Information Protection for the BMW Group Partner Portal
Version 1.8 (of July 10, 2003)
Increasing national and international competitive pressure forces every company to protect its confidential operating and business information. At the same time, collaboration with suppliers, system suppliers and designers is inconceivable today without the exchange of confidential information. It is therefore in our mutual interest that confidential operational and commercial information receives the same degree of protection on both sides.
Information protection essentially incorporates the following main areas:
1.1 Senior management must have defined a security policy. They must make sure that it is understood, implemented and adhered to at all levels. The following must be defined when the security policy is implemented:
The regulations to be implemented must cover the following topics in particular:
Accordingly, measurable objectives must be described.
1.2 Senior management must make appropriate means and personnel available for managerial and executive tasks in order to achieve the security objectives (resource management).
1.3 In order to implement the security policy, a documented security process must exist and be upheld. This must take into account:
Comment 1:
Comment 2:
Comment 3:
Comment 4:
The indirect transmission of data and new products to third parties must also be considered here.
1.4 When the security policy is implemented, security incidents, emergency and disaster situations must also be considered. IT security and conventional security incidents, the complaints concerned and emergencies must be recorded and management informed.
1.5 Internal checks (audits) must cover not only IT but also those conventional security processes that are exposed to particular threats, as well as the evaluation of security incidents.
2.1 The responsibility, competence, authorisation, representation and reciprocal relations of personnel whose activities affect the security process must be defined and known. Measures derived from the security policy and customer requirements (particularly those of the SE partners) must contain regulations concerning the responsibilities and competencies of personnel with regard to:
2.2 The position/area responsible (e.g. senior management) must name sufficient information protection delegates (IPDs) who possess the authority to:
Regulations on responsibilities, competencies and representatives must be defined in an appropriate form and documented individually, e.g. by means of an organisational chart.
2.3 All employees in the department, including external staff and senior management, who come into contact with security-related and/or confidential information/data must be informed of the sensitivity of this data and must sign a written confidentiality undertaking covering the handling of this information/data. These employees must be familiar with the confidential or otherwise security-relevant activities and with the responsible contact persons.
2.4 This also applies to external partners.
Comment:
2.5 When selecting personnel, in particular external employees, appropriate selection criteria must also be considered with respect to security. Maintenance, management and service of development projects should only be carried out by correspondingly named, authorised personnel who have signed a confidentiality undertaking.
3. Employee Responsibility in the Workplace, in Working Areas and in Public Areas
3.1 Where access to confidential data is possible in the office and at the workplace, rules of conduct should be laid down and monitored by senior management or the information protection delegates (IPDs). These must cover the following, where applicable:
4.1 Appropriate access controls must be employed to ensure that only authorised personnel have access to protected areas or direct access to data, confidential products and IT systems. Depending on the protection requirement / risk, this can be ensured through:
4.2 Suitable access regulations must be worked out according to the particular threats and implemented accordingly (e.g. accompanying visitors, wearing visible ID cards).
4.3 The necessary visual protection measures must be used. These may be any of the following, depending on the risk:
4.4 Depending on the protection requirements / risks, effective physical protective equipment must be available which counteracts the following possible threats in particular:
5. Information and Communication Infrastructure
5.1 All systems which process confidential data (know-how, design plans, bills of material, design studies, etc.) must be equipped with effective measures against loss of confidentiality according to the classification in the relevant protection requirement class. Data transmission equipment (telephone, fax, e-mail, data exchange systems, web portals) must be designed so that strictly confidential information is encrypted and can only be transferred over a public network with suitable authorisation.
5.2 All data must be classified according to affiliation and protection requirements, in particular with regard to confidentiality.
5.3 The IT systems critical to maintaining the business process must be designed in accordance with the requirements: the availability needed, the confidentiality arising from the protection requirements, and data integrity. A comprehensive plan for data backup and archiving as well as disaster recovery must be prepared and its implementation guaranteed. The processes and means are checked regularly.
5.4 There must be a plan for assigning authorisations. A list of employees and their access rights to security-related data must always be kept up to date (e.g. by means of a database).
5.5 Systems for protecting data, as well as the technical information and communications infrastructure (authorisation setup, firewall, backup equipment, encryption equipment), must be designed and operated in accordance with the protection requirements and risks.
5.6 A plan of the IT network topology, including the hardware/software inventory register, must be maintained.
Comment:
6.1 When central servers are used, appropriate Service Level Agreements (SLAs) must be agreed with respect to the security requirements (CIA criteria: confidentiality, integrity, availability). There must be appropriate regulations and responsibilities for the administration of security-related systems. These must take into account the specific conditions of the various operating systems (midrange/mainframe, Unix, Windows, Novell Netware, etc.) and network infrastructures (LAN, Intranet, Extranet, Internet). They must cover the following, where applicable:
Comments:
6.2 There must be a plan for remote administration by customers and our own personnel, which must be implemented appropriately according to the specified security objectives. Emergency measures must be brought to management's attention.
7.1 The development or test operation of prototypes or vehicle components and the construction of design models require particular protection of the design and innovations. It is particularly important that the risks are analysed and effective protection measures implemented during these processes. The basis for working with new BMW developments is laid down in the BMW "Handling / protection measures" for new developments (to be made available by the BMW contact persons).
7.2 With regard to transport, note that:
7.3 The products must be stored in a secured, monitored area. They should be covered with a canopy and secured with a lock at the end of the working day. In secure prototype areas a cover is sufficient.
7.4 Photographing products is only permitted by agreement with the client and should be documented. Negatives (if they exist) should be documented and developed in our own laboratories or those of contractual partners. Digital photographs should be handled securely (access authorisation / encryption) and deleted from the original data medium after being transferred.
7.5 In principle, presentations to third parties are prohibited. If they are required in order to fulfil the task, they must be carried out in a secure area and authorised by those responsible for the project.
7.6 Test drives / tests are usually carried out at test sites. Driving on public roads requires approval from the client. Any camouflage on the vehicle may only be removed in agreement with the client / project leader. The client's information protection representative must be informed.
7.7 After the confidentiality classification has been lifted, all relevant sensitive data must be checked for remaining confidentiality requirements (e.g. in another development project).
7.8 After the confidentiality classification has been lifted, there are usually further restrictions on the product. These will be defined by BMW project management and must be observed.
7.9 In addition, the persons responsible for the project/product must inform the user of the current status of