with double envelope; registered return receipt is required. Any electronic transmission, including file transfer or E-Mail, must be encrypted end-to-end with MIS-approved systems.
Storage | 4.49 | When in use, keep under sight control; when stored, place in locked cabinets or desks. Digital information must be encrypted, with decryption available only to designated, authorized individuals. All computer systems must have access control.
Destruction | 4.50 | Material must be returned to the originator. Digital files must be erased through MIS-approved computerized utilities that destroy the data. Records must be kept of destruction.
Downgrading | 4.51 | Only as authorized in writing by the originator.
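Rows 4.37 and 4.50 require that digital files be erased with a utility that actually destroys the data and, for Registered Secret Proprietary material, that a record of the destruction be kept. The following is an added example (not part of SOP 1052 and not an MIS-approved utility) of what such a routine looks like and of the record it should leave behind; the overwrite pattern, the record format, the log file name and the sample content are assumptions. The caveat in the docstring is the one a practitioner needs: overwriting blocks only works on media that rewrite in place.

```python
"""Added example (not part of SOP 1052): destroy a digital file and keep a
destruction record, as rows 4.37 and 4.50 require. The overwrite pattern,
the record format and the sample content are assumptions for illustration."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample content for the stand-alone demo (not a real document).
SAMPLE = b"SDLC REGISTERED SECRET PROPRIETARY\nconstructed sample content\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE).hexdigest()


def destroy_file(path: str, record_log: str, passes: int = 1) -> Dict[str, object]:
    """Overwrite the file's blocks, unlink the name, append a destruction record.

    Caveat: in-place overwriting only destroys data on media that rewrite the
    same blocks (traditional magnetic disks without a journaling or
    copy-on-write layer). On SSDs, journaling or copy-on-write filesystems,
    snapshots and backups, the old blocks may survive this routine; there the
    appropriate route is encryption at rest with key destruction (row 4.49
    already requires encryption) or physical media sanitisation."""
    size = os.path.getsize(path)
    with open(path, "rb") as f:
        # Identifies which copy was destroyed. For short or guessable content a
        # hash can be brute-forced; prefer the registration number (4.41) when
        # one exists. Content hash is used here only for illustration.
        digest = hashlib.sha256(f.read()).hexdigest()
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 64 * 1024))
                f.write(chunk)
                remaining -= len(chunk)
            f.flush()
            os.fsync(f.fileno())   # make sure the overwrite reaches the device
    os.remove(path)
    record = {
        "destroyed_at": datetime.now(timezone.utc).isoformat(),
        "path": path,
        "size": size,
        "sha256": digest,
        "method": f"{passes}-pass random overwrite, fsync, unlink",
    }
    # Append-only log of destructions; keep it where the file owner cannot edit it.
    with open(record_log, "a", encoding="utf-8") as log:
        log.write(json.dumps(record) + "\n")
    return record


def destruction_records(record_log: str) -> List[Dict[str, object]]:
    """Read back the destruction log, one JSON record per line."""
    with open(record_log, encoding="utf-8") as log:
        return [json.loads(line) for line in log if line.strip()]


def demo() -> Dict[str, object]:
    """Create a constructed sample file in a temp directory, destroy it, report."""
    tmpdir = tempfile.mkdtemp()
    path = os.path.join(tmpdir, "formula-7.txt")
    log = os.path.join(tmpdir, "destruction.log")
    with open(path, "wb") as f:
        f.write(SAMPLE)
    record = destroy_file(path, log)
    return {"record": record, "log": log, "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The record is what satisfies "records must be kept of destruction" in row 4.50; the overwrite is what a "utility that destroys the data" means on rewriting media, and on anything else the encryption required by row 4.49 is what makes deletion effective, because destroying the key destroys every copy at once.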
SECTION 5: FORMS
- None at this time

(INTERNAL USE ONLY)