
INFORMATION SECURITY GUIDELINES FOR SUPPLIERS

Review No: 0

Date: 04-04-2019

Page: 1 of 21

COMPANY: GRUPO ANTOLIN

I-P114-F Level - 0 04 / 04 / 19 PUBLIC

GRUPO ANTOLIN

INFORMATION SECURITY GUIDELINES FOR

SUPPLIERS


INDEX

I. INTRODUCTION
1. TARGET AND DEFINITIONS
2. SCOPE
3. THIRD PARTIES AND SUPPLIER’S SUBCONTRACTORS

II. ORGANIZATIONAL SECURITY
4. INFORMATION SECURITY MANAGEMENT SYSTEM
5. ROLES AND RESPONSIBILITIES

III. ASSET MANAGEMENT AND INFORMATION CLASSIFICATION
6. ASSETS MANAGEMENT
7. INFORMATION CLASSIFICATION
8. RETURNING AND DELETING INFORMATION
9. INFORMATION SECURITY INCIDENTS MANAGEMENT
10. BUSINESS CONTINUITY MANAGEMENT FROM AN INFORMATION SECURITY POINT OF VIEW
11. COMPLIANCE

IV. HUMAN RESOURCES SECURITY
12. ADEQUATE PROFILES
13. CONFIDENTIALITY
14. TRAINING AND AWARENESS

V. PHYSICAL SECURITY
15. ZONING CONCEPT – AREAS DEFINITION
16. AREAS SEPARATION
17. ACCESS CONTROL
18. BUILDING PERIMETER AND FENCE
19. FIRE PROTECTION AND EXTINCTION
20. SPECIFIC MEASURES FOR SERVER ROOM
21. GLOBAL ALARM
22. VISITORS AND UNAUTHORIZED PERSONNEL IN RESTRICTED ZONES
23. VIDEO AND PHOTOGRAPHY

VI. IT SECURITY
24. ACCESS CONTROL
25. ENCRYPTION


26. DISPOSAL OF DATA MEDIA
27. WORKING OFF-PREMISES
28. BRING YOUR OWN DEVICE
29. EXCHANGE OF INFORMATION
30. IT OPERATIONS
31. COMMUNICATIONS SECURITY
32. CLOUD

VII. PROTOTYPES HANDLING

VIII. ANNEXES
ANNEX 1 – DAMAGE CAUSED TO THE COMPANY
ANNEX 2 – ALLOWED USES FOR GRUPO ANTOLIN’S INFORMATION


I. INTRODUCTION

1. TARGET AND DEFINITIONS

Grupo Antolin is aware of the importance of information and works to preserve its confidentiality, integrity and availability, both for its own information and for information received from other parties.

The purpose of this document is to protect the information sent to or shared with Grupo Antolin’s Suppliers.

“Grupo Antolin” refers to all subsidiary companies belonging to Grupo Antolin.

“Supplier” means the provider supplying goods or services, including the Supplier’s employees and the Supplier’s subcontractors. If information is shared with subcontractors, the same security measures and requirements must be applied to those subcontractors, and the Grupo Antolin Supplier is responsible for ensuring this.

“Third parties” means any party other than the Supplier and Grupo Antolin.

2. SCOPE

This document applies to all Grupo Antolin Suppliers handling Grupo Antolin’s information or using information technology resources on behalf of Grupo Antolin.

Grupo Antolin’s information includes any kind of information supplied by Grupo Antolin, whether owned by Grupo Antolin or by third parties. Information created by the Supplier from Grupo Antolin’s information is also covered by these guidelines.

Some of the measures apply only depending on the kind of information handled by the Supplier. For example:

- Prototypes handling: if the Supplier does not handle prototypes, it does not need to apply that part of the Guidelines.

- Server Room: if the Supplier has no Server Room involved in the services supplied to Grupo Antolin, the specific measures for Server Rooms are not applicable.

All applicable measures are mandatory. If any mandatory measure required by this document is not implemented, the Supplier must report the situation to Grupo Antolin and explain why (for example, a risk analysis has been performed and the measure was judged unnecessary, with the reasoning).

When Grupo Antolin’s liaison for the Supplier forwards other requirements defined by Grupo Antolin’s Customers or by other interested parties of Grupo Antolin, the Supplier must comply with those requirements as well.

Grupo Antolin reserves the right to audit the Supplier whenever it considers this necessary. The Supplier must be able to demonstrate that all security controls required in this document are effective and auditable.

For any communication regarding information security (questions, suggestions, events, complaints or any other report), the Supplier can contact Grupo Antolin at [email protected]


3. THIRD PARTIES AND SUPPLIER’S SUBCONTRACTORS

When a Supplier needs to send or share information owned by Grupo Antolin with third parties, it must obtain permission from its Grupo Antolin business liaison before doing so.

When a Grupo Antolin Supplier sends or shares information with third parties, the scope of this document is extended: the Supplier must impose on those third parties the same requirements set out in this document.

In any case, an initial risk assessment must be performed for every Supplier’s subcontractor or third party accessing Grupo Antolin’s information, to avoid future security breaches affecting that information. Two requirements checked during this risk assessment are mandatory: acceptance of a Non-Disclosure Agreement and compliance with the Security Measures.

As part of the risk assessment, and for as long as the collaboration with the third parties and/or subcontractors lasts, their performance and their compliance with these requirements must be verified regularly.


II. ORGANIZATIONAL SECURITY

4. INFORMATION SECURITY MANAGEMENT SYSTEM

The Supplier must have a documented Information Security framework, supported by the Supplier’s management body.

The Supplier must have a risk management process ensuring that all risks to Grupo Antolin’s information are identified and treated according to their risk level, for every project involving the handling of Grupo Antolin’s information and covering every department involved (Engineering, IT, etc.).

The security controls defined to protect the information must be effective.

5. ROLES AND RESPONSIBILITIES

The Supplier must designate a person responsible for Information Security Management and report the contact e-mail address for this position to Grupo Antolin. This position must also be communicated to the Supplier’s employees.

As part of the information security management system, all positions with relevant duties for preserving information security must be defined and communicated to the Supplier’s employees as needed.


III. ASSET MANAGEMENT AND INFORMATION CLASSIFICATION

6. ASSETS MANAGEMENT

All assets involved in handling the information must be identified to support the risk management process, so that no important asset whose compromise could lead to a security breach is overlooked.

The identified assets, together with the dependencies between them, must be inventoried so that each asset can be evaluated properly according to its impact on information security.

7. INFORMATION CLASSIFICATION

Grupo Antolin’s information handled by the Supplier must be classified according to Grupo Antolin’s criteria. This classification is required for an adequate risk assessment, which in turn defines the set of security measures to apply to the information depending on its classification, always respecting the uses allowed by Grupo Antolin.

Classification is done from three points of view: confidentiality, integrity and availability. For each of them, Grupo Antolin defines four classes based on the damage the Company can suffer if information security is violated (the damage levels are defined in Annex 1).

Confidentiality.

Information must be accessible only to those persons authorized to access it (“need to know” principle).

- Public: no restrictions, apart from those defined by the Marketing and Communication department.

- Internal: for internal use; must not be distributed to people outside its scope. Loss of confidentiality should not cause more than minor damage.

- Confidential: accessible to a limited group of people who need the information to perform their work. Loss of confidentiality can cause serious damage.

- Secret: accessible to a very limited and strictly defined group of people, under strong security measures. Loss of confidentiality can cause severe damage.

Integrity.

Information must be complete and error-free, protected against unauthorized modification.

- Low: an integrity violation should not cause business damage.

- Medium: an integrity violation should not cause more than minor damage.

- High: an integrity violation could cause serious damage to the Company.

- Very high: an integrity violation could cause severe damage to the Company.


Availability.

Information must be available for use according to the agreed requirements. The availability class is read from the table below: the row is the damage caused once the tolerated downtime is exceeded, the column is the unavailability time the information owner tolerates.

Damage or impact caused      Unavailability time tolerated by information owner
beyond tolerated downtime    1 hour      4 hours     24 hours    3 days      > 3 days
Severe                       very high   very high   very high   high        high
Serious                      very high   high        high        medium      medium
Minor                        high        high        medium      low         low
No damage                    low         low         low         low         low

Suppliers must map the classification of the Grupo Antolin information they handle to the classification provided by Grupo Antolin. If Grupo Antolin has not defined that classification, the Supplier must ask its Grupo Antolin business liaison for it.

In any case, if the classification is unclear, Grupo Antolin’s information must be treated as Confidential and handled according to that class.

The information owner at the Supplier is responsible for classifying and labelling the information.

Annex 2 contains a table with the allowed uses for the information depending on its confidentiality classification, including the labelling rules. The Supplier must respect these usages.

Grupo Antolin’s information must be kept separate from the information of third parties (for example by applying rights management), and especially from data belonging to other customers of the Supplier.

8. RETURNING AND DELETING INFORMATION

At the end of the contract, or whenever Grupo Antolin requires it, the information must be properly returned or deleted from the Supplier’s devices and storage media.

Retention periods agreed with Grupo Antolin or required by law must be respected.

9. INFORMATION SECURITY INCIDENTS MANAGEMENT

Any information security event concerning Grupo Antolin’s information must be reported to Grupo Antolin.

Any suspected loss of confidentiality of Confidential or Secret information must be reported to Grupo Antolin with the e-mail marked as “high priority”.

The Supplier must collect and properly handle every information security event or incident in order to protect Grupo Antolin’s information.


10. BUSINESS CONTINUITY MANAGEMENT FROM AN INFORMATION SECURITY POINT OF VIEW

A Business Continuity Plan must be in place to ensure the service level agreed with Grupo Antolin from an information security point of view, considering especially availability and integrity.

11. COMPLIANCE

Legal regulations applicable to the Supplier must be observed: intellectual property rights, personal data protection and any other regulation applying to information.

Contractual requirements must be observed as well, implementing the security measures needed to meet Grupo Antolin’s requirements.


IV. HUMAN RESOURCES SECURITY

12. ADEQUATE PROFILES

People selected for each position must have a profile adequate to perform their activities without degrading the effectiveness of the information security controls.

For positions where a high risk to information security is identified, Human Resources must consider those risks and take the measures needed to prevent damage to, or leakage of, information.

13. CONFIDENTIALITY

Every Supplier employee with access to Grupo Antolin’s information must sign an internal confidentiality agreement covering at least the same points as the confidentiality agreement that Grupo Antolin requires from the Supplier.

This confidentiality agreement must protect the secrecy of the information even after the employee leaves the company, by default for a further 5 years, unless applicable laws and regulations require a different period.

14. TRAINING AND AWARENESS

The Supplier’s employees must be trained and informed about their obligations and responsibilities to protect the information. Attendance at this training, and acceptance of the obligations explained in it, must be recorded for every employee and is a prerequisite for being granted access to Grupo Antolin’s information.

An awareness and refresher training programme must be in place to ensure that staff remain aware of the relevance of information security.


V. PHYSICAL SECURITY

15. ZONING CONCEPT – AREAS DEFINITION

The Supplier must identify and classify the different zones in its buildings according to the information located in each zone and the associated risks.

From the point of view of the Grupo Antolin information located in each zone, and bearing in mind the damage that Grupo Antolin can suffer (according to Annex 1), the zones are defined as follows:

- Class 1 Restricted Zones (red zones): a violation of information security (confidentiality, integrity or availability) can cause severe damage.

- Class 2 Restricted Zones (yellow zones): a violation of information security (confidentiality, integrity or availability) can cause serious damage.

- Internal Zones (green zones): a violation of information security should not cause more than minor damage.

- Public Zones (white zones): normally there is no information in these areas, or a violation affecting the information located there cannot cause any damage.

16. AREAS SEPARATION

The different types of area (red, yellow, green and white) must be physically separated by walls or similar measures, depending on the risk assessment, preventing free access at least to yellow and red zones.

Red zones must not be directly accessible from white or green zones, unless this is justified and mitigating security measures are in place to prevent unauthorized access.

Confidential and Secret content must not be visible from outside. The measures applied may be organizational (for example, where the information is placed) or physical (for example, windows or glass doors fitted with anti-spy film, screens, etc.). This requirement also applies while windows and doors are open for entrance, exit or other reasons.

Surveillance cameras or similar devices must not capture images (video or photo) of any Confidential or Secret information. Such cameras may be positioned to support surveillance, but without causing confidentiality breaches.

Restricted areas must never be used as a passage to other areas: that would force access to be granted to people who do not need to enter these confidential or critical zones.

The logistics zone, where courier companies normally come to make deliveries or collect shipments, must be separated from red and yellow zones, with no direct line of sight to Confidential or Secret information. If separation is not possible, confidentiality must be maintained through other security measures, and courier staff must be escorted at all times.

For confidential shipments and deliveries, while confidential parts are in the logistics area waiting to be collected by the recipient (during a delivery) or by the courier company (during a shipment), they must be protected from theft, damage or confidentiality violation. A locked room with restricted access is recommended.


Rooms where IT equipment (servers, storage arrays, PCs, etc.) hosts or processes Confidential or Secret information are considered restricted zones and must be treated according to that class.

Networking equipment must be considered as well, because it is a point of access to the internal network and its compromise could cause a loss of availability; it must be located in a locked room or at least in a locked rack.

17. ACCESS CONTROL

Every restricted zone must be locked, and access must be restricted, controlled and, where needed, recorded through ID card readers or similar devices so that it can be monitored.

Access to restricted areas must be limited to the people who need to access the information inside, no more and no fewer (i.e. the “need to know” principle).

An access rights management process must be in place, covering registration, granting, modification and removal on role or position changes and on departure. An inventory of the accesses granted must exist, and regular reviews must be carried out to ensure error-free management.

The following additional security measures must be implemented, unless alternative security measures are in place or the risk assessment justifies that they are not needed:

- Two-factor authentication to enter Class 1 restricted zones is recommended, and is mandatory for a Server Room hosting Secret information.

- An intrusion detection system for restricted areas is recommended, monitored and connected to a global alarm system according to the risk analysis.

- Surveillance cameras monitoring and recording passage areas inside the building are recommended, to support and improve security patrols, according to the risk analysis and always respecting confidentiality.

18. BUILDING PERIMETER AND FENCE

According to the risk assessment, the following measures must be considered and implemented. They may be omitted only where a reasonable justification exists:

- A solid fence around the building, with access restricted and controlled for both vehicles and pedestrians.

- A solid outer skin for the building, preventing easy entry.

- Perimeter monitored by video surveillance.

- Intrusion detection and monitoring for the perimeter or for the entrances to relevant areas.

- A security guard booth or reception area, controlling access and properly registering visits.

- Exterior doors and windows kept locked (or at least under surveillance when open, as may happen at the reception entrance), so that they can be opened only from inside the building, or from outside by ID card reader, remote control, key or similar.


19. FIRE PROTECTION AND EXTINCTION

Fire detection must be implemented for the whole building and connected to the global alarm system.

Fire extinguishing means must be installed:

- At least manual extinguishers.

- An automatic extinguishing system (water sprinklers or similar) is recommended.

20. SPECIFIC MEASURES FOR SERVER ROOM

Air conditioning is recommended (not located above any IT equipment, to avoid water dripping onto it) to prevent IT equipment outages or malfunctions (a redundant unit if possible, for high availability).

Flood protection is a must: the Server Room should be located on an upper floor if possible, or at least on a sufficiently raised floor if it is on the ground floor.

Fire detection and extinction as stated in the “Fire protection and extinction” section.

Temperature and humidity monitoring must be installed and watched at least during working hours; 24x7x365 monitoring is recommended.

Power loss prevention must be implemented:

- At least a UPS for the critical equipment in the Server Room.

- A power generator or similar, in addition to the UPS, is recommended.

21. GLOBAL ALARM

All monitored systems where a risk to Grupo Antolin’s information exists must be connected to a global alarm monitored 24x7x365.

This global alarm must have a predefined response depending on the detected situation, with a response time appropriate to the impact (for example, Class 1 restricted zones need a shorter response time than Class 2 restricted zones).

22. VISITORS AND UNAUTHORIZED PERSONNEL IN RESTRICTED ZONES

Visitors in general.

All visitors must be registered at the entrance, keeping a record of entry and departure times (under local personal data regulations, these records should be deleted after a set period). Visitors must be identified and escorted, avoiding risks to Grupo Antolin’s information. An information security policy for visitors must be in place: visitors must be informed of the rules and policies, accept a confidentiality agreement and respect them.


Visitors in restricted zones.

When, for business reasons, visitors must enter restricted zones where Grupo Antolin’s information is located, that information must be properly protected. A policy or instruction must exist for these cases.

Service staff.

Service staff need to access protected rooms for maintenance activities, but this kind of access must be considered in the risk assessment to avoid confidentiality problems. Security measures must be applied to protect the information properly.

Security staff.

If security staff need to access restricted areas where Grupo Antolin’s information is located (for example, outside working hours to verify a possible security event), that access must be controlled and recorded (for example, the keys to these zones can be kept in a sealed envelope that security staff must break open when needed, reporting the situation to the facilities manager and/or the information security responsible).

23. VIDEO AND PHOTOGRAPHY

A rule on how to handle video and photography must be in place, protecting Grupo Antolin’s Confidential and Secret information from unauthorized captures and from mishandling of the captured material.


VI. IT SECURITY

The security controls defined here apply to Suppliers handling Grupo Antolin’s information in electronic format through information technology resources.

24. ACCESS CONTROL

Access control and rights assignment must be restricted and controlled.

When assigning credentials, the following rules, among others, must be observed:

- User credentials are personal; nobody may use the ID or account assigned to another person.

- Common accounts shared by more than one person must not be used in general, only in justified cases where there is no other solution and there is no risk to the information.

- Temporary passwords or PINs must be changed at the first log-on.

- Passwords or PINs must be protected against disclosure and must never be shared.

- Whenever a password or PIN is suspected of being compromised, it must be changed immediately.

- Passwords or PINs must be changed at first use and regularly thereafter, at least every 90 days.

- User accounts must be locked after a reasonably defined number of failed log-on attempts.

- Accounts not used for more than 6 months must be locked.

An access assignation process must be defined and in place ensuring:

- Registration.

- Rights grant and modification, approved by information owner.

- Removal on role/position changes and departures.

Regular reviews must be done to correct the lack of efficiency in the process for permissions removal and

changes.

Privileged access rights must be specially treated, increasing the security measures as needed (i.e. regular

monitoring for administrator activities, with higher review frequency than standard accounts).

Secret authentication must be properly managed, including creation and distribution to the users.

Authentication.

Authentication measures to access information must be established according to the information classification, as defined in annex number 2.

- Weak authentication: only a password is required for log-on. The password must be secure enough:

  o At least 10 characters.

  o At least 3 of the 4 groups listed here: lower case letters, upper case letters, numbers and special characters.

  o Do not use trivial combinations, like typical passwords (“Test123456”) or personal environment information (name, birth date, etc.).

  o Do not use identical passwords for accessing Grupo Antolin systems and repositories and for accessing other systems provided by third parties.

- Strong authentication: in this case two-factor authentication (2FA) is required. This means that 2 of the following 3 factors must be supplied for log-on:

  o Knowledge factors, e.g. a password or a PIN.

  o Possession factors, e.g. an ID card or a PIN supplied by a token or a smartphone.

  o Inherence factors (biometrics), e.g. fingerprint, face, voice.

For remote access to the network where Grupo Antolin’s information is located, strong authentication is a requirement.
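The credential rules of section 24 and the weak-authentication password rules above are concrete enough to be checked mechanically. The following is an added example of such a check, written for this edit and not Grupo Antolin’s own code: the 10-character minimum, the 3-of-4 character groups, the 90-day age and the 6-month inactivity rule are taken from the guideline; the lockout threshold of 5 attempts, the 183-day reading of "6 months", the denylist of trivial passwords and the function names are assumptions made for the example.

```python
"""Credential checks implementing the access-control rules of section 24.

Added example, not Grupo Antolin's own code. Thresholds marked as assumptions
are not fixed by the guideline; the others are taken from it.
"""
import re
from datetime import date, timedelta

MIN_LENGTH = 10                        # "at least 10 characters"
MIN_CHARACTER_GROUPS = 3               # "at least 3 of the 4 groups"
MAX_PASSWORD_AGE = timedelta(days=90)  # "at least every 90 days"
MAX_INACTIVITY = timedelta(days=183)   # "more than 6 months"; 183 days is an assumption
MAX_FAILED_LOGONS = 5                  # "reasonably defined number"; 5 is an assumption

# Constructed denylist of trivial passwords; a real one would hold many thousands.
TRIVIAL_PASSWORDS = {"test123456", "password123", "welcome2019", "qwerty12345"}

CHARACTER_GROUPS = {
    "lower case": re.compile(r"[a-z]"),
    "upper case": re.compile(r"[A-Z]"),
    "numbers": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def check_password(password, personal_info=()):
    """Return the list of violated rules; an empty list means the password is acceptable.

    personal_info holds strings such as the user's name or birth year that must
    not appear inside the password (supplied by the caller; constructed here).
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    groups = sum(1 for rx in CHARACTER_GROUPS.values() if rx.search(password))
    if groups < MIN_CHARACTER_GROUPS:
        problems.append(f"uses {groups} of 4 character groups, need {MIN_CHARACTER_GROUPS}")
    lowered = password.lower()
    if lowered in TRIVIAL_PASSWORDS:
        problems.append("listed as a trivial password")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in lowered:
            problems.append(f"contains personal information '{item}'")
    return problems


def account_actions(today, last_logon, password_set, failed_logons, temporary_password):
    """Return the set of actions the account-control rules require for one account today."""
    actions = set()
    if temporary_password or today - password_set > MAX_PASSWORD_AGE:
        actions.add("force password change")   # first log-on, or password older than 90 days
    if today - last_logon > MAX_INACTIVITY:
        actions.add("lock: inactive")          # unused for more than 6 months
    if failed_logons >= MAX_FAILED_LOGONS:
        actions.add("lock: failed log-ons")    # too many wrong log-on attempts
    return actions


if __name__ == "__main__":
    # "Test123456" meets the length and group rules yet is the guideline's own example of a trivial password.
    print(check_password("Test123456"))
    print(check_password("Ana1985!!", ["Ana", "1985"]))   # constructed: short and built from personal data
    print(account_actions(date(2019, 4, 4), date(2018, 9, 1), date(2019, 1, 1), 2, False))
```

Note that the guideline's own example "Test123456" passes the length and character-group rules and is rejected only by the denylist, which is why the trivial-password rule needs its own check and cannot be derived from the complexity rules.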

25. ENCRYPTION

Local storage at the office (network repositories or any other kind of electronic storage) containing Grupo Antolin’s information classified as secret must be encrypted, unless other security measures with the same protection level are in place. For information classified as confidential, encryption is recommended.

For remote access, traffic involving confidential or secret information must always be secured and encrypted.

Mobile devices (smartphones, laptops, etc.) and removable data media (hard disks, DVDs, tapes, memory sticks, etc.) likely to be used off-premises and/or easily stolen, and containing confidential and/or secret information, must always be encrypted.

In general, when a high risk for confidential or secret information is detected during the risk assessment, the data must be encrypted.

26. DISPOSAL OF DATA MEDIA

Disposal of data media with confidential or secret information must be done ensuring the information can’t be read. In this sense, the guidelines shown in annex number 2 must be respected.

27. WORKING OFF-PREMISES

When working off-premises is allowed, a policy must be in place regulating this activity and ensuring, according to a proper risk assessment, that risks for Grupo Antolin’s information are properly treated, in particular:

- Supplier’s employees know the working off-premises policy and accept to comply with it.

- Only IT devices complying with Supplier’s regulations must be used to manage Grupo Antolin’s information, and those devices must be used only for professional purposes.

- Special care is taken to avoid credentials being stolen.

- All data media and devices storing Grupo Antolin’s information or enabling access to Grupo Antolin’s information must be under personal surveillance to avoid their being stolen. These devices must be properly encrypted as explained in the “Encryption” chapter of this document.

- Original information must remain in protected repositories at Supplier’s premises; only in case of need will temporary copies be taken out of those premises.

- Information must be protected from eavesdropping and viewing.

- Special care must be taken when documents are printed, avoiding printing Grupo Antolin’s confidential and secret information if possible.

- When travelling abroad, country-specific regulations must be observed, avoiding risks for Grupo Antolin’s information (e.g. regulations on encryption).

28. BRING YOUR OWN DEVICE

A policy about the possibility for employees to bring their own device to access information must be in place. In this regard, security measures must be applied regardless of whether the devices are personal or corporate.

29. EXCHANGE OF INFORMATION

Data exchanged through electronic means must be exchanged through the following tools:

- Confidential information:

  o DAXS.

  o E-mail: confidential content must be encrypted with a secure method (AES256 or similar).

  o Other means specifically indicated by Grupo Antolin.

- Secret information:

  o DAXS.

  o Other means specifically indicated by Grupo Antolin.

Confidential or secret information shared through phone calls, video or web conferences, etc. must be protected against spying, eavesdropping or unintentional disclosure.

For transport of IT devices, confidentiality must be protected, encrypting confidential and secret data and respecting the guidelines detailed in annex number 2.

The authenticity of data/information recipients must be ensured before starting the exchange or sharing process.

30. IT OPERATIONS

IT Changes.

Supplier must approve, schedule, test and validate any change, avoiding impact on the services supplied to Grupo Antolin and on the CIA security principles (confidentiality, integrity and availability).

Development, test and production environments must be properly separated to avoid outages or any other impact on Grupo Antolin’s information security.

In the same manner, acquisition, development and maintenance processes for IT systems must be planned to avoid impact on the CIA information security principles for Grupo Antolin assets.

Backup.

Supplier must define and deploy a backup policy ensuring business continuity and the retention periods agreed with Grupo Antolin. Together with this requirement, the need to keep information stored in repositories where backup is applied must be considered.

The backup process must be monitored to guarantee successful operation, testing and verifying the restoration process.

Protection against malware.

Supplier must deploy systems preventing infections that could damage Grupo Antolin’s information or that could be forwarded to Grupo Antolin or other interested parties.

Logging and monitoring.

User, system and administrator activities must be properly logged and monitored, to detect events and treat them so as to avoid the impact of the associated incidents.

These logs must be regularly reviewed, especially for IT administrators’ activity.
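The review required here can be illustrated against the lockout rule of section 24 and the emphasis on administrator activity. The following is an added example, not Grupo Antolin’s own tooling: the log format, the account names, the “admin-” prefix marking privileged accounts, the working-hours window and the lockout threshold of 5 are all assumptions made for the example, and the log lines are constructed.

```python
"""Review of a constructed log extract against the logging-and-monitoring rules.

Added example, not Grupo Antolin's own tooling. Log format, account names, the
'admin-' prefix for privileged accounts, the working-hours window and the
lockout threshold are assumptions made for this example.
"""
from collections import Counter
from datetime import datetime

# Constructed sample lines (not from any real system): ISO timestamp, account, event, result.
SAMPLE_LOG = """\
2019-04-03T08:15:02 alice LOGON OK
2019-04-03T08:16:40 bob LOGON FAIL
2019-04-03T08:16:55 bob LOGON FAIL
2019-04-03T08:17:10 bob LOGON FAIL
2019-04-03T08:17:30 bob LOGON FAIL
2019-04-03T08:17:45 bob LOGON FAIL
2019-04-03T09:02:11 admin-carol PRIVILEGE_USE OK
2019-04-03T23:41:09 admin-carol CONFIG_CHANGE OK
2019-04-03T23:42:50 admin-carol USER_CREATE OK
"""

LOCKOUT_THRESHOLD = 5          # "reasonably defined number" of wrong log-ons; assumption
WORKING_HOURS = range(7, 20)   # 07:00 to 19:59; assumption


def parse_log(text):
    """Split the extract into records; malformed lines are skipped rather than guessed at."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, user, event, result = parts
        records.append({"time": datetime.fromisoformat(ts), "user": user,
                        "event": event, "result": result})
    return records


def failed_logon_offenders(records, threshold=LOCKOUT_THRESHOLD):
    """Accounts whose failed log-ons reached the lockout threshold (they should already be locked)."""
    fails = Counter(r["user"] for r in records
                    if r["event"] == "LOGON" and r["result"] == "FAIL")
    return sorted(user for user, n in fails.items() if n >= threshold)


def out_of_hours_admin_events(records, hours=WORKING_HOURS):
    """Privileged-account activity outside working hours, to be reviewed first."""
    return [(r["user"], r["event"], r["time"].isoformat())
            for r in records
            if r["user"].startswith("admin-") and r["time"].hour not in hours]


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("accounts at lockout threshold:", failed_logon_offenders(records))
    for user, event, when in out_of_hours_admin_events(records):
        print("out-of-hours admin event:", user, event, when)
```

The two reports correspond to the two review priorities the guideline names: accounts that reached the lockout threshold confirm the lockout control is working (or reveal that it is not), and privileged activity outside working hours is the slice of administrator activity that deserves the higher review frequency.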

Vulnerability management.

IT systems must be properly patched, avoiding vulnerabilities that could enable or ease an attack by existing threats.

31. COMMUNICATIONS SECURITY

Internal networks must be protected by firewalls, preventing external attacks from affecting the security of Grupo Antolin’s information. As part of this protection, intrusion prevention and intrusion detection systems should be implemented.

Network segmentation to separate Grupo Antolin information from other environments is a requirement.

Exchange systems must have authentication, transport encryption and access control measures.

32. CLOUD

If cloud services are in use for storing Grupo Antolin’s information, these services must be reported beforehand to Grupo Antolin’s liaison for approval.

VII. PROTOTYPES HANDLING

Physical measures are defined and implemented according to the classification of the prototypes, the measures listed in the “Physical Security” section of this document and the risk assessment done.

A policy or similar document must be in place explaining to employees how to handle prototypes. Compliance with this prototypes policy is mandatory and employees’ adherence to it must be demonstrable.

The prototypes policy must include, among others, how to handle the prototypes securely from the following points of view:

- How to camouflage prototypes, avoiding confidentiality events while working, during breaks, at the end of the day or while unauthorized persons enter restricted areas in a scheduled manner.

- How to manufacture prototypes, including protection when subcontractors or third parties are involved in the prototypes management cycle.

- How to pack and identify the packages containing prototypes before they are sent.

- How to store prototypes.

- How to move/transport prototypes internally.

- How to send and deliver prototypes.

- How to dispose of prototypes (for prototypes and for any other physical part containing Grupo Antolin’s confidential or secret information): they must be properly destroyed, ensuring confidentiality is kept throughout the complete process.

- How to manage tests and validations in a manner agreed with Grupo Antolin.

- How to act in situations not described and how to treat events and incidents.

VIII. ANNEXES

ANNEX 1 – DAMAGE CAUSED TO THE COMPANY

To classify information, Grupo Antolin defines the damage that the Company can suffer, distinguishing between the following 4 levels:

- No damage: an information security breach should not cause any damage to the Company.

- Minor damage: damage to the Company can appear, though its present or future business effect should be negligible or easily absorbed, not affecting any relevant objective.

- Serious damage: the Company would be affected seriously, either by a direct economic impact, by a potential impact on future business or by damage to the good image of the Company. There is no risk affecting the main Company objectives or the Company’s existence.

- Severe damage: unlike serious damage, in this case there is a risk for the main Company objectives and/or even for the Company’s existence.

ANNEX 2 – ALLOWED USES FOR GRUPO ANTOLIN’S INFORMATION

Allowed uses based on confidentiality classification (the table has one column per level: PUBLIC, INTERNAL, CONFIDENTIAL and SECRET; each row below lists the requirement for each level in that order).

LABELLING

- Public: Optional.

- Internal: Optional.

- Confidential: Confidentiality level in national language and in English on each page of the document.

- Secret: Confidentiality level in national language and in English on each page of the document. Additionally, pages must be numbered in the format “page x of y”.

DUPLICATION AND DISTRIBUTION

- Public: No restrictions.

- Internal: Only to an authorized group of employees, subcontractors and third parties according to the need-to-know principle.

- Confidential: Only to an authorized group of employees, subcontractors and third parties according to the need-to-know principle and with approval of the information owner.

- Secret: Only to an extremely limited and authorized group of employees, subcontractors and third parties according to the need-to-know principle and with approval of the information owner.

STORAGE

- Public: No restrictions.

- Internal: Protection against unauthorized access.

- Confidential: Only accessible to an authorized group of employees, subcontractors and third parties according to the need-to-know principle and with approval of the information owner (for electronic and physical formats).

- Secret: Only accessible to an extremely limited and authorized group of employees, subcontractors and third parties according to the need-to-know principle and with approval of the information owner (for electronic and physical formats).

DELETION

- Public: No restrictions.

- Internal: Data no longer needed must be deleted.

- Confidential: Data no longer needed must be deleted.

- Secret: Data no longer needed must be deleted.

DISPOSAL

- Public: No restrictions.

- Internal: Recommended through a shredder.

- Confidential: Destruction class 5 according to DIN 66399.

- Secret: Destruction class 5 according to DIN 66399.

AUTHENTICATION

- Public: No restrictions.

- Internal: Weak authentication.

- Confidential: Weak authentication.

- Secret: Weak authentication.

TRANSPORTATION

- Public: No restrictions.

- Internal: No restrictions.

- Confidential: Closed neutral envelope with inner envelope labelled as confidential.

- Secret: Closed neutral envelope with inner envelope labelled as secret, with delivery confirmation from the recipient.

If other requirements supplied by Supplier’s liaison at Grupo Antolin are more restrictive, they must be respected (for example, requirements defined by Grupo Antolin’s Customers when the information shared belongs to those Customers).