INFORMATION SECURITY GUIDELINES FOR SUPPLIERS
Review No: 0
Date: 04-04-2019
Page: 1 of 21
COMPANY: GRUPO ANTOLIN
I-P114-F Level - 0 04 / 04 / 19 PUBLIC
GRUPO ANTOLIN
INFORMATION SECURITY GUIDELINES FOR SUPPLIERS
INDEX
I. INTRODUCTION ... 4
1. TARGET AND DEFINITIONS ... 4
2. SCOPE ... 4
3. THIRD PARTIES AND SUPPLIER’S SUBCONTRACTORS ... 5
II. ORGANIZATIONAL SECURITY ... 6
4. INFORMATION SECURITY MANAGEMENT SYSTEM ... 6
5. ROLES AND RESPONSIBILITIES ... 6
III. ASSET MANAGEMENT AND INFORMATION CLASSIFICATION ... 7
6. ASSETS MANAGEMENT ... 7
7. INFORMATION CLASSIFICATION ... 7
8. RETURNING AND DELETING INFORMATION ... 8
9. INFORMATION SECURITY INCIDENTS MANAGEMENT ... 8
10. BUSINESS CONTINUITY MANAGEMENT FROM AN INFORMATION SECURITY POINT OF VIEW ... 9
11. COMPLIANCE ... 9
IV. HUMAN RESOURCES SECURITY ... 10
12. ADEQUATE PROFILES ... 10
13. CONFIDENTIALITY ... 10
14. TRAINING AND AWARENESS ... 10
V. PHYSICAL SECURITY ... 11
15. ZONING CONCEPT – AREAS DEFINITION ... 11
16. AREAS SEPARATION ... 11
17. ACCESS CONTROL ... 12
18. BUILDING PERIMETER AND FENCE ... 12
19. FIRE PROTECTION AND EXTINCTION ... 13
20. SPECIFIC MEASURES FOR SERVER ROOM ... 13
21. GLOBAL ALARM ... 13
22. VISITORS AND UNAUTHORIZED PERSONNEL IN RESTRICTED ZONES ... 13
23. VIDEO AND PHOTOGRAPHY ... 14
VI. IT SECURITY ... 15
24. ACCESS CONTROL ... 15
25. ENCRYPTION ... 16
26. DISPOSAL OF DATA MEDIA ... 16
27. WORKING OFF-PREMISES ... 16
28. BRING YOUR OWN DEVICE ... 17
29. EXCHANGE OF INFORMATION ... 17
30. IT OPERATIONS ... 17
31. COMMUNICATIONS SECURITY ... 18
32. CLOUD ... 18
VII. PROTOTYPES HANDLING ... 19
VIII. ANNEXES ... 20
ANNEX 1 – DAMAGE CAUSED TO THE COMPANY ... 20
ANNEX 2 – ALLOWED USES FOR GRUPO ANTOLIN’S INFORMATION ... 21
I. INTRODUCTION
1. TARGET AND DEFINITIONS
Grupo Antolin is aware of the importance of information and works to preserve its confidentiality, integrity and availability, both for its own information and for information received from other parties.
The purpose of this document is to protect the information sent to or shared with Grupo Antolin Suppliers.
By Grupo Antolin we mean all subsidiary companies belonging to Grupo Antolin.
Supplier means the service provider supplying goods or services, including the Supplier’s employees and the Supplier’s subcontractors. If information is shared with subcontractors, the same security measures and requirements must be applied to those subcontractors, and Grupo Antolin’s Supplier remains responsible for this.
Third parties means any party other than the Supplier and Grupo Antolin.
2. SCOPE
This document applies to all Grupo Antolin Suppliers handling Grupo Antolin’s information or using information technology resources on behalf of Grupo Antolin.
Grupo Antolin’s information includes any kind of information supplied by Grupo Antolin, owned by Grupo Antolin or owned by third parties. Information created by the Supplier from Grupo Antolin’s information is also covered by these guidelines.
Some of the measures apply depending on the kind of information handled by the Supplier. For example:
- The section on prototypes handling: if the Supplier does not handle prototypes, the Supplier does not need to apply that part of the Guidelines.
- The section on the Server Room: if the Supplier has no Server Room involved in the services supplied to Grupo Antolin, the specific measures for the Server Room are not applicable.
All applicable measures are mandatory. If any of the mandatory measures required in this document is not implemented, the Supplier must report the situation to Grupo Antolin and explain why (e.g. a risk analysis has been done and the measure has been considered unnecessary, with the reasoning).
When Grupo Antolin’s liaison for the Supplier sends other requirements defined by Grupo Antolin’s Customers or Grupo Antolin’s interested parties, the Supplier must comply with those requirements as well.
Grupo Antolin reserves the right to audit the Supplier whenever it is considered necessary.
The Supplier must be able to demonstrate that all security controls required in this document are effective and auditable.
For any kind of communication regarding information security (questions, suggestions, events, complaints or any other report) the Supplier can contact [email protected]
3. THIRD PARTIES AND SUPPLIER’S SUBCONTRACTORS
When a Supplier needs to send or share information owned by Grupo Antolin with third parties, it must obtain permission from its Grupo Antolin business liaison before doing so.
When a Grupo Antolin Supplier sends or shares information with third parties, the scope of this document is extended: the Grupo Antolin Supplier must require from those third parties the same requirements explained in this document.
In any case, for Supplier’s subcontractors or third parties accessing Grupo Antolin’s information, an initial risk assessment must be done to avoid future security breaches affecting Grupo Antolin’s information. One of the requirements to be verified during this risk assessment is acceptance of the Non-Disclosure Agreement and compliance with the Security Measures, both of which are mandatory.
As part of the risk assessment, while the collaboration with third parties and/or subcontractors is in place, performance and security compliance with these requirements must be verified regularly.
II. ORGANIZATIONAL SECURITY
4. INFORMATION SECURITY MANAGEMENT SYSTEM
The Supplier must have a documented framework for Information Security, supported by the Supplier’s management body.
The Supplier must have a risk management process ensuring that all the risks to Grupo Antolin’s information are taken into account and treated according to their risk level, for every project involving the handling of Grupo Antolin’s information and in every department (Engineering, IT, etc.).
The security controls defined to protect the information must be effective.
5. ROLES AND RESPONSIBILITIES
A person responsible for Information Security Management must be appointed by the Supplier, and the contact e-mail for this position must be reported to Grupo Antolin. This position must also be communicated to the Supplier’s employees.
As part of the information security management system, all the relevant positions with activities that preserve information security must be defined and communicated to the Supplier’s employees when needed.
III. ASSET MANAGEMENT AND INFORMATION CLASSIFICATION
6. ASSETS MANAGEMENT
All the assets involved in handling the information must be identified to support the risk management process, so that no important asset is forgotten that could lead to a security breach.
The identified assets, together with the dependencies between them, must be inventoried; this is needed to evaluate every asset properly according to the impact it can have on information security.
7. INFORMATION CLASSIFICATION
Grupo Antolin’s information handled by the Supplier must be classified according to Grupo Antolin’s criteria.
This classification is required for an adequate risk assessment, which leads to defining and applying a proper set of security measures to protect the information depending on its classification, while respecting the uses allowed by Grupo Antolin.
Classification must be done from 3 points of view: confidentiality, integrity and availability.
For each of these categories, Grupo Antolin defines 4 classes based on the damage the Company can suffer if information security is violated (the damage definitions can be read in annex number 1).
Confidentiality.
Information must be accessible only to those persons authorized to access it (“need to know” principle).
- Public: no restrictions, apart from those defined by the Marketing and Communication department.
- Internal: for internal use; must not be distributed to people outside its scope. A loss of confidentiality should not cause more than minor damage.
- Confidential: accessible to a limited group of people who need this information to perform their work. A loss of confidentiality can cause serious damage.
- Secret: accessible to a very limited and strictly defined group of people, with strong security measures. A loss of confidentiality can cause severe damage.
Integrity.
Information must be complete and error-free, protected against unauthorized modifications.
- Low: an integrity violation should not cause any business damage.
- Medium: an integrity violation should not cause more than minor damage.
- High: an integrity violation could cause serious damage to the Company.
- Very high: an integrity violation could cause severe damage to the Company.
Availability.
Information must be available for use according to the agreed requirements. The class is defined according to the table below: each row is the damage or impact caused beyond the tolerated downtime, each column is the unavailability time tolerated by the information owner.

DAMAGE BEYOND TOLERATED DOWNTIME | 1 hour    | 4 hours   | 24 hours  | 3 days | > 3 days
Severe                           | very high | very high | very high | high   | high
Serious                          | very high | high      | high      | medium | medium
Minor                            | high      | high      | medium    | low    | low
No damage                        | low       | low       | low       | low    | low
Suppliers must map the classification of the Grupo Antolin information they handle to the classification provided by Grupo Antolin. If Grupo Antolin has not defined that classification, the Supplier must ask its Grupo Antolin business liaison.
In any case, if the classification is not clear, Grupo Antolin’s information must be considered confidential and treated according to that class.
The information owner at the Supplier is responsible for classifying and labelling the information.
Annex number 2 shows a table with the allowed uses for the information depending on its confidentiality classification, including the rules for labelling. The Supplier must respect these uses.
Grupo Antolin’s information must be kept separate from the information of third parties (e.g. by applying rights management) and especially from data belonging to other customers of the Supplier.
8. RETURNING AND DELETING INFORMATION
At the end of the contract, or when required by Grupo Antolin, information must be properly returned or deleted from the Supplier’s devices and storage media.
Retention periods agreed with Grupo Antolin or required by law must be respected.
9. INFORMATION SECURITY INCIDENTS MANAGEMENT
Any information security event concerning Grupo Antolin’s information must be reported to Grupo Antolin.
Any suspected loss of confidentiality of confidential or secret information must be reported to Grupo Antolin, marking the e-mail as “high priority”.
The Supplier must collect and properly handle any information security event or incident in order to protect Grupo Antolin’s information.
10. BUSINESS CONTINUITY MANAGEMENT FROM AN INFORMATION SECURITY POINT OF VIEW
A Business Continuity Plan must be in place to ensure the service level agreed with Grupo Antolin from an information security point of view, considering especially availability and integrity.
11. COMPLIANCE
The legal regulations applying to the Supplier must be observed: intellectual property rights, personal data protection or any other regulation that applies from an information point of view.
Contractual requirements must be observed as well, implementing the security measures needed to cover Grupo Antolin’s requirements.
IV. HUMAN RESOURCES SECURITY
12. ADEQUATE PROFILES
The people selected for every position must have an adequate profile to perform their activities without degrading the effectiveness of the information security controls.
For those positions where a high risk to information security is detected, Human Resources must consider the risks and take the measures needed to avoid damage to or leakage of information.
13. CONFIDENTIALITY
Every Supplier employee with access to Grupo Antolin’s information must sign an internal confidentiality agreement covering at least the same points as the confidentiality agreement required by Grupo Antolin from the Supplier.
This confidentiality agreement must protect the secrecy of the information even after the employee leaves the company, by default for 5 more years, unless applicable laws and regulations require a different period.
14. TRAINING AND AWARENESS
The Supplier’s employees must be trained and informed about their obligations and responsibilities to protect the information. Attendance and adherence to the obligations explained in this training must be recorded for every employee, and this is a requirement before granting access to handle Grupo Antolin’s information.
An awareness and refresher training program must be in place to guarantee that staff are aware of the relevance of information security.
V. PHYSICAL SECURITY
15. ZONING CONCEPT – AREAS DEFINITION
The Supplier must identify and classify the different zones in its buildings according to the information located in those zones and the associated risks.
From the point of view of the Grupo Antolin information located in each zone, and bearing in mind the damage that Grupo Antolin can suffer (according to annex number 1), the following definitions apply:
- Class 1 Restricted Zones (red zones): violations of information security (confidentiality, integrity or availability) can cause severe damage.
- Class 2 Restricted Zones (yellow zones): violations of information security (confidentiality, integrity or availability) can cause serious damage.
- Internal Zones (green zones): violations of information security should not cause more than minor damage.
- Public Zones (white zones): normally there is no information in these areas, or violations affecting information located here cannot cause any kind of damage.
16. AREAS SEPARATION
The different types of areas (red, yellow, green and white) must be physically separated by walls or similar measures, depending on the risk assessment, preventing free access at least to yellow and red zones.
Access to red zones must not be directly available from white or green zones, unless it is justified and mitigating security measures are in place to avoid unauthorized access.
Confidential and secret content must not be visible from the outside. The measures applied can be organizational (e.g. placement of the information) or physical (e.g. windows or glass doors fitted with anti-spy film, screens, etc.). This requirement also applies while windows and doors are open for entrance, exit or other reasons.
Surveillance cameras or similar devices taking images (video or photo) of any confidential or secret information are forbidden. Such cameras can be placed to support surveillance activity, but in a way that avoids confidentiality breaches.
Restricted areas must never be used as a passage to other areas: that would force giving access to people who do not need access to these confidential or critical zones.
The logistics zone, where courier companies normally enter to make deliveries or collect shipments, must be separated from red and yellow zones, with no direct visibility of confidential/secret information. If separation is not possible, confidentiality must be maintained through other security measures and courier companies must be escorted at all times.
For confidential shipments and deliveries, while confidential parts are in the logistics area waiting to be collected by the recipient (during a delivery) or by the courier company (during a shipment), they must be kept out of risk of theft, damage or confidentiality violation. A locked room with restricted access is recommended.
Rooms where IT equipment (servers, storage boxes, PCs, etc.) hosts or processes confidential or secret information are considered restricted zones and must be treated according to that class.
Networking equipment must be considered as well, because it is a point from which the internal network can be accessed and it could cause an availability loss, so it must be located in a locked room or at least in a locked rack.
17. ACCESS CONTROL
Any restricted zone must be locked and access to it must be restricted, controlled and, if needed, recorded through ID card readers or similar in order to enable monitoring.
Access to restricted areas must be limited to the people who need to access the information inside, no more and no less (i.e. the “Need to Know” principle is implemented).
An access rights management process must be in place, covering registration, granting, modification and removal when there is a role/position change or a departure. An inventory of the accesses granted must exist, and regular reviews must be implemented to keep this management free of errors.
The following additional security measures must be implemented, unless alternative security measures are in place or the risk assessment justifies that they are not needed:
- It is recommended to implement two-factor authentication to enter class 1 restricted zones; it is mandatory for the Server Room if it hosts secret information.
- It is recommended to install an intrusion detection system for restricted areas, monitor it and connect it to a global alarm system according to the risk analysis.
- It is recommended to install surveillance cameras to monitor and record passage areas inside the building, to support and improve the security patrols, according to the risk analysis and always respecting confidentiality.
18. BUILDING PERIMETER AND FENCE
According to the risk assessment, the following measures must be considered and implemented. They can be omitted only when a reasonable justification exists:
- A solid fence around the building, with access restricted and controlled for both cars and pedestrians.
- A solid outer skin for the building, preventing easy entry.
- A perimeter monitored by video surveillance.
- An intrusion detection and monitoring system for the perimeter or for the entrance to relevant areas.
- A security guard booth or reception area controlling access and properly registering visits.
- Exterior doors and windows must be kept locked (or at least under surveillance if they are open, as may happen with the reception entrance), and it must be possible to open them only from inside the building or from outside by ID card readers, remote controls, keys or similar.
19. FIRE PROTECTION AND EXTINCTION
Fire detection must be implemented for the complete building and connected to the global alarm system.
Fire extinction means must be installed:
- At least manual extinguishers.
- An automatic extinction system (water sprinklers or similar) is recommended.
20. SPECIFIC MEASURES FOR SERVER ROOM
It is recommended to install air conditioning (not located above any IT equipment, to avoid water dripping) to avoid IT equipment outages or malfunctions (if possible a double unit, to provide high availability).
Flood protection is a must: the Server Room should be located upstairs if possible, or at least on a sufficiently raised floor if it is located on the ground floor.
Fire detection and extinction as stated in the “Fire protection and extinction” section.
Temperature and humidity monitoring must be installed and monitored at least during working hours. Monitoring 24x7x365 is recommended.
Power loss prevention must be implemented:
- At least a UPS for the critical equipment in the Server Room.
- A power generator or similar, in addition to the UPS, is recommended.
21. GLOBAL ALARM
All monitored systems where a risk for Grupo Antolin’s information exists must be connected to a global alarm monitored 24x7x365.
This global alarm must have a programmed response depending on the detected situation, with an adequate response time depending on the impact (e.g. for class 1 restricted zones a shorter response time must be implemented than for class 2 restricted zones).
22. VISITORS AND UNAUTHORIZED PERSONNEL IN RESTRICTED ZONES
Visitors in general.
All visitors must be registered at the entrance, keeping a record of the entry and departure time (according to local regulations for personal data, these records should be deleted after a period). They must be identified and escorted, avoiding risks for Grupo Antolin’s information. An information security policy for visitors must be in place: visitors must be informed, and they must accept a confidentiality agreement and respect the rules and policies explained.
Visitors in restricted zones.
When for business reasons visitors must access restricted zones where Grupo Antolin’s information is located, this information must be properly protected. A policy or instruction must exist for these cases.
Service staff.
Service staff need to access protected rooms for some maintenance activities, but this kind of access must be considered in the risk assessment to avoid confidentiality problems. Security measures must be applied to protect the information properly.
Security staff.
If security staff need to access restricted areas where Grupo Antolin’s information is located (e.g. outside working hours to verify a possible security event), a control and record of that access must be kept (for example: the keys to these zones can be enclosed in a sealed envelope that security staff must break open in case of need, reporting the situation to the facilities manager and/or the person responsible for information security).
23. VIDEO AND PHOTOGRAPHY
A regulation on how to proceed with video and photography must be in place, protecting Grupo Antolin’s confidential and secret information from unauthorized captures and from incorrect management of the captured material.
VI. IT SECURITY
The security controls defined here apply to those Suppliers handling Grupo Antolin’s information in electronic format through information technology resources.
24. ACCESS CONTROL
Access control and rights assignment must be restricted and controlled.
When assigning credentials, the following rules, among others, must be observed:
- User credentials are personal, and nobody may use the ID or account assigned to another person.
- Shared accounts used by more than one person must not be used in general, only in justified cases where there is no other solution and there is no risk to the information.
- Temporary passwords or PINs must be changed at the first log-on.
- Passwords or PINs must be protected against disclosure and must never be shared.
- Whenever there is any suspicion that a password or PIN has been compromised, it must be changed immediately.
- Passwords or PINs must be changed at first use and regularly, at least every 90 days.
- User accounts must be locked after a reasonably defined number of failed log-on attempts.
- Accounts not used for more than 6 months must be locked.
An access assignment process must be defined and in place, ensuring:
- Registration.
- Granting and modification of rights, approved by the information owner.
- Removal on role/position changes and departures.
Regular reviews must be done to correct any lack of effectiveness in the process for removing and changing permissions.
Privileged access rights must be treated specially, increasing the security measures as needed (e.g. regular monitoring of administrator activities, with a higher review frequency than for standard accounts).
Secret authentication information must be properly managed, including its creation and distribution to the users.
Authentication.
Authentication measures for accessing information must be established according to the information classification, as defined in annex number 2.
- Weak authentication: only a password is required for log-on.
The password must be secure enough:
o At least 10 characters.
o At least 3 of the 4 groups listed here: lower case letters, upper case letters, numbers and special characters.
o No trivial combinations, such as typical passwords (“Test123456”) or personal information (name, birth date, etc.).
o Not the same password for accessing Grupo Antolin systems and repositories as for accessing other systems provided by third parties.
- Strong authentication: in this case two-factor authentication (2FA) is required. This means that 2 of the following 3 factors must be supplied for log-on:
o Knowledge factors, e.g. a password or a PIN.
o Possession factors, e.g. an ID card, or a PIN supplied by a token or a smartphone.
o Inherence factors (biometrics), e.g. fingerprint, face, voice.
For remote access to the network where Grupo Antolin’s information is located, strong authentication is a requirement.
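The credential rules of section 24 (at least 10 characters from 3 of 4 character groups, no typical passwords or personal information, a change at least every 90 days, a lock after a defined number of failed log-ons and after 6 months without use) can be checked automatically against a password candidate and against an identity inventory. The following Go program is an added example written for this page, not Grupo Antolin’s or any Supplier’s code: the lock-out threshold of 5 attempts, the reading of “6 months” as 183 days, the list of typical passwords and the account records are assumptions or constructed data, since the page gives none of them.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Parameters from section 24; the lock-out threshold (5) and 183 days for "6 months" are assumptions.
const (
	minPasswordLength  = 10
	minCharacterGroups = 3
	maxPasswordAgeDays = 90
	maxInactiveDays    = 183
	maxFailedLogons    = 5
)

// Constructed list of "typical passwords"; "Test123456" is the page's own example.
var trivialPasswords = map[string]bool{"test123456": true, "password": true, "123456": true, "qwerty": true}

func isSpecial(r rune) bool { return !unicode.IsLower(r) && !unicode.IsUpper(r) && !unicode.IsDigit(r) }

// CheckPasswordComplexity returns every weak-authentication rule the password breaks;
// personal holds strings (name, birth year, ...) that must not appear in it.
func CheckPasswordComplexity(pw string, personal []string) []string {
	var problems []string
	if len([]rune(pw)) < minPasswordLength {
		problems = append(problems, fmt.Sprintf("shorter than %d characters", minPasswordLength))
	}
	groups := 0 // how many of the 4 character groups are present
	for _, inGroup := range []func(rune) bool{unicode.IsLower, unicode.IsUpper, unicode.IsDigit, isSpecial} {
		if strings.IndexFunc(pw, inGroup) >= 0 {
			groups++
		}
	}
	if groups < minCharacterGroups {
		problems = append(problems, fmt.Sprintf("only %d of 4 character groups", groups))
	}
	lowered := strings.ToLower(pw)
	if trivialPasswords[lowered] {
		problems = append(problems, "trivial password")
	}
	for _, p := range personal {
		if p != "" && strings.Contains(lowered, strings.ToLower(p)) {
			problems = append(problems, "contains personal information: "+p)
		}
	}
	return problems
}

// Account is a constructed identity-inventory record with the fields the review needs.
type Account struct {
	User                   string
	PasswordSet, LastLogon time.Time
	FailedLogons           int
}

// ReviewAccounts applies the account rules of section 24 as of the review time now and
// returns, per user, the findings that call for a forced change or a lock.
func ReviewAccounts(accounts []Account, now time.Time) map[string][]string {
	findings := map[string][]string{}
	for _, a := range accounts {
		var f []string
		if now.Sub(a.PasswordSet) > maxPasswordAgeDays*24*time.Hour {
			f = append(f, "password older than 90 days: force change")
		}
		if now.Sub(a.LastLogon) > maxInactiveDays*24*time.Hour {
			f = append(f, "unused for more than 6 months: lock")
		}
		if a.FailedLogons >= maxFailedLogons {
			f = append(f, "failed log-on threshold reached: lock")
		}
		if len(f) > 0 {
			findings[a.User] = f
		}
	}
	return findings
}

// SampleAccounts returns constructed inventory records for a review dated 2019-04-04 (the guidelines' issue date).
func SampleAccounts() []Account {
	d := func(y int, m time.Month, day int) time.Time { return time.Date(y, m, day, 0, 0, 0, 0, time.UTC) }
	return []Account{
		{User: "jdoe", PasswordSet: d(2019, 3, 1), LastLogon: d(2019, 4, 3)},
		{User: "admin-ops", PasswordSet: d(2018, 12, 1), LastLogon: d(2019, 4, 2)},
		{User: "contractor7", PasswordSet: d(2018, 9, 1), LastLogon: d(2018, 9, 1)},
		{User: "kiosk", PasswordSet: d(2019, 3, 15), LastLogon: d(2019, 4, 1), FailedLogons: 6},
	}
}

func main() {
	for _, pw := range []string{"Test123456", "abcdefghij", "correct-Horse-7"} {
		fmt.Printf("%q -> %v\n", pw, CheckPasswordComplexity(pw, []string{"maria"}))
	}
	for user, f := range ReviewAccounts(SampleAccounts(), time.Date(2019, 4, 4, 0, 0, 0, 0, time.UTC)) {
		fmt.Println(user, f)
	}
}
```

The complexity check reports every broken rule rather than stopping at the first one, so the user sees the full reason a password is rejected; the inventory review is meant to run periodically with the real review date, which is how the regular reviews required by the section are made auditable.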
25. ENCRYPTION
Local storage at the office (network repositories or any other kind of electronic storage) containing Grupo Antolin information classified as secret must be encrypted, unless other security measures with the same protection level are in place. For information classified as confidential, encryption is recommended.
For remote access, traffic involving confidential or secret information must always be secured and encrypted.
Mobile devices (smartphones, laptops, etc.) and removable data media (hard disks, DVDs, tapes, memory sticks, etc.) that may be used off-premises and/or easily stolen, and that contain confidential and/or secret information, must always be encrypted.
In general, when a high risk for confidential or secret information is detected during the risk assessment, the data must be encrypted.
26. DISPOSAL OF DATA MEDIA
Disposal of data media with confidential or secret information must be done ensuring the information cannot be read. In this respect, the guidelines shown in annex number 2 must be respected.
27. WORKING OFF-PREMISES
When working off-premises is allowed, a policy must be in place regulating this activity and ensuring, according to a proper risk assessment, that the risks for Grupo Antolin’s information are properly treated, in particular:
- The Supplier’s employees know the working off-premises policy and agree to comply with it.
- Only IT devices complying with the Supplier’s regulations may be used to manage Grupo Antolin’s information, and those devices must be used only for professional purposes.
- Special care is taken to avoid credentials being stolen.
- All data media and devices storing Grupo Antolin’s information or enabling access to Grupo Antolin’s
information must be under personal surveillance so that they cannot be stolen. These devices must
be properly encrypted, as explained in the “Encryption” chapter of this document.
- Original information must remain in protected repositories at Supplier’s premises; only in case of
need will temporary copies be taken off those premises.
- Information must be protected from eavesdropping and from being viewed by others.
- Special care must be taken when documents are printed; printing Grupo Antolin’s confidential and
secret information must be avoided if possible.
- When travelling abroad, country-specific regulations (e.g. on encryption) must be observed, avoiding
risks for Grupo Antolin’s information.
28. BRING YOUR OWN DEVICE
A policy on whether employees may bring their own devices to access information must be in place. In this
regard, security measures must be applied regardless of whether the devices are personal or corporate.
29. EXCHANGE OF INFORMATION
Data exchanged through electronic means must be exchanged using the following tools:
- Confidential information:
o DAXS.
o E-mail: confidential content must be encrypted with a secure method (AES256 or similar).
o Other means specifically indicated by Grupo Antolin.
- Secret information:
o DAXS.
o Other means specifically indicated by Grupo Antolin.
Confidential or secret information shared through phone calls, video or web conferences, etc. must be
protected against spying, eavesdropping and unintentional disclosure.
When transporting IT devices, confidentiality must be protected by encrypting confidential and secret data
and by respecting the guidelines detailed in Annex 2.
The authenticity of data/information recipients must be verified before starting the exchange or sharing process.
30. IT OPERATIONS
IT changes.
Supplier must approve, schedule, test and validate any change so as to avoid affecting the services supplied
to Grupo Antolin and the CIA security principles (confidentiality, integrity and availability).
Development, test and production environments must be properly separated to avoid outages or any other
impact on Grupo Antolin’s information security.
Likewise, acquisition, development and maintenance processes for IT systems must be planned so as to
avoid affecting the CIA information security principles for Grupo Antolin’s assets.
Backup.
Supplier must define and deploy a backup policy ensuring business continuity and the retention periods
agreed with Grupo Antolin. Together with this requirement, the need to keep information stored in
repositories where backup is applied must be considered.
The backup process must be monitored to guarantee successful operation, and the restoration process must
be tested and verified.
Protection against malware.
Supplier must deploy systems that prevent infections which could damage Grupo Antolin’s information or
which could be forwarded to Grupo Antolin or other interested parties.
Logging and monitoring.
User, system and administrator activities must be properly logged and monitored in order to detect events
and handle them so as to avoid the impact of the associated incidents.
These logs must be regularly reviewed, especially for IT administrators’ activity.
Vulnerability management.
IT systems must be properly patched, avoiding vulnerabilities that could enable or facilitate an attack from
existing threats.
31. COMMUNICATIONS SECURITY
Internal networks must be protected by firewalls so that external attacks cannot affect the security of Grupo
Antolin’s information. As part of this protection, intrusion prevention and intrusion detection systems
should be implemented.
Network segmentation separating Grupo Antolin’s information from other environments is required.
Exchange systems must have authentication, transport encryption and access control measures.
32. CLOUD
If cloud services are used to store Grupo Antolin’s information, these services must be reported in advance
to Grupo Antolin’s liaison for approval.
VII. PROTOTYPES HANDLING
Physical measures are defined and implemented according to the classification of the prototypes, the
measures listed in the “Physical Security” section of this document and the risk assessment carried out.
A policy or similar document must be in place explaining to employees how to handle prototypes.
Compliance with this prototypes policy is mandatory, and employees’ adherence to it must be
demonstrable.
The prototypes policy must include, among other things, how to handle prototypes securely from the
following points of view:
- How to camouflage prototypes to avoid confidentiality events while working, during breaks, at the
end of the day or while unauthorized persons enter restricted areas in a scheduled manner.
- How to manufacture prototypes, including protection when subcontractors or third parties are
involved in the prototypes management cycle.
- How to pack and identify packages containing prototypes before they are sent.
- How to store prototypes.
- How to internally move/transport prototypes.
- How to send and deliver prototypes.
- How to dispose of prototypes (and of any other physical part containing Grupo Antolin’s
confidential or secret information): they must be properly destroyed, ensuring confidentiality is
maintained throughout the whole process.
- How to manage tests and validations in a manner agreed with Grupo Antolin.
- How to act in situations not described and how to handle events and incidents.
VIII. ANNEXES
ANNEX 1 – DAMAGE CAUSED TO THE COMPANY
To classify information, Grupo Antolin defines the damage that the Company can suffer, distinguishing
between the following 4 levels:
- No damage: an information security breach should not cause any damage to the Company.
- Minor damage: damage to the Company may occur, but its present or future business effect
should be negligible or easily absorbable, not affecting any relevant objective.
- Serious damage: the Company would be seriously affected, either by a direct economic impact, by a
potential impact on future business or by damage to the Company’s reputation. There is no
risk to the main Company objectives or to the Company’s existence.
- Severe damage: unlike serious damage, in this case there is a risk to the main Company objectives
and/or even to the Company’s existence.
ANNEX 2 – ALLOWED USES FOR GRUPO ANTOLIN’S INFORMATION
Allowed uses based on confidentiality classification:
Classification levels: PUBLIC, INTERNAL, CONFIDENTIAL, SECRET.
LABELLING
- Public: Optional.
- Internal: Optional.
- Confidential: Confidentiality level in national language and in English on each page of the document.
- Secret: Confidentiality level in national language and in English on each page of the document.
Additionally, pages must be numbered in the format “page x of y”.
DUPLICATION AND DISTRIBUTION
- Public: No restrictions.
- Internal: Only to an authorized group of employees, subcontractors and third parties according to the
need-to-know principle.
- Confidential: Only to an authorized group of employees, subcontractors and third parties according to
the need-to-know principle and with approval of the information owner.
- Secret: Only to an extremely limited and authorized group of employees, subcontractors and third
parties according to the need-to-know principle and with approval of the information owner.
STORAGE
- Public: No restrictions.
- Internal: Protection against unauthorized access.
- Confidential: Only accessible to an authorized group of employees, subcontractors and third parties
according to the need-to-know principle and with approval of the information owner (for electronic
and physical formats).
- Secret: Only accessible to an extremely limited and authorized group of employees, subcontractors and
third parties according to the need-to-know principle and with approval of the information owner (for
electronic and physical formats).
DELETION
- Public: No restrictions.
- Internal: Data no longer needed must be deleted.
- Confidential: Data no longer needed must be deleted.
- Secret: Data no longer needed must be deleted.
DISPOSAL
- Public: No restrictions.
- Internal: Recommendable through a shredder.
- Confidential: Destruction class 5 according to DIN 66399.
- Secret: Destruction class 5 according to DIN 66399.
AUTHENTICATION
- Public: No restrictions.
- Internal: Weak authentication.
- Confidential: Weak authentication.
- Secret: Weak authentication.
TRANSPORTATION
- Public: No restrictions.
- Internal: No restrictions.
- Confidential: Closed neutral envelope with inner envelope labelled as confidential.
- Secret: Closed neutral envelope with inner envelope labelled as secret, with delivery confirmation from
the recipient.
If other requirements supplied by Supplier’s liaison at Grupo Antolin are more restrictive, they must be
respected (for example, requirements defined by Grupo Antolin’s Customers when the information shared
belongs to those Customers).