delphi isp

Posted on 02-Jun-2018

8/11/2019 Delphi ISP

Information Security Policy Manual

1 Applicability ........ 2
2 Security Policy ........ 3
3 Organization of Information Security ........ 3
4 Asset Management ........ 3
5 Human Resources Security ........ 5
6 Physical and Environmental Security ........ 6
7 Communications and Operations Management ........ 8
8 Access Control ........ 10
9 Information Systems Acquisition, Development and Maintenance ........ 13
10 Information Security Incident Management ........ 15
11 Business Continuity Management ........ 16
12 Compliance ........ 16
Index ........ 19

DELPHI INFORMATION SECURITY POLICY MANUAL

Version 1.0 Effective: 6-10-10

1 Applicability

Delphi information is one of the Corporation's most important assets and must be protected accordingly. Protection of Delphi's information assets is necessary to establish and maintain trust between Delphi and its customers, suppliers, and business partners, maintain compliance with the law, and protect the company's reputation.

Timely and reliable information is necessary to perform business operations, process transactions and support business decisions. Delphi's business processes, earnings and capital can be adversely affected if information becomes known to unauthorized parties, is altered, or is not available when it is needed.

These policies apply to all users of Delphi information globally, including visitors, contractors, suppliers and employees. These policies also apply to all information systems owned, contracted, leased or operated for or by Delphi.

All personnel are responsible for understanding and accepting their responsibilities with regard to information security and acceptable use of Delphi information and information systems. User responsibilities include, but are not limited to, the following:

• Safeguarding all Delphi information from unauthorized disclosure, modification or destruction during and after their period of employment.
• Being accountable for all activity associated with the use of their Delphi user ID.
• Abiding by the Delphi employee code of conduct guidelines, acceptable use policy, non-compete agreements, intellectual property rights agreements and all other applicable laws and regulations pertaining to Delphi information and information systems.
• Reporting information security issues to the local IT Security Manager and/or Information Security.

Any issues or circumstances that do not fully comply with this policy must be reviewed and approved by the appropriate management representative and IT Security Manager. Management's non-enforcement of any policy requirement does not constitute its consent.

Non-compliance with the Delphi Information Security Policy (ISP) may result in disciplinary action up to and including termination of employment and/or criminal or civil legal action.


2 Security Policy

The Delphi Information Security Policy (ISP) provides Delphi IT and Business Units with management direction and support for information security in accordance with business requirements and relevant laws and regulations.

The Delphi Information Security Policy is approved by Delphi IT Management, and published and communicated to all employees and relevant external parties.

3 Organization of Information Security

• Management commitment to information security - Delphi IT Management actively supports IT security within the organization through clear direction, demonstrated commitment, explicit assignment, and acknowledgement of information security responsibilities.
• Information security coordination - Information security activities are coordinated by the Delphi Global IT Security Manager, the IT Security Managers, and Delphi IT Service Providers.
• Allocation of information security responsibilities - Delphi information security responsibilities are clearly defined within the Delphi Business Systems Manual (DBSM) and Information Security Policy and Procedures.
• Confidentiality agreements - Requirements for confidentiality of data and non-disclosure agreements reflecting Delphi IT and Business Unit requirements for the protection of information are identified, regularly reviewed and coordinated through Delphi Global Supply Management (GSM), Delphi Human Resources, and Delphi Legal.
• Contact with authorities - Delphi IT Security Managers and IT Management maintain authorized contacts with internal organizations supporting information security (Corporate Security, IT Internal Audit, Internal Controls, Delphi Legal) and with external organizations (Law Enforcement, Fire Departments and Life Safety).

4 Asset Management

4.1 Responsibility for assets

• Inventory of assets - All assets associated with information processing facilities should be clearly identified and an inventory of all important assets drawn up and maintained.
• Ownership of assets - All information and assets associated with information processing facilities should be owned by a designated part of the organization. The implementation of specific controls may be delegated by the owner as appropriate, but the owner remains responsible for the proper protection of the assets.
• Acceptable use of assets - Standards for the acceptable use of information and assets associated with information processing facilities should be identified, documented, and implemented in accordance with the appropriate local policies and requirements.
• Personal/privately owned computers, computer peripherals, or computer software are not permitted into Delphi facilities and must not connect to the Delphi network.
• Delphi contractors, consultants and vendors are allowed to connect their corporate computer equipment, computer peripherals, or computer software into Delphi's network to provide support and services to Delphi under service delivery contracts. This equipment must be pre-approved by Delphi IT through proper authorization. All equipment must follow ISP Guidance and:
  o Have anti-virus software with updated signatures installed at least equivalent to Delphi requirements.
  o Have the ability to perform patch management at least equivalent to Delphi requirements.
  o Allow their corporate computers to be audited for sensitive Delphi data at any time.
  o Have Delphi data purged upon conclusion of contracted support.

4.2 Information classification

• Classification guidelines - Information should be classified in terms of its value, legal requirements, sensitivity, and criticality to the organization to ensure that information receives an appropriate level of protection.

  The criteria used to identify what Delphi information should be classified are derived from trade secret and other laws providing for the protection of intellectual property and/or other confidential business information, and from the risks of competitive harm if the Delphi information is wrongfully or inadvertently disclosed outside of Delphi. Posting sensitive Delphi information on the Delphi Intranet (which encompasses more than just Apollo) is prohibited without appropriate access controls in place.

• Information labeling and handling
  o Classification labeling uses a prefix (e.g., Delphi) and a category suffix (e.g. CONFIDENTIAL). The prefix explicitly identifies Delphi ownership.
  o Customer information handling - When information is received from a customer outside of Delphi as part of the customer-supplier relationship, information security protections for customer information must conform to contractual requirements or other commitments made to the customer.

Additional information can be found in the Information and Product Security Handling Guide (http://apollo.delphiauto.net/info_security/info_security_handling_guide.htm) and the Information Classification Tool (http://apollo.delphiauto.net/info_security/policies/information_classifier/information_classifier.htm).

5 Human Resources Security

5.1 Prior to employment

In order to ensure that employees, contractors and third party users understand their responsibilities, and are suitable for the roles they are considered for, and to reduce the risk of theft, fraud or misuse of facilities:

• Security roles and responsibilities should be defined in the job descriptions for Delphi employees, contractors and third party users of information processing facilities for the job roles they are undertaking and in the terms and conditions of employment.
• Adequate screening must be performed through the standard HR hiring process agreed by Delphi to ensure the candidate's suitability to the business requirement and compliance with the relevant legal provisions and confidentiality agreements.
• Delphi employees, contractors and third party users must agree to and sign a document stating their and the organization's responsibilities for Delphi information security.

5.2 During employment

In order to ensure that employees, contractors and third party users are aware of information security threats and concerns, their responsibilities and liabilities, and are equipped to support Delphi security policy in the course of their normal work, and to reduce the risk of human error:

• Delphi management must ensure that all employees, contractors and third party users understand their obligation to protect Delphi information and information systems through awareness education programs, training in security procedures and providing Delphi acceptable use policies.
• Any suspected Delphi policy violation must be immediately reported to the Delphi Ethics Line or the Regional/Divisional IT Security Manager for investigation of a security breach.

5.3 Termination or change of employment

In order to ensure that employees, contractors and third party users exit an organization or change employment in an orderly manner:

• The immediate supervisor of leaving Delphi employees, contractors and third party users is responsible for ensuring that the process for terminating the leaving employee's/contractor's/third party user's ID and removing all access rights is initiated, and that notification to Delphi's Human Resources is made in a timely manner.
• Any ongoing Delphi security requirements, legal responsibilities and, where appropriate, responsibilities contained within any confidentiality agreement with Delphi and the terms and conditions of employment continuing for a defined period after the end of employment, must be included in the communication of termination and in the employee's, contractor's or third party user's contracts.
• A change of responsibilities or employment within Delphi or a third party organization should be evaluated to determine if it is appropriate for the existing ID and access to be retained, or if the existing ID should be terminated and a new ID issued.
• All Delphi employees, contractors and third party users must return all of Delphi's assets and equipment, including any information belonging to Delphi in their possession, upon termination of their employment, contract or agreement.

6 Physical and Environmental Security

6.1 Secure areas

In order to prevent unauthorized physical access, damage, and interference to the organization's premises and information:

• Access to computer rooms and high security areas will be restricted to authorized employees with a business need to know and must be regularly monitored, documented and reviewed at least semi-annually. Photographic, video, audio or other recording equipment, such as cameras in mobile devices, are not allowed in Delphi computer rooms and high security areas without proper prior authorization.
• Physical security perimeters (barriers such as walls, card controlled entry gates or manned reception desks) must be used to protect areas that contain Delphi classified information and information processing facilities used by Delphi.
• Physical entry controls - Delphi secure areas must be protected by appropriate entry controls to ensure that only authorized personnel are allowed access and the record of all such access and its business needs are maintained.
• Work Area Security - All Delphi employees, contractors, and third party users of Delphi information processing facilities are required to secure classified Delphi information, personal information, lock their computers, and in general secure their work area before leaving at the end of the work day, or when their work area will be unattended for an extended period of time in accordance with the Delphi Clean Desk Policy. Vacant secure areas should be physically locked and periodically checked.
• Public access, delivery, and loading areas - Access points such as delivery and loading areas and other points where unauthorized persons may enter the premises should be controlled and, if possible, isolated from Delphi information processing facilities to avoid unauthorized access.

To further ensure compliance with Delphi requirements, refer to the Delphi Corporate Security Manual (http://apollo.delphiauto.net/security/corporatesecuritymanual.htm) for the applicable specific procedures.

6.2 Information systems equipment security

In order to prevent loss, damage, theft or compromise of assets and interruption to the organization's activities:

• Physical and environmental threats - Equipment used for processing Delphi information should be protected from physical and environmental threats to reduce the risk of interruption to Delphi business activities, to protect against loss or damage, and to prevent unauthorized access to Delphi information.
• Supporting utilities - Critical IT equipment used by Delphi must be protected from power failures and other disruptions caused by failures in supporting utilities.
• Cabling security - All Delphi network and communications wiring must be protected from all hazardous environmental conditions and unauthorized access regardless of whether the facility is leased or owned.
• Equipment maintenance - All critical IT equipment should be maintained by authorized personnel to ensure its continued availability and integrity according to recommended service intervals and specifications.
• Security of equipment off-site - All Delphi employees, contractors and third party users must exercise a high degree of personal responsibility to protect physical assets and any Delphi classified information stored on those assets when Delphi equipment and information is taken off-site. Laptops must be secured when not in use.
• Secure disposal or re-use of equipment - All equipment containing storage media that is to be disposed of or re-used by Delphi employees, contractors, and third party users must be processed using the appropriate procedures and tools.
• Removal of property - Any equipment, information or software must not be taken off-site from Delphi or Delphi joint venture facilities without prior authorization, and inspections should be carried out in accordance with relevant legislation and regulations.


7 Communications and Operations Management

7.1 Operational procedures and responsibilities

• Procedures must be established to ensure the correct and secure operation of Delphi information processing facilities, including responsibilities and procedures for the management and operation of all Delphi information processing facilities.
• Segregation of duties must be implemented, where appropriate, to reduce the risk of negligent or deliberate system misuse and to reduce opportunities for unauthorized or unintentional modification or issuance of the organization's assets.
• Operating procedures should be documented, maintained, and made available to all users. Changes to information processing facilities and systems should be controlled.
• Development, test, and operational facilities should be segregated to reduce the risks of unauthorized access or changes to the operational system.

7.2 Third party service delivery management

To implement and maintain the appropriate level of information security and service delivery in line with third party service delivery agreements:

• Services must be delivered according to the appropriate service delivery agreements.
• Delphi management must check the implementation of agreements, monitor compliance with the agreements, and manage changes to agreements to ensure that the services delivered meet all requirements.

7.3 System planning and acceptance

To minimize the risk of Delphi systems failures:

• Advance planning and preparation are required to ensure the availability of adequate capacity and resources to deliver the required system performance. Projections of future capacity requirements should be made to reduce the risk of system overload. The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance.
• The operational requirements of new systems should be established, documented, and tested prior to their acceptance and use.
• Acceptance criteria for new information systems, upgrades, and new versions should be established and suitable tests of the system(s) carried out during development and prior to acceptance.


7.4 Protection against malicious code

To protect the integrity of Delphi software and information:

• Precautions are required to prevent and detect the introduction of malicious and unauthorized code.
• Detection, prevention, and recovery controls to protect against malicious code and appropriate user awareness procedures must be implemented.

7.5 Backup

To maintain the integrity and availability of information and information processing facilities:

• Backup procedures shall be established, documented and implemented to ensure timely restoration of data. Backup media and restoration procedures shall be tested regularly.
• Backup media must be stored in a physically and environmentally secure location.

7.6 Network security management

To ensure the protection of information in networks and the protection of the supporting infrastructure:

• Delphi networks must be properly managed and controlled.
• Security features, service levels, and management requirements of all network services must be identified and included in any network services agreements.

7.7 Storage media handling

To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities:

• Storage media must be controlled and physically protected.
• Appropriate operating procedures should be established to protect storage media from unauthorized disclosure, modification, removal, and destruction.
• There must be procedures in place for the management of removable media.
• Media must be disposed of securely and safely when no longer required, using formal procedures.
• Procedures for the handling and storage of information should be established to protect this information from unauthorized disclosure or misuse.
• System documentation must be protected against unauthorized access.

7.8 Exchange of information

To maintain the security of information and software exchanged within an organization and with any external entity:

• Formal exchange policies, procedures, and controls must be in place to protect the exchange of information through the use of all types of Delphi communication facilities.


• Delphi information exchange facilities must comply with any relevant legal requirements.
• Agreements must be established for the exchange of information and software between Delphi and external parties.
• Media containing information must be protected against unauthorized access, misuse or corruption during transportation beyond an organization's physical boundaries.
• Information involved in electronic messaging must be appropriately protected.
• Policies and procedures must be developed and implemented to protect information associated with the interconnection of business information systems.

7.9 Electronic commerce services

To ensure the security of electronic commerce services, and their secure use:

• Information involved in electronic commerce passing over public networks must be protected from fraudulent activity, contract dispute, and unauthorized disclosure and modification.
• Information involved in online transactions must be protected to prevent incomplete transmission, misrouting, unauthorized message alteration, unauthorized disclosure, and unauthorized message duplication or replay.
• The integrity of information being made available on a publicly available system must be protected to prevent unauthorized modification.

7.10 Monitoring

To detect unauthorized information processing activities:

• Delphi systems must be monitored, where appropriate and technically possible. Content of the system logs will be determined by the appropriate standards.
• Procedures for monitoring use of information processing facilities must be established and the results of the monitoring activities reviewed regularly.
• System log access must be controlled and must follow the appropriate procedures, standards, and approval processes.
• Creation, retention and deletion of system logs must be controlled and follow the proper procedure and approval process.
• The clocks of all relevant information processing systems should be synchronized with an agreed accurate time source.

8 Access Control

8.1 Business requirement for access control

To control access to information:

• Access to all information and data shall be restricted to only authorized personnel and appropriately segregated by business need.


• Access to information and data shall only be granted through an approved process by authorized personnel having appropriate authority to grant such access.
• All access requests shall be documented and maintained for a period appropriate for the data classification and risk assessment or legal requirement.
• Access control rules should take account of policies for information dissemination and authorization.
• Users must not share, distribute or in any way disseminate information that they are not authorized to release.

8.2 User access management

To ensure authorized user access and to prevent unauthorized access to information systems:

• Creation of user IDs must follow the appropriate procedures and standards.
• Assignment of user IDs must follow the appropriate procedures and standards.
• Disabling of user IDs must follow the appropriate procedures, and occur automatically after the established period of time, where technically feasible.
• Deletion of user IDs must follow the appropriate procedures, and occur automatically after the established period of time, where technically feasible.
• Creation of root, admin and other privileged access accounts must be restricted and follow the proper procedure and approval process.
• Creation of group, service, application and kiosk IDs must be restricted and follow the proper procedure and approval process.
• Access reviews must be conducted by the application or information owner periodically in accordance with the appropriate procedures and regulations.

8.3 User responsibilities

To ensure authorized user access and to prevent unauthorized access to information systems:

• Passwords must not be shared.
• Passwords must not be stored in a non-secure location.
• Passwords must be stored and transmitted in encrypted form, where technically possible.
• Temporary passwords (e.g. those assigned for a password reset) must be changed upon initial use.
• Creation of user passwords must follow the appropriate procedures and standards.
• Users must lock their computers, and in general secure their work area, before leaving at the end of the work day, or when their work area will be unattended for an extended period of time, in accordance with the Delphi Clean Desk Policy.


8.4 Network access control

To prevent unauthorized access to networked services:

• Access to both internal and external networks must be controlled and must follow the appropriate procedures, standards, and approval processes.
• Users must access only those services that they have been specifically authorized to use.
• Only Delphi approved computers and devices may connect to the Delphi network.
• Delphi reserves the right to monitor, block, or discontinue any network service at any time without advance notice.

8.5 Operating system access control

To prevent unauthorized access to operating systems:

• Operating system access must be controlled and must follow the appropriate procedures, standards, and approval processes.
• Users must access only those services, features, and utilities that they have been specifically authorized to use.
• Only Delphi approved users may log into Delphi computers or equipment.
• Delphi reserves the right to monitor, block, or discontinue operating system logon privileges at any time without advance notice.

8.6 Application and information access control

To prevent unauthorized access to applications and information systems:

• Application and information systems access must be controlled and must follow the appropriate procedures, standards, and approval processes.
• Users must access only those application and information systems that they have been specifically authorized to use.
• Only Delphi approved users may use Delphi applications and information systems.
• Application and information systems must be protected in a secure environment, restricting physical and logical access to those on an as-needed basis.
• Delphi reserves the right to monitor, block, or discontinue application or information system access at any time without advance notice.

8.7 Monitoring system access and use

To ensure authorized use and to prevent unauthorized access to Delphi networks, systems, applications and information systems:

• When technically possible, all servers and applications that are business critical, under legal requirements, or the subject of audit/risk assessment findings must be monitored.


• Content of the system logs will be determined by the appropriate standards. The level of monitoring and reviews required may be driven by legal requirements (such as SOX or HIPAA), an internal audit finding, or by a risk assessment performed by the IT Security Team.
• System log access must be controlled and must follow the appropriate procedures, standards, and approval processes.
• Creation, retention and deletion of system logs must be controlled and follow the proper procedure and approval process.
• Delphi reserves the right to monitor system access and use.

8.8 Mobile computing and telecommuting

To ensure information security when using mobile computing and telecommuting facilities:

• Remote access to the Delphi network and information systems must be controlled and must follow the appropriate procedures, standards, and approval processes.
• Users must access only those resources that they have been specifically authorized to use.
• Only Delphi approved users may utilize remote access to log into the Delphi network or information systems.
• Users must ensure that any Delphi classified information contained in a portable device receives the proper protection according to the Delphi Information and Product Security Handling Guide (see section 4.2 of this document for additional information).

9 Information Systems Acquisition, Development and Maintenance

9.1 Security requirements of information systems

To ensure that security is an integral part of information systems:

Information systems include: operating systems, infrastructure, business applications, off-the-shelf products, services, and user-developed applications.

• Security requirements - must be identified and agreed prior to the development and/or implementation of information systems.
  o All security requirements should be identified at the requirements phase of a project and justified, agreed, and documented as part of the overall business case for an information system.


  o Statements of business requirements for new information systems, or enhancements to existing information systems, should specify the requirements for security controls.

9.2 Correct processing in applications

To prevent errors, loss, unauthorized modification or misuse of information in applications:

• Appropriate controls must be designed into applications, including user-developed applications, to ensure correct processing. These controls should include the validation of input data, internal processing and output data.
• Additional controls may be required for systems that process, or have an impact on, sensitive, valuable or critical information. Such controls should be determined on the basis of security requirements and risk assessment.
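The three control points named above (input data, internal processing, output data) are shown below on one purchase-order line. This is an added illustration, not code from the policy manual or from Delphi; the record layout, the part-number format, the field limits and the sample records are all constructed assumptions. Each layer refuses rather than repairs a bad value, and the total is recomputed by an independent route before it is trusted.

```python
"""Correct-processing controls on one purchase-order line.

Constructed example: the record layout, the field limits and the sample
records are assumptions made for illustration, not Delphi's data model.
Three layers mirror the policy wording: input validation, a check on
internal processing, and validation of output data.
"""
import html
import re
from dataclasses import dataclass
from decimal import Decimal, InvalidOperation, ROUND_HALF_UP

PART_NUMBER_RE = re.compile(r"[A-Z0-9]{4,12}")       # assumed part-number format
MAX_QUANTITY = 10_000                                  # assumed business limit
MAX_UNIT_PRICE = Decimal("100000.00")                  # assumed business limit
MAX_LINE_TOTAL = Decimal("1000000000.00")              # assumed hard ceiling
CENT = Decimal("0.01")


class ValidationError(ValueError):
    """Raised by any layer that refuses a record."""


@dataclass(frozen=True)
class OrderLine:
    part_number: str
    quantity: int
    unit_price: Decimal


def validate_input(raw: dict) -> OrderLine:
    """Input validation: allow-list the fields and bound every value.
    Bad input is rejected, not silently corrected."""
    expected = {"part_number", "quantity", "unit_price"}
    if set(raw) != expected:
        raise ValidationError(f"unexpected fields: {sorted(set(raw) ^ expected)}")
    part = raw["part_number"]
    if not isinstance(part, str) or not PART_NUMBER_RE.fullmatch(part):
        raise ValidationError("part_number has an invalid format")
    qty = raw["quantity"]
    if isinstance(qty, bool) or not isinstance(qty, int) or not 1 <= qty <= MAX_QUANTITY:
        raise ValidationError("quantity out of range")
    try:
        price = Decimal(str(raw["unit_price"]))
    except InvalidOperation:
        raise ValidationError("unit_price is not numeric") from None
    # is_finite() is tested first: comparing a NaN would itself raise
    if not price.is_finite() or price <= 0 or price > MAX_UNIT_PRICE:
        raise ValidationError("unit_price out of range")
    if price != price.quantize(CENT):
        raise ValidationError("unit_price has more than two decimals")
    return OrderLine(part, qty, price)


def compute_total(line: OrderLine) -> Decimal:
    """Internal processing control: the total is computed by two independent
    routes (Decimal and integer cents) which must agree and stay within bounds."""
    total = (line.unit_price * line.quantity).quantize(CENT, ROUND_HALF_UP)
    cents_check = int(line.unit_price * 100) * line.quantity
    if int(total * 100) != cents_check:
        raise ValidationError("line total does not reconcile with its inputs")
    if total > MAX_LINE_TOTAL:
        raise ValidationError("line total exceeds the hard ceiling")
    return total


def render_line(line: OrderLine, total: Decimal) -> str:
    """Output validation: re-check the value being emitted and encode it for
    the output context (here HTML), so nothing reaches the page unencoded."""
    if not total.is_finite() or total <= 0 or total > MAX_LINE_TOTAL:
        raise ValidationError("refusing to emit an implausible total")
    return (
        f"<tr><td>{html.escape(line.part_number)}</td>"
        f"<td>{line.quantity}</td><td>{html.escape(str(total))}</td></tr>"
    )


def process_order_line(raw: dict) -> str:
    """Run the three layers in order; any failure stops processing."""
    line = validate_input(raw)
    return render_line(line, compute_total(line))


def rejected(raw: dict) -> bool:
    """True if some layer refuses the record."""
    try:
        process_order_line(raw)
    except ValidationError:
        return True
    return False


# Constructed sample records
GOOD = {"part_number": "AB1234", "quantity": 3, "unit_price": "12.34"}
BAD = [
    {"part_number": "<script>", "quantity": 3, "unit_price": "12.34"},            # format
    {"part_number": "AB1234", "quantity": -1, "unit_price": "12.34"},             # range
    {"part_number": "AB1234", "quantity": 3, "unit_price": "NaN"},                # not a number
    {"part_number": "AB1234", "quantity": 3, "unit_price": "12.345"},             # precision
    {"part_number": "AB1234", "quantity": 3, "unit_price": "12.34", "extra": 1},  # unexpected field
]

if __name__ == "__main__":
    print(process_order_line(GOOD))
    print([rejected(r) for r in BAD])
```

The output layer encodes for its own context; a system that writes the same line to a database or a log would apply the encoding appropriate to that context instead of reusing the HTML escaping.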

9.3 Cryptographic controls

To protect the confidentiality, authenticity or integrity of information by cryptographic means:

• Users must ensure that reasonable precautions are implemented so that Delphi information, while in transit, cannot be observed, tampered with, or extracted from the Delphi information systems and networks by some unauthorized person or device.
• Only Delphi approved cryptographic controls may be utilized.

9.4 Security of system files

To ensure the security of system files:

• Access to system files and program source code must be controlled, and IT projects and support activities must be conducted in a secure manner. Sensitive data must not be exposed in test environments.
• Control of operational software - Procedures must be implemented to control the installation of software on operational systems.
• Protection of system test data - Test data must be selected carefully, protected, and controlled.
• Access control to program source code - Access to program source code must be restricted.

9.5 Security in development and support processes

To maintain the security of application system software and information:

• Project and support environments must be strictly controlled.
• All proposed system changes must be reviewed to check that they do not compromise the security of either the system or the operating environment.
• Change control procedures - The implementation of changes must be controlled by the use of formal change control procedures.


• Technical review of applications after operating system changes - When operating systems are changed, business critical applications should be reviewed and tested to ensure there is no adverse impact on organizational operations or security.
• Restrictions on changes to software packages - Modifications to software packages should be discouraged, limited to necessary changes, and all changes should be strictly controlled.
• Outsourced software development - Outsourced software development must be supervised and monitored.

9.6 Technical Vulnerability Management

To reduce risks resulting from exploitation of published technical vulnerabilities:

• Technical vulnerability management must be implemented in an effective, systematic, and repeatable way, with measurements taken to confirm its effectiveness. These considerations should include operating systems and any other applications in use.
• Control of technical vulnerabilities - Timely information about technical vulnerabilities of information systems being used must be obtained, the organization's exposure to such vulnerabilities evaluated, and appropriate measures taken to address the associated risk.
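The "evaluate exposure, then measure" step of the control above is illustrated below: a software inventory is joined against an advisory feed, each installed component is tested against the affected version range, and the findings are ranked and counted so remediation can be prioritized and the backlog tracked over time. This is an added example, not code from the policy manual or from Delphi; the inventory, the `ADV-000x` advisory identifiers (placeholders, not real CVE numbers), the product names, the version ranges and the internet-facing weighting are all constructed assumptions.

```python
"""Evaluating exposure to published vulnerabilities (constructed example).

Joins a software inventory with an advisory feed, decides which installed
versions fall inside an affected range, and ranks and counts the findings.
All identifiers, products and versions below are made up for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.2.10' -> (1, 2, 10): numeric compare, so 1.2.10 > 1.2.9 (a string
    compare would get this wrong)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    advisory_id: str      # placeholder identifier, not a real CVE number
    product: str
    introduced: str       # first affected version (inclusive)
    fixed: str            # first fixed version (exclusive)
    severity: str         # "critical" | "high" | "medium" | "low"


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool


@dataclass(frozen=True)
class Finding:
    host: str
    product: str
    version: str
    advisory_id: str
    severity: str
    priority: int


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected if it runs the product at a version in
    [introduced, fixed)."""
    if asset.product != adv.product:
        return False
    v = parse_version(asset.version)
    return parse_version(adv.introduced) <= v < parse_version(adv.fixed)


def evaluate_exposure(assets: List[Asset], advisories: List[Advisory]) -> List[Finding]:
    """Join inventory with advisories. Priority is the severity rank, raised by
    one for internet-facing hosts (an assumed, deliberately simple weighting);
    results are sorted highest priority first so the list doubles as a work queue."""
    findings = []
    for a in assets:
        for adv in advisories:
            if is_affected(a, adv):
                prio = SEVERITY_RANK[adv.severity] + (1 if a.internet_facing else 0)
                findings.append(Finding(a.host, a.product, a.version,
                                        adv.advisory_id, adv.severity, prio))
    findings.sort(key=lambda f: (-f.priority, f.host, f.advisory_id))
    return findings


def exposure_metrics(findings: List[Finding]) -> Dict[str, int]:
    """The measurements the policy asks for: open findings by severity and the
    number of distinct hosts exposed. Re-run after each patch cycle to see
    whether the process is actually reducing exposure."""
    by_severity = {s: 0 for s in SEVERITY_RANK}
    for f in findings:
        by_severity[f.severity] += 1
    return {"total": len(findings), "hosts": len({f.host for f in findings}), **by_severity}


# Constructed advisory feed and inventory
ADVISORIES = [
    Advisory("ADV-0001", "examplehttpd", "2.4.0", "2.4.50", "critical"),
    Advisory("ADV-0002", "examplehttpd", "2.4.0", "2.4.52", "medium"),
    Advisory("ADV-0003", "libexample", "1.0.0", "1.2.3", "high"),
]
ASSETS = [
    Asset("web01", "examplehttpd", "2.4.49", True),
    Asset("web02", "examplehttpd", "2.4.51", True),
    Asset("app01", "libexample", "1.2.3", False),    # exactly the fixed version: not affected
    Asset("app02", "libexample", "1.1.9", False),
    Asset("db01", "exampledb", "12.4", False),       # no advisory for this product
]

if __name__ == "__main__":
    for f in evaluate_exposure(ASSETS, ADVISORIES):
        print(f"P{f.priority} {f.host:6} {f.product} {f.version} {f.advisory_id} ({f.severity})")
    print(exposure_metrics(evaluate_exposure(ASSETS, ADVISORIES)))
```

In practice the inventory comes from the asset register or endpoint agents and the advisory feed from vendors or a vulnerability database; the join and the version comparison are the parts that must be correct, and the boundary cases in the sample data (a host exactly on the fixed version, a product with no advisory) are the ones worth keeping as regression checks.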

10 Information Security Incident Management

10.1 Reporting information security events and weaknesses

To ensure information security events and weaknesses associated with information systems are communicated in a manner allowing timely corrective action to be taken:

• Reporting information security events - Information security events must be reported through appropriate management channels as quickly as possible.
• Reporting security weaknesses - All employees, contractors and third party users of information systems and services are required to note and report any observed or suspected security weaknesses in systems or services.

10.2 Management of information security incidents and improvements

To ensure a consistent and effective approach is applied to the management of information security incidents:

• Responsibilities and procedures - Management responsibilities and procedures must be established to ensure a quick, effective, and orderly response to information security incidents. A process of continual improvement should be applied to the response to, monitoring, evaluating, and overall management of information security incidents.
• Learning from information security incidents - There should be mechanisms in place to enable the types, volumes, and costs of information security incidents to be quantified and analyzed. Preventive measures should be taken to avoid repeat incidents.
• Collection of evidence - Where a follow-up action against a person or organization after an information security incident involves legal action (either civil or criminal), evidence must be collected by the security staff, retained, and presented to conform to the rules for evidence laid down in the relevant jurisdiction(s). Where evidence is required, it must be collected and preserved to ensure compliance with legal requirements.

11 Business Continuity Management

To counteract interruptions to business activities, to protect critical business processes from the effects of failures of information services, and to ensure their timely resumption:

• A managed process must be developed and maintained throughout the organization that addresses the information security requirements needed for the organization's business continuity.
• Events that can cause interruptions to business processes must be identified, along with the probability and impact of such interruptions and their consequences for information security.
• Plans must be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes.
• A single framework of business continuity plans must be maintained to ensure all plans are consistent, to address information security requirements, and to identify priorities for testing and maintenance.
• Business continuity plans must be tested and updated regularly to ensure that they are up-to-date and effective.

12 Compliance

12.1 Compliance with legal requirements

In order to avoid breaches of any law, statutory, regulatory or contractual obligations, and security requirements:

• Advice on specific legal requirements should be sought from the Delphi Legal Staff.


• Non-Disclosure and Confidentiality Agreements - Refrain from signing non-disclosure or confidentiality agreements, or otherwise obligating Delphi to protect or not use information provided by third parties, without prior review and approval by the Delphi Legal Staff.
• Identification of applicable legislation - All relevant statutory, regulatory, and contractual requirements and the organization's approach to meet these requirements must be explicitly defined, documented, and kept up-to-date.
• Intellectual property rights (IPR) - Appropriate procedures must be implemented to ensure compliance with legislative, regulatory, and contractual requirements on the use of material in respect of which there may be intellectual property rights, and on the use of proprietary software products.
• Protection of organizational records - Important records must be protected from loss, destruction, and falsification, in accordance with statutory, regulatory, contractual, and business requirements.
• Data protection and privacy of personal information - Data protection and privacy must be ensured as required in relevant legislation, regulations, and, if applicable, contractual clauses.
• Prevention of misuse of information processing facilities - Users must be deterred from using information processing facilities for unauthorized purposes.
• Regulation of cryptographic controls - Cryptographic controls must be used in compliance with all relevant agreements, laws, and regulations.

12.2 Compliance with security policies and standards, and technical compliance

To ensure compliance of systems with organizational security policies and standards:

• The security of information systems must be regularly reviewed.
• Such reviews must be performed against the appropriate security policies, and the technical platforms and information systems should be audited for compliance with applicable security implementation standards and documented security controls.
• Compliance with security policies and standards - Management shall enforce the Delphi Information Policy and the corresponding Information Standards and Procedures for all users. The penalty for non-compliance shall include, but will not be limited to, disciplinary action (up to and including termination of employment) and/or appropriate legal action.
• Technical compliance checking - Information systems must be regularly checked for compliance with security implementation standards.

12.3 Information systems audit considerations

To maximize the effectiveness of the information systems audit process:

• Information systems audit controls - Audit requirements and activities involving checks on operational systems are to be planned to minimize the risk of disruptions to business processes. There should be controls to safeguard operational systems and audit tools during information systems audits.
• Protection of information systems audit tools - Access to information systems audit tools must be protected to prevent any possible misuse or compromise. Protection is also required to safeguard the integrity and prevent misuse of audit tools.


Index

Acceptable use of assets, 5
Access Control, 11
Access to computer rooms, 7
Acquisition, 14
Allocation of information security responsibilities, 4
Applicability, 3
Application and information access control, 13
Asset management, 4
Audit considerations, 18
Backup, 10
Business Continuity Management, 17
Business requirement for access control, 11
Cabling security, 8
Change control procedures, 15
Change of responsibilities, 7
Classification guidelines, 5
Collection of evidence, 17
Communications and Operations Management, 9
Compliance with security policies and standards, 18
Compliance, legal requirements, 17
Confidentiality agreements, 4, 18
Contact with authorities, 4
Contractors, consultants and vendors, 5
Coordination of Information Security, 4
Cryptographic controls, 15
Customer information handling, 5
Delivery, and loading areas, 7
Development, 14
Development and support processes, 15
Disposal or re-use of equipment, 8
Electronic commerce, 11
Equipment maintenance, 8
Equipment off-premises, 8
Equipment security, 8
Exchange of information, 10
High Security Areas, 7
HR Security, During employment, 6
HR Security, Prior to employment, 6
Human Resources Security, 6
Incident Management, 16
Information classification, 5
Information labeling and handling, 5
Intellectual property rights (IPR), 18
Inventory of assets, 4
Maintenance, 14
Malicious and code, 10
Management commitment, 4
Management of information security incidents, 16
Mobile computing and telecommuting, 14
Monitoring, 11
Monitoring system access and use, 13
Network access control, 13
Network security, 10
Non-disclosure agreements, 18
Operating system access control, 13
Operational procedures and responsibilities, 9
Outsourced software development, 16
Ownership of assets, 4
Personal/Privately owned computers, 5
Physical and Environmental Security, 7
Physical and environmental threats, 8
Physical entry controls, 7
Physical security perimeters, 7
Privacy of personal information, 18
Processing in applications, 15
Protection of organizational records, 18
Public access area, 7
Public access, delivery, and loading areas, 7
Regulation of cryptographic controls, 18
Removal of property, 8
Reporting information security events, 16
Reporting security weaknesses, 16
Responsibility for assets, 4
Restrictions on changes, 16
Secure areas, 7
Secured Work Area, 7
Security Policy, 4
Security requirements, 14
Source code, 15
Storage Media handling, 10
System planning and acceptance, 9
System test data, 15
Technical review, 16
Technical Vulnerability Management, 16
Termination or change of employment, 6
Third party service delivery management, 9
User access management, 12
User responsibilities, 12
Utilities, 8