GE Third Party Policy
GE Corporate Security
January 4, 2007
Table of Contents
5 Appendix  20
5.1 Appendix A: GE Data Classification Standard  20
5.2 Appendix B: GE Acceptable Use Guidelines  20
5.3 Appendix C: GE Supplier Security Risk Analysis Checklist  20
1.2 Scope
This policy addresses technical security and compliance concerns with respect to GE on-site and VPN-connected contractors, GE data housed or hosted by external service providers, site-to-site customer-facing network connectivity, and general connections into the GE internal network from non-GE sites. Specially designed GE external customer services DMZs with no inbound access to GE internal networks are out of scope.

The basis for the control objectives and controls is compliance with applicable law and GE general policies, primarily the GE Spirit & Letter policies. However, most of this document's procedures go beyond technology concerns and have wider applicability. For example, information protection applies to data in electronic form as well as to printed or paper documents. Contractual language requirements for agreements are highlighted in gray.

GE may periodically update its security policies based upon newly identified vulnerabilities and threats. In addition, GE already has an extensive network of existing Third Party connections that carry additional joint risk. To minimize this residual risk, new third parties and contract renewals should be brought in line with the then-current policy document. All third parties should have all gaps identified and then brought into compliance or mitigated.

September 15, 2007: All new third parties or contract renewals should use the latest documented policy.
Least Access: The minimum access rules necessary to achieve the required function; used to describe locked-down firewall rules.
NAT: Network address translation; used to translate GE internal addresses to addresses routable on the Third Party's network; required for Basic Third Party connectivity.
Remote VPN: Individual Internet-based access to the GE internal network over SSL-VPN or IPSec, using two-factor authentication. Because a token is required, it is not suitable for access by automated processes.
Third Party: A non-GE vendor, supplier, partner, contractor, service provider, or customer with connectivity to GE's internal network or access to GE data. This includes joint ventures without majority GE ownership.
Third Party Manager: The individual at the vendor responsible for the GE/Third Party relationship.
Third Party Security Leader: Appointed by the Third Party Manager, with notification to the GE Sponsor and GE Information Security Leader, to supervise and coordinate security activities within the organization. Assumes the role of primary point of contact with GE in case of security incident response.
Trusted Third Party Connection: A physically isolated segment of the Third Party network connected to the GE internal network in a manner identical to a GE remote office. Commonly used for GDCs servicing multiple businesses, or for Third Parties where full network/system management access is required.
1.4 Organization
GE Sponsor: Every Third Party should have a GE Sponsor, responsible for owning the business relationship and overall performance, including adherence to compliance and security requirements. The GE Sponsor should be guided by local business definitions, legal or regulatory requirements, the GE Information Security Data Classification Standard (see Appendix), and the security program.

GE Information Security Leader: The GE Information Security Leader should assess Third Party risks for the GE Sponsor and ensure the Third Party implements security controls appropriate to the classification of the data and the access required. The GE Information Security Leader should work closely with the Third Party Security Leader to maintain adequate incident response and audit, and provide updates on any ongoing changes to GE security practices.

Third Party Manager & Third Party Security Leader: The Third Party Manager must identify a Third Party Security Leader responsible for adherence to GE security policies. The Third Party Security Leader is responsible for preparing and implementing a security program that promotes compliance and assists workers in practicing sound security principles, reviewing security plans periodically and updating them as necessary, reporting security incidents, and scheduling periodic audits as directed in this policy. The Third Party Manager is responsible for notifying the GE Sponsor of any subcontracted or outsourced work, and for maintaining Third Party subcontractor security levels and agreements that ensure GE information security requirements and audits are met. The Third Party Security Leader interfaces with the GE Information Security Leader.
Section 4, Network Connectivity, additionally applies if the Third Party has direct access to GE networks. The business need to access GE data, networks, and systems is decided by the GE Sponsor and GE Information Security Leader based on an assessment of the Third Party's status, the work performed, the number of GE businesses served, and the type of access.

Examples (Note: the GE Sponsor and GE Information Security Leader will adjust based upon business need and data classification):
- On-site with no sensitive access
- Remote VPN: L1 helpdesk
- Basic Third Party: L1 helpdesk / device support
- Remote hosting / housing
- On-site development / data processing
- Basic Third Party: development / data processing
- Trusted Third Party: L1 helpdesk / device support / network management
- Trusted Third Party: development / data processing / hosting / housing

Each example is assessed against the applicable requirement sections: 2. General Security Requirements (applies in every case), 3. Data and Application Security Requirements, and 4. Network Connectivity Security Requirements.
2.1.1.2 Third Party must be prepared to provide necessary confirming documentation in support of GE's external audits (such as Sarbanes-Oxley) upon GE request, as outlined in GE supplier agreements.
2.1.1.3 In addition to any audits provided for in GE contractual agreements, the Third Party must permit GE to request and/or perform, at GE's expense, up to two security assessments per year, including but not limited to review of policies, processes, and procedures; on-site assessment of physical security arrangements; network, system, and application vulnerability scanning; and penetration testing. Such assessments will be communicated at least one quarter in advance and conducted at a time mutually agreed upon between the Third Party and GE, and GE will provide the results to the Third Party.
2.1.2 Based upon the GE business access type and security requirements established, ensure the appropriate general security controls are audited.
2.1.2.1 The Third Party upon request must provide copies of relevant security policy, process, and procedure documents to GE for review and audit purposes. GE should review and recommend reasonable changes, and the supplier must amend the policies or respond with mitigating controls and responses.
2.2 Personnel
2.2.1 Specific language must be included in agreements to ensure the Third Party has conducted region-specific background checks for Third Party GE Workers in GE engagements.
2.2.2 The Third Party Manager must ensure employees are aware that they are not entitled to privacy protection in the use of their company computers and networks, since these resources may be monitored. The Third Party Manager must define a formal process for responding to a security policy breach by Third Party GE Workers.
2.2.3 All Third Party GE Workers, contractors, and relevant third parties with access to GE networks and data must receive training on the Acceptable Use of GE Information Resources (see document in Appendix) and on the Third Party security policy and legal compliance developed by the Third Party as part of its security awareness program. The Third Party must maintain and audit the inventory of each individual's yearly acceptance of the guideline.
2.2.4 The Third Party must employ designated staff whose primary job responsibilities focus on information security and information risk management.
2.2.5 The Third Party Manager should ensure that adding Third Party personnel to the GE account (in-processing) and removing them from the GE account (out-processing) are completed in a timely, consistent manner auditable by GE.
2.3.6 Physical Inventory: Third Party must maintain an inventory of physical computing assets (including VPN hard tokens) used in the performance of the GE engagement.
2.3.6.1 Physical assets and equipment must have asset tags or recorded serial numbers.
2.3.6.2 Assign a knowledgeable individual owner and usage requirements to each asset.
2.3.6.3 Include purpose or project, locations authorized, and current location.
2.3.6.4 For GE-supplied equipment, record GE authorization (GE provides a template) and return date.
2.3.7 Software Inventory: Third Party must maintain an inventory of software used in the performance of the GE engagement: software licensed and issued by GE, procured by the Third Party and reimbursed by GE, and procured by GE.
2.3.7.1 Include license date, purpose/locations authorized, and return date.
2.3.7.2 Record the GE authorization (GE provides a template) and usage compliance.
2.5.1.2 Printed Delivery: Send GE Confidential and Restricted printed information by trusted courier or registered mail with tracking approved by GE.
2.5.1.3 Fax: Information classified as GE Confidential or Restricted may be faxed to password-protected mailboxes, or sent after verifying that a trusted contact is standing by to receive it.
2.5.1.4 Phone: GE Restricted information must not be discussed on speakerphones or during teleconferences unless all participating parties first confirm that no unauthorized persons are close enough to overhear the conversation.
2.5.1.5 Mobile Phone: GE Confidential or Restricted information must never be discussed on cordless or cellular telephones.
2.5.1.6 Electronic Transmission: Where available, use file-based PGP/GPG encryption combined with TLS/SSH transport encryption over a Basic Third Party network connection.
2.6 Laptops/Workstations
2.6.1 Third Party is responsible for the infrastructure that supports user compliance with the Acceptable Use of GE Information Resources (see Appendix). The policy applies to laptops, desktop PCs, Unix workstations, and mainframe terminals.
2.6.2 Third Party must maintain laptop and workstation security through demonstrated provisioning, patching, and antivirus processes. A personal firewall and anti-virus are required for all Windows systems. Laptop disks should be encrypted.
2.6.3 Systems with direct access to the GE internal network must report monthly to the GE Information Security Leader in the form of the GE Information Security Metrics. They may be restricted or removed for compliance failure or compromise.
2.6.4 GE data must not be stored on laptop computers or other portable computing devices. Although laptops should primarily be used for access, not storage, the GE Information Security Leader may grant specific exceptions, with justified business need, for GE coreload systems running GE-licensed software with patching, anti-virus, encryption, and personal firewall conforming to GE security requirements.
2.8.1.2 The Third Party, at the request of GE, must provide copies of any log files maintained by the Third Party (including firewall, intrusion detection, system, and application log files) to support any investigation or legal action that may be initiated by GE.
2.8.2 Specific language must be included in agreements to ensure the Third Party has a tested and sufficient incident response and GE reporting process. The Third Party Manager must notify and update the GE Sponsor and/or GE Information Security Leader without unreasonable delay of any actual or threatened unauthorized access to, or release of, GE Confidential or Restricted data, or of the systems holding or providing access to such data. Final notification must include a detailed incident log and root cause analysis within five days of closure, describing the actions taken and the plans to prevent a similar event in the future. The Third Party Security Leader must negotiate the process with the GE Information Security Leader, but the expectation is initial notification within two hours of discovery and mutually agreed-upon updates for agreed-upon high-impact incidents.
2.8.2.1 Third Party must report to GE without unreasonable delay all occurrences of viruses and malicious code not handled by deployed detection and protection measures on any workstation or server used to provide services under the work agreement. GE's expectation is within four hours, as negotiated with the GE Information Security Leader.
2.8.3 Specific language must be included in agreements to ensure the Third Party has a tested and sufficient GE disclosure approval process. Third Party must take action immediately to identify and mitigate an incident and to carry out any recovery or remedies. Third Party must first secure GE approval of the content of any filings, communications, notices, press releases, or reports related to any security breach prior to any publication or communication thereof to any third party.
The Third Party Security Leader must maintain a well-understood reporting procedure for security incidents and train Third Party GE Workers on GE contracts.
2.10.5 Anyone needing badge access to any computer room must follow a defined procedure approved by the Third Party Security Leader that records the badge holder's name, badge number, computer room location, reason access is needed, and, for fixed-duration Third Party GE Workers, the termination date. The Third Party Security Office must not configure any badge for computer room access without authorization from the Third Party Security Leader or designated team members.
2.10.6 Employment termination must result in badge access termination within a number of hours agreed upon with the GE Information Security Leader. The Third Party Security Leader must confirm that the badge access list is validated every quarter to verify that those on the list still require access. Any discrepancies found must be corrected.
2.10.7 Badge access must only be given to individuals who require long-term access (those responsible for continuous administration or maintenance of the equipment located in the room). Visitors with a business need confirmed by the Third Party Security Leader are allowed escorted access. If system access is required, the escort must have the technical security background to monitor any commands typed and any equipment added or removed. The Third Party Security Leader may allow badge access for short-term access under special circumstances if determined appropriate.
2.10.8 Anyone having badge access to a computer room must not give or loan their badge to another person to gain access to a computer room.
2.10.9 If it is necessary to leave a computer room door open for a specific time period for individuals who do not have access:
2.10.9.1 The Third Party Security Leader or designated team members must authorize the unsecured-door request for a specific time period and document it in the access logs.
2.10.9.2 A badged contact must be assigned to monitor the unsecured area and ensure the door is secured at the end of the specified time. Posted signs are recommended.
Third Party must review with GE all high-risk items identified through infrastructure reviews, code reviews, and audits (internal or external, security and otherwise) that the Third Party does not remediate within 10 business days.
3.1.6 Based upon the GE business access type and security requirements established, ensure that the Data and Application Security Requirements (and the Appendix checklist) used to assess application security controls are audited.
3.1.6.1 The Third Party upon request must provide copies of relevant security policy, process, and procedure documents to GE for review and audit purposes. GE should review and recommend reasonable changes, and the supplier must amend the policies or respond with mitigating controls and responses.
upon with the GE Information Security Leader. Other patches should be assessed and applied during periodic maintenance windows.
3.4.3 Lock down the server operating system. The following minimum requirements must be expanded upon based on industry best practices.
3.4.3.1 Only the minimum necessary set of applications and services should be installed.
3.4.3.2 Source code of server-side executables and scripts should not be viewable by external users.
3.4.3.3 Packet filters (such as a host-based firewall and TCP wrappers) should be installed to restrict connections to necessary hosts on necessary services, and to log incoming requests.
3.4.3.4 Synchronize time to a trusted time service.
3.4.3.5 Services that require different access should use different account IDs.
3.4.3.6 No SNMP accessibility from the Internet. It is recommended to disable SNMP entirely.
3.4.3.7 There should be a legal notice warning of unauthorized-access penalties where applicable.
3.4.3.8 The password database should be encrypted (hashed and shadowed, not readable by ordinary users).
3.4.4 Lock down the web server using industry best practices.
3.4.4.1 The server's web root should be a directory separate from all other server files (i.e., all interpreters, shells, and configuration files should be located outside the web server directory).
3.4.4.2 Directory browsing (indexed directories) should be turned off at the web server so as not to reveal the presence of unlinked files.
3.4.4.3 The web server should run with the minimum privileges necessary (not root or Administrator).
3.4.4.4 The web server host should not be a domain controller (NIS or Windows).
3.4.4.5 The web server host should not be configured as a router or packet sniffer.
3.4.4.6 The web server identification should be removed from the returned HTTP Server header.
3.4.5 Lock down administration using industry best practices.
3.4.5.1 If the Third Party has the capability to remotely administer servers, the remote connection must take place over an encrypted tunnel and must require two-factor authentication.
3.4.5.2 All administrator accounts should have IP address restrictions or two-factor authentication, or be limited to console login.
3.4.5.3 All administrative traffic should be encrypted. The encryption level should be defined based on the needs of the application.
3.4.5.4 All default accounts should be renamed or removed, and all default passwords changed.
3.4.5.5 Access to devices involved in the provision of services should be granted only on a need-to-have basis. Server administration permissions are typically granted to a limited number of individuals within an organization.
3.4.5.6 More than one person should approve the granting of new administrator account access, and the addition and removal of account access should be auditable.
3.4.5.7 Shared administrative accounts should not be used. Instead, use individual accounts with an auditable method to escalate privileges for administration (for example, PowerBroker or sudo) where possible. Admin passwords can also be checked out for a period of time and then reset.
3.4.5.8 System and service accounts used by automated and batch processes should be granted only restricted access. The account should be single-purpose and non-interactive, and should accept logins only from controlled sources, such as a fixed source IP address, as a second login factor. If the account needs more access, the GE Sponsor should be made fully aware of the account responsibilities, with the account description field identifying the contact.
3.4.6 At the initial user sign-on to any system, server, device, and/or application used to provide services under the work agreement, the Third Party must display a warning banner advising users that the system they are accessing is a private computer system, is for authorized use only, and that activities are monitored and recorded. The warning message should include content that advises prospective users that unauthorized and/or malicious use of the system is prohibited, that violators may be prosecuted to the fullest extent of local and international law, and that by logging on the user confirms having read and understood these terms.
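Worked example (added here; not part of the GE policy and not a GE tool): a small audit that reads an Apache httpd configuration and reports which of the web-server lockdown items in 3.4.4.1, 3.4.4.2, 3.4.4.3 and 3.4.4.6 it violates. The two configurations, WEAK_CONF and HARDENED_CONF, are constructed for illustration and do not describe any real GE or Third Party system; the function names are likewise the example's own.

```python
"""Audit an Apache httpd configuration against the web-server lockdown
items above.  Added example, not GE's own tooling; the configurations at
the bottom are constructed for illustration."""
from __future__ import annotations


def parse_httpd_conf(conf: str) -> list[tuple[str, list[str]]]:
    """Split httpd.conf-style text into (directive, args) pairs.

    Comments and blank lines are dropped; section tags such as
    <Directory ...> are kept as directives beginning with '<'.  Quoted
    arguments lose their quotes.  (Simplified: a '#' inside a quoted
    value would be treated as a comment.)
    """
    entries = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            head, *args = line.split()
            entries.append((head, [a.strip('"') for a in args]))
    return entries


def audit_httpd_conf(conf: str) -> list[str]:
    """Return one finding per violated lockdown item (empty list = clean)."""
    entries = parse_httpd_conf(conf)
    # For single-valued global directives the last occurrence wins,
    # matching httpd's behaviour for User, ServerTokens and friends.
    last = {d.lower(): a for d, a in entries if not d.startswith("<")}
    findings = []

    # 3.4.4.1: the web root must be its own directory, not the server root
    # where binaries, modules and configuration live.
    server_root = (last.get("serverroot") or [""])[0].rstrip("/")
    doc_root = (last.get("documentroot") or [""])[0].rstrip("/")
    if doc_root and doc_root == server_root:
        findings.append("3.4.4.1 DocumentRoot equals ServerRoot: " + doc_root)

    # 3.4.4.2: no directory listing may be enabled in any Options line.
    for d, args in entries:
        if d.lower() == "options" and any(a.lower() in ("indexes", "+indexes") for a in args):
            findings.append("3.4.4.2 directory browsing enabled: Options " + " ".join(args))

    # 3.4.4.3: worker processes must not run as root.
    user = (last.get("user") or [""])[0]
    if user.lower() in ("", "root"):
        findings.append("3.4.4.3 worker runs as root or User is unset")

    # 3.4.4.6: keep the Server header minimal.  httpd's default, Full,
    # advertises version, OS and loaded modules.
    tokens = (last.get("servertokens") or ["Full"])[0]
    if tokens.lower() != "prod":
        findings.append("3.4.4.6 ServerTokens is " + tokens + ", expected Prod")
    if (last.get("serversignature") or ["Off"])[0].lower() != "off":
        findings.append("3.4.4.6 ServerSignature On adds a version footer to error pages")
    return findings


# Constructed sample configurations (not taken from any real system).
WEAK_CONF = """
ServerRoot "/usr/local/apache2"
DocumentRoot "/usr/local/apache2"
User root
Group root
ServerTokens Full
ServerSignature On
<Directory "/usr/local/apache2">
    Options Indexes FollowSymLinks
</Directory>
"""

HARDENED_CONF = """
ServerRoot "/usr/local/apache2"
DocumentRoot "/srv/www/htdocs"      # interpreters and config stay outside it
User www-data
Group www-data
ServerTokens Prod                   # header becomes "Server: Apache"
ServerSignature Off
<Directory "/srv/www/htdocs">
    Options -Indexes +FollowSymLinks
</Directory>
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name + ":", audit_httpd_conf(conf) or ["no findings"])
```

Note that `ServerTokens Prod` only reduces the header to "Server: Apache"; removing the identification entirely, as 3.4.4.6 asks, needs module support (for example mod_security's SecServerSignature directive), so an audit should confirm the live header with a request rather than trusting the configuration alone.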
3.8.1.1 Every user must have a unique user ID. No shared accounts may be used beyond built-in and system accounts where individual usage can be tracked.
3.8.1.2 The account owner is responsible for protecting data and resources that are proprietary to GE, respecting privacy considerations where appropriate, operating ethically, and following security and legal procedures.
3.8.1.3 Account settings should be configured such that files owned by that account are not world-accessible or other-accessible (for reading, writing, or executing) by default. The account owner can modify accessibility as needed.
3.8.1.4 Upon employment termination, all accounts belonging to exiting GE Workers must be disabled or deleted on their departure date.
3.8.1.5 When an account is removed, files associated with the account must be transferred as instructed by the request. If specific instructions were not received, the files must be archived on tape or other approved backup media and then deleted from the system.
3.8.1.6 On a quarterly basis all user accounts must be reconciled. Any account that is not owned must be removed. Any account that is not sponsored, is not valid, or has not been accessed during the prior 90 calendar days or longer must be disabled.
3.8.2 GE-sponsored user accounts, including SSO
3.8.2.1 A GE employee should sponsor all accounts on GE-managed systems assigned to Third Party GE Workers.
3.8.2.2 The full name of the GE employee sponsoring the account should be included in the account profile in readable form, such that the account can be easily identified as the responsibility of that employee.
3.8.2.3 The GE account sponsor is jointly responsible with the owner for protecting GE data and resources.
3.8.2.4 When a Third Party GE Worker leaves or is no longer actively engaged on a GE project, it is the responsibility of the Third Party to inform the GE Sponsor so that account termination activities can be initiated.
3.8.2.5 Disabled accounts must not be re-enabled until sponsored by a GE employee.
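Worked example (added here; not part of the GE policy and not a GE tool): the quarterly reconciliation of 3.8.1.6 and the re-enable rule of 3.8.2.5 applied to a constructed account inventory. The account fields, the user names, the sponsor names and the review date are all assumptions made for the example; in particular, a never-used account is treated as idle from its creation date, and "prior 90 calendar days" is read as strictly more than 90 days since the last access.

```python
"""Quarterly account reconciliation per 3.8.1.6 and the re-enable check of
3.8.2.5.  Added example, not GE's own tooling; the inventory is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

IDLE_LIMIT = timedelta(days=90)   # 3.8.1.6: not accessed in the prior 90 calendar days


@dataclass
class Account:
    user_id: str
    owner: Optional[str]          # individual answerable for the account (3.8.1.2)
    sponsor: Optional[str]        # GE employee named in the profile (3.8.2.2)
    created: date
    last_access: Optional[date]   # None: never logged in
    valid: bool = True            # False: worker has left or the account is otherwise invalid
    enabled: bool = True


def reconcile(accounts: list[Account], today: date) -> dict[str, str]:
    """Map each user ID to 'remove', 'disable' or 'keep' per 3.8.1.6.

    Ownership is tested first: an unowned account is removed outright,
    whatever its activity.  A never-used account counts as idle from its
    creation date (assumption), so a fresh account is not swept up before
    the 90-day window has passed.
    """
    actions = {}
    for a in accounts:
        if not a.owner:
            actions[a.user_id] = "remove"
            continue
        idle_since = a.last_access or a.created
        if (not a.sponsor) or (not a.valid) or (today - idle_since > IDLE_LIMIT):
            actions[a.user_id] = "disable"
        else:
            actions[a.user_id] = "keep"
    return actions


def may_reenable(account: Account) -> bool:
    """3.8.2.5: a disabled account stays disabled until a GE employee sponsors it."""
    return (not account.enabled) and bool(account.sponsor)


# Constructed inventory, reviewed as of an assumed quarter-end date.
TODAY = date(2007, 3, 31)
INVENTORY = [
    Account("alice", "alice", "ge.sponsor1", date(2006, 6, 1), date(2007, 3, 20)),
    Account("bob", "bob", "ge.sponsor1", date(2006, 6, 1), date(2006, 11, 1)),     # idle > 90 days
    Account("svc_build", None, "ge.sponsor2", date(2006, 9, 1), date(2007, 3, 30)),  # nobody owns it
    Account("carol", "carol", None, date(2006, 9, 1), date(2007, 3, 25)),           # no GE sponsor
    Account("dave", "dave", "ge.sponsor2", date(2007, 3, 26), None),                 # new, never used
    Account("erin", "erin", "ge.sponsor2", date(2006, 6, 1), date(2007, 3, 28), valid=False),
]

if __name__ == "__main__":
    for user_id, action in reconcile(INVENTORY, TODAY).items():
        print(f"{user_id:10} {action}")
```

The check is deliberately ordered: removal for missing ownership comes before the disable conditions, so a service account nobody will answer for cannot survive merely because it is busy, which is the case an attacker-planted or orphaned automation account falls into.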
3.10.3.1 A secure process should be in place for distributing first-time passwords. A first-time password should be unique, randomly generated, not publicly available, and usable only once.
3.10.3.2 The system should force a password change upon a user's first login. The permanently selected password may not be the same as the first-time password.
3.10.3.3 An account lockout should be in place whereby the user's account is locked after a certain number of unsuccessful attempts.
3.10.3.4 A user may reset or reactivate their password by answering a challenge/response or by requesting that a new one-time password be sent to the user's e-mail address. The username should not be present in this e-mail.
3.10.3.5 Auditing and logging procedures should be in place for all account access.
3.10.3.6 A process should be in place for account disablement. The Third Party should have a process to immediately disable an account in an emergency (within 10 minutes) as well as a process for normal account retirement.
3.10.3.7 Password aging should be in place for all accounts, with password changes forced at least yearly. Any system that houses HIPAA-regulated data should meet HIPAA standards for password aging.
3.10.3.8 After the third set of failed login attempts, the account should be permanently disabled, and the user should contact the customer service/help desk to re-establish the account.
3.10.3.9 Administrative accounts should be automatically disabled when an administrator no longer requires access to systems or applications or terminates employment with the Third Party.
3.10.3.10 The Third Party should perform administrative account audits at least quarterly. Audits should identify and disable accounts that are not actively administering the system or that no longer require access to the systems or networks.
3.10.3.11 At GE's request, the Third Party should provide an inventory, for each application or system that accesses GE data, of all application roles, a description of each role, and how many active users are assigned to each role.
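Worked example (added here; not part of the GE policy and not a GE tool): the lockout rules of 3.10.3.3 and 3.10.3.8 as a per-account state machine. The policy leaves the failure count and the lock duration to the Third Party, so the values below are assumptions made for the example: five failures lock the account for 30 minutes, and the third such lockout disables the account until the help desk re-establishes it. The class and method names are the example's own.

```python
"""Account lockout per 3.10.3.3 (temporary lock after N failures) and
3.10.3.8 (permanent disable after the third set).  Added example, not
GE's own code; thresholds are assumptions."""
from __future__ import annotations

from datetime import datetime, timedelta
from typing import Optional

MAX_FAILURES = 5                          # assumption: failures that complete one "set"
LOCK_DURATION = timedelta(minutes=30)     # assumption: length of a temporary lock
MAX_LOCKOUTS = 3                          # 3.10.3.8: the third set is terminal


class LoginGuard:
    """Tracks one account's failed-login state."""

    def __init__(self) -> None:
        self.failures = 0                 # failures in the current set
        self.lockouts = 0                 # completed sets since the last help-desk reset
        self.locked_until: Optional[datetime] = None
        self.disabled = False

    def attempt(self, password_ok: bool, now: datetime) -> str:
        """Record one login attempt; return 'ok', 'denied', 'locked' or 'disabled'."""
        if self.disabled:
            return "disabled"              # only helpdesk_reset() clears this
        if self.locked_until is not None:
            if now < self.locked_until:
                return "locked"            # refused even if the password is right; not counted
            self.locked_until = None       # lock expired; the next set starts at zero
        if password_ok:
            self.failures = 0              # success ends the current set
            return "ok"
        self.failures += 1
        if self.failures < MAX_FAILURES:
            return "denied"
        # The set is complete: escalate to the next lockout stage.
        self.failures = 0
        self.lockouts += 1
        if self.lockouts >= MAX_LOCKOUTS:
            self.disabled = True
            return "disabled"
        self.locked_until = now + LOCK_DURATION
        return "locked"

    def helpdesk_reset(self) -> None:
        """3.10.3.8: re-establishing a disabled account is a help-desk action."""
        self.failures = 0
        self.lockouts = 0
        self.locked_until = None
        self.disabled = False


if __name__ == "__main__":
    guard = LoginGuard()
    t = datetime(2007, 1, 4, 9, 0)
    for i in range(16):                    # three sets of five bad passwords, then one good one
        result = guard.attempt(password_ok=(i == 15), now=t + timedelta(minutes=31 * (i // 5), seconds=i))
        print(f"attempt {i + 1:2d}: {result}")
```

Two design points worth noting. The lockout counter is cleared only by the help desk, not by a later successful login, so three separate bursts of failures spread over time still reach the permanent disable; a deployment that finds this too strict can age out old lockouts, but should record the decision. And because a locked account refuses even the correct password, an attacker who knows user IDs can lock legitimate users out at will, which is why the lock should be logged under 3.10.3.5 and the source addresses of the failures kept for investigation.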
4.2.1.2 The VPN termination point allows IPSec main-mode connections from a fixed list of GE VPN hubs. IPSec aggressive mode is not allowed (it exposes the peer identity and the pre-shared-key authentication hash to an observer, enabling offline dictionary attacks on the key). The VPN may optionally terminate on either the screening device or the firewall device.
4.2.1.3 GE manages the network device endpoints. This is required for both security and operational reasons. GE Global Infrastructure Services (GIS) requires out-of-band connectivity to the remote endpoint for debugging purposes.
4.2.1.4 Periodic audit should include external scans of the Internet-reachable devices used to build the VPN tunnel.
4.2.1.5 No unencrypted sensitive GE traffic may transit the Internet. If sensitive email attachments must cross the Internet without file-level encryption, GE supports SMTP TLS transport encryption.
[Figure: All access from the Basic Third Party Segment to other networks not managed by GE (elements: User, Server, GE Network)]
[Figure: All access from the Trusted Third Party Segment to other networks managed by GE (elements: User, Server, GE Network)]
The Trusted Third Party should scan its network and systems at least weekly using the supplied GE Security Metrics ISS scanner policies, or an equivalent tool and updated process agreed upon with the GE Information Security Leader. All machines with vulnerabilities should at a minimum be updated with patches assessed by GE as trackable within the 7/30-day patch cycle. Security metrics for systems on the network should be reported monthly to the GE Information Security Leader.
4.5.8 Network ownership for reporting and incident response should be assigned to the sponsoring GE business in the GE Subnet Inventory. The GE Suspect List should be regularly monitored by the Trusted Third Party, and suspects investigated and closed within a 48-hour timeframe.
4.5.9 Remote access is only allowed through the GE VPN hub infrastructure with two-factor authentication. The Third Party network site-to-site hub should not be configured to support client access.
4.5.10 Modem access (dial-up or ISDN) to the Trusted Third Party network is prohibited, except for GE out-of-band management access to critical systems in conformance with GE guidelines.
4.5.10.1 The modem should be set to silent answer, callback, or authentication in addition to remote device authentication, with failure-delay settings, and placed in a physically locked area.
5 Appendix
5.1 Appendix A: GE Data Classification Standard
Revision history
2006/07/19  CIS/GIS Corporate Approved Third Party Guideline, not yet ratified by GE Security Council.
2006/11/15  GE Commercial Finance changes with GE Security Council approval; merged GE Supplier Security Checklist with Trusted Third Party; scope timeline and GE TSG updates.
2006/12/18  Updates from Corporate Sourcing and GDC reviews.
2007/01/04  Finalized effective date to September 15, 2007.
2007/07/10  Updated embedded AUG document to the new Acceptable Use of GE Information Resources document and updated references to use the new document name.