Security Policies Group 1 - Week 8 policy for use of technology.


Transcript of Security Policies Group 1 - Week 8 policy for use of technology.

Page 1: Security Policies Group 1 - Week 8 policy for use of technology.

Security Policies

Group 1 - Week 8

policy for use of technology


Overview of Lockheed Martin Operations

Lockheed Martin (LM) provides solutions for “Aeronautics, Electronic Systems, Information Systems & Global Solutions, and Space Systems.”

They utilize EASIstar: “External Access Secure Infrastructure (EASIstar) is a Lockheed Martin Information Systems & Global Solutions (IS&GS) Extranet” providing “customers, partners, teammates, subcontractors, and employees access to a virtual collaborative workspace with capabilities ranging from web access to application and file sharing all in a secure, reliable and cost-effective manner”.


Information Security Policy

Policy is a plan or course of action that influences and determines decisions.

EISP: Enterprise Information Security Policy

Sets the strategic direction, scope, and tone for all of an organization’s security efforts.

Assigns responsibilities for the various areas of information security.

Guides the development, implementation, and management requirements of the information security program.

ISSP: Issue Specific Security Policy

Articulates the organization’s expectations about how the technology-based system in question should be used.

Documents how the technology-based system is controlled and identifies the processes and authorities that provide this control.

Serves to indemnify the organization against liability for an employee’s inappropriate or illegal system use.

SysSP: System Specific Security Policy

They are often created to function as standards or procedures to be used when configuring or maintaining systems.

SysSPs can be separated into two general groups, management guidance and technical specifications.


Parties Involved

CISO of a medium-sized IT company

Contract

for information exchange will use


Policy guidelines for use of EASIstar

Requirements that are to be complied with when doing business with LM through EASIstar.


Lockheed Martin Information Assets Usage Policies

Passwords


Virus

Viruses and other malicious code pose a serious threat to Lockheed Martin users and customers.

Virus prevention measures as guided by policy:

Virus protection software is to be installed and maintained on all Lockheed Martin managed, maintained or leased computing systems.

All users of EASIstar must agree to acquire, install, utilize and maintain a current version of anti-virus software on any computer used to access the EASIstar Lockheed Martin Extranet.

The following actions are strongly encouraged:

Virus signature files to be updated at least every 7 days with the recommendation that virus signature files be installed within 24 hours of notification.

Complete scans performed weekly.

Virus scan engine updates scheduled for at least once per month.

The downloading, installation, and/or use of freeware/shareware products on EASIstar assets is not permitted without prior Lockheed Martin Intellectual Property Law attorney approval.


Information Protection

Sensitive information (LM Proprietary Information, Third Party Proprietary, and Export Controlled) assets (data, systems, documentation, etc.) must be properly classified, labeled and protected. Data/Information owners are responsible for determining the sensitivity of all information to be electronically transmitted in accordance with these policies.

Protective Legends, Labels and other Markings. As appropriate, each item of Sensitive Information will bear a legend, label or other marking which serves to advise the holder that the information requires a specific degree of protection.

Export Controlled Information will be labeled as necessary to comply with the applicable US or foreign government laws and regulations and local procedures.

Lockheed Martin Proprietary Information will be labeled in accordance with approved labeling conventions.

Third Party Proprietary Information will be managed in accordance with the contractual arrangements under which it was received. Such information should not be accepted unless an appropriate written contractual arrangement, which establishes the requirements for protecting the information (e.g., a Proprietary Information Agreement), is in place between Lockheed Martin and the third party. Third Party Proprietary Information will bear the markings applied by the third party, and/or markings prescribed by the contract between Lockheed Martin and the third party. The markings will not be removed without authorization from the third party and/or cognizant Lockheed Martin Legal Counsel.


Disclosure

Lockheed Martin policies and the laws of the US and foreign governments impose specific requirements upon the disclosure of Sensitive Information. Failure to comply with these requirements is a violation of policy and may lead to a violation of law. Accordingly, the individual providing access to the Sensitive Information must take the following steps before any disclosure is made:

Ensure that the Sensitive Information bears the legend, if any, as identified.

Determine the status of the intended recipient(s) (for example, whether he or she is an employee or a non-employee; a US Citizen or a Foreign Person).

Obtain required documentation and approvals, if any, based upon this status (for example, a Proprietary Information Agreement or similar arrangement is required before LMPI is disclosed to a non-employee, and US government approval is required before Export Controlled Information is disclosed to a Foreign Person).


Other factors to consider

Transmission: Ensure that the selected transmittal method is secure and complies with this policy and the laws of the recipient country (for example, encryption is prohibited by some foreign countries).

Storage: When not in use, Sensitive Information in databases, desktop hard drives or local area networks will be protected by unique userID and password at a minimum.

Encryption is recommended for Sensitive Information stored in non-US locations, except where prohibited by law. Sensitive Information stored on an asset that is not controlled and managed by Lockheed Martin (e.g., a personally-owned computer) will be protected by unique userID and password at a minimum.

Disposition: Sensitive Information will be retained as required by law, regulation, contract, policy, or, if none of these applies, until no longer useful. Electronic information will be deleted or overwritten using overwriting software approved by Lockheed Martin Enterprise Information Systems. Overwriting is required if Sensitive Information will be disposed of in a non-US location.


General usage

If an EASIstar Information Technology user suspects or has actual knowledge that the protection of Sensitive Information has been compromised in a manner that appears to be a violation of law, the individual must report such suspicion or actual knowledge to the appropriate Lockheed Martin EASIstar administrator.

Ensure assets connected to EASIstar systems are properly locked or otherwise protected when unattended (e.g., through use of a power-on password, password-secured screen saver, etc.).

Carefully assess all received software or information (for malicious code) before execution or storage.

A Lockheed Martin policy prohibiting the use of split tunneling (i.e. simultaneous network access to two or more networks) is in effect when 1) connecting into EASIstar over a Virtual Private Network (VPN) connection, and 2) connecting out of EASIstar over a VPN connection to a remote network.