Southwest Airlines Co. and Subsidiaries Information Security Policy and Standards

SWA Information Security Policy Copyright © 2012, Southwest Airlines Co. All Rights Reserved.

Reviewed By: EPC, 02/01/2012

Approved By: EPC, 03/22/2012

Owned By: Randy Sloan, CIO

Rev. 1


SWA Information Security Policy Copyright © 2008-2012, Southwest Airlines Co.

All Rights Reserved.


Policy Information

PROTECTING INFORMATION

We know how important it is to protect the security of our People, airplanes, and facilities—in fact it is second nature. However, the information that we deal with on a daily basis is equally at risk, and if confidential information winds up in the wrong hands, our Culture, reputation, and our livelihoods are at risk. Information is an asset, just like a building or an aircraft, and it should be guarded at all times. In today’s web-driven society, every individual is a potential reporter, anxious for inside information. Like the harm in Pandora’s Box, it is impossible to undo the damage that is caused when confidential information winds up in the wrong hands.

Whether we work in a station, are a Mechanic, a Crew Member, an RSA, or work at Headquarters, we all handle sensitive information on a daily basis. Protecting the security of information is every Employee’s duty, and in turn, we want to help you fulfill this important obligation. Much of what you are about to read is a reinforcement of common sense and longstanding procedures, and although it may seem a bit "dry," we have a duty to look at this important subject in some detail.

GENERAL

As trusted members of the Southwest Team, we make numerous daily decisions using information that is important to our Customers, Business Partners, our Company, and Coworkers. It is important that each of us make the best possible decisions to "do the right thing" given each specific situation. When handling information, we should continually strive to exercise common sense and good judgment.

Protecting our information requires consideration of a number of basic principles that are covered in this document. These basic principles are grouped by topic. Each topic within this document includes a statement of Purpose and Policy expressing Southwest Airlines' high-level Leadership intent and links to the related Information Security Standards that provide additional clarification and how-to detail:

A Deeper Dive – This link provides additional clarification and "how to" assistance for all users.

Attention All Leaders – This link provides any special guidance to Southwest Leaders above and beyond the information in A Deeper Dive.

Technically Speaking – This link provides special guidance to individuals with technology administration responsibilities and specifications for implementing specific information security practices.

SCOPE

This Policy and the related Information Security Standards apply to all individuals and groups, including Third Parties, who are entrusted with Southwest Airlines and all Subsidiaries information. This policy may be made available to any Southwest Airlines Employee, Contractor, or trusted Third Party, as needed. If you have any questions or need further clarification, feel free to discuss any issues with your Leader or Southwest Corporate Sponsor.

The Southwest Airlines Executive Planning Committee (EPC) is responsible for approval, oversight, and enforcement of the Information Security Policy. The EPC has delegated its oversight and enforcement roles and responsibilities to the Chief Information Officer (CIO). The Information Security Policy is annually reviewed and updated, and any material changes to Purpose or Policy statements are brought to the EPC for approval. Material changes to the Policy include the addition or removal of component sections of the Policy as well as any changes to the Policy's scope of authority or designations of responsibilities to approve, change, or grant Policy exceptions. It is the responsibility of the CIO to approve and maintain the Information Security Standards. All changes to Information Security Standards within the Policy will be approved by the CIO annually. Southwest Leadership must read, understand, communicate, and help enforce the Information Security Policy and Standards.


CONTACT

Southwest Airlines Chief Information Officer

COMPLIANCE

Along with the Freedom we enjoy while working at Southwest come personal responsibility and accountability. Individuals who handle Southwest’s information are expected to use good judgment and to comply in good faith with the Southwest Information Security Policy and Standards to the very best of their ability. Willful disregard of the Information Security Policy and Standards could result in disciplinary action, up to and including termination of employment.

EXCEPTIONS

In limited circumstances, business needs may require an exception to this Policy. Exceptions to this Policy must be documented and approved by the CTO or assigned designee, communicated to the Internal Audit Department, and reviewed annually for continued need.

Information Classification

PURPOSE

Whether it’s verbal, electronic, or on paper, not all information is the same. Some is publicly available and may be shared with the world. Other information is freely sharable within Southwest Airlines, but not outside. Finally, some information is confidential and/or regulated and must be closely secured, even within the Company. Our information protection responsibilities are linked to the importance and sensitivity of the information. This policy provides a framework for balancing our responsibility for information security with our need to foster an open Culture within Southwest.

POLICY

Information within Southwest Airlines should be classified as SWA PUBLIC, SWA INTERNAL ONLY, or SWA CONFIDENTIAL according to how important it is to keep the information private. Individuals given access to Southwest information should know or have the ability to determine the classification level of the information they hold and exhibit the behaviors that are defined in "A Deeper Dive".

SWA PUBLIC

Information classified as SWA PUBLIC includes information that has been officially released by Southwest Airlines for widespread public disclosure. It covers such things as press releases, public marketing materials, employment advertising, annual financial reports, published flight schedules, and information managed on Southwest external web sites.

SWA INTERNAL ONLY

Information classified as SWA INTERNAL ONLY covers most forms of proprietary information originated or owned by Southwest Airlines, or entrusted to it by others, and is generally distributable to all Employees within Southwest. It would cover such things as organization charts, policies, procedures, phone directories, training materials, network diagrams, general content on SWALife, and Employee News e-mails.

SWA CONFIDENTIAL

Information classified as SWA CONFIDENTIAL covers more sensitive business-specific information pertaining to Southwest Airlines or Business Partner firms such as financial, pricing, scheduling, or staffing information; security measures; fleet, expansion, or marketing plans; information subject to non-disclosure agreements; proprietary processes and systems; Internal Audit reports; aircraft maintenance records; fraud information; and labor negotiation plans.

SWA CONFIDENTIAL also includes sensitive Employee and Contractor personal information such as performance plans, compensation data, disciplinary records, driver’s license, social security numbers, and payroll data (i.e., salary, deductions, benefits, etc.).

The key to recognizing SWA CONFIDENTIAL information is to assess whether unauthorized disclosure could have an adverse impact on Southwest’s competitive position, tarnish its reputation, or expose private individual information.

A special subset of SWA CONFIDENTIAL includes exceptionally sensitive information, where a specific legal, regulatory, or standards body requirement applies or a business contract is in place, mandating implementation of a specific set of security controls. This classification level may include protected personal information pertaining to Southwest Employees, Contractors, and External Customers, such as credit card or account numbers, those health/insurance records protected under the Health Insurance Portability and Accountability Act (HIPAA), and personally identifiable information.

Unless otherwise classified, all internal Southwest information records should be treated as SWA INTERNAL ONLY.

MORE INFORMATION

A Deeper Dive Attention All Leaders Technically Speaking

Passwords

PURPOSE

Passwords are the frontline of protection for our information assets, acting as our individual key to the information we are trusted to protect. Passwords must be protected at a very high level.

POLICY

Passwords must be difficult to guess, kept private, and changed on a regular basis to keep them secure. See "A Deeper Dive" for details on how to select a strong password. Passwords must be treated as SWA CONFIDENTIAL information.

MORE INFORMATION

A Deeper Dive Attention All Leaders Technically Speaking

Computer & Information Use

PURPOSE

Information and the systems, networks, and tools we use to store and process such information provide us significant freedom to creatively implement our mission within Southwest. Such freedom comes with the responsibility to use our resources in a safe, legal, and professional manner.


POLICY

Information Users (as defined herein) must use computers and other information processing resources in a safe, legal, and professional manner. All Employees and Third Parties who handle Southwest Airlines information must adhere to relevant legal and regulatory requirements, including respect of copyright and licensing restrictions.

While we respect our Employees' desire to work without "Big Brother" looking over their shoulder, the Company reserves the right, in its discretion, to review any Employee's electronic files and messages and information systems usage to the extent necessary to ensure that electronic media and services are being used in compliance with law and all Company policies. Employees should therefore not assume electronic communications are private and confidential and should transmit highly sensitive information in other ways.

MORE INFORMATION

A Deeper Dive Attention All Leaders Technically Speaking

Network Access

PURPOSE

The Southwest network needs to properly handle inbound and outbound traffic during normal operations. This communication must be secure and should only allow access to Employees, services, and others with a clear business need. Such access must be treated responsibly by both users and those providing the services.

POLICY

Access to the Southwest network is limited to legitimate business needs only. Users must apply appropriate protection to data going into and out of the network. All external machines accessing the network must be kept safe and up-to-date on anti-virus and other such protection software.

MORE INFORMATION

A Deeper Dive Attention All Leaders Technically Speaking

Third Party Access

PURPOSE

Third Party access to Southwest’s systems and networks is occasionally provided to Third Parties to facilitate delivery of services.

POLICY

Third Party access to Southwest’s systems and networks must be obtained in a safe and professional manner, where an appropriate contract is in place to protect the interests of both parties and to minimally ensure Third Party adherence to this Policy.

MORE INFORMATION


A Deeper Dive Attention All Leaders Technically Speaking

IT Development Security

PURPOSE

Development practices for coding, configuration, and testing application security are essential to protect information assets in the Southwest environment.

POLICY

Application systems deployed in the Southwest environment must be developed and tested to ensure adherence to Southwest Airlines security practices and principles.

MORE INFORMATION

A Deeper Dive Attention All Leaders Technically Speaking

Risk Assessment

PURPOSE

Southwest Airlines desires to keep accurate track of and identify key financial, operational, and technical risks facing the business.

POLICY

Leadership for the Company is primarily responsible for identifying and managing risk throughout the business. In addition, the Internal Audit Department will perform an annual risk assessment and develop / execute an annual Audit Plan to assess the design and effectiveness of Southwest’s control environment.

MORE INFORMATION

A Deeper Dive Attention All Leaders Technically Speaking

Computer Security Incident Response Plan

PURPOSE

Effective and efficient response to a computer security incident or information security breach is essential to protect the information assets and systems in the Southwest Airlines environment.

POLICY

Southwest will maintain a Security Incident Response Plan: a process for receipt, handling, investigation, and resolution of information and computer security incidents.

MORE INFORMATION


A Deeper Dive Attention All Leaders Technically Speaking


Information Classification

A Deeper Dive

Responsibilities for handling SWA INTERNAL ONLY and SWA CONFIDENTIAL information:

1. SWA INTERNAL ONLY and SWA CONFIDENTIAL information (electronic, paper, etc.) should be clearly and visibly labeled to show its information classification level. The information classification level assigned must be the highest level required for any information used in the document. Information not otherwise marked is classified by default as SWA INTERNAL ONLY.

2. Users should store SWA CONFIDENTIAL information in a locked area when not in use after business hours or for extended periods during the workday.

3. Removable media (e.g. floppy disk, CD, DVD, QIC tape, Zip drive, flash card, USB stick, etc.) storing SWA INTERNAL ONLY or SWA CONFIDENTIAL information must be removed and secured before a workstation is shut down or left unattended for an extended period.

4. SWA Information at the SWA INTERNAL ONLY and SWA CONFIDENTIAL levels must be disposed of in a secure manner.

Printed information must be placed in the locked bins that are for secure disposal of secure information.

Fixed hard disks and other such media removed from service in the Company must be erased using a secure technique to prevent access to any information they contain by future users of the drive. Drives that cannot be erased must be physically rendered unusable.

5. SWA INTERNAL ONLY information is freely distributable within Southwest, but may only be provided to external persons having a genuine business need who agree to comply with restrictions at least as protective of such information as this policy.

6. Consumer cloud storage providers (e.g. Dropbox, Google DOCS, 4shared, Yahoo Docs, etc.) should not be used for Southwest data storage. Use of commercial cloud services for data storage should be documented and approved by the CTO and Information Security Services.

Additional Responsibilities for handling SWA CONFIDENTIAL information:

1. Access to SWA CONFIDENTIAL information (directly or indirectly) may only be provided to persons having a genuine business need who agree to comply with restrictions at least as protective of such information as this policy.

2. SWA CONFIDENTIAL information can only be taken outside of the SWA environment with Information Owner’s (as defined herein) written approval.

3. SWA CONFIDENTIAL information must not be transmitted or otherwise made available via the Internet or e-mail without written Information Owner approval.

4. Confidential information from Third Parties who have a confidentiality agreement with Southwest Airlines must be treated like information classified as SWA CONFIDENTIAL, unless otherwise required by contract.

5. Backup tapes for disaster recovery purposes must be treated as SWA CONFIDENTIAL unless otherwise marked.

Regulatory or Contractual responsibilities for handling SWA CONFIDENTIAL information:

1. SWA CONFIDENTIAL credit card number information and Protected Health Information (PHI) must be encrypted when transmitted outside Southwest on a public network (e.g., email, instant messaging, etc.).

2. SWA CONFIDENTIAL credit card number information must be encrypted, tokenized or masked when stored within a Southwest data storage facility or medium.

3. Flash drives, iPods, CDs, and other such portable storage devices and media may NOT be used to store SWA CONFIDENTIAL credit card number data and PHI.

4. CVV2 and full magnetic stripe data from credit cards may not be stored in any format or location.

5. Printing of credit card number information is highly confidential and should be avoided. These documents should only be created if the Information Owner determines this activity is a critical business need and should only be kept for as long as necessary.


6. SWA CONFIDENTIAL information should be encrypted, tokenized or masked when stored within a Southwest data storage facility or medium.

Information Classification Quick Reference Guide

SWA PUBLIC

SWA Public Information has been publicly released by Southwest Airlines. Public information is used to inform, promote, sell travel and related items, and sustain our Company. SWA Public Information is a Company asset.

Examples: Press Releases; Newsbriefs; Interviews; Public Marketing Materials (Billboards, commercials, print ads, etc.); External Job Postings; Annual Reports; Published timetables and fares; LUV Lines; Southwest.com Content; Southwest blogs/external web sites; Automated FLIFO; Airport FIDS.

How do I Handle Public Information?

Learn how to recognize and classify SWA Public Information.

Only retain SWA Public Information for as long as it is needed for business or regulatory requirements.

Through official channels, SWA Public Information is made available to the public without restrictions.

Note: The use of some SWA Public Information is subject to trademark, copyright, and licensing restrictions.

SWA INTERNAL ONLY

SWA Internal Only information is created for an internal audience, and it serves two basic purposes. One, it informs you, and two, it contains information necessary for you to do your job. This type of material can often have a wide distribution within the Company. SWA Internal Only information is a Company Asset.

Examples: Organizational charts; Southwest policies and procedures; Company phone directories; Training materials—online and printed; Network diagrams; SWALife General Content; Today@SWA; Reservation information; E-mails; Internal blogs/social media sites; Dispatch information; Weight and balance paperwork.

How do I Handle Internal Only Information?

Learn how to recognize and classify SWA Internal Only Information.

Where practical, tag and identify material to show that it is SWA Internal Only information.

Retain only as long as is required for business or regulatory purposes.

Protect this information by removing and locking portable storage devices (thumb drives, external hard drives, etc.) before computer work stations are shut down or left unattended.

Dispose of printed documents in the blue secure disposal bins.

Distribute freely within Southwest and to persons approved by the Information Owner who agree to comply with restrictions at least as protective of such information as this policy.

SWA CONFIDENTIAL

SWA Confidential Information is exceptionally sensitive, and if it were to be released, it could have an adverse impact on our ability to compete, our reputation, and even our future. In addition to possibly embarrassing individuals, the unauthorized release of SWA Confidential Information could violate public laws. Besides sensitive business information, this category also includes sensitive personal information. It is also a Company Asset.

Examples: Non-public financial information; Non-public pricing information; Future, unpublished schedules; Staffing information; Security measures; Marketing planning; Information subject to Non-Disclosure Agreements; Proprietary procedures, systems, and programs; Internal Audit reports; Aircraft maintenance records; Fraud information and investigations; Labor negotiation plans; Social Security Numbers; Bank account numbers; Credit card numbers; Private user data; Testing results; Health/insurance records; Protected Health Information (PHI); Photographs of crash sites and/or damaged aircraft; Disciplinary records; Payroll data including salaries, raises, deductions; Rapid Reward personal account information; Passenger reservation information; Contracts, RFPs, RFQs, RFIs; Class One Aircraft situational display data.

How do I Handle Confidential Information?

Learn to identify and classify SWA Confidential information.

Tag and identify material to show that it is SWA Confidential information.

Store printed materials in locked areas after hours, and take care to secure this information during work hours to prevent unauthorized access.

Protect this information by removing and locking portable storage devices (thumb drives, external hard drives, etc.) before computer work stations are shut down or left unattended.

Dispose of printed documents in the blue secure disposal bins.

Distribute SWA Confidential only to those with a business need-to-know who agree to comply with restrictions at least as protective of such information as this policy, and do not release it to the public. Consult the Information Owner with any potential exceptions.

Retain only as long as is required for business or regulatory purposes.


Attention All Leaders

Information Management Roles: Several roles are involved with Southwest Information:

1. Information Owners "own" data and are Southwest Leaders at Director-level or above (or appropriate designees) who are responsible for the day-to-day operations of the business unit that creates or most directly depends upon the information in question.

2. Information Stewards exercise management or administrative control over information systems that create, collect, process, and store Southwest information.

3. Information Users are granted access to Southwest information as authorized by an Information Owner.

Putting Information Classification into practice:

1. Information Owners should be identified for key technologies and data that support business processes throughout Southwest.

2. Data throughout Southwest should be classified by Information Owners as SWA PUBLIC, SWA INTERNAL ONLY, or SWA CONFIDENTIAL.

3. Information Owners should define the criteria for deciding which individuals or groups are permitted to access that information.

4. Subject to Southwest Enterprise Data Retention requirements, Information Owners should define data retention and disposal guidance for the information they own.

5. Information Owners are responsible for ensuring their access and retention guidance conforms to regulatory and contractual requirements.

6. Information Stewards are responsible for protecting information entrusted to them in accordance with the instructions of the Information Owner and approved standards and control measures associated with the assigned classification level.

7. Information Users are responsible for complying with the access, handling, and retention requirements specified by Information Owners and Information Stewards.

Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation

Passwords

A Deeper Dive

Making a "Strong" Password

1. The first rule of strong passwords is that they cannot be easily guessed. If they are, they are likely to be easily compromised.

2. While selecting a strong password can be challenging, doing so is worth the effort.

3. Passwords should not be words found in the dictionary or simple variations. ("skylark" or "skylark01" would not be good passwords, while "sk1l8rker" or "sk663lar" would be ok.)

4. Passwords should vary significantly from those used previously. You need to vary more than just a number, letter, or other small change.

5. UserID passwords must adhere to the following standards:

Must have one upper case letter

Must have one lower case letter

Must have one number

Cannot begin with a special character

Minimum length of 8

Maximum length of 25

Must not contain your SWA ID

Must not contain your first or last name

6. Passwords should not be shared or written down.

7. Passwords should include special characters if the system allows.

8. Passwords must not be based on the user account or user’s name (forwards, backwards, or otherwise).

9. Passwords should not be based on any well-known fact about the user, including their ID, car model, city, pet, family information, company, or anything else that could be easily guessed.
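The UserID standards in item 5, together with the dictionary-word, reuse and account-name rules in items 3, 4 and 8, as an added Python check. This is example code, not Southwest's own tooling; the wordlist and the edit-distance threshold are assumptions, since the policy names neither.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a real dictionary wordlist (assumption: the policy
# only says "words found in the dictionary", naming no list).
COMMON_WORDS = {"skylark", "password", "southwest", "airline", "welcome", "summer"}

# Item 4 says a new password must vary by "more than just a number, letter,
# or other small change". Requiring at least this many edits from every
# previous password is an assumed way to measure that.
MIN_EDIT_DISTANCE = 3


@dataclass
class UserInfo:
    """What the checker needs to know about the person choosing the password."""
    swa_id: str
    account: str          # login / user account name (item 8)
    first_name: str
    last_name: str
    previous_passwords: list = field(default_factory=list)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, case-insensitive, via the classic rolling-row DP."""
    a, b = a.lower(), b.lower()
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def looks_like_dictionary_word(password: str) -> bool:
    """Item 3: a dictionary word, or one with digits/symbols tacked on either end
    ("skylark01" fails; "sk1l8rker" passes because the substitutions are inside)."""
    stem = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return stem in COMMON_WORDS


def password_violations(password: str, user: UserInfo) -> list:
    """Return the name of every rule the candidate breaks; [] means acceptable."""
    v = []
    lowered = password.lower()
    # Item 5: composition and length standards.
    if not re.search(r"[A-Z]", password):
        v.append("uppercase")
    if not re.search(r"[a-z]", password):
        v.append("lowercase")
    if not re.search(r"[0-9]", password):
        v.append("digit")
    if password and not password[0].isalnum():
        v.append("starts-with-special")
    if len(password) < 8:
        v.append("too-short")
    if len(password) > 25:
        v.append("too-long")
    if user.swa_id and user.swa_id.lower() in lowered:
        v.append("contains-swa-id")
    if (user.first_name and user.first_name.lower() in lowered) or \
       (user.last_name and user.last_name.lower() in lowered):
        v.append("contains-name")
    # Item 8: not based on the account name, forwards or backwards.
    acct = user.account.lower()
    if acct and (acct in lowered or acct[::-1] in lowered):
        v.append("based-on-account")
    # Item 3: dictionary words and trivial variations.
    if looks_like_dictionary_word(password):
        v.append("dictionary")
    # Item 4: must differ substantially from previous passwords.
    if any(edit_distance(password, old) < MIN_EDIT_DISTANCE
           for old in user.previous_passwords):
        v.append("too-similar-to-previous")
    return v


if __name__ == "__main__":
    # Constructed sample user; every value here is made up for the demo.
    demo = UserInfo("E12345", "jsmith", "Jane", "Smith", ["Old-Pa55word"])
    for candidate in ("skylark01", "sk1l8rker", "Old-Pa55word1", "Tr4velFr33dom!"):
        print(candidate, "->", password_violations(candidate, demo) or "OK")
```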

Attention All Leaders

No additional guidance.

Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation

Computer & Information Use

A Deeper Dive

Acceptable Use Rules:

1. Access to data networks, computers, and other Southwest information processing resources may be provided for users with a valid business need. While casual personal use is acceptable outside of work responsibilities, Southwest resources are intended to be used for Southwest business. Southwest is not responsible for personal files such as pictures, music, videos, or data that are lost due to reimaging of workstations, laptops or Mobile Devices.

2. Only Technology Department approved software, firmware, Mobile Devices, and hardware devices may be installed on Southwest information processing resources. New desktop software installation requests, including those for free or trial versions, should be sent to [email protected].

3. Software must be properly licensed and certified free from malicious components (e.g., viruses, worms, etc.) before installation.

4. The unauthorized removal or conversion for personal use or benefit of any information or information systems belonging to Southwest is prohibited.

5. Users must abide by pertinent copyright and licensing restrictions on all external information or software – free or otherwise – downloaded, processed, stored, viewed, or distributed using Southwest information processing resources.

6. Users may not manipulate or abuse the Southwest information resources provided for their use. Examples of abuse include:

Activities intended or designed to cause damage

Denying access to other Users

Increasing priority or access to services at the expense of other Users

Attempting to detect or exploit security vulnerabilities

Bypassing or disabling security access controls

7. It is the responsibility of all Southwest Airlines Employees to protect the interest and privacy of our Customers and Coworkers. Information contained in Company records, files, websites or databases must be used for Southwest business only.

8. Southwest information (or access to such information) must not be provided through or disclosed to Employee or third party developed sites and/or applications without the express written consent of the CTO.


9. Information systems are not to be used in any way that is disruptive or offensive to others. Display or transmission of sexually explicit images, messages, cartoons, or any communication that is in violation of Southwest’s policies is strictly prohibited.

Workstation Rules:

1. Necessary precautions must be taken to prevent the spread of viruses within Southwest Airlines. Commercially available anti-virus software must be installed on all workstations and the virus signatures or definition files for this software must be kept up-to-date.

2. Laptop users must regularly connect to the Southwest network to obtain current patches and updates. 3. Workstations such as laptops requiring network connectivity that are routinely operated outside the Southwest

network perimeter must be configured with a commercially available personal firewall and virus protection. 4. Workstation users must routinely log out of all applications or lock their workstation before leaving it

unattended.

5. Individual use workstations including laptops must be operated with a password-protected screen-saver configured to activate after no more than 15 minutes of inactivity. Shorter timeout periods should be

configured on workstations storing or processing particularly sensitive information and/or located in areas unauthorized persons frequent.

6. Users operating portable workstations (e.g. laptop, hand-held PC) outside the Southwest secure perimeter

(e.g. maintenance hangar, cockpit, etc.) must use good judgment to ensure the physical security of the device.

7. Loss or Theft of portable workstations must be reported immediately to the Southwest Central Support Desk at 214 792-3300.

8. Laptops must use Encryption software to protect Southwest information.

Internet Usage Rules:

1. All Employees will have access to SWALife, southwest.com, and other web sites as needed. General access to the Internet may be provided for users with a valid business need. While a small amount of casual personal use is acceptable outside of work responsibilities if time and duties allow, Southwest resources are intended to be used for Company business.

2. Company News (via e-mail and on SWALife) is designed to educate and inform our Employees so you can serve our Customers. Articles or audio/video clips that are posted should not be forwarded or shared with anyone outside the Company. Information within audio and video posted on SWALife may not be modified, copied, displayed or distributed without the express written consent of Southwest.

3. Storytelling is a wonderful way to share our Culture. As an Employee of Southwest Airlines, you are best equipped to tell the "Southwest Story", and there are many communication channels on the Internet. Even if you are not using work resources to be online, you are still a Southwest Airlines Employee. Thus, whenever you discuss Southwest Airlines, you must include a disclaimer advising that the opinion is your own, and not that of Southwest Airlines Officers, Directors, or Employees. Additionally, when you make comments or posts to the Internet, you should know that you are representing only yourself. You will be held responsible for any comment or post you make on the Internet (including, but not limited to, a personal blog, discussion forum, wiki, photo sharing site, social networking site, or other web site).

4. Posting to Southwest corporate-sponsored Internet discussion groups and/or blogs is encouraged. Even so, only Employees officially designated by Southwest have the authorization to speak on behalf of the Company.

5. See Guidelines for Employees and the SWA Social Media Handbook for further guidance on Employee Internet usage.

E-Mail Usage Rules:

1. Electronic mail messages sent to or from a Southwest email account are considered Southwest Airlines business records.


2. E-mail may be filtered, scanned, and monitored as necessary to ensure the Safety and legal compliance of Southwest Airlines. Southwest Airlines may restrict or remove attachments to incoming or outgoing electronic messages due to business relevance, processing capacity, or security concerns.

3. Attachments from unknown parties or attachments that are suspicious in nature or origin should not be opened.

4. All Southwest e-mail must include a confidentiality notice for e-mail transmitted outside the Company.

5. Electronic messages will be purged every 60 days from the user's Inbox. Any messages requiring long-term reference should be archived by the User. Archival storage should only be used for vital messages, not all messages a user receives. Archiving all messages on network storage is discouraged.

6. The Sender of each message in the Southwest Airlines electronic mail system must be clearly identified. Concealing or obscuring the source address of a message with the intent to deceive or confuse a recipient is not permitted.

7. Southwest Airlines provides electronic mail accounts to all Employees and other people whose duties require it. Account use by someone other than the owner of the account requires specific approval by the e-mail account Owner or approval through the Data Access Request process. Such access must only be for the purposes of viewing existing e-mail. No e-mail will be sent by anyone other than the account Owner except in the case of an Administrative Assistant or other designee acting on behalf of a Southwest Leader.

8. Anyone using the Southwest e-mail system who receives offensive, malicious, or suspicious messages from an internal source through the Southwest Airlines electronic mail system must report such e-mail to the proper internal authorities at [email protected].

9. IP based voice communications such as Skype, Vonage, Google Voice and Video, etc. should not be used unless approved by the CTO.

10. Users should not auto-forward Southwest e-mail to external addresses, as this can result in unintentional disclosure of Southwest confidential information. Confidential information sent to external e-mail systems creates unnecessary risk for the Company. While we allow Employees to send e-mail externally, it is Everyone's responsibility to use good judgment to consider the content and destination of any e-mail messages we send outside the Southwest network.

11. Users must use Southwest sponsored methods to gain remote access to Company e-mail via SWALife Outlook and/or through the Technology-supported solutions for iOS (iPhone, iPad), Android, Windows 7, or Blackberry.

Mobile Device Usage Rules:

1. Each Employee requesting a Company issued Mobile Device and/or data plan must be approved by their Department VP.

2. Password protection policies must be enforced by default on all Mobile Devices. The minimum password length is four alpha-numeric characters, and the idle timeout before the password lock engages must not exceed 15 minutes.

3. The user is responsible for the security of the Mobile Device and any corporate data stored on it. In the event a Mobile Device is lost or stolen, the user must notify the Southwest Central Support Desk immediately at 214-792-3300 so that the Southwest data on the device can be remotely deleted or "wiped", where possible.

4. Corporate owned devices must have a regularly updated Mobile Device Management Client installed. This client must not be altered, disabled, or removed by the Employee.

5. Unlicensed applications may not be installed on Company Mobile Devices that connect to the Southwest data network.

6. Southwest reserves the right to remotely "wipe" corporate or personal Mobile Devices when a device is suspected of being compromised or lost, or when a user leaves the Company.

7. Personally-owned Mobile Devices that access the Southwest data network may be subject to the same security requirements as Company provided devices, including Encryption, where employed.

8. Any Mobile Device accessing or storing Southwest data should use Encryption.

Attention All Leaders

No additional guidance.


Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation

Network Access

A Deeper Dive

No additional guidance.

Attention All Leaders

1. Only Technology Department approved and supported channels may be used to remotely access Southwest information and information systems.

2. Each user requesting remote access to Southwest resources and corporate applications must obtain the approval of his or her manager. Requests for custom and/or administrative remote access will require approval by the Customers' Director and the Information Security Services Team. Users administering Southwest IT resources via remote access channels will only use approved administration tools.

3. Remote access users will be required to authenticate using a two-factor or stronger method before being allowed access to Southwest information or information processing systems. Unapproved remote access technologies such as "Jump Desktop", "Go To My PC", or other devices which bypass two-factor authentication are prohibited.

4. Every user accessing Southwest information and information processing systems remotely must ensure every remote computer used is configured with basic security measures such as current anti-virus and personal firewall software.

5. Every user must control access to his/her remote computer so that no other person can utilize an active remote Southwest connection hosted on that machine.

Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation

Third Party Access

A Deeper Dive

No additional guidance.

Attention All Leaders

1. Access to Southwest information systems must be governed by contractual agreements with the third party.

2. Third parties must contractually agree to adhere, at a minimum, to Southwest's Information Security Policy and Standards as applicable.

3. The Purchasing Department must be notified of all agreements for Third Party access to Southwest information systems.


4. Network Engineering and/or the Information Security Services must NOT implement connection requests or grant access to third parties without verifying the third party agrees to meet or exceed Southwest's security policies.

5. Agreements for such access should be reviewed periodically to ensure a continued need for access. Other than approved individuals who are issued Southwest Airlines contractor IDs, Third Parties must not be granted continuous access to Southwest Airlines networks and systems. Where access is provided to other Third Parties, strong authentication will be used to access the Southwest network. If Shared IDs must be used, the Southwest Airlines Employee sponsor must own the Shared ID and distribute the password to Third Party users only when needed, for the duration of the individual support transaction.

6. Third Party access must be limited to the required period and must be disabled when no longer required.

Technically Speaking

No additional guidance.

IT Development Security

A Deeper Dive

No additional guidance.

Attention All Leaders

No additional guidance.

Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation

Risk Assessment

A Deeper Dive

No additional guidance.

Attention All Leaders

The completion of Internal Audit's annual risk assessment results in the creation of an Audit Plan to evaluate areas of high risk within the organization. This plan is approved and monitored by the Audit Committee of the Board of Directors.

Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation


Computer Security Incident Response Plan

A Deeper Dive

There are many possible threats to the Southwest Airlines information processing systems. Any Employee who has knowledge of a security incident or possible attack against Southwest systems should contact the 3300 helpdesk to report the issue at 214-792-3300.

Possible threat types:

- Denial of service against any of our information processing systems
- Loss or theft of Customer data
- Loss or theft of Employee data
- Defacement of the Southwest websites
- Computer virus designed to steal Employee or Customer login credentials

Attention All Leaders

Teams with incident response responsibilities require response training and need to participate in annual testing activities. Southwest Teams that need to be involved:

- Corporate Security
- Customer Services & Support
- Finance
- Legal
- Marketing
- Public Relations
- Technology helpdesk
- Technology infrastructure engineering teams
- Technology application development teams (for applications processing sensitive data)

Technically Speaking

This section is made available for Technology Employees and Contractors upon request. It is also available on SWALife.

SWALife.com > technology > infrastructure and ops > info security services > Security Documentation


Glossary

Access Point - a device that allows wireless communication devices to connect to a wireless network using Wi-Fi, Bluetooth or related standards.

Non-Employee ID – Login ID for non-employees such as contractors. These IDs start with the letter "x".

Banner - provides notice of legal rights to users of computer networks.

Employee ID – Login ID for Employees of Southwest Airlines. These IDs start with the letter "e".

Encryption - the process of transforming information (referred to as plaintext) using an algorithm (called a cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key.

HIPAA - Health Insurance Portability and Accountability Act

Keys – used to encrypt or decrypt encrypted information.

May - This word, or the adjective "optional", means that this item is one of an allowed set of alternatives.

Mobile Device - Any computing or communications device intended to frequently move location while maintaining function and operation (e.g. iPhone, iPad, Blackberry, cell/smart phone, PDA).

Must - Means that the guidance is an absolute requirement of the Policy or Standard.

Must Not or May Not - Means that the guidance is absolutely prohibited by the Policy or Standard.

OWASP Top Ten – The Open Web Application Security Project's list of the top 10 most critical web application security risks. More information can be found at www.owasp.org.

PCI – Payment Card Industry

PHI - (Protected Health Information) - Individually identifiable health information relating to an Employee, spouse or dependent who participates in a health plan of Southwest Airlines. Includes information relating to such a person's claim under the health plan, an appeal of a denied claim, or assistance with a denied claim or appeal. PHI typically does not include enrollment information (e.g., enrollment elections and coverage levels for Employees and their families).

PII - (Personally Identifiable Information) - information that can be used to uniquely identify, contact, or locate a single person, or can be used with other sources to uniquely identify a single individual.

Robotic Account – account that is used by applications or systems to access data.

Shared IDs – computer accounts that are shared by more than one person such as administrative, temporary, and guest accounts.

Should - Means that there may be valid reasons in particular circumstances to deviate from guidance, but the full implications should be understood and carefully weighed before choosing a different alternative. The interpretation of this term does not imply an avoidance of meeting a particular standard.

Third Party – a company that is permitted to access Southwest Airlines systems