SDLC SOP 1052 - Protection of Proprietary Information (POPI)

From OpenSDLC

SOP 1052 - Protection of Proprietary Information (POPI)

Definitions

Proprietary Information: information useful in the business which:

  • SDLC keeps confidential to establish legal rights, that is, property rights;
  • Is not generally known outside SDLC (unless subject to a confidentiality agreement or the terms of a contract with the U.S. Government)
  • Gives the company a competitive advantage if it is used in the business and therefore, has economic value and benefit to the company.

Such types of information include technical and personnel information; sensitive business information such as plans, strategies, financial data; and trade secrets such as techniques, processes, compilations, formulas and patterns. Further included is proprietary information of others in the possession of SDLC.

POPI Controlled Access Area: Any enclosed floor space that conforms to the requirements specified in Section 4 of this SOP.

SDLC's policy is to keep secure within the company non-public information which it possesses, except in the case of normal business pursuits, e.g., where the company promotes products, makes announcements or transfers such information in a selective manner under an agreement.

Some information possessed by the company is of a sensitive nature such that divulging it to outsiders, for example, competitors, would make SDLC less competitive or cause damage. On the other hand, the company does not want to inhibit sharing of information among employees for those who need to know such information to perform their jobs. If information is properly handled it can remain proprietary to the company, and safeguarded for competitive benefit, while at the same time it is being shared for company use.

The purpose of protection is to prevent inadvertent or wrongful disclosure. The procedures for accomplishing this must be standard throughout the company so that information from one part of the company can be transferred to another part of the company with assurance of protection expected by the organization originating the information.

All computer and network users, including non-SDLC staff accessing SDLC computers, will be held strictly accountable for their activities while using SDLC information processing resources. Actions, including details of files accessed, will be subject to recording and subsequent audit review. Individual users shall be uniquely identified, with explicit authorization to access non-public information enforced at the host system that stores the data. Additional requirements are specified in the Standards of Internal Control and the Electronic Information Security Standards, which provide guidance relating to specific technologies or services, such as E-Mail or EDI.

The exhibit that follows sets forth minimum safeguards to use. SDLC staff with a question should seek an answer from Corporate Security, Corporate Information Security or the Intellectual Property Department, but in any event, take steps to secure sensitive and valuable information, just as one would safeguard one's own valuable property.

Proprietary information may, on occasion, be provided to the U.S. Government. In that event, the words "Confidential" and "Secret" may be omitted. Instead, the proprietary information will be marked either "SDLC Proprietary" or "SDLC Registered Proprietary". In addition, and in order to protect the proprietary information in a manner recognized by the U.S. Government, legends as set out in the relevant U.S. Government Regulations (e.g., ASPR, FAR, DFAR, etc.) will also be placed on the information being provided.

PROCEDURE DIAGRAM

  • None at this time

ROLES AND RESPONSIBILITIES

Role: Responsibility
Managers and Directors: Implement and enforce this policy and procedure within their respective business entities. They will cause standards to be set for use of the procedures to protect information originating in their organizations. They will cause training of their people to protect that information and also information their people receive from other organizations within the Company.
Employees: Each employee has a responsibility not to use, or to publish, or to otherwise disclose to others, any proprietary or confidential information of SDLC or its customers or suppliers or other contractors, except as SDLC duties may require. Each employee should report information security breaches to the Corporate Security Department and the local Security Department.
Auditors: Monitor compliance with this procedure and determine that suitable tools and training are available in audited departments.

METRICS

  • None at this time

PROCEDURE ACTIVITIES

An area properly designated as POPI access controlled is subject to less stringent physical storage requirements than those specified elsewhere in this policy. The use of this policy exemption is meant to be very rare and should be considered only for highly unusual and technical functions (i.e., 24-hour engineering labs and design centers), where printed schematics or other shared data cannot be easily removed from view. By definition, individual offices may not be designated as POPI Controlled Access Areas.

The occupants of a POPI Controlled Access Area must adhere to all other SDLC policy requirements. These include but are not limited to requirements regarding POPI document classification, ~, and internal control standards (~) governing loss prevention.

A written plan is required for each POPI Controlled Access Area; at a minimum it must address the business reason for the designation as well as the relevant self-audit and security procedures. Each plan must be approved in writing by the appropriate Sector/Group Security Manager, Internal Controls Manager, Controller and Operations Vice President.

Documented and independent self-audits of the area must be performed at least quarterly to ensure compliance with POPI and security standards. Repeat or serious infractions must result in the temporary revocation of the POPI Controlled Access designation until adequate corrective action can be demonstrated.

A separate and restricted 24-hour security system must be in place that uniquely identifies users and logs their access by date/time. In areas surrounded by false ceilings and/or walls that do not extend to the ceiling, motion detectors must supplement the separate security access system.

Janitorial services within the area must either be accompanied by Security personnel or be performed under supervision during normal working hours.

The following schedule provides information with respect to the treatment to be given to SDLC classified documents. It is organized by type of classification. Within each classification it is then organized by the type of action and the procedures that must accompany that specific action.


SDLC General Business Information

Activity/Responsibility: Description
4.1 Classification Basis (business entity provides examples for its personnel): All SDLC information of business relevance not otherwise classified.
4.2 Classifier: Developer or compiler of the information.
4.3 Marking: Information is not marked or labelled.
4.4 Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.): N/A
4.5 Access: All SDLC staff and non-SDLC staff having a legitimate business need for this information.
4.6 Handling During Travel: No extra precautions necessary.
4.7 Revisions: No specific requirements.
4.8 Copying: No restrictions.
4.9 Distribution Internal: Any appropriate method.
4.10 Distribution External: Any appropriate method.
4.11 Storage: No specific requirements.
4.12 Destruction: No specific requirements.
4.13 Downgrading: No specific requirements.

SDLC Internal Use

Activity/Responsibility: Description
4.14 Classification Basis (business entity provides examples for its personnel): Business, technical, financial and personnel information that is written, oral, in electronic media or physical form, and which, if communicated outside SDLC, could benefit competitors at SDLC's expense.
4.15 Classifier: Developer or compiler of the information.
4.16 Marking: SDLC INTERNAL USE (CIU) prominently marked on at least the top page. For digital information, application systems must enforce the marking in all print routines and graphics displays and, where practical, embedded in files. Classification expiration date is optional.
4.17 Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.): N/A
4.18 Handling During Travel: Keep in control.
4.19 Revisions: Revisions to original information require the approval of the classifier.
4.20 Copying: Permitted by authorized user, but maintain clear markings, including digital copies.
4.21 Distribution Internal: Company mail (folded or in envelope), general mail, approved electronic mail and electronic file transfer systems.
4.22 Distribution External: Public or private mail carrier, approved public E-Mail or electronic file transfer system.
4.23 Storage: Protect from loss to non-SDLC staff. Digital information must have access control.
4.24 Destruction: No special requirements. Ensure that material cannot be acquired by non-SDLC staff.
4.25 Downgrading: By date stated in the information or at the end of the information retention period per policy, or as designated at the request of the classifier.

SDLC Confidential Proprietary

Activity/Responsibility: Description
4.26 Classification Basis (business entity provides examples for its personnel): Business, technical, financial and personnel information which is written, oral, in electronic media or physical form, and which has significant value to the company. It should be limited to persons with a need to know.
4.27 Classifier: Manager or higher of the organization developing the information.
4.28 Marking: "SDLC CONFIDENTIAL PROPRIETARY" (CCP) prominently marked on the top page and each other page, as reasonable. For digital information, application systems must enforce the marking in all print routines and graphics displays and, where practical, embedded in files. Classification expiration date is optional.
4.29 Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.): "SDLC PROPRIETARY INFORMATION" (CPI) in place of CCP above.
4.30 Access: SDLC staff with a need to know and non-SDLC staff with a need to know, but subject to a confidentiality agreement and consistent with Corporate/Sector/Group SOPs.
4.31 Handling During Travel: Keep in possession or locked.
4.32 Revisions: Revisions to original information require the approval of the classifier.
4.33 Copying: Permitted by authorized user, but maintain clear markings, including digital copies.
4.34 Distribution Internal: Printed documents by company mail or approved outside carriers, in an opaque envelope. Double envelope used in the judgment of the sender. For digital information, approved electronic mail and electronic file transfer systems with access authentication control.
4.35 Distribution External: Public or private mail carrier with double envelope, MIS approved public E-Mail or electronic file transfer system. Files must be encrypted when transmitted over unprotected communications systems.
4.36 Storage: Information must be kept out of view of persons not having a need to know. When printed information is not in use, it must be stored in a locked cabinet, desk or approved POPI Controlled Access Area. Digital information should have access control and files should be locked for access only by authorized individuals.
4.37 Destruction: Printed materials must be deposited in secure document receptacles or shredded. Digital files must be erased through MIS approved computerized disk utilities that destroy the data.
4.38 Downgrading: By date stated in the information or at the end of the information retention period per policy, or as designated at the request of the classifier.


SDLC Registered Secret Proprietary

Activity/Responsibility: Description
4.39 Classification Basis (business entity provides examples for its personnel): Business, technical, financial, trade secret and personnel information which is written, oral, in electronic media or physical form, and which is of a most sensitive nature. Knowledge must be limited to selected individuals.
4.40 Classifier: Manager or higher of the organization developing the information.
4.41 Marking: SDLC REGISTERED SECRET PROPRIETARY (CRSP) on a colored cover sheet and prominently displayed on the top and bottom of each page. The cover sheet should name the individual custodian of that copy and bear a registration number tracked by the Classifier.
4.42 Marking Exception (for information revealed to US government employees under an NDA or US Gov. Regs.): SDLC REGISTERED PROPRIETARY INFORMATION (CRPI) in place of CRSP above.
4.43 Access: SDLC staff with a need to know and non-SDLC staff with a need to know, but subject to a confidentiality agreement. Approval for access must be at the V.P. level. Distribution lists are maintained by the originator.
4.44 Handling During Travel: Keep in possession or locked. Avoid working with or exposing material while on public transportation.
4.45 Revisions: Revisions to original information require the approval of the classifier.
4.46 Copying: Permitted by authorized user upon permission of the originator, but maintain clear markings, including digital copies. All copies must be registered and logged.
4.47 Distribution Internal: Printed documents must be hand-carried, if possible. Double envelope is required, with the inner envelope marked "open by addressee only". Company mail or an approved, secure outside carrier may be used with the same packaging requirements. For digital information, MIS approved secure electronic systems, with access authentication control and end-to-end encryption.
4.48 Distribution External: Public or private mail carrier with double envelope. Registered return receipt is required. Any electronic transmission, including file transfer or E-Mail, must be encrypted end-to-end with MIS approved systems.
4.49 Storage: When in use, kept under sight control, and when stored, placed in locked cabinets or desks. Digital information must be encrypted, with decryption only available to designated, authorized individuals. All computer systems must have access control.
4.50 Destruction: Material must be returned to the originator. Digital files must be erased through MIS approved computerized utilities that destroy the data. Records must be kept of destruction.
4.51 Downgrading: Only as authorized in writing by the originator.


FORMS

  • None at this time

EXCEPTIONS

  • None at this time

TOOLS/SOFTWARE/TECHNOLOGY USED

Tool: Description
7.1 TBD


