 SDLC*DOWNLOAD NOW $497 | ||
|
|
SOP 1052: Information Security
| Objective: |
| The objective of this Standard Operating Procedure (SOP) is to provide an overview of the identification and protection of proprietary information. |
| Scope: |
| This document establishes the procedures used to identify and label proprietary information and protect it from inadvertent or unauthorized disclosure, modification or destruction. |
| Owner: |
| Chief Technology Officer |
Sections:
| i | Definitions |
| 1 | Process Flow Diagrams |
| 2 | Roles and Responsibilities |
| 3 | Metrics |
| 4 | Procedure Activities |
| 5 | Forms |
| 6 | Exceptions |
| 7 | Tools/Software/Technology Used |
| 8 | Attachments |
Related Standard Operating Procedures:
| 1005 1050 1051 1053 1054 1055 |
Release Planning Electronic Information Security Standards Security Administration Appropriate Use of Computer Resources Non-SDLC Use of SDLC Computers Computer Systems Controls |
|
Get
"IT" |
SDLC Standard Operating Procedures:
- SDLC SOP 1000 - Program and Project Management
- SDLC SOP 1001 - Document Governance
- SDLC SOP 1002 - Capacity Management
- SDLC SOP 1003 - Configuration Management
- SDLC SOP 1004 - Procurement and Purchasing
- SDLC SOP 1005 - Release Planning
- SDLC SOP 1006 - Strategic Planning
- SDLC SOP 1007 - Asset Management
- SDLC SOP 1010 - Site Monitoring and Problem Management
- SDLC SOP 1030 - MIS Reporting
- SDLC SOP 1040 - Requirements Definition
- SDLC SOP 1041 - Detail Design
- SDLC SOP 1050 - System Security
- SDLC SOP 1051 - Security Administration
- SDLC SOP 1052 - Protection of Proprietary Information (POPI)
- SDLC SOP 1053 - Appropriate Use of Computer Resources
- SDLC SOP 1054 - Non Company Use of Company Computers
- SDLC SOP 1055 - Computer System Controls
- SDLC SOP 1060 - Service Level Agreement (SLA)
- SDLC SOP 1061 - Incident Tracking
- SDLC SOP 1100 - Documentation of Training
- SDLC SOP 1101 - Training and Documentation
- SDLC SOP 1200 - Development
- SDLC SOP 1210 - Quality Function
- SDLC SOP 1220 - Deployment
- SDLC SOP 2002 - Control of Quality Records
SDLC Framework:
SDLC Gates:
- SDLC Gate 12 - Project Start
- SDLC Gate 11 - Project Strategy Lock-Down
- SDLC Gate 10 - Requirements Scope Lock-Down
- SDLC Gate 9 - Definition Phase Plan Approval
- SDLC Gate 8 - Systems Requirements Definition Approval
- SDLC Gate 7 - Lock-Down Level Estimate Complete
- SDLC Gate 6 - Project Lock-Down
- SDLC Gate 5 - Detailed Plan Complete
- SDLC Gate 4 - Begin Validation
- SDLC Gate 3 - Begin System Certification
- SDLC Gate 2 - Begin First Office Application
- SDLC Gate 1 - Begin Controlled Rollout
- SDLC Gate 0 - General Availability
SDLC Roles and Responsibilities:
- Contracting Organization
- Customer
- OCE - Office of the Chief Executive
- Owner
- Performing Organization
- Program Manager
- PMO - Project Management Office
- Project Manager
- Review Board
- Service Organization
- Training Organization
SDLC Forms:
- AdHoc Reporting
- Application Development Strategy
- Asset Change
- Application Request
- Business Process Performance Framework
- Business Unit Budget
- Business Unit Incentive Reward Profile
- Business Unit Performance Framework
- Business Unit Services Profile
- Capacity Management Procedure
- Capital Equipment Justification
- Change Management Request
- Change Action Summary
- Checklist
- Compensation Criteria
- Conceptual Data Model
- Configuration Management Procedure
- Continuous Improvement Framework
- Cost Benefit Analysis
- Cost Summary Matrix
- Critical Performance Matrix
- Current Information System Description
- Current Information System Support for Business Objectives
- Current Information System Support for Business Processes
- Current Infrastructure Strengths and Weaknesses
- Customer Requirements
- Data Entry Usage By Location Target Application
- Document List
- Document Governance
- Document Template
- Electronic Information Security Systems Self Assessment
- Electronic Information Security Standards
- Engineering Component Costs
- Engineering Component Inventory
- Engineering Infrastructure to Information System Cross Reference
- Enterprise Competitors
- Enterprise Customers
- Enterprise Performance Framework
- Enterprise Suppliers
- Envisioned Cultural Elements
- Equipment Facility Requirements
- Equipment Improvement Matrix
- Event List
- Facility Improvement Matrix
- Feed Modification
- Functional Decomposition Model
- Gap Analysis
- SDLC Gates Checklist
- Business SDLC Gates
- Information System Audit Grid
- Information System Strategic Grid
- Information System Strengths and Weaknesses
- IT Component Costs
- IT Component Inventory
- IT Infrastructure to Information System Cross Reference
- Job Definition
- Job Level Matrix
- Job to Task Cross Reference
- Lessons Learned
- Market Share Market Growth Model
- Meeting Agenda
- Meeting Minutes
- MIS Reporting
- Mission Characterization
- New Feed Release Information
- Organization Map
- Package Comparison Matrix
- Protection of Proprietary Information Flyer
- Potential Target Application Benefits and Risks
- Preliminary Functional Requirements List
- Process Dependency Diagram
- Process Design List
- Process Elimination List
- Procurement Procedure
- Product Defect Reporting
- Program Project Management
- Project Team Membership List
- Purchase Requisition
- Purchasing
- Relationship Matrix
- Release Planning
- Report Request
- Report Template
- Requirements Definition
- Scope of Work
- Security Change Request
- Security Profiles
- Security Administration
- Service Level Agreement (SLA)
- Service Request
- Site Monitoring and Problem Management
- Site Visit Worksheet
- Strategic Planning
- Strategy Characterization Market Segment Approach
- Strategy Characterization Market Segment Selection
- Strategy Implementation Plan
- Target Application Estimated Costs
- Target Application Support for Business Processes
- Target Application Support for Critical Success Factors
- Target Application to IT Component Cross Reference
- Target Environment Definition Summary
- Technical Design
- Test Plan
- Training and Documentation
- Training Evaluation
- Training Evaluation
- Vendor Selection Summary
- Vision Performance Measures Targets
- WEB Application Management Change
- Weighted Requirements Ranking
SDLC Templates:
- Bill of Materials
- Business Architecture
- Business Case
- Business Glossary
- Business Modeling Guidelines
- Business Rules
- Business Use Case Realization Specification
- Business Use Case Specification
- Business Vision
- Configuration Management Plan
- Control of Quality Records
- Deployment Plan
- Design Guidelines
- Development Case
- Development Organization Assessment
- Glossary
- Hardware Architecture
- Hardware Requirements Specification
- Integration Build Plan
- Iteration Assessment
- Iteration Plan
- Measurement Plan
- Product Acceptance Plan
- Problem Resolution Plan
- Programming Guidelines
- Quality Assurance Plan
- Release Notes
- Requirements Management Plan
- Risk List
- Risk Management Plan
- Software Architecture
- Software Development Plan
- Software Requirements Specification
- Software Requirements Use-Cases
- Software Use Case Realization Specification
- Stakeholder Requests
- Status Assessment
- Supplementary Business Specification
- Supplementary Specification
- Systems Architecture
- System Requirements Specification
- Target Organization Assessment
- Test Evaluation Summary
- Test Plan
- Testing Guidelines
- Use Case Modeling Guidelines
- Use Case Realization Specification
- Use Case Specification
- Vision
SOP 1052 - Protection of Proprietary Information (POPI) Definitions
Proprietary Information: information useful in the business which:
- SDLC keeps confidential to establish legal rights, that is, property rights;
- Is not generally known outside SDLC (unless subject to a confidentiality agreement or the terms of a contract with the U.S. Government)
· Gives the company a competitive advantage if it is used in the business and therefore, has economic value and benefit to the company.
Such types of information include technical and personnel information; sensitive business information such as plans, strategies, financial data; and trade secrets such as techniques, processes, compilations, formulas and patterns. Further included is proprietary information of others in the possession of SDLC.
POPI Controlled Access Area -Any enclosed floor space that conforms to the requirements specified in Section 4 of this SOP.
SDLC's policy is to keep secure within the company non-public
information which it possesses, except in the case of normal
business pursuits, e.g., where the company promotes
products, makes announcements or transfers such information in a
selective manner under an agreement.
Some information possessed by the company is of a sensitive nature such that divulging it to outsiders, for example, competitors, would make SDLC less competitive or cause damage. On the other hand, the company does not want to inhibit sharing of information among employees for those who need to know such information to perform their jobs. If information is properly handled it can remain proprietary to the company, and safeguarded for competitive benefit, while at the same time it is being shared for company use.
The purpose of protection is to prevent inadvertent or wrongful disclosure. The procedures for accomplishing this must be standard throughout the company so that information from one part of the company can be transferred to another part of the company with assurance of protection expected by the organization originating the information.
All computer and network users, including non-SDLC staff accessing SDLC computers, will be held strictly accountable for their activities while using SDLC information processing resources. Actions, including details of files accessed, will be subject to recording and subsequent audit review. Individual users shall be uniquely identified, with explicit authorization to access non-public information enforced at the host system that stores the data. Additional requirements are specified in the Standards of Internal Control and the Electronic Information Security Standards, which provide guidance relating to specific technologies or services, such as E-Mail or EDI.
The exhibit that follows sets forth minimum safeguards to use. SDLC staff with a question should seek an answer from Corporate Security, Corporate Information Security or the Intellectual Property Department, but in any event, take steps to secure sensitive and valuable information, just as one would safeguard one's own valuable property.
Proprietary information may, on occasion, be provided to the U.S. Government. In that event, the words "Confidential" and "Secret" may be omitted. Instead, the proprietary information will be marked either "SDLC Proprietary" or SDLC Registered Proprietary". In addition and in order to protect the proprietary information in a manner recognized by the U.S. Government legends as set out in the relevant U.S. Government Regulations (e.g., ASPR, FAR, DFAR, etc.) will also be placed on the information being provided.
SECTION 1: PROCEDURE DIAGRAM
- None at this time
SECTION 2: ROLES AND RESPONSIBILITIES
|
Role |
|
Responsibility |
|
Managers and Directors |
|
Implement and enforce this policy and procedure within their respective business entities. They will cause standards to be set for use of the procedures to protect information originating in their organizations. They will cause training of their people to protect that information and also information their people receive from other organizations within the Company. |
|
Employees |
|
Each employee has a responsibility not to use, or to publish, or to otherwise disclose to others, any proprietary or confidential information of SDLC or its customers or suppliers or other contractors, except as SDLC duties may require. Each employee should report information security breaches to the Corporate Security Department and the local Security Department. |
|
Auditors |
|
Monitor compliance with this procedure and determine that suitable tools and training are available in audited departments. |
SECTION 3: METRICS
· None at this time
SECTION 4: PROCEDURE ACTIVITIES
An area properly designated as POPI access controlled is subject to less stringent physical
storage requirements than those specified elsewhere in this policy. The use of this policy exemption is meant to be very rare and should be considered only for highly unusual and technical functions (i.e., 24-hour engineering labs and design centers), where printed schematics or other shared data cannot be easily removed from view. By definition, individual offices may not be designated as POPI Controlled Access Areas.
The occupants of a POPI Controlled Access Area must adhere to all other SDLC policy requirements. These include but are not limited to requirements regarding POPI document classification, ~, and internal control standards (~) governing loss prevention.
A written plan for each POPI Controlled Access Area which at a minimum addresses the business reason for the designation as well as relevant self-audit and security procedures. Each plan must be approved in writing by the appropriate Sector/Group Security Manager, Internal Controls Manager, Controller and Operations Vice President.
Documented and independent self-audits of the area must be performed at least quarterly to ensure compliance with POPI and security standards. Repeat or serious infractions must result in the temporary revocation of the POPI Controlled Access designation until adequate corrective action can be demonstrated.
A separate and restricted 24-hour security system must be in place that uniquely identifies users and logs their access by date/time. In areas surrounded by false ceilings and/or walls that do not extend to the ceiling, motion detectors must supplement the separate security access system.
Janitorial services within the area must either be accompanied by Security personnel or be performed under supervision during normal working hours.
The following schedule provides information with respect to the treatment to be given to SDLC classified documents. It is organized by type of classification. Within each
classification it is then organized by the type of action and the procedures that must accompany that specific action.
SDLC General Business Information
|
Activity/Responsibility |
|
Description |
|
Classification Basis
(Business entity |
4.1 |
All SDLC information of business relevance not otherwise classified. |
|
Classifier |
4.2 |
Developer or compiler of the information |
|
Marking |
4.3 |
Information is not marked or labelled. |
|
Marking Exception
|
4.4 |
N/A |
|
Access |
4.5 |
All SDLC staff and non-SDLC staff having a legitimate business need for this information. |
|
Handling During
|
4.6 |
No extra precautions |
|
Revisions |
4.7 |
No specific requirements |
|
Copying |
4.8 |
No restrictions. |
|
Distribution Internal |
4.9 |
Any appropriate method. |
|
Distribution External |
4.10 |
Any appropriate method. |
|
Storage |
4.11 |
No specific requirements. |
|
Destruction |
4.12 |
No specific requirements. |
|
Downgrading |
4.13 |
No specific requirements |
SDLC Internal Use
|
Activity/Responsibility |
|
Description |
|
Classification Basis
(Business entity |
4.14 |
Business, technical, financial and personnel information that is written, oral, in electronic media or physical form, and which, if communicated outside SDLC, could benefit competitors at SDLC's expense. |
|
Classifier |
4.15 |
Developer or compiler |
|
Marking |
4.16 |
"SDLC INTERNAL USE" prominently marked on (CIU) at least the top page.
For digital information, application systems must
enforce the marking in all print routines and graphics
Classification expiration date is optional. |
|
Marking Exception
|
4.17 |
N/A |
|
Handling During |
4.18 |
Keep in control. |
|
Revisions |
4.19 |
Revisions to original information require the approval
of the
|
|
Copying |
4.20 |
Permitted by authorized user, but maintain clear |
|
Distribution Internal |
4.21 |
Company mail (folded or in envelop), general mail, approved electronic mail and electronic file transfer systems. |
|
Distribution External |
4.22 |
Public or private mail carrier, approved public E-Mail or electronic file transfer system. |
|
Storage |
4.23 |
Protect from loss to non-SDLC staff.
Digital information must have access control. |
|
Destruction |
4.24 |
No special requirements. Insure that material cannot |
|
Downgrading |
4.25 |
By date stated in the information or at the end of the information retention period per policy, or as designated at the request of the classifier. |
SDLC Confidential Proprietary
|
Activity/Responsibility |
|
Description |
|
Classification Basis
(Business entity |
4.26 |
Business, technical, financial and personnel information which is written, oral, in electronic media or physical form, and which has significant value to the company. It should be limited to persons with a need to know. |
|
Classifier |
4.27 |
Manager or higher of the organization developing the |
|
Marking |
4.28 |
"SDLC CONFIDENTIAL PROPRIETARY" (CCP) prominently marked on the top page and each other page, as reasonable.
For digital information, application systems must
enforce the
Classification expiration date is optional. |
|
Marking Exception
|
4.29 |
“SDLC PROPRIETARY INFORMATION” (CPI)
In place on CCP above. |
|
Access |
4.30 |
SDLC staff with a need to know and non-SDLC staff with a need to know, but subject to a confidentiality agreement and consistent with Corporate/Sector/Group SOP's. |
|
Handling During |
4.31 |
Keep in possession or locked.
|
|
Revisions |
4.32 |
Revisions to original information require the approval of the classifier. |
|
Copying |
4.33 |
Permitted by authorized user, but maintain clear markings, including digital copies. |
|
Distribution Internal |
4.34 |
Printed documents by company mail or approved outside
For digital information, approved electronic mail and
electronic file transfer systems with access
authentication |
|
Distribution External |
4.35 |
Public or private mail carrier with double envelope, MIS
approved public E-Mail or electronic file transfer
system. Files must be encrypted when transmitting over |
|
Storage |
4.36 |
Information must be kept out of view of persons not
having a need to know. When printed information is not
in use, it must be stored in a locked cabinet, desk or
approved POPI Controlled
Digital information should have access control and files should be locked for access only by authorized individuals |
|
Destruction |
4.37 |
Printed materials must be deposited in secure document receptacles or shredded.
Digital files must be erased through MIS approved computerized disk utilities that destroy the data. |
|
Downgrading |
4.38 |
By date stated in the information or at the end of the Information retention period per policy, or as designated at the request of the classifier. |
SDLC Registered Secret Proprietary
|
Activity/Responsibility |
|
Description |
|
Classification Basis
|
4.39 |
Business, technical, financial, trade secret and personnel information which is written, oral, in electronic media or physical form, and which is of a most sensitive nature.
Knowledge must be limited to selected individuals. |
|
Classifier |
4.40 |
Manager or higher of the organization developing the information. |
|
Marking |
4.41 |
"SDLC REGISTERED SECRET PROPRIETARY" on a colored cover sheet and prominently displayed on the top and bottom of each page. The cover sheet should name the individual custodian of that copy and bear a registration number tracked by the Classifier. |
|
Marking Exception
(For information |
4.42 |
"SDLC REGISTERED PROPRIETARY INFORMATION" (CRPI) in
place
|
|
Access |
4.43 |
SDLC staff with a need to know and non-SDLC staff with a
need to know, but subject to a confidentiality
agreement. Approval for access must be at the V.P.
level. Distribution lists maintained by |
|
Handling During |
4.44 |
Keep in possession or locked. Avoid working with or |
|
Revisions |
4.45 |
Revisions to original information require the approval of the classifier. |
|
Copying |
4.46 |
Permitted by authorized user upon permission of originator, but maintain clear markings, including digital copies. All copies must be registered and logged. |
|
Distribution Internal |
4.47 |
Printed documents must be hand-carried, if possible. Double envelope is required, with inner envelope marked "open by addressee only".
Company mail or approved, secure with outside carrier,
For digital information, MIS approved secure electronic systems, with access authentication control and end-to-end encryption. |
|
Distribution External |
4.48 |
Public or private mail carrier with double envelope.
Registered return receipt is required. Any electronic |
|
Storage |
4.49 |
When is use, kept under sight control, and when stored, placed in locked cabinets or desks.
Digital information must be encrypted, with
de-encryption only available to designated, authorized |
|
Destruction |
4.50 |
Material must be returned to the originator.
Digital files must be erased through MIS approved computerized utilities that destroy the data. Records must be kept of destruction. |
|
Downgrading |
4.51 |
Only as authorized in writing by the originator. |
SECTION 5: FORMS
- None at this time
SECTION 6: EXCEPTIONS
· None at this time
SECTION 7: TOOLS/SOFTWARE/TECHNOLOGY USED
|
Tool |
|
Description |
|
TBD |
7.1 |
|
(INTERNAL USE ONLY)
