| I spent many hours tracking down the "official" Digital security
policy. The P&P manual didn't have it, my PSA didn't have it, but
eventually I got it, direct from the people who know:
From: WITNES::WITNES::MRGATE::"WDECMAIL::141739" 28-DEC-1987 20:34:45.21
To: MRGATE::"STAR::BOUCHARD"
CC:
Subj: CORP. SECURITY PROP. INFO. POLICY AND STANDARD
From: NAME: CASEY
INITLS: ARLENE
FUNC: M.E.&M SECURITY
ADDR: MSO
TEL: 223-4097 <141739@WDECMAIL@WITNES@PKO>
(1 November 1987 version)
SUMMARY
This policy applies to all information of a confidential,
sensitive, or proprietary nature used, generated, or held within
Digital Equipment Corporation (DEC).
It is Corporate policy that business information of all types will
be controlled and protected as a vital business resource. This
protection is critical to the continued growth and competitive
market posture of Digital Equipment Corporation.
These control and accountability requirements for the Corporation's
information apply, as well, to sensitive data held by the
Corporation on behalf of others. The only exceptions are (1)
information belonging to others which the Corporation has agreed
contractually to protect in a different manner; and (2) government
classified data, which must be handled according to U.S. Federal or
host country regulations. The active cooperation of every employee
in correctly handling sensitive business information is essential.
The classifications to be used are:
DIGITAL INTERNAL USE ONLY
DIGITAL CONFIDENTIAL
DIGITAL RESTRICTED DISTRIBUTION
DIGITAL PERSONAL
Public disclosure of Digital proprietary information will be made
ONLY with the prior approval of the appropriate Corporate officer
or designee, Public Relations representative or designee, and in
accordance with the Proprietary Information Protection Standard.
The policy applies to information stored in whatever form, whether
on paper, microfilm or in any electronic medium, such as computer
files or electronic mail.
SCOPE
Digital Equipment Corporation, worldwide, wherever issuance is not
in conflict with country, state, province or local laws.
DEFINITIONS
PROPRIETARY INFORMATION: Any information or material which is
owned by Digital Equipment Corporation, or entrusted to Digital,
which requires protection against unauthorized disclosure and has
been so designated. This includes trade secrets, plans, ideas, or
data that Digital would not want a competitor or the general public
to know. This could be technical or business data, or employee
data. Aside from legal reporting requirements and our own
announcement decisions, Digital need not communicate this kind of
information to anyone. Domestic U.S. laws and laws in other
nations protect proprietary information by affording civil and
criminal remedies against misappropriation and/or exploitation.
These laws permit us to retain our commercial market position and
ensure employee privacy by protecting highly valuable or
confidential data. Many nations protect the privacy of personally
identifiable information; some countries even restrict the
intra-corporate flow of personal data across national boundaries.
NEED-TO-KNOW: "Need-to-know" is a self-imposed discipline relative
to the sharing of all proprietary information. At the heart of
this discipline is the determination by the originator and/or the
custodian that the information is of intrinsic value to the
recipient and is needed by the recipient to carry out his or her
function within the Corporation.
CLASSIFICATIONS
DIGITAL INTERNAL USE ONLY - This proprietary information label
indicates that unauthorized or inadvertent disclosure could cause
business damage to the Corporation. It can be distributed to
Digital employees but should not be given to customers,
competitors, vendors, or other persons or organizations without
originator authorization.
Examples: Digital telephone directories, daily operational
memos, or selected policies, standards and
procedures.
DIGITAL CONFIDENTIAL - The mid-level label for proprietary
information, DIGITAL CONFIDENTIAL, indicates that unauthorized or
inadvertent disclosure could have a substantially detrimental
effect on the operation of the Company. This is information which
is sensitive to Digital and normally associated with a particular
process, project or function, the very nature of which requires
limited need-to-know distribution.
Examples: customer information, customer lists, supplier or
vendor lists, marketing strategies, product sales
reports, competitive survey data, organizational
financial plans and results, pricing data, new
product training information, service accounts,
subsystems designs, program listings, and work plans
pertaining to most products under development.
Sensitive vendor or customer information should be
treated at least as carefully as Digital information,
unless otherwise stipulated. Surveys,
questionnaires, and similar items that are received
from outside sources also may fall within this
category (organizational legal support should be
consulted in questions of doubt). For further
guidance refer to Digital Policy, "Information
Exchange Between Digital and Non-Digital Parties".
DIGITAL RESTRICTED DISTRIBUTION - This is the highest Digital
classification category. Information labelled DIGITAL RESTRICTED
DISTRIBUTION indicates that its unauthorized or inadvertent
disclosure could cause serious damage to the operation of the
Corporation. Its use and distribution must be severely restricted.
The assignment of this classification must be a subjective judgment
on the part of the author or custodian. This category includes the
most sensitive plans, ideas, financial data, R&D activities, and
similar information which only a few people within the Corporation
have an absolute need-to-know.
Examples: Unannounced new product specifications, business
plans, key technical concepts and processes, code
names, manufacturing processes, forecasts or
projections about financial results, pending stock
announcements, acquisition plans, long-term
strategies, unannounced financial summaries,
market strategy papers, potential real estate
purchases or divestments, executive-level personnel
or business decision papers, and information required
by law to be preserved or shielded under the highest
classification system. Sensitive proprietary
information that vendors or customers give us must
be put in this category, if stipulated by contract
and/or negotiated agreement. For further guidance,
refer to Digital Policy "Information Exchange Between
Digital and Non-Digital Parties."
DIGITAL PERSONAL - This level of proprietary information involves
personal data about individuals that will be distributed only in a
manner based upon local law and an absolute need-to-know.
Personal data about an individual refers to information that is (1)
protected by law; or (2) of a descriptive, personal nature; or
(3) something a reasonable individual might not want disclosed; and/or (4)
information an originator determines should be limited in its disclosure.
Examples: salary data, performance evaluations, medical
information, job applications, personal or family
details, curriculum vitae, resumes, etc.
POLICY
CLASSIFICATION CATEGORIES
There are four classification categories and markings utilized by
Digital. In INCREASING order of sensitivity, they are as follows:
(Note that DIGITAL RESTRICTED DISTRIBUTION and DIGITAL PERSONAL
have different meanings, but are equal in their sensitivity).
DIGITAL INTERNAL USE ONLY
DIGITAL CONFIDENTIAL
DIGITAL RESTRICTED DISTRIBUTION
DIGITAL PERSONAL
The above classifications are the only classifications to be used
to identify Digital's proprietary information. The following
additional labels may be used in conjunction with the above
classifications, but cannot be used as substitutes:
"TO BE OPENED BY ADDRESSEE ONLY"
"DO NOT COPY"
"CONFIDENTIAL TO DIGITAL"
"ATTORNEY-CLIENT PRIVILEGED"
"WORK PRODUCT DOCUMENT"
INFORMATION CONTROL
Proprietary information is to be used only for authorized Digital
business purposes. Information shall be protected appropriate to
its assigned classification by all persons who handle, use, or have
access to such information.
PROTECTION OF INFORMATION
Digital classified documents are to be marked, distributed, copied,
mailed, handcarried, transmitted, stored, destroyed and/or
discussed in accordance with this policy and the Proprietary
Information Protection Standard.
Each employee who comes into contact with proprietary information
will ensure that the information is disseminated to or discussed
with only those individuals who have a legitimate need-to-know.
Information belonging to others which Digital has received under a
Non-Disclosure Agreement may only be received by a vice president.
Such Agreements should only be signed by a vice president.
Business information of all types will be controlled and protected
as a vital business resource. To accomplish this, all proprietary
information will be assigned a classification category as specified
in this policy.
Originators of information are responsible for the assignment of
the appropriate Digital classification, consistent with this
policy. Either independently, or in coordination with others, such
individuals will also determine the "distribution" of such
documents. "Distribution lists" should be kept to the absolute
minimum, consistent with "need-to-know." Custodians of third party
information are responsible for designating a Digital
classification category.
As a condition of employment, all persons who handle, use, or have
access to proprietary business information are responsible for
taking appropriate measures to protect that information.
CARELESS TALK
Unnecessary or careless talk about Digital proprietary information
must be avoided, both on and off the job. Reasonable precautions
are particularly relevant in such public areas as airports,
airplanes, restaurants, social gatherings, academic and
professional gatherings and seminars, and public telephone areas.
Under no circumstances should there be any unauthorized discussion
with outsiders, customers, vendors, members of the media, or others
concerning prospective growth, sales, earnings, research efforts,
new products, product profitability, contributions to profit by
line of business, ideas, contract awards, acquisitions and
divestitures of business or properties, lawsuits, unannounced
changes in management personnel, or other company information which
should reasonably be viewed as sensitive. Employees should be
sensitive to the potential for a series of unclassified pieces of
business information taking on a classification of their own when
grouped together (e.g., a lengthy discussion of unclassified issues
can conceivably assume a Digital proprietary classification as
defined in this policy).
CLEAN DESK
All Digital employees are to adhere to a "clean desk" program.
Proprietary Digital information must be adequately protected at all
times. When offices/workstations are left unattended, information
labeled "DIGITAL RESTRICTED DISTRIBUTION", "DIGITAL CONFIDENTIAL"
and "DIGITAL PERSONAL" shall be secured in accordance
with Corporate Security Proprietary Information Protection Standard
10.1 or in a designated "secure/controlled project area" in
accordance with business or site standards.
Care must be exercised to avoid leaving proprietary business data
around copy machines, or discarded in adjacent trash receptacles.
Proprietary business data is to be disposed of either through
shredding, classified waste receptacles, or destroying in an
appropriate manner consistent with the Proprietary Information
Protection Standard.
AWARENESS
Awareness and proprietary information awareness orientation
programs will be implemented by each organization, advising
employees of their individual responsibilities to protect Digital
proprietary information, as well as the reasons for such
requirements.
Personnel procedures will ensure that all employees, including
temporary staff, read and sign the "Digital Non-Disclosure
Agreement and Conflict of Interest Statement" during initial
employment processing as required by the Personnel Policy and
Procedures Manual. Employees are also required to comply with the
provisions of the "Manager's Termination Form" upon termination of
employment with Digital.
DISCLOSURE OF INFORMATION TO NON-DIGITAL PARTIES
If, in the course of business, it is necessary that consultants,
contractors, and other third parties have access to proprietary
information, such individuals must first sign a non-disclosure
agreement. They are to receive only such information as is
necessary for compliance with their contract or arrangement, and
must agree to conform to Digital proprietary information protection
procedures, unless otherwise indicated in the contract or
agreement. All materials and copies of proprietary information
must be destroyed or returned to Digital at the conclusion of the
contract.
Contacts by the media must be referred to the appropriate Public
Relations resource within the organization, or to the Corporate
Public Relations office, in accordance with the provisions of
Corporate Personnel Policy 6.28.
Contacts by other non-DEC agencies, such as financial analysts,
market research consultants, etc., should be referred to the
appropriate DEC staff agency (e.g., Corporate Relations, Manager of
Consultant Relations, etc.).
Employees should be sensitive to proprietary business information
being deliberately or inadvertently included in academic case
studies, term papers, photographs, graphs, projections, or similar
information released to non-Digital personnel or agencies.
No proprietary information should be given to anyone via the
telephone, through the mail, or over an electronic mail system,
unless the identity of the caller and need-to-know requirements are
properly confirmed.
Disclosing Digital proprietary information to unauthorized
individuals or firms, or making use of it, except on Digital's
behalf, whether or not such information is produced by one's own
effort, is prohibited. Unauthorized possession of such proprietary
data is an infringement of this policy.
An employee who violates this policy may be subject to disciplinary
proceedings and may also incur civil or criminal penalties.
RESPONSIBILITIES
A. General
All subsequent policies, standards, guidelines and/or
procedures dealing with proprietary information protection
should be consistent with this policy and "Proprietary
Information Protection Standard 10.1."
B. Originators and Custodians
Determine the appropriate classification category for
information originated by them or coming into their possession.
Provide a continuous degree of protection, from creation to
destruction, consistent with the requirements of this policy
and Proprietary Information Protection Standard 10.1.
Determine the appropriate distribution of proprietary
information, consistent with "need-to-know" criteria.
C. Corporate Security
Develop policies and standards for safeguarding Digital
proprietary information. Revise, as appropriate.
Develop training programs, awareness materials, and
self-audit criteria, as required.
Promote implementation of this policy within operating
organizations.
Monitor for compliance through staff visits, reviews, and
audits.
Provide guidance and leadership in the resolution of
information security issues.
Investigate and report violations of this policy to senior
management and/or the Law Department, as appropriate.
D. Area and Function Security Management (e.g., Europe, Field
Service, GIA, MEM, US Area, etc.)
Develop, publish and implement information protection plans,
awareness training and procedures, consistent with this
policy. Where necessary, written procedures or guidelines
should be developed to tailor implementation of this policy
to unique conditions that may exist at certain operating
entities.
Each vice president of an operating entity, and/or country
manager, will appoint, in writing, an individual not more
than two reporting levels subordinate to that position, to
serve as the principal contact point on matters pertaining to
the protection of DEC proprietary information for that
particular organization or entity.
E. Site Security Managers/Coordinators
Will be fully conversant with security policies, standards,
and procedures and will serve as a security resource to their
respective organizations.
Will act as the security focal point between their respective
organizations and the next senior security organization.
Will conduct training and awareness programs as set forth by
Corporate Security and/or senior management.
Will periodically review the proprietary information program
for effectiveness and compliance.
F. Business Managers
Will be fully conversant with security policies, standards,
and procedures relative to the protection of DEC proprietary
information.
Will support and ensure adherence to this policy and related
standards through accepted management practices and
procedures.
Will designate members of respective organizations to assume
formal responsibility for security training, audits, and
related security issues (e.g., a "security coordinator," in
the absence of an assigned security manager).
Will conduct operating compliance reviews to identify and
correct actual and potential security weaknesses.
Will report immediately significant information security
compromises and/or needs for corrective action to area,
functional, or local security management.
G. Employees
Employees will be fully conversant with policies, standards,
and procedures relative to the protection of DEC proprietary
information.
Employees will protect Digital proprietary information as a
regular part of the business process and their individual
work assignments.
Employees are expected to immediately report violations of
this policy to their manager and/or the local security
manager/coordinator.
H. Audit
Information protection, including compliance with this policy
and its supporting standard, will be a subject of special
interest by corporate auditors.
I. Purchasing
Will ensure that vendors and subcontractors are familiar with
Digital's proprietary information requirements and that
contracts include appropriate provisions to safeguard such
information.
REFERENCE
"Proprietary Information Protection" Standard 10.1 of Corporate
Security Policies and Standards.
"Information Exchange Between Digital and Non-Digital Parties."
<--------------------------------------------------------------------->
**************************************************************************
(1 November 1987 version)
SUMMARY
To establish uniform guidelines for the classification, marking,
distribution, storage, destruction and overall protection of
Digital proprietary information and the proprietary information of
others entrusted to Digital.
SCOPE
Digital Equipment Corporation, worldwide, wherever issuance is not
in conflict with country, state, province or local laws.
DEFINITIONS
PROPRIETARY INFORMATION: Any information or material which is owned
by Digital Equipment Corporation, or entrusted to Digital, which
requires protection against unauthorized disclosure and has been so
designated. This includes trade secrets, plans, ideas, or data
that Digital would not want a competitor or the general public to
know. This could be technical or business data, or employee data.
Aside from legal reporting requirements and our own announcement
decisions, Digital need not communicate this kind of information to
anyone. Domestic U.S. laws and laws in other nations protect
proprietary information by affording civil and criminal remedies
against misappropriation and/or exploitation. These laws permit us
to retain our commercial market position and ensure employee
privacy by protecting highly valuable or confidential data. Many
nations protect the privacy of personally-identifiable information;
some countries even restrict the intra-corporate flow of personal
data across national boundaries.
DISCLOSURE: The furnishing, actively or passively, of proprietary
information to an individual, organization or firm.
NEED-TO-KNOW: "Need-to-know" is a self-imposed discipline relative
to the sharing of all proprietary information. At the heart of
this discipline is the determination by the originator and/or the
custodian that the information is of intrinsic value to the
recipient and is needed by the recipient to carry out his or her
function within the Corporation.
CLASSIFICATIONS
DIGITAL INTERNAL USE ONLY: This proprietary information label
indicates that unauthorized or inadvertent disclosure could cause
business damage to the Corporation. It can be distributed to
Digital employees but should not be given to customers,
competitors, vendors, or other persons or organizations without
originator authorization.
Example: Digital telephone directory, daily operational memo,
or selected policies, standards and procedures.
DIGITAL CONFIDENTIAL: The mid-level label for proprietary
information, DIGITAL CONFIDENTIAL, indicates that unauthorized or
inadvertent disclosure could have a substantially detrimental
effect on the operation of the Company. This is information which
is sensitive to Digital and normally associated with a particular
process, project or function, the very nature of which requires
limited need-to-know distribution.
Example: Customer information, customer lists, supplier or
vendor lists, marketing strategies, product sales
reports, competitive survey data, organizational
financial plans and results, pricing data, new
product training information and service accounts,
subsystem designs, program listings, and work plans
pertaining to most products under development.
Sensitive vendor or customer information should be
treated at least as carefully as Digital
information, unless otherwise stipulated. Surveys,
questionnaires, and similar items that are received
from outside sources also may fall within this
category (organizational legal support should be
consulted in questions of doubt). For further
guidance, refer to Digital Policy, "Information
Exchange Between Digital and Non-Digital Parties."
DIGITAL RESTRICTED DISTRIBUTION: This is the highest Digital
classification category. Information labelled DIGITAL RESTRICTED
DISTRIBUTION indicates that its unauthorized or inadvertent
disclosure could cause serious damage to the operation of the
Corporation. Its use and distribution must be severely restricted.
The assignment of this classification must be a subjective judgment
on the part of the author or custodian. This category includes the
most sensitive plans, ideas, financial data, R&D activities, and
similar information that only a few people within the Corporation
have an absolute need-to-know.
Example: Unannounced new product specifications, business
plans, key technical concepts and processes, code
names, manufacturing processes, forecasts or
projections about financial results, pending stock
announcements, acquisition plans, long-term
strategies, unannounced financial summaries,
market strategy papers, potential real estate
purchases or divestments, executive-level
personnel or business decision papers, and
information required by law to be preserved or
shielded under the highest classification system.
Sensitive proprietary information that vendors or
customers give us may be put in this category, if
stipulated by contract and/or negotiated
agreement.
DIGITAL PERSONAL: This level of proprietary information involves
personal data about individuals that will be distributed in a
manner based upon local law and absolute need-to-know. Personal
data about an individual refers to information that is (1)
protected by law; or (2) is of a descriptive, personal nature; or
(3) a reasonable individual might not want disclosed; and/or (4) an
originator determines that it should be limited in its disclosure.
Example: Salary data, performance evaluations, medical
information, job applications, personal or family
details, curriculum vitae, resumes, etc.
STANDARD
CLASSIFICATION CATEGORIES
There are four classification categories and markings utilized by
Digital. In INCREASING order of sensitivity, they are as follows
(Note that DIGITAL RESTRICTED DISTRIBUTION and DIGITAL PERSONAL
have different meanings, but are equal in their sensitivity):
DIGITAL INTERNAL USE ONLY
DIGITAL CONFIDENTIAL
DIGITAL RESTRICTED DISTRIBUTION
DIGITAL PERSONAL
The above classifications are the only classifications to be used
to identify Digital's proprietary information. The following
additional labels may be used in conjunction with the above
classifications, but cannot be used as substitutes:
"TO BE OPENED BY ADDRESSEE ONLY"
"DO NOT COPY"
"CONFIDENTIAL TO DIGITAL"
"ATTORNEY-CLIENT PRIVILEGED"
"WORK PRODUCT DOCUMENT"
CLASSIFICATION AUTHORITY
The author of the information, with the review and concurrence of
his or her cost center manager, is primarily responsible for
classification of information. In addition, if technical
information is involved, the Engineering Law Group in the Law
Department shall concur in the classification. "DIGITAL PERSONAL"
data is classified by the originator or members of the Personnel
community and requires no additional concurrence.
For a major project or activity in engineering, manufacturing,
sales or marketing, the classification authority is encouraged to
prepare a "project classification guide" that advises project
members of the specific categories of information relevant to the
project, and of the classifications that apply to that information.
Employees who extract information from a classified document or
respond to a classified document must be careful to apply the same
classification marking as in the original.
MARKINGS
The originator of a sensitive Digital proprietary document will
ensure that one of the four classification markings is shown on
the document in the following manner. The title page will have the
marking prominently displayed at the top and bottom of the page.
(Note: The top marking may be placed immediately preceding the
first line of text in a preformatted memorandum.) All subsequent
pages will have the classification marking at the bottom of each
page.
Documents designated DIGITAL RESTRICTED DISTRIBUTION will also
require a log number marking on the bottom right corner of the
title page. Details of this marking are discussed under the
accountability section in this standard.
An entry also may be made on a classified document when a definite
determination can be made that the document will no longer be
sensitive or proprietary on a specified date, i.e., the date when a
Corporate financial announcement will be made. The appropriate
marking in such cases should be: "No longer classified on
date/or product announcement." When that date arrives, the
document markings may be crossed out and, if DIGITAL RESTRICTED
DISTRIBUTION material, an appropriate log entry made.
Computer printouts, volume runs, vendor printed material, etc.,
shall have the classification marking displayed on the top and
bottom of the first page (or title page), and front and back
covers, if a bound document. The classification marking should be
at the bottom of each page of a volume run or other unbound
document.
Magnetic tapes, floppy disks, disk packs, hardware, modules, etc.,
which are sensitive proprietary information will have the
appropriate classification marking affixed by use of a stick-on
label on the outer shell or container. The classification also
should be stored electronically on the media.
All engineering drawings and specifications also will have the
following notice marked on the first page:
THIS DRAWING AND SPECIFICATION, HEREIN, ARE THE
PROPERTY OF DIGITAL EQUIPMENT CORPORATION AND
SHALL NOT BE REPRODUCED OR COPIED OR USED IN WHOLE
OR IN PART AS THE BASIS FOR THE MANUFACTURE OR SALE
OF ITEMS WITHOUT WRITTEN PERMISSION.
COPYRIGHT (c) (year) Digital Equipment Corporation
Originators of Digital proprietary information must ensure that
their drafts and working papers are also marked with the
appropriate classification.
ACCOUNTABILITY
All DIGITAL RESTRICTED DISTRIBUTION material requires special
handling within the Corporation, far above that normally provided
for other proprietary information. Accordingly, a special logging
system will be utilized by all cost centers that originate or
receive this category of classified material in order to provide a
continuous audit trail.
Each copy of a DIGITAL RESTRICTED DISTRIBUTION document will be
numbered and logged. The document number will be marked in the
bottom right corner of the title or first page of a document, or on
the separate stick-on label for hardware or tapes. The document
number shall include the "year, cost center number, and document
number" of the originator as well as the copy number. An example
of the document number follows:
DOCUMENT NUMBER
1988-68R-001
COPY 1 OF 20
Attachment 1 is a sample originator's log and Attachment 2 is an
incoming log for incoming DIGITAL RESTRICTED DISTRIBUTION
information to be used by cost center managers or their designees.
Recipients will use the originator's document number when logging
incoming documents.
All DIGITAL RESTRICTED DISTRIBUTION material will have a "return
receipt" (Attachment 3) attached to the material. The addressee
will sign the receipt indicating the document arrived as sent, and
return the receipt to the originator. Return receipts will be
audited by the originator to ensure everyone received their copy.
Unaccounted for copies will be investigated by the originator to
determine the whereabouts of the document/material.
Copying/reproduction: Copying or reproduction of DIGITAL
RESTRICTED DISTRIBUTION material is discouraged. However, when it
is absolutely necessary, all copies will be logged in the cost
center's originator's log with copy numbers assigned and all copies
controlled.
Cover Sheets: All DIGITAL RESTRICTED DISTRIBUTION documents will
have a cover sheet (attachment 4) placed on each copy.
Off-site Storage of Tapes, Disks, etc.: The classification marking
and control number will be visible on the outside of the container
or package when stored off-site. Receipts for the material must
also be obtained.
The aforementioned procedure only applies to DIGITAL RESTRICTED
DISTRIBUTION material and does not apply to other classification
categories. There are no logging or other special accountability
requirements for the other classification categories.
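As an added illustration of the accountability scheme above (this is not code from the policy or from any DEC system), the following Python models the originator's log: document numbers of the form year-cost center-sequence, one numbered copy per addressee, the "COPY n OF m" marking, logged reproductions, return receipts checked off against the log, and a list of unaccounted copies for the originator to investigate. The cost-center syntax ("68R" treated as a short alphanumeric code) and the in-memory layout of the log are assumptions.

```python
"""Originator's log for DIGITAL RESTRICTED DISTRIBUTION material (modelled)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Document number as shown in the standard: "1988-68R-001" = year, originating
# cost center, per-cost-center sequence.  The cost-center syntax is not spelled
# out on the page; the short alphanumeric pattern is an assumption.
DOC_NUMBER_RE = re.compile(r"^(?P<year>\d{4})-(?P<cc>[A-Z0-9]{1,4})-(?P<seq>\d{3})$")
COPY_RE = re.compile(r"^COPY (?P<n>\d+) OF (?P<total>\d+)$")


def format_document_number(year: int, cost_center: str, seq: int) -> str:
    return f"{year:04d}-{cost_center.upper()}-{seq:03d}"


def parse_copy_marking(marking: str) -> Tuple[str, int, int]:
    """Parse the two-line bottom-right marking into (doc_number, copy, total).

    Anything malformed, or a copy number outside 1..total, is rejected so a
    mistyped or forged label never silently enters an incoming log.
    """
    lines = [ln.strip() for ln in marking.strip().splitlines() if ln.strip()]
    if len(lines) != 2 or not DOC_NUMBER_RE.match(lines[0]):
        raise ValueError(f"malformed RESTRICTED DISTRIBUTION marking: {marking!r}")
    m = COPY_RE.match(lines[1])
    if not m:
        raise ValueError(f"malformed copy line: {lines[1]!r}")
    n, total = int(m["n"]), int(m["total"])
    if not 1 <= n <= total:
        raise ValueError(f"copy {n} outside 1..{total}")
    return lines[0], n, total


def is_valid_marking(marking: str) -> bool:
    try:
        parse_copy_marking(marking)
        return True
    except ValueError:
        return False


@dataclass
class Copy:
    number: int
    holder: str
    receipt_signed_by: Optional[str] = None  # set when the return receipt comes back
    reproduced_from: Optional[int] = None    # set for copies made after initial issue


@dataclass
class OriginatorLog:
    """One cost center's originator's log (Attachment 1 of the standard, modelled)."""
    cost_center: str
    _seq: Dict[int, int] = field(default_factory=dict)       # year -> last sequence used
    _docs: Dict[str, List[Copy]] = field(default_factory=dict)

    def issue(self, year: int, recipients: List[str]) -> str:
        """Assign the next document number and one numbered copy per addressee."""
        if not recipients:
            raise ValueError("a RESTRICTED DISTRIBUTION document needs an addressee")
        seq = self._seq.get(year, 0) + 1
        self._seq[year] = seq
        doc = format_document_number(year, self.cost_center, seq)
        self._docs[doc] = [Copy(i, who) for i, who in enumerate(recipients, start=1)]
        return doc

    def marking(self, doc: str, copy_no: int) -> str:
        """Text for the bottom right corner of the title page of one copy.

        The total is the number of copies logged so far, so a copy logged
        after a reproduction reads e.g. "COPY 4 OF 4".
        """
        copies = self._docs[doc]
        if not 1 <= copy_no <= len(copies):
            raise KeyError(f"{doc} has no copy {copy_no}")
        return f"{doc}\nCOPY {copy_no} OF {len(copies)}"

    def reproduce(self, doc: str, from_copy: int, new_holder: str) -> int:
        """Log an extra copy (discouraged, but when made it gets its own number)."""
        copies = self._docs[doc]
        new_no = len(copies) + 1
        copies.append(Copy(new_no, new_holder, reproduced_from=from_copy))
        return new_no

    def record_receipt(self, marking: str, signed_by: str) -> None:
        """Check a signed return receipt off against the copy it names."""
        doc, n, _total = parse_copy_marking(marking)
        copies = self._docs.get(doc)
        if copies is None or n > len(copies):
            raise ValueError(f"receipt does not match any logged copy of {doc}")
        copies[n - 1].receipt_signed_by = signed_by

    def unaccounted(self, doc: str) -> List[int]:
        """Copies with no return receipt: the originator must investigate these."""
        return [c.number for c in self._docs[doc] if c.receipt_signed_by is None]
```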
DISTRIBUTION
DIGITAL RESTRICTED DISTRIBUTION material should not be transmitted
by electronic means. It should be disseminated in hard copy
format. This provision is subject to future review when full
encryption capability exists within the Corporation.
Digital classified proprietary information shall only be
distributed to employees who have a "need-to-know." Recipients of
such material have the responsibility to ensure that further
dissemination is based on the "need-to-know" principle.
It is incumbent on all employees to ensure that distribution lists
for classified proprietary information only contain the names of
individuals who have been determined to have a "need-to-know"
for the material being disseminated.
Information classified DIGITAL RESTRICTED DISTRIBUTION, DIGITAL
CONFIDENTIAL, and DIGITAL PERSONAL must be double wrapped when sent
through the mail. The following applies:
EXTERNAL MAIL: The material will be placed in an inner envelope
which will be marked with the name and address of the
addressee, marked "TO BE OPENED BY ADDRESSEE ONLY," and display
the appropriate classification marking. The outer envelope
will only show the name and address of the addressee.
Additionally, DIGITAL RESTRICTED DISTRIBUTION material will be
mailed by U.S. Certified or Registered mail, or its equivalent,
with a return receipt required.
INTERNAL DIGITAL MAIL: The material will be placed in an inner
envelope which will be marked with the name and address of the
addressee, marked "TO BE OPENED BY ADDRESSEE ONLY," and display
the appropriate classification marking. The outer envelope for
DIGITAL RESTRICTED DISTRIBUTION will be non-transparent and
marked with the name and address of the addressee. Other
classifications may be placed in the Digital
"Inter-Departmental Correspondence" envelope.
DIGITAL INTERNAL USE ONLY material may be sent through regular mail
channels without special markings.
When it is absolutely necessary to utilize mailing and/or
distribution lists for recurring dissemination of proprietary
information, originators must ensure that such lists only contain
the names of individuals with a "need-to-know." All such lists
should be updated monthly for DIGITAL RESTRICTED DISTRIBUTION
information, and quarterly for DIGITAL CONFIDENTIAL information.
STORAGE/PROTECTION
The quantity and sensitivity of proprietary information often
determines the methods and requirements for protection of the
material. A research and development facility housing thousands of
documents, all of which may be very sensitive, will require more
secure storage than a small sales office with only one document.
For such a facility, enhanced site-wide (CONTROLLED PROJECT AREAS)
or project security measures should be considered. The
establishment of restricted areas may be a valid alternative to
the provision of individual secure storage containers. Therefore,
there must be some flexibility in this standard in establishing
basic criteria for secure storage of Digital's proprietary
information. The following represents the minimum standards
required for the protection of a limited quantity of proprietary
information. Larger quantities may require additional protection,
such as vaults or tamper-resistant combination locks on safes.
Your security representative can help you evaluate your
requirements.
DIGITAL RESTRICTED DISTRIBUTION: Must be placed in a secure
container or safe which is locked nightly. Must not be left
exposed on desks, file tops, tables, etc. If stored in a file
cabinet, the cabinet must be equipped with a bar and lock or
similar device which precludes a drawer being opened more than 1/8"
when closed and locked. This material may not be stored in office
desks.
DIGITAL CONFIDENTIAL: Must be filed or stored in a locked desk or
file cabinet. Must not be left exposed on desks, file tops,
tables, or otherwise exposed, unless in a secure/controlled area
dedicated to a major project.
DIGITAL PERSONAL: Must be placed in a secure container or safe
which is locked nightly. Must not be left exposed on desks, file
tops, tables, etc.
DIGITAL INTERNAL USE ONLY: No special storage requirements when
maintained on Digital property. Should be stored in a locked
container or be in the possession of a Digital employee at all
times when off Digital property.
DIGITAL RESTRICTED DISTRIBUTION and DIGITAL CONFIDENTIAL
material/media stored off-site will be segregated from other tapes,
disks, or material and secured in a locked cabinet or safe. If the
volume prohibits such protection, then a secure room will be used
with floor to ceiling walls, an alarm system to detect unauthorized
intrusion, and enforced access controls. Off-site storage
locations will be inspected and approved by the appropriate line
organization Digital security representative. Vendors must agree
to the foregoing before off-site storage begins. They must also
sign a non-disclosure agreement.
Engineering material also must be stored in accordance with Digital
Standard 128.
Clean Desk Procedure: The protection of Digital proprietary
information requires that sensitive material not be inadvertently
compromised by being left unattended on employees' desks.
Therefore, it is Digital's policy that classified proprietary
information will be secured whenever it is expected to be left
unattended during working hours. When employees possessing such
information will be absent from their workstation in excess of two
hours, they shall lock this material in their desk or a secure file
cabinet. If a secretary or other person will be present in the
area and able to observe the desk to ensure there is no
unauthorized access to the document, and they agree to accept this
responsibility, then the material may be left unattended for
periods up to two hours. A locked office door or secure controlled
project area may serve as a substitute to having the desk watched.
PROPRIETARY WASTE AND DESTRUCTION
All facilities will provide a sufficient number of storage
containers at convenient locations for secure disposal of
proprietary information. The secure storage containers will be
"one-way feed" to accept proprietary waste and preclude easy
removal of deposited material.
All facilities which accumulate waste over several days or longer
periods will provide a secure storage room to protect the collected
material prior to its destruction. These areas will be
appropriately secured to preclude unauthorized access and
compromise of the material stored therein.
All classified waste will be destroyed in such a manner that it is
unreadable for documents, or unrecognizable and not useable for
hardware, microfiche, microfilm, and related material. Document
shredders, disintegrators, burning, etc., are approved methods of
destruction.
There must be a record made of the destruction of DIGITAL
RESTRICTED DISTRIBUTION material. An entry in the log concerning
the date of destruction and the person destroying the material is
adequate.
If an outside vendor is selected to destroy Digital's proprietary
information the following shall be adhered to:
o The vendor will sign a non-disclosure agreement.
o The vendor will agree to announced and unannounced
inspections of the storage and destruction sites.
o The vendor shall agree to physical security requirements as
defined by Digital. If the vendor does not comply with these
guidelines, then the contract shall be voided.
o An initial security review will be conducted by the Digital
line organization security function prior to finalizing the
contract to ensure that the vendor can comply with
appropriate destruction requirements. A written record of
this review will be maintained by the security function.
COMPROMISE OR LOSS OF PROPRIETARY INFORMATION
Digital employees who become aware of the compromise or loss of
DIGITAL RESTRICTED DISTRIBUTION and/or DIGITAL CONFIDENTIAL
information will report this fact to their manager. Managers will
report such instances to the appropriate security manager and the
originator of the document, if known.
RESPONSIBILITIES
A. Originators and Custodians
Determine the appropriate classification category for
information originated by them or coming into their possession.
Provide a continuous degree of protection, from creation to
destruction, consistent with the requirements of this standard
and Proprietary Information Protection Policy 10.
Determine the appropriate distribution of proprietary
information consistent with "need-to-know" criteria.
B. Corporate Security
Develop and revise policies and standards for safeguarding
Digital proprietary information.
Develop training programs, awareness materials, and self-audit
criteria, as required.
Promote implementation of this standard within Digital.
Monitor for compliance through staff visits, reviews and
audits.
Provide guidance and leadership in the resolution of
information security issues.
Investigate and report violations of this policy to senior
management and/or the Law Department, as appropriate.
C. Area and Security Management (e.g., GIA, Europe, Field Service,
US Area, MEM, etc.)
Develop organizational structures to implement the provisions
of this standard and supporting policy.
Develop, publish and implement supporting plans and procedures
consistent with Corporate Security Policy.
Conduct training and awareness programs.
Report significant violations to Corporate Security.
D. Site Security Managers/Coordinators
Will be fully conversant with security policies, standards, and
procedures and will serve as a security resource to their
respective organizations.
Will act as the security focal point between their respective
organizations and the next senior security organization.
Will conduct training and awareness programs as set forth by
Corporate Security and/or senior management.
Review the proprietary information program for effectiveness
and compliance.
E. Business Managers
Will be fully conversant with security policies, standards and
procedures relative to the protection of Digital proprietary
information.
Support and ensure adherence to this standard and related
standards through accepted management practices and procedures.
Designate members of their respective organizations to assume
formal responsibility for security training, audits, and
related security issues (e.g., a "security coordinator," in the
absence of an assigned security manager) to implement this
standard.
Conduct operating compliance reviews to identify and correct
actual and potential security weaknesses.
Report immediately significant information security compromises
and/or needs for corrective action to area, functional or local
security management.
F. Employees
Employees will be conversant with policies, standards and
procedures relative to the protection of Digital proprietary
information.
Employees, as a condition of employment, agree to protect
Digital proprietary information.
Employees are expected to report immediately violations of this
standard to their manager and/or the local security
manager/coordinators.
G. Audit
Information protection, including compliance with this standard
and its supporting policy, will be a subject of special
interest by corporate auditors.
H. Purchasing
Ensure that vendors and subcontractors are familiar with
Digital proprietary information requirements and that contracts
include the appropriate provisions to safeguard such
information.
REFERENCE
Corporate Security Policy 10, Protection of Proprietary Information