Information Protection for the BMW Group Partner Portal

Version 1.8 (of July 10, 2003)

Increasing national and international pressure to compete is forcing every company to protect its operating and business confidential information. On the other hand, collaboration with suppliers, system suppliers and designers is inconceivable these days without the exchange of confidential information. It is therefore in our mutual interest that operational and commercial confidential information receives the same degree of protection from both sides.


Information protection essentially incorporates the following main areas:


1. Security Management

1.1 Senior management must have documented a security policy. They must make sure that it is understood, implemented and adhered to at all levels. The following must be defined when the security policy is implemented:

  • clearly defined and measurable security objectives according to confidentiality, integrity, availability, authenticity (CIA²),

  • the scope,

  • the principles and rules of conduct to be implemented,

  • measures to uphold the security process.

The regulations to be implemented must cover the following topics in particular:

  • confidentiality and delimitation of confidential data (e.g. development and design data),

  • integrity and availability of data,

  • access protection for high-security areas,

  • the ability to restart and

  • the integration of partner companies.

Accordingly, measurable objectives must be described.

1.2 Senior management must make appropriate means and personnel available for managerial and executive tasks in order to achieve security objectives (resource management).

1.3 In order to implement the security policy, a security process must exist which is documented and upheld. This must take into account:

  • Determination of protection requirements of business processes and company data (according to the CIA² criteria described above),

  • Analysis of threats/risks for development projects requiring protection (e.g.: unauthorised photography of designs or innovations; circulation of confidential documents, drawings or data; appropriation of rights/protection of registered designs),

  • Analysis of threats/risks for IT systems, programs and data requiring protection (e.g.: negligent, inappropriate use of IT systems and data, system break-ins, appropriation of rights, denial-of-service attacks, hardware failures, computer viruses),

  • Planning, realisation and maintenance of security measures to reduce the threats/risks determined,

  • Training of management and employees, in particular when accepting new projects and introducing new systems,

  • Continuous checking that resources are appropriate,

  • Planning, carrying out and documentation of internal checks (audits) to check whether the security-related activities and measures meet those already determined and whether the security process is effective,

  • Drafting of and training on emergency measures,

  • Tracking, remedying and recording of security-related incidents and emergencies.

Comment 1:
Where there is a high protection requirement or damage potential, a systematic risk analysis can be appropriate. This must contain at least the following:

  • a definition of the risk (quantitative association between the extent of the damage and the probability of occurrence),

  • an inventory of the high-security-related security systems, applications, programs, information and their level of risk,

  • allocation of measures to reduce the risk.

Comment 2:
Where necessary, define and document a particular security strategy for external services (cleaning, repair and service personnel) ("Authorization Plan").
This may contain:

  • the dual-control principle,

  • responsibility for keys, particularly security guidelines, access checks and access protocols.

Comment 3:
Where necessary, define and document a particular security strategy for the company's external services (World Wide Web, E-mail, Application Gateway) ("Firewall Design"). This may contain:

  • setting up of a demilitarised zone,

  • particular security guidelines, access checks and access protocols.

Comment 4:
The security process must take into account special threats such as unauthorised access to confidential models, prototypes, parts, data, drawings, images, by:

  • employees or external personnel,

  • attackers during the transmission of data, targeted attacks (break-ins, corruption, social engineering, hackers, virus / trojan corruption, denial of service, etc.) for the purposes of economic espionage or investigative journalism,

  • attackers/photographers during test drives,

  • inadequate access protection.

The indirect transmission of data and new products to third parties must also be considered in this.

1.4 When the security policy is implemented, security incidents, emergency and disaster situations must also be considered. Security-related incidents, complaints and emergencies, in both IT security and conventional security, must be recorded and management informed.

1.5 Internal checks (audits) must be aligned not only to IT, but also to conventional security processes, which are exposed to particular threats, and to the evaluation of security incidents.


2. Organisation and Personnel

2.1 The responsibility, competence, authorisation, representation and reciprocal relations of personnel, whose activities affect the security process, must be defined and known. Measures derived from the security policy and customer requirements (particularly the SE partners) must contain regulations concerning the responsibilities and competencies of personnel with regards to

  • the establishment, maintenance and organisation of the processes corresponding to partners' business relationships,

  • the content and technical delimitations of these processes for the purposes of secrecy,

  • regular information/training of employees, particularly when new processes or systems are introduced,

  • rules of conduct with regards to communication services (telephone, fax, e-mail, data exchange, use of the BMW Group Partner Portal, etc.)

  • the noting, recording and evaluation of security-related processes,

  • security, emergency and disaster situations,

  • implementation of solutions to problems according to defined processes.

2.2 The position/area responsible (e.g. senior management) must name sufficient information protection delegates (IPDs) who possess the authority to:

  • make sure that a security process meeting the requirements of the protection measures, is defined, realised and maintained;

  • report to the company management on the effectiveness of the security process as a basis for its improvement at least annually.

Regulations on responsibilities, competencies and representatives must be defined in an appropriate form and documented individually, e.g. by means of an organisational chart.

2.3 All employees in the department, including external staff and senior management, who come into contact with security-related and/or confidential information/data must be informed of the sensitivity of this data and must sign a written confidentiality undertaking covering the handling of this information/data. These employees must be familiar with confidential or otherwise security-relevant activities and with the responsible contact persons.

2.4 This also applies to external partners.

Comment:
Employees who come into contact with personal data through their work must sign to indicate their acceptance of responsibility to data confidentiality in accordance with the Bundesdatenschutzgesetz (BDSG) (German Act for the Protection of Personal Data) and the Teledienstedatenschutzgesetz (TDDSG) (German Teleservices Act for the Protection of Personal Data).
Data protection (protection of personal data) must not be confused with information protection.

2.5 When selecting personnel, in particular external employees, appropriate selection criteria must also be considered in respect of security. Maintenance, management and service of development projects should only be carried out by correspondingly named, authorised personnel who have signed their obligation to confidentiality.


3. Employee Responsibility in the Workplace, in Working Areas and in Public Areas

3.1 Where access to confidential data is possible in the office and workplace, rules of conduct should be laid down and monitored by senior management or the information protection delegates (IPDs). These must cover the following, where applicable:

  • Creation, modification, storage, transfer, copying, printing, backing up, archiving of data and documents,

  • The use of unprotected exchange directories,

  • Virus protection, particularly with e-mails, attachments, data media exchange,

  • Working with passwords,

  • Copying or taking along of data media and documents,

  • Secure postage (reputable courier service or recorded delivery),

  • Leaving the workplace (password protection, locking up, "Clear Desk Policy", i.e. locking away confidential documents, etc.),

  • Working with laptops,

  • Disposal of information and data (use of shredders, secure deletion),

  • Behavior in case of emergencies or during problems caused by lack of availability of resources and virus attacks,

  • Teleworking / home offices,

  • Communication of information via the telephone or answering machines,

  • Maintaining confidentiality in public (trade fairs, airplanes, conversations with friends, etc.),

  • Behavior towards enquiries by the media, in academic publications,

  • Uploading/copying of software,

  • Access, monitoring and control of cleaning and external personnel and visitors.


4. Technical Infrastructure

4.1 Appropriate access controls must be employed to ensure that only authorised personnel have access to protected areas or direct access to data and confidential products and IT systems. Depending on the protection requirement / risk this can be ensured through:

  • regulations on personal vetting,

  • technical access equipment,

  • suitable structural and organisational measures for access protection,

  • graded protected areas,

  • alarm systems.

4.2 Suitable access regulations must be worked out according to the particular threats and implemented accordingly (e.g. accompaniment of visitors, carrying visible ID cards).

4.3 Necessary vision protection measures must be used. These may be any of the following, depending on the risk:

  • Blinds, shutters,

  • Tinted windows,

  • Partition walls, curtains,

  • Canopies, camouflage netting,

  • Security walls around car parks.

4.4 Depending on the protection requirements / risks, effective, physical protective equipment must be available, which counteracts the following possible threats in particular:

  • Bugging of lines and devices,

  • Power failure,

  • Fire,

  • Water damage,

  • Destruction, terrorist attacks,

  • Failure of air conditioning necessary for operation.


5. Information and Communication Infrastructure

5.1 All systems which process confidential data (know-how, design plans, bills of material, design studies, etc.) must be equipped with effective measures against the loss of confidentiality according to the classification in the relevant protection requirement class. Data transmission equipment (telephone, fax, e-mail, data exchange system, web portals) must be designed so that strictly confidential information is encrypted and can only be transferred over the public network with suitable authorization.

5.2 All data must be classified according to affiliation and protection requirements, in particular with regards to confidentiality.

5.3 The critical technical IT systems for maintaining the business process must be designed in accordance with requirements, the availability desired and the confidentiality arising from protection requirements and data integrity. A comprehensive plan for data backup and archiving as well as disaster recovery must be prepared and its implementation guaranteed. The processes and means are checked regularly.

5.4 There must be a plan for assigning authorizations. A list of employees and their access rights to security-related data must always be kept up to date (e.g. by means of a database).

5.5 Systems for protecting data, as well as the technical information and communications infrastructure (authorisation setup, firewall, backup equipment, encryption equipment) must be designed and run in accordance with protection requirements and risks.

5.6 A plan for the IT network topology, including the hardware/software inventory register must be maintained.

Comment:
Detailed measures for the installation and operation of various IT systems are described in the basic IT protection manual of the BSI (Bundesamt für Sicherheit in der Informationstechnik, Federal Office for IT Security).


6. System Administration

6.1 When central servers are used, appropriate Service Level Agreements (SLAs) must be agreed in respect of the security requirements (CIA² criteria). There must be appropriate regulations and responsibilities with regard to the administration of security-related systems. These must take into account the specific conditions of the various operating systems (midrange/mainframe, Unix, Windows, Novell Netware, etc.) and network infrastructures (LAN, Intranet, Extranet, Internet). These must cover the following, where applicable:

  • Setting up work stations,

  • User administration, management of rights and access control,

  • Central system administration (single sign-on, network management systems),

  • Destruction of data media (hard copy data media, hardware),

  • Operation of RAS access (Remote Access Services),

  • Central database, central applications (host, server),

  • Data backup and archiving,

  • Maintenance,

  • Configuration,

  • Recording and evaluation of system accesses,

  • Management of encryption infrastructure,

  • Operation of data communications equipment: modem, ISDN, radio, fax, telephone, leased line, Internet, Extranet,

  • Setup, management and control of security software (firewall, anti-virus software, authentication systems, etc.).

Comments:
A current list of all software products must be maintained. In particular, the management of licenses, usage rights for external software and proof of ownership for internally created software must be taken into account.
Suggestions for these regulations can be found in the basic IT protection manual of the BSI (Bundesamt für Sicherheit in der Informationstechnik, Federal Office for IT Security).

6.2 There must be a plan for remote management for customers and our own personnel which shall be appropriately implemented according to specified security objectives. Emergency measures must be brought to the management's attention.


7. Product Security

7.1 The development or test operation of prototypes or vehicle components and the setup of design models requires particular protection in terms of design and innovations. It is particularly important that the risks are analysed and effective protection measures carried out during these processes. The basis for working with new BMW developments is laid down in the BMW "Handling / protection measures" for new developments (must be made available by BMW contact persons).

7.2 With regard to transport, note that:

  • people / haulage firms are obliged to uphold confidentiality,

  • the driver must always be able to be contacted (e.g. by mobile phone),

  • the type of transport used has suitable locking options and where necessary an alarm system,

  • loading and unloading is carried out in a secure and concealed area (not visible),

  • acceptance/handover is overseen by a responsible person.

7.3 The products must be stored in a secured, monitored area. They should be covered with a canopy and secured with a lock at the end of the working day. A cover is sufficient in secure prototype areas.

7.4 Photographing products is only permitted upon agreement with the client and should be documented. Negatives (if they exist) should be documented and developed in our own laboratories or those of contractual partners. Digital photographs should be handled securely (access authorisation / encryption) and deleted from the original data medium after being transferred.

7.5 In principle, presentations to third parties are prohibited. If they are required in order to fulfil the task, they must be carried out in a secure area and authorised by those responsible for the project.

7.6 Test drives / tests are usually carried out at test sites. Driving on public roads requires approval from the client. Any camouflage on the vehicle may only be removed in agreement with the client / project leader. The information protection representative for the client must be informed.

7.7 After confidentiality has been removed, all relevant sensitive data must be checked for confidentiality requirements (e.g. in another development project).

7.8 After confidentiality has been removed, there are usually further restrictions on the product. These will be defined by BMW project management and must be observed.

7.9 In addition, the persons responsible for the project/product must inform the user of the current status of

  • handling (protection measures),

  • transport (regulations).