For internal use only - Scania Group

518 66 40 - Graphic Production 2017.11 © Scania CV AB

ISec Code of Conduct

Foreword

Information Security is essential for ensuring the success of the Scania group and maintaining its competitiveness. Scania’s operations are dependent on information being available and handled in a correct and secure manner.

Breach of information security may result in serious damage to Scania. Errors in or unauthorised changes to information can seriously harm our service for our customers. Disclosure of future products and solutions and interruptions to information processes can jeopardize our objective to be the leading company in our business.

Everyone working with or using Scania’s information or IT systems is responsible for knowing and following the valid Scania Information Security regulations in order to protect our information.

Henrik Henriksson, President and CEO


Contents

Information Security, p. 4

My responsibility, p. 5

1. Non-disclosure, p. 6

2. Confidentiality classification, p. 7

3. Handling of information, p. 8

4. Handling of personal data, p. 9

5. User access, p. 10

6. Software, apps and IT equipment, p. 11

7. Public forum, Internet, social networking and e-mail, p. 12

8. Protection of computers, devices and networks, p. 14

9. Physical access and photography, p. 15

10. Security incidents, p. 16

11. Audit and follow-up, p. 17

Information Security

Information Security, at Scania shortened to ISec, is the practice of preventing information leakage/unauthorised use and modification/destruction of information, as well as safeguarding that the information is available when needed. Information can for example be printed, handwritten, prototypes, digital or verbal.

Different types of information need to be handled and protected in different ways. While inadequate security may result in considerable risk, an excessive security level makes it difficult to handle the information and leads to unnecessary costs.

Information is regarded as confidential when a possible breach could have a serious impact on Scania. Laws and agreements may also impact the protection of information, for example laws regarding the protection of personal integrity or financial information.

Examples of confidential information include: aggregated accounting data, new products/design/research, tenders/agreements/price lists and prices, quality reports, sensitive personal data (customers and employees) and passwords.

For a more complete list of types of confidential information, contact your immediate superior or your ISec contact.

The ISec Code of Conduct is an extract of our most important regulations. If you would like to learn more about Information Security, visit the Information Security homepage on Scania intranet.

My responsibility

As an Employee – you are personally responsible for protecting the information you handle against loss, falsification and/or misuse of any kind. You must observe and follow Scania Information Security (ISec) regulations in your work and check the regulations on a regular basis. If you are unsure – get advice from your manager or ISec contact.

You must report security incidents and weaknesses immediately and be aware that Scania monitors information access, and that violation of the Information Security Policy may result in disciplinary action.

As a Business Manager – you must ensure compliance with Scania ISec regulations and applicable legislation in your area of responsibility.

As a System/Application owner – you must ensure that IT systems for which you are responsible are set up and operated in compliance with Scania ISec regulations and applicable legislation.

Read more about your responsibility in ISec Standard 01 Information Security Governance on the ISec homepage.

1. Non-disclosure

Respect your contract of employment/agreement and make sure that you understand that non-disclosure means:

• Unwavering loyalty and mutual confidence between Scania and all employees.

• As an employee or consultant¹, you must not disclose anything of a confidential or secret nature concerning Scania’s business or other relationships.

• Employees and consultants¹ have a duty to comply with all Scania security rules.

Outsourced functions and their organisations have a duty to comply with all Scania security rules in accordance with the contract and non-disclosure agreement.

¹) Non-Scania employee

2. Confidentiality classification

The goal of confidentiality classification is to assign different classes of protection requirements to information. Based on this classification, different security measures are required.

• You classify and label your information based on the damage if the information is disclosed.

• Use Scania’s confidentiality classification: Public, Internal, Confidential, Secret.

• Mark your information with the appropriate classification.

• Handle the information according to the labelled confidentiality class.

• Contact the information owner if there are any doubts about the classification.

Read more about classification in the “Overview - Confidentiality Classification” on the ISec homepage.

Handling and protection of Internal and Confidential information:

Storing/filing

• In office/desk. Internal: allowed. Confidential: locked cabinets.

• Digital storage. Internal: allowed. Confidential: encrypted (if outside the server network) and access protection; audit logs recommended.

• Laptop/other portable devices. Internal: encrypted laptop/OK. Confidential: encrypted information.

• Outside Scania/non-Scania device. Internal: approval by your manager after a performed risk analysis. Confidential: approval by the information owner after a performed risk analysis.

E-mail/file transfer. Internal: allowed. Confidential: encryption required (external and internal).


3. Handling of information “Sharing is not always caring!”

• Respect the laws relating to protection of information and regulations on personal privacy.

• It is forbidden to access information or systems for which you do not have authorization.

• Any information stored in any shape or form on equipment or media provided by Scania is always regarded as Scania property.

• A small amount of private content can be stored on Scania equipment if marked as private, using a private folder.

• Lock your equipment/computer whenever you are away from your equipment/computer.

• Confidential files on Scania’s network must be stored with access protection.

• Confidential information must never be sent via physical media, e-mail or transmitted to a non-Scania infrastructure or location without Scania supplied encryption or secure storage.

• Export and storage of confidential information on facilities outside of Scania’s network must be approved by the information owner.

• Ensure that your external contact persons are bound by a non-disclosure agreement before providing any information.

• Confidential information on portable devices (for example USB memory sticks) must be stored encrypted.

• Do not discuss or handle confidential information in public places or other unsecure locations where it can get into the wrong hands (both in real life and online).

• Keep confidential information protected (locked up) during breaks and when leaving the office.

• Do not leave material in printers, copiers or faxes.

• Dispose of documents and digital media securely.

4. Handling of personal data

A special kind of information is so-called ‘personal data’. This is any type of information that can be related to an identifiable living natural person. This data is protected by special data protection legislation to ensure that the privacy and integrity of the person is not violated.

This requires you to ensure that you safeguard personal data by:

• only collecting what is necessary for a defined purpose

• making sure that you have clear legal grounds when you collect personal data

• being transparent about what you collect and how you handle that data

• applying appropriate Information Security controls to protect the data.

For us at Scania protection of personal data comes naturally from our core values.

When we respect the individual and have high integrity – in our interactions with our customers as well as our co-workers – then compliance with data protection legislation is a natural result.

5. User access

• Your credentials (Username, ID, password, PIN etc.) are personal and you are responsible for following Scania credential policies.

• You are responsible for all computer use when your credentials are in use. Report any loss as soon as possible.

• Credentials used for cloud services not controlled by Scania must be unique and not identical to your Scania or private credentials.

• Never give your password or PIN to anyone, or in any other way make your credential accessible for use by a third party or person. Use of another person’s ID or account is not permitted.

• Change your password or PIN immediately if you think somebody may have had access to it.

• Use passwords which are not easy to guess and use special characters when possible.

• Passwords must be changed at least every three months and must be different for different accounts.

• Store your passwords and PINs in such a way that it is not possible to link them to a specific ID and in a secure location.

• When signing an E-Signature, the same legal aspects are to be considered as if you were signing a document using pen and paper.

6. Software, apps and IT equipment

• Purchase all equipment, software, applications and apps through Scania authorised channels.

• For laptops and PCs, there is a standard routine for how to order, setup and connect your Scania equipment to the Scania network. When in doubt contact your local IT coordinator.

• Only use approved and licensed software.

• Only install apps and software to your Scania owned equipment that follow Scania guidelines. Apps and software must be work-related and approved by your manager.

• Scania has the right to erase apps or data that do not follow the policy on Scania equipment.

7. Public forum, Internet, social networking and e-mail

“A secret is no longer a secret once you publish it on the Internet!”

Only designated persons may act as spokespersons for Scania on the Internet as in other public forums.

Internet and Social networking:

• You must use the Internet, social media and e-mail primarily for business purposes and to follow Scania online. Private use is permitted to a limited extent, as long as it does not impact your work.

• Be aware that everything you do or transmit on the Internet can be traced back to Scania.

• Be aware that Internet use is monitored by Scania for security reasons.

• Participating as an individual in online conversations is permitted, provided that you act in a respectful manner.

Storage and transmitting information:

• Do not access, download or store illegal or offensive materials.

• Confidential information must never be sent via e-mail or transmitted without Scania supplied encryption.

• Confidential information may only be stored/handled on non-Scania controlled equipment after a risk analysis and approval by the Information owner.

• Only cloud services approved by Scania are to be used.

E-mail:

• Classify and mark your e-mail with regards to confidentiality.

• Private e-mail is only permitted to a limited extent and must be marked private and saved in a separate folder for isolation from work-related material.

• Only a Scania e-mail address may be used to send Scania information.

• E-mails must not automatically be forwarded to a private e-mail address or another user.

• Do not send e-mails that may be perceived as offensive.

• Never forward e-mails or send mass e-mails to the whole organisation, not even for serious warnings.

8. Protection of computers, devices and networks

• Only connect Scania approved equipment, with the security software provided by Scania ISec installed, to the Scania network. Use the guest network for all other purposes.

• Lock your equipment if you’re not present and restart your computer frequently for the latest security updates.

• Never try to change your equipment’s security settings.

• Do not lend your equipment to unauthorised persons.

• Protect your mobile equipment with a password, PIN, biometric authentication or smart card.

• Lock your laptop with a security cable or store it in a locked secure cupboard.

• Do not leave your mobile equipment unattended or accessible to others (e.g. in your car, hotel room or on an aircraft).

• Local administration privileges (Local Adm) must only be given to users with a clear business need.

9. Physical access and photography

• Wear your Scania ID badge (or other equivalent ID) visibly inside any Scania facility. All individuals inside a Scania facility must be able to identify themselves and prove their right to access the specific facility on request.

• Only admit authorised persons into the facilities. If doors need to be propped open, make sure they are supervised. Be helpful to all visitors but don’t take for granted that just because you recognize the person, he or she has the right to access the specific location, room or building.

• Pay attention to persons without a Scania ID badge. Escort them to the reception or to their visitor host.

• Escort your guests and make sure that they wear their visitor’s badge.

• Access to areas that contain confidential or secret information e.g. red or orange zone, must be approved by the operating unit manager or their delegated representative.

• Be careful when you attend remote meetings or are working on documents when you are travelling or working in shared spaces.

• There is a general ban on photography and filming on Scania’s premises.

10. Security incidents

• Report immediately to the helpdesk if your computer behaves suspiciously and follow the instructions given.

• Report all security incidents such as theft, loss of IT devices, information leakage or compromised confidential or secret information etc. to your manager and/or local ISec contact.

• Report suspicious circumstances or violations of ISec Code of Conduct to your manager and/or local ISec contact.

• Testing of vulnerabilities and weak points must only be carried out by the responsible and authorized unit.

11. Audit and follow-up

Scania supervises the use of IT resources and information in order to ensure that Scania’s ISec Code of Conduct is followed. This includes monitoring of:

• internet activity and e-mail traffic

• that the software and apps policy is being followed

• that only work-related information and smaller amounts of private information are being stored

• access to sensitive information.

Monitoring of user activities is performed in accordance with local legislation.

• Any access to mailbox and personal folders should be approved by the user. A request for access always needs to be approved in accordance with “Guideline for access to employees mailbox and personal folders”.

• In cases of suspected misconduct, fraud or irregularities, the company has the right to access any information without the user’s approval, see “Guideline for access to employees mailbox and personal folders”.

• Breaches of the law and Scania’s rules may result in a warning being issued and ultimately the termination of employment/assignment.


Information security within Scania is based on your active involvement – everyone’s contribution counts!

If you have identified areas of improvement – contact your manager or ISec contact.
