Click here to visit the new WIKI version of this site!

SDLC Information Security

Get *ALL* 100+ Editable Word, Visio, HTML & Project Source Documents (500+ Files) Totaling 1000+ Printed Pages for Only $497 - Buy I.T. Now!


SDLC

*DOWNLOAD NOW $497



SOP 1052: Information Security

Objective: 
The objective of this Standard Operating Procedure (SOP) is to provide an overview of the identification and protection of proprietary information.
Scope: 
This document establishes the procedures used to identify and label proprietary information and protect it from inadvertent or unauthorized disclosure, modification or destruction.
Owner: 
Chief Technology Officer

Sections:

i Definitions
1 Process Flow Diagrams
2 Roles and Responsibilities
3 Metrics
4 Procedure Activities
5 Forms
6 Exceptions
7 Tools/Software/Technology Used
8 Attachments

Related Standard Operating Procedures:

1005

1050

1051

1053

1054

1055

Release Planning

Electronic Information Security Standards

Security Administration

Appropriate Use of Computer Resources

Non-SDLC Use of SDLC Computers

Computer Systems Controls

Get "IT"
ScalabilITy - ReliabilITy
Flexibil
ITy - AgilITy
Longev
ITy - QualITy
.doc .xls .ppt .mpp .vsd .htm EdITable; Policies, Processes, Procedures, Projects Tasks, Diagrams, Forms & Files.
DOWNLOAD
Satisfaction Guaranteed.

-->

SDLC Standard Operating Procedures:

SDLC Framework:

SDLC Gates:

SDLC Roles and Responsibilities:

SDLC Forms:

SDLC Templates:

 

SOP 1052 - Protection of Proprietary Information (POPI) Definitions                

Proprietary Information: information useful in the business which:

  • SDLC keeps confidential to establish legal rights, that is, property rights;
  • Is not generally known outside SDLC (unless subject to a confidentiality agreement or the terms of a contract with the U.S. Government)

·         Gives the company a competitive advantage if it is used in the business and therefore, has economic value and benefit to the company.

Such types of information include technical and personnel information; sensitive business information such as plans, strategies, financial data; and trade secrets such as techniques, processes, compilations, formulas and patterns. Further included is proprietary information of others in the possession of SDLC.

POPI Controlled Access Area -Any enclosed floor space that conforms to the requirements specified in Section 4 of this SOP.

SDLC's policy is to keep secure within the company non-public information which it possesses, except in the case of normal business pursuits, e.g., where the company promotes
products, makes announcements or transfers such information in a selective manner under an agreement.

Some information possessed by the company is of a sensitive nature such that divulging it to outsiders, for example, competitors, would make SDLC less competitive or cause damage. On the other hand, the company does not want to inhibit sharing of information among employees for those who need to know such information to perform their jobs. If information is properly handled it can remain proprietary to the company, and safeguarded for competitive benefit, while at the same time it is being shared for company use.

The purpose of protection is to prevent inadvertent or wrongful disclosure. The procedures for accomplishing this must be standard throughout the company so that information from one part of the company can be transferred to another part of the company with assurance of protection expected by the organization originating the information.

All computer and network users, including non-SDLC staff accessing SDLC computers, will be held strictly accountable for their activities while using SDLC information processing resources. Actions, including details of files accessed, will be subject to recording and subsequent audit review. Individual users shall be uniquely identified, with explicit authorization to access non-public information enforced at the host system that stores the data. Additional requirements are specified in the Standards of Internal Control and the Electronic Information Security Standards, which provide guidance relating to specific technologies or services, such as E-Mail or EDI.

The exhibit that follows sets forth minimum safeguards to use. SDLC staff with a question should seek an answer from Corporate Security, Corporate Information Security or the Intellectual Property Department, but in any event, take steps to secure sensitive and valuable information, just as one would safeguard one's own valuable property.

Proprietary information may, on occasion, be provided to the U.S. Government. In that event, the words "Confidential" and "Secret" may be omitted. Instead, the proprietary information will be marked either "SDLC Proprietary" or SDLC Registered Proprietary". In addition and in order to protect the proprietary information in a manner recognized by the U.S. Government legends as set out in the relevant U.S. Government Regulations (e.g., ASPR, FAR, DFAR, etc.) will also be placed on the information being provided.

SECTION 1: PROCEDURE DIAGRAM

  • None at this time

SECTION 2: ROLES AND RESPONSIBILITIES

Role

 

Responsibility

Managers and Directors

 

Implement and enforce this policy and procedure within their respective business entities. They will cause standards to be set for use of the procedures to protect information originating in their organizations. They will cause training of their people to protect that information and also information their people receive from other organizations within the Company.

Employees

 

Each employee has a responsibility not to use, or to publish, or to otherwise disclose to others, any proprietary or confidential information of SDLC or its customers or suppliers or other contractors, except as SDLC duties may require. Each employee should report information security breaches to the Corporate Security Department and the local Security Department.

Auditors

 

Monitor compliance with this procedure and determine that suitable tools and training are available in audited departments.

SECTION 3: METRICS

·         None at this time

SECTION 4: PROCEDURE ACTIVITIES

An area properly designated as POPI access controlled is subject to less stringent physical

storage requirements than those specified elsewhere in this policy. The use of this policy exemption is meant to be very rare and should be considered only for highly unusual and technical functions (i.e., 24-hour engineering labs and design centers), where printed schematics or other shared data cannot be easily removed from view. By definition, individual offices may not be designated as POPI Controlled Access Areas.

The occupants of a POPI Controlled Access Area must adhere to all other SDLC policy requirements. These include but are not limited to requirements regarding POPI document classification, ~, and internal control standards (~) governing loss prevention.

A written plan for each POPI Controlled Access Area which at a minimum addresses the business reason for the designation as well as relevant self-audit and security procedures. Each plan must be approved in writing by the appropriate Sector/Group Security Manager, Internal Controls Manager, Controller and Operations Vice President.

Documented and independent self-audits of the area must be performed at least quarterly to ensure compliance with POPI and security standards. Repeat or serious infractions must result in the temporary revocation of the POPI Controlled Access designation until adequate corrective action can be demonstrated.

A separate and restricted 24-hour security system must be in place that uniquely identifies users and logs their access by date/time. In areas surrounded by false ceilings and/or walls that do not extend to the ceiling, motion detectors must supplement the separate security access system.

Janitorial services within the area must either be accompanied by Security personnel or be performed under supervision during normal working hours.

The following schedule provides information with respect to the treatment to be given to SDLC classified documents. It is organized by type of classification. Within each

classification it is then organized by the type of action and the procedures that must accompany that specific action.

SDLC General Business Information

Activity/Responsibility

 

            Description

Classification Basis

(Business entity
provides for examples
for its personnel)

4.1   

All SDLC information of business relevance not otherwise classified.

Classifier

4.2   

Developer or compiler of the information

Marking

4.3   

Information is not marked or labelled.

Marking Exception


(For information
revealed to US
government employees
under an NDA or US
Gov. Regs.)

4.4   

N/A

Access

4.5   

All SDLC staff and non-SDLC staff having a legitimate business need for this information.

Handling During
Travel

 

4.6   

No extra precautions
necessary.

Revisions

4.7   

No specific requirements

Copying

4.8   

No restrictions.

Distribution Internal

4.9   

Any appropriate method.

Distribution External

4.10           

Any appropriate method.

Storage

4.11           

No specific requirements.

Destruction

4.12           

No specific requirements.

Downgrading

4.13           

No specific requirements

SDLC Internal Use

Activity/Responsibility

 

            Description

Classification Basis

 

(Business entity
provides for examples
for its personnel)

4.14           

Business, technical, financial and personnel information that is written, oral, in electronic media or physical form, and which, if communicated outside SDLC, could benefit competitors at SDLC's expense.

Classifier

4.15           

Developer or compiler
of the information.

Marking

4.16           

"SDLC INTERNAL USE" prominently marked on (CIU) at least the top page.

 

For digital information, application systems must enforce the marking in all print routines and graphics
displays, and where practical, embedded in files.

 

Classification expiration date is optional.

Marking Exception


(For information
revealed to US
government employees
under an NDA or US
Gov. Regs.)

4.17           

N/A

Handling During
Travel

4.18           

Keep in control.

Revisions

4.19           

Revisions to original information require the approval of the
classifier.

 

Copying

4.20           

Permitted by authorized user, but maintain clear
markings, including digital copies.

Distribution Internal

4.21           

Company mail (folded or in envelop), general mail, approved electronic mail and electronic file transfer systems.

Distribution External

4.22           

Public or private mail carrier, approved public E-Mail or electronic file transfer system.

Storage

4.23           

Protect from loss to non-SDLC staff.

 

Digital information must have access control.

Destruction

4.24           

No special requirements. Insure that material cannot
be acquired by non-SDLC staff.

Downgrading

4.25           

By date stated in the information or at the end of the information retention period per policy, or as designated at the request of the classifier.

SDLC Confidential Proprietary

Activity/Responsibility

 

            Description

Classification Basis

 

(Business entity
provides for examples
for its personnel)

4.26           

Business, technical, financial and personnel information which is written, oral, in electronic media or physical form, and which has significant value to the company. It should be limited to persons with a need to know.

Classifier

4.27           

Manager or higher of the organization developing the
information.

Marking

4.28           

"SDLC CONFIDENTIAL PROPRIETARY" (CCP) prominently marked on the top page and each other page, as reasonable.

 

For digital information, application systems must enforce the
marking in all print routines and graphics displays and where
practical, embedded in files.

 

Classification expiration date is optional.

Marking Exception


(For information
revealed to US
government employees
under an NDA or US
Gov. Regs.)

4.29           

“SDLC PROPRIETARY INFORMATION” (CPI)

 

In place on CCP above.

Access

4.30           

SDLC staff with a need to know and non-SDLC staff with a need to know, but subject to a confidentiality agreement and consistent with Corporate/Sector/Group SOP's.

Handling During
Travel

4.31           

Keep in possession or locked.

 

Revisions

4.32           

Revisions to original information require the approval of the classifier.

Copying

4.33           

Permitted by authorized user, but maintain clear markings, including digital copies.

Distribution Internal

4.34           

Printed documents by company mail or approved outside
carriers, opaque envelope. Double envelope used in
judgment of sender.

 

For digital information, approved electronic mail and electronic file transfer systems with access authentication
control.

Distribution External

4.35           

Public or private mail carrier with double envelope, MIS approved public E-Mail or electronic file transfer system. Files must be encrypted when transmitting over
unprotected communications systems.

Storage

4.36           

Information must be kept out of view of persons not having a need to know. When printed information is not in use, it must be stored in a locked cabinet, desk or approved POPI Controlled
Access Area.

 

Digital information should have access control and files should be locked for access only by authorized individuals

Destruction

4.37           

Printed materials must be deposited in secure document receptacles or shredded.

 

Digital files must be erased through MIS approved computerized disk utilities that destroy the data.

Downgrading

4.38           

By date stated in the information or at the end of the

Information retention period per policy, or as designated at the request of the classifier.

SDLC Registered Secret Proprietary

Activity/Responsibility

 

            Description

Classification Basis


(Business entity
provides for examples
for its personnel)

4.39           

Business, technical, financial, trade secret and personnel information which is written, oral, in electronic media or physical form, and which is of a most sensitive nature.

 

Knowledge must be limited to selected individuals.

Classifier

4.40           

Manager or higher of the organization developing the information.

Marking

4.41           

"SDLC REGISTERED SECRET PROPRIETARY" on a colored cover sheet and prominently displayed on the top and bottom of each page. The cover sheet should name the individual custodian of that copy and bear a registration number tracked by the Classifier.

Marking Exception

 

(For information
revealed to US
government employees
under an NDA or US
Gov. Regs.)

4.42           

"SDLC REGISTERED PROPRIETARY INFORMATION" (CRPI) in place
of CRSP above.

 

 

Access

4.43           

SDLC staff with a need to know and non-SDLC staff with a need to know, but subject to a confidentiality agreement. Approval for access must be at the V.P. level. Distribution lists maintained by
originator.

Handling During
Travel

4.44           

Keep in possession or locked. Avoid working with or
exposing material while on public transportation.

Revisions

4.45           

Revisions to original information require the approval of the classifier.

 

Copying

4.46           

Permitted by authorized user upon permission of originator, but maintain clear markings, including digital copies. All copies must be registered and logged.

Distribution Internal

4.47           

Printed documents must be hand-carried, if possible. Double envelope is required, with inner envelope marked "open by addressee only".

 

Company mail or approved, secure with outside carrier,
same packaging requirements.

 

For digital information, MIS approved secure electronic systems, with access authentication control and end-to-end encryption.

Distribution External

4.48           

Public or private mail carrier with double envelope. Registered return receipt is required. Any electronic
transmission, including file transfer or E-Mail,
must be encrypted end­ to-end with MIS approved systems

Storage

4.49           

When is use, kept under sight control, and when stored, placed in locked cabinets or desks.

 

Digital information must be encrypted, with de-encryption only available to designated, authorized
individuals. All computer systems must have access control.

Destruction

4.50           

Material must be returned to the originator.

 

Digital files must be erased through MIS approved computerized utilities that destroy the data. Records must be kept of destruction.

Downgrading

4.51           

Only as authorized in writing by the originator.

 

SECTION 5: FORMS

  • None at this time

 

SECTION 6: EXCEPTIONS

·         None at this time

 

SECTION 7: TOOLS/SOFTWARE/TECHNOLOGY USED

 

Tool

 

                                       Description

TBD

7.1     

 

(INTERNAL USE ONLY)

Purchase Editable Documents Today

 

Creative Commons License
Systems Development Life Cycle (SDLC) by Robert E. Stewart, Sr. is licensed under a Creative Commons Attribution 3.0 Unported License.
Permissions beyond the scope of this license may be available at http://bobstewart.com/.