Security Policies Group 1 - Week 8 policy for use of technology.

Presentation transcript:

Overview of Lockheed Martin Operations

Lockheed Martin (LM) provides solutions for “Aeronautics, Electronic Systems, Information Systems & Global Solutions, and Space Systems.” They utilize EASIstar: “External Access Secure Infrastructure (EASIstar) is a Lockheed Martin Information Systems & Global Solutions (IS&GS) Extranet” providing “customers, partners, teammates, subcontractors, and employees access to a virtual collaborative workspace with capabilities ranging from web access to application and file sharing all in a secure, reliable and cost-effective manner”.

Information Security Policy

Policy is a plan or course of action that influences and determines decisions.

EISP: Enterprise Information Security Policy
- Sets the strategic direction, scope, and tone for all of an organization’s security efforts.
- Assigns responsibilities for the various areas of information security.
- Guides the development, implementation, and management requirements of the information security program.

ISSP: Issue-Specific Security Policy
- Articulates the organization’s expectations about how the technology-based system in question should be used.
- Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control.
- Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use.

SysSP: System-Specific Security Policy
- Often created to function as standards or procedures to be used when configuring or maintaining systems.
- SysSPs can be separated into two general groups: management guidance and technical specifications.

Parties Involved

- CISO of a medium-sized IT company
- Contract for information exchange will use

Policy guidelines for use of EASIstar

Requirements that are to be complied with when doing business with LM through EASIstar.

Lockheed Martin Information Assets Usage Policies

Passwords

Virus

Viruses and other malicious code pose a serious threat to Lockheed Martin users and customers. Virus prevention measures as guided by policy:
- Virus protection software must be installed and maintained on all Lockheed Martin managed, maintained or leased computing systems.
- All users of EASIstar must agree to acquire, install, utilize and maintain a current version of anti-virus software on any computer used to access the EASIstar Lockheed Martin Extranet.

The following actions are strongly encouraged:
- Virus signature files to be updated at least every 7 days, with the recommendation that virus signature files be installed within 24 hours of notification.
- Complete scans performed weekly.
- Virus scan engine updates scheduled for at least once per month.

The downloading, installation, and/or use of freeware/shareware products on EASIstar assets is not permitted without prior Lockheed Martin Intellectual Property Law attorney approval.
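The anti-virus requirements above are only enforceable if someone measures them. The following policy-as-code checker is an added example, not code from the presentation or from Lockheed Martin: it takes the slide's thresholds (signatures no older than 7 days, 24 hours recommended, a full scan every week, an engine update at least monthly) and grades an endpoint inventory against them. The Endpoint records, the audit timestamp and the 30-day reading of "once per month" are constructed assumptions for the demonstration.

```python
"""Policy-as-code check for the EASIstar anti-virus requirements (added example).

Thresholds come from the slide; the Endpoint records and AUDIT_TIME are
constructed sample data, not a real inventory.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_SIGNATURE_AGE = timedelta(days=7)           # hard requirement from the policy
PREFERRED_SIGNATURE_AGE = timedelta(hours=24)   # recommendation from the policy
MAX_FULL_SCAN_AGE = timedelta(days=7)           # "complete scans performed weekly"
MAX_ENGINE_AGE = timedelta(days=30)             # assumption: "once per month" read as 30 days


@dataclass
class Endpoint:
    hostname: str
    av_installed: bool
    signature_updated: Optional[datetime]
    last_full_scan: Optional[datetime]
    engine_updated: Optional[datetime]


def _age(now: datetime, when: Optional[datetime]) -> Optional[timedelta]:
    """Age of a timestamp relative to the audit time; None if never recorded."""
    return None if when is None else now - when


def check_endpoint(ep: Endpoint, now: datetime) -> Dict[str, object]:
    """Grade one endpoint: 'fail' breaks a requirement, 'warn' misses a recommendation."""
    findings: List[str] = []
    warnings: List[str] = []

    # No AV at all is an immediate failure; the other checks are meaningless.
    if not ep.av_installed:
        return {"status": "fail", "findings": ["anti-virus software not installed"]}

    sig_age = _age(now, ep.signature_updated)
    if sig_age is None or sig_age > MAX_SIGNATURE_AGE:
        findings.append("virus signatures older than 7 days or never updated")
    elif sig_age > PREFERRED_SIGNATURE_AGE:
        warnings.append("virus signatures older than the recommended 24 hours")

    scan_age = _age(now, ep.last_full_scan)
    if scan_age is None or scan_age > MAX_FULL_SCAN_AGE:
        findings.append("no complete scan in the last 7 days")

    engine_age = _age(now, ep.engine_updated)
    if engine_age is None or engine_age > MAX_ENGINE_AGE:
        findings.append("scan engine not updated in the last 30 days")

    if findings:
        return {"status": "fail", "findings": findings + warnings}
    if warnings:
        return {"status": "warn", "findings": warnings}
    return {"status": "pass", "findings": []}


def audit(endpoints: List[Endpoint], now: datetime) -> Dict[str, Dict[str, object]]:
    """Run the check over an inventory, keyed by hostname."""
    return {ep.hostname: check_endpoint(ep, now) for ep in endpoints}


# Constructed sample inventory (not real hosts).
AUDIT_TIME = datetime(2016, 3, 1, 12, 0)
SAMPLE_ENDPOINTS = [
    Endpoint("ws-01", True, AUDIT_TIME - timedelta(hours=6),
             AUDIT_TIME - timedelta(days=2), AUDIT_TIME - timedelta(days=10)),
    Endpoint("ws-02", True, AUDIT_TIME - timedelta(days=3),
             AUDIT_TIME - timedelta(days=2), AUDIT_TIME - timedelta(days=10)),
    Endpoint("ws-03", True, AUDIT_TIME - timedelta(days=9),
             AUDIT_TIME - timedelta(days=8), AUDIT_TIME - timedelta(days=45)),
    Endpoint("lap-04", False, None, None, None),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE_ENDPOINTS, AUDIT_TIME).items():
        print(f"{host}: {result['status']}  {'; '.join(result['findings'])}")
```

Separating "fail" (a requirement) from "warn" (a recommendation) matters in practice: the 24-hour figure on the slide is advice, so a host that updated signatures three days ago is reported but not blocked, while a host past the 7-day line or without a recent full scan is.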

Information Protection

- Sensitive information (LM Proprietary Information, Third Party Proprietary, and Export Controlled) assets (data, systems, documentation, etc.) must be properly classified, labeled and protected. Data/Information owners are responsible for determining the sensitivity of all information to be electronically transmitted in accordance with these policies.
- Protective Legends, Labels and other Markings. As appropriate, each item of Sensitive Information will bear a legend, label or other marking which serves to advise the holder that the information requires a specific degree of protection.
- Export Controlled Information will be labeled as necessary to comply with the applicable US or foreign government laws and regulations and local procedures.
- Lockheed Martin Proprietary Information will be labeled in accordance with approved labeling conventions.
- Third Party Proprietary Information will be managed in accordance with the contractual arrangements under which it was received. Such information should not be accepted unless an appropriate written contractual arrangement, which establishes the requirements for protecting the information (e.g., a Proprietary Information Agreement), is in place between Lockheed Martin and the third party. Third Party Proprietary Information will bear the markings applied by the third party, and/or markings prescribed by the contract between Lockheed Martin and the third party. The markings will not be removed without authorization from the third party and/or cognizant Lockheed Martin Legal Counsel.

Disclosure

Lockheed Martin policies and the laws of the US and foreign governments impose specific requirements upon the disclosure of Sensitive Information. Failure to comply with these requirements is a violation of policy and may lead to a violation of law. Accordingly, the individual providing access to the Sensitive Information must take the following steps before any disclosure is made:
- Ensure that the Sensitive Information bears the legend, if any, as identified.
- Determine the status of the intended recipient(s) (for example, whether he or she is an employee or a non-employee; a US Citizen or a Foreign Person).
- Obtain required documentation and approvals, if any, based upon this status (for example, a Proprietary Information Agreement or similar arrangement is required before LMPI is disclosed to a non-employee, and US government approval is required before Export Controlled Information is disclosed to a Foreign Person).

Other factors to consider

- Transmission: Ensure that the selected transmittal method is secure and complies with this policy and the laws of the recipient country (for example, encryption is prohibited by some foreign countries).
- Storage: When not in use, Sensitive Information in databases, desktop hard drives or local area networks will be protected by unique userID and password at a minimum. Encryption is recommended for Sensitive Information stored in non-US locations, except where prohibited by law. Sensitive Information stored on an asset that is not controlled and managed by Lockheed Martin (e.g., a personally-owned computer) will be protected by unique userID and password at a minimum.
- Disposition: Sensitive Information will be retained as required by law, regulation, contract, policy, or, if none of these applies, until no longer useful. Electronic information will be deleted or overwritten using overwriting software approved by Lockheed Martin Enterprise Information Systems. Overwriting is required if Sensitive Information will be disposed of in a non-US location.

General usage

- If an EASIstar Information Technology user suspects or has actual knowledge that the protection of Sensitive Information has been compromised in a manner that appears to be a violation of law, the individual must report such suspicion or actual knowledge to the appropriate Lockheed Martin EASIstar administrator.
- Ensure assets connected to EASIstar systems are properly locked or otherwise protected when unattended (e.g., through use of a power-on password, password-secured screen saver, etc.).
- Carefully assess all received software or information (for malicious code) before execution or storage.
- A Lockheed Martin policy prohibiting the use of split tunneling (i.e. simultaneous network access to two or more networks) is in effect when 1) connecting into EASIstar over a Virtual Private Network (VPN) connection, and 2) connecting out of EASIstar over a VPN connection to a remote network.
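The split-tunneling prohibition can be verified on the client rather than taken on trust. The following checker is an added example and not part of the presentation or any Lockheed Martin tooling: it parses a Linux routing table in `ip route` output format and decides whether a VPN interface carries all traffic (a full tunnel) or only some destinations (a split tunnel). It assumes the VPN appears as a tun/tap/wg/ppp interface and recognises the two common full-tunnel shapes, a `default` route on the VPN interface or the `0.0.0.0/1` plus `128.0.0.0/1` pair that OpenVPN's redirect-gateway pushes. The routing tables below are constructed samples.

```python
"""Classify a Linux routing table as full-tunnel, split-tunnel or no-vpn (added example).

Assumptions: VPN interfaces are named tun*/tap*/wg*/ppp*, and input is in
`ip route` format.  The sample tables are constructed, not captured from a real host.
"""
import ipaddress
import re
from typing import Dict, List, Optional

VPN_IFACE_PREFIXES = ("tun", "tap", "wg", "ppp")

# destination [via gateway] dev iface [anything else]
ROUTE_RE = re.compile(r"^(?P<dst>\S+)(?:\s+via\s+(?P<via>\S+))?\s+dev\s+(?P<dev>\S+)")

FULL_SPACE = ipaddress.ip_network("0.0.0.0/0")
DEF1_HALVES = {ipaddress.ip_network("0.0.0.0/1"), ipaddress.ip_network("128.0.0.0/1")}


def parse_routes(text: str) -> List[Dict[str, object]]:
    """Turn `ip route` lines into {net, dev, via} records; unparsable lines are skipped."""
    routes = []
    for line in text.strip().splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        dst = m.group("dst")
        net = ipaddress.ip_network("0.0.0.0/0" if dst == "default" else dst, strict=False)
        routes.append({"net": net, "dev": m.group("dev"), "via": m.group("via")})
    return routes


def is_vpn_iface(dev: str) -> bool:
    return dev.startswith(VPN_IFACE_PREFIXES)


def vpn_covers_everything(vpn_routes: List[Dict[str, object]]) -> bool:
    """True if the VPN routes cover the whole IPv4 space (default, or the def1 halves)."""
    nets = {r["net"] for r in vpn_routes}
    return FULL_SPACE in nets or DEF1_HALVES <= nets


def classify(text: str) -> str:
    """Return 'no-vpn', 'full-tunnel' or 'split-tunnel' for a routing table."""
    routes = parse_routes(text)
    vpn_routes = [r for r in routes if is_vpn_iface(str(r["dev"]))]
    if not vpn_routes:
        return "no-vpn"
    return "full-tunnel" if vpn_covers_everything(vpn_routes) else "split-tunnel"


def direct_networks(text: str) -> List[str]:
    """Destinations still routed outside the VPN; useful detail when reporting a split tunnel."""
    return sorted(str(r["net"]) for r in parse_routes(text) if not is_vpn_iface(str(r["dev"])))


# Constructed sample routing tables.
FULL_TUNNEL = """
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
203.0.113.10 via 192.168.1.1 dev eth0
"""
SPLIT_TUNNEL = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.0.0.0/8 via 10.8.0.1 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""
NO_VPN = """
default via 192.168.1.1 dev eth0 proto dhcp metric 100
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.23
"""

if __name__ == "__main__":
    for name, table in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL), ("none", NO_VPN)):
        print(f"{name}: {classify(table)}  direct={direct_networks(table)}")
```

Two caveats a practitioner should keep in mind. First, a full tunnel still leaves the original `default` route and the on-link LAN subnet on the physical interface; that is normal, since the VPN gateway itself has to stay reachable, which is why the check looks at what the VPN interface covers rather than at whether other routes exist. Second, VPNs that use policy routing (separate routing tables and rules) will not show their coverage in the main table, so on such hosts the rule set must be inspected as well.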

Reference