ISec Code of Conduct Information Security - Your responsibility! (Internal information)

Posted on 12-Jun-2020

Page 1: English ISec CoC - Scania Group… · ISec Code of Conduct Information Security Scania’s operations are dependent on information being available and handled in a correct and secure

ISec Code of Conduct

Information Security

Your responsibility!

Internal information


ISec Code of Conduct Information Security

Scania’s operations are dependent on information being available and handled in a correct and secure manner.

Errors in or unauthorised changes to information can seriously harm our service towards our customers. Disclosure of future products and solutions and interruptions of information processes can violate our objective to be the leading company in our business.

Everyone working with or using Scania’s information or IT- systems is responsible to know and follow Scania’s ISec Code of Conduct in order to protect our information.

Per Hallberg, Executive Vice President, Research and Development, Purchasing

What is Information security?

The purpose of information security is to prevent information from ending up in the wrong hands, to ensure that it is accessible when needed and that no unauthorised changes are made to it. Information can be printed, handwritten, digital or verbal.

Different types of information need to be handled and protected in different ways. While inadequate security may result in considerable risk, an excessive security level makes it difficult to handle the information and leads to unnecessary costs.

Information is regarded as confidential when a possible breach could have a negative impact on Scania. Statutes and agreements may also impact the protection of information, e.g. the protection of personal integrity.

Examples of confidential information include information that may affect the share price, aggregated accounting data, new products/design/research, tenders/agreements/price lists and prices, quality reports, sensitive personal data (customers and employees) and passwords. For a more complete list of types of confidential information, contact your immediate superior or your Information security coordinator.

ISec Code of Conduct is an extract of our most important rules. If you would like to learn more about information security at Scania, visit the Information security homepage on InLine/SAIL.

Scania’s Information security policy states:

As an Employee – you are personally responsible for protecting the information you handle against loss, falsification and/or misuse of any kind. You must observe and follow Scania Information Security (ISec) standards in your work and maintain a responsible attitude towards security on a day-to-day basis. You must report information security incidents and weaknesses immediately, be aware that Scania monitors information access, and that violation of the Information Security Policy may result in disciplinary action.

As a Business Manager – you must ensure compliance with Scania ISec standards and applicable legislation in your area of responsibility.

As a System Manager – you must ensure that IT systems for which you are responsible are set up and operated in compliance with Scania ISec standards and applicable legislation.

Read the whole policy on InLine/SAIL - Information Security at Scania.


ISec Code of Conduct

1. Non-disclosure

2. Confidentiality classification

3. Handling of information

4. Passwords and PINs

5. Internet and social networking

6. E-mail

7. New software and equipment

8. Protection of computers and networks

9. Physical access and photography

10. Security incidents

11. Audit and follow-up

1. Non-disclosure

Respect your contract of employment/agreement and make sure that you understand what non-disclosure means.

• Unwavering loyalty and mutual confidence between Scania and all employees.

• As an employee or consultant¹, you must not disclose anything of a confidential or secret nature concerning Scania’s business or other relationships.

• Employees and consultants¹ have a duty to comply with all Scania security rules.

¹) Non-Scania employee.


2. Confidentiality classification

• You classify and label your information based on the damage if the information is disclosed.

• Use Scania’s confidentiality classification: Public, Internal, Confidential, Secret.

• Mark your information with the appropriate classification.

• Handle the information according to the labelled confidentiality class.

[Extract from the Quick Guide - Confidentiality classification: Scania instruction, issue 2.2, info class Internal, approved by VK Fredrik Sjöblom 2010-06-01, issued by VK Marika Taavo]

Handling and protection | Internal | Confidential
Storing / filing: in office/desk | Ok | Locked storage area
Storing / filing: shared files | Ok | Access control, individual traceability
Storing / filing: laptop / other portable devices | Encrypted laptop / Ok | Encrypted
Storing / filing: outside Scania / non-Scania device | Approved by line manager | Approved by information owner; risk analysis shall be performed
Printing | Allowed on network printers | Allowed on local or network printers, if supervised / secure printing
Copying and passing it on | Allowed | Decided by information owner
Destruction | No requirements | Approved manner or device (for example shredding, burning, cutting, secure container)

Read the whole Quick Guide - Confidentiality Classification on InLine/SAIL - Information Security at Scania.

3. Handling of information

• Respect the laws relating to protection of information and regulations on personal privacy.

• It is forbidden to access information or systems for which you do not have authorisation.

• Lock your computer (Ctrl-Alt-Delete) whenever you are away from your computer.

• Confidential files on Scania’s network must be stored with access protection.

• Confidential information must never be sent via e-mail without Scania supplied encryption.

• Export and storage of confidential information outside of Scania’s network must be approved by the information owner.

• Ensure that your external contact persons are bound by a non-disclosure agreement before providing any information.

• Confidential information on portable devices (for example USB memory sticks) must be stored encrypted.


• Do not discuss or handle confidential information in public places.

• Keep confidential information protected (locked up) during breaks and when going home.

• Do not leave material in printers, copiers or faxes.

• Dispose of documents and digital media securely.


4. Passwords and PINs

• Your password is personal and you are responsible for all computer use under your User ID.

• Never give your password to anyone.

• Change your password immediately if you think somebody may have had access to it.

• Passwords must be changed at least every three months.

• Use passwords and PINs which are not easy to guess. For example, the sentence "Does the bus to Södertälje leave at 8?" gives the password DtbtSla8?

• Store your passwords and codes in the same way as items of value.

• Do not use your Scania User ID or password in systems outside Scania.


5. Internet and social networking

• You are allowed to use the Internet primarily for business purposes and to be able to follow Scania online. But be aware that everything you do on the Internet can be traced back to Scania.

• Private surfing is permitted to a limited extent as long as it does not impact your work.

• Export and storage of confidential information outside of Scania’s network must be approved by the information owner.

• Only designated persons may act as spokespersons for Scania on the Internet.

• Participating as an individual in online conversations is permitted provided that you act in a respectful manner.

• Do not access, download or store illegal or offensive materials.

• Be aware that Internet usage is monitored by Scania for security reasons.


6. E-mail

• Use e-mail primarily for business purposes. Private e-mail is only permitted to a limited extent and must be saved in a separate folder for isolation from work-related material.

• Avoid sending e-mails with attachments – use links instead.

• Confidential information must never be sent via e-mail without Scania supplied encryption.

• Only a Scania e-mail address may be used to send Scania information.

• E-mails must not automatically be forwarded to a private e-mail address.

• Do not send e-mails that may be perceived as offensive.

• Never forward e-mails to the whole organisation, not even for serious warnings.


7. New software and equipment

• Purchase all equipment and software through your authorised Scania channels.

• All installations must pass through the local IT coordinator for approval and secure installation.

• Only use approved and licensed software.


8. Protection of computers and networks

• Only connect Scania approved equipment to the network.

• Log off your computer every day and switch off your computer before weekends and holidays.

• Never try to change your computer’s security settings.

• Do not lend your computer to unauthorised persons.

• Protect your mobile equipment with a password or PIN.

• Lock your laptop with a security cable or store it in a locked secure cupboard.

• Do not leave your mobile equipment unattended or accessible (e.g. in your car, hotel room).


9. Physical access and photography

• Do not admit unauthorised persons.

• Access to buildings and areas that contain confidential or secret information must be approved by an authorised visitor host (Operating unit Manager or delegate).

• Pay attention to anyone you do not recognise. Ask who they are looking for and if you can help them find their way.

• Escort your guests and make sure that they wear their visitor’s badge.

• Wear your own company ID badge visibly.

• There is a general ban on photography and filming on Scania’s premises.


10. Security incidents

• Report immediately to the helpdesk if your computer behaves suspiciously.

• Report all security incidents such as theft, loss, etc. to your manager and/or local security contact.

• Report suspicious circumstances and security violations to your manager and/or local security contact.

11. Audit and follow-up

• Scania supervises the use of IT resources and information in order to ensure that Scania’s ISec Code of Conduct is followed. This includes monitoring of:
  a) internet activity and e-mail traffic
  b) that only approved software is installed
  c) that only work-related information is stored
  d) access to sensitive information
  Monitoring of user activities is performed in accordance with local legislation.

• Breaches of the law and Scania’s rules may result in a warning being issued and ultimately the termination of employment/assignment.

Document responsible: Corporate IT / 1598556 / HSIG Graphical Production 2011 Södertälje