IT requirements for contractors

1. Computer equipment supplied:

  • preferred standard of the server, desktop computer, laptop or other computer equipment compatible with the current configuration in place for UTC (information currently available for review in IT PWK);
  • preferred operating system compatible with UTC policy (information currently available for review in IT PWK);
  • Supplier shall provide acknowledgement of legality (license certificate, invoice) for each type of software installed;
  • Supplier shall set forth terms of warranty and service for the computer hardware supplied;
  • PWK does not allow the Supplier to take hard disks and other information carriers used for testing and/or production purposes (in the system provided) out of the company premises.
2. In case computer/equipment is equipped with a modem or a network card, the Supplier shall:
  • precisely set forth the purpose of using such modem and its preferred configuration;
  • precisely set forth the purpose of using such network card and its preferred configuration.
3. Range of authorization to computer equipment provided:
 
  • Supplier’s employees’ access to the computer configuration is limited to the fewest possible access rights enabling repairing a defect, setting configuration during implementation etc. in case such items are part of the order, contract and are set forth therein;
  • during the final acceptance of the equipment/design etc., the Supplier agrees to provide all rights, access passwords to the systems and applications provided under the service, order etc.;
  • the rights should be provided in writing, in a sealed envelope, to a PWK IT representative, with receipt acknowledged;
  • access rights are subject to verification by PWK (IT, W74) employees;
  • Supplier may not be granted privileged user rights (administrator, root, etc.) to the computer equipment provided while it is used in the production process.
4. Remote access to PWK computer systems is possible only if the following conditions are met:
 
  • Supplier shall present a written acceptance of the Non-Disclosure Agreement which is required prior to any cooperation;
  • Supplier states, warrants, agrees and expresses its consent that access to PWK computer systems is granted for the period not longer than the term of this Agreement;
  • Supplier agrees to meet the export control terms on data transfer (if required).
5. PWK reserves the right to assess Supplier’s ability to meet UTC security requirements.

6. PWK reserves the right to refuse Supplier’s employees access to the PWK IT system, and to refuse connection of a modem and/or a network card to an external network, external link, telephone line, etc., if the above requirements are not met.

7. Any products produced for PWK under the Agreement are PWK property. PWK holds a right to use, make copies or modify copies of Goods and/or Services supplied.
 
8. Supplier guarantees that it holds proper rights to tools or software used to provide Goods and/or Services for PWK, which are subject of the Agreement.

9. Supplier shall cover all costs related to damages in case the manner of producing Goods and/or Services shall violate property rights of other entities.

10. In case a part of the agreement is to develop and/or modify WWW:
  • Contents on WWW are protected by copyright owned by PWK. Implementation and use of tools applied to search for contents must comply with UTC policy. In case the tools used to search for contents make copies of reference data, such copies are subject to the same protection as such reference data;
  • Supplier shall regularly update WWW sites containing PWK data through an electronic interface. PWK is responsible for defining the range of data and the frequency of updating.

11. All applications must use standard authorization and access control tools (current tools: SiteMinder by Netegrity, Inc) or such applications need to have features implemented to ensure security and compliance with UTC policy, including, but not limited to the following:

  • passwords of computer system users must be difficult to guess; dictionary words, words similar to the individual ID, sequential strings of characters from the keyboard (e.g. 123456, asdfgh), personal data (e.g. date of birth), commonly used acronyms, proper names of locations, etc. are prohibited;
  • passwords must be at least 6 characters long and be changed at least once every 90 days;
  • IDs connected with work automation are subject to the following restrictions for passwords:
    • a) passwords must be longer than 14 characters;
    • b) passwords must be complex (applying at least 3 rules, such as special characters, upper and lower case and alphanumeric characters);
  • minimum password life is 1 day; passwords can be reused after 6 months;
  • passwords may not be displayed or kept in an open file (unencrypted);
  • IDs of users who have not used their account for 3 months must be blocked, and removed after 6 months of account inactivity;
  • where possible, a UTC-approved information banner must be displayed before access to the system is granted.
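
The password rules of item 11 expressed as a checker, added here as an illustration and not part of the PWK document or any PWK tool. Assumed (not stated on the page): the keyboard rows and tiny dictionary are constructed stand-ins, "similar to ID" is approximated by substring match after dropping punctuation, and dates are passed as ISO strings.

```python
import re
from datetime import date

# Constructed stand-ins (assumptions, not PWK data): keyboard rows for spotting runs like
# "123456"/"asdfgh", and a tiny dictionary in place of the wordlist a deployment would load.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
DICTIONARY = {"password", "welcome", "kalisz", "summer"}

def _norm(s):  # lower-case, drop punctuation: 'svc_batch' and 'Svc-Batch' compare equal
    return re.sub(r"[^a-z0-9]", "", s.lower())

def has_keyboard_sequence(pw, n=4):
    """True if an n-character run from a keyboard row appears forwards or backwards."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - n + 1):
            seq = row[i:i + n]
            if seq in low or seq[::-1] in low:
                return True
    return False

def character_classes(pw):  # the classes item 11 names: lower, upper, digit, special
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])

def check_password(pw, user_id, personal_data=(), automation=False):
    """Return the list of item-11 violations; an empty list means compliant."""
    problems = []
    if automation:  # IDs connected with work automation: > 14 chars, at least 3 classes
        if len(pw) <= 14:
            problems.append("automation ID: password must be longer than 14 characters")
        if character_classes(pw) < 3:
            problems.append("automation ID: at least 3 character classes required")
    elif len(pw) < 6:  # interactive users: at least 6 characters
        problems.append("password must be at least 6 characters long")
    if any(word in pw.lower() for word in DICTIONARY):
        problems.append("dictionary word")
    if _norm(user_id) and _norm(user_id) in _norm(pw):
        problems.append("similar to user ID")
    if has_keyboard_sequence(pw):
        problems.append("sequential keyboard string")
    if any(_norm(i) and _norm(i) in _norm(pw) for i in personal_data):
        problems.append("contains personal data")
    return problems

def password_age_status(last_changed, today):
    """ISO date strings. Item 11: minimum life 1 day, forced change at least every 90 days."""
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    return "change not yet permitted" if age < 1 else "expired" if age > 90 else "valid"
```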

12. Supplier is responsible for ensuring compliance of Goods and/or Services with UTC security policy in place.


13. Supplier must provide a copy of its current security policy on data storage and processing and of its policy on physical access to equipment where PWK data are stored and/or processed. Supplier should annually provide PWK with its current security policy and present a plan including the dates of planned updates.


14. PWK or a designated third party is allowed to conduct a security audit in the Supplier’s premises without notification. In case PWK data are stored in a shared environment, PWK may appoint a third party to conduct such audit. The audit must take all facilities and equipment into consideration, where PWK data are stored including their backup, and may verify whether all necessary controls were implemented in compliance with UTC security policy.

 
15. It is recommended that Supplier segregate PWK data and store them in separate databases accessible only to PWK, authorized parties and those Supplier employees necessary to maintain the respective environment.

16. Supplier shall take every effort to prevent unauthorized access to PWK data.

17. PWK data shall be filed for the term of the Agreement. The minimum requirement is an incremental backup every 24 hours and a complete backup every 7 days. The term of storing backup copies in the archives is 30 days.

18. Unsuccessful security or information protection audits may be used to cancel the Agreement with Supplier. PWK may indicate Supplier’s weaknesses, whereas Supplier should, within 30 days, provide PWK with a correction plan to eliminate such non-compliance and, at PWK discretion, Supplier should apply temporary solutions until all non-compliance is removed. In case risks identified by PWK are not eliminated within the set time or Supplier refuses to remove such non-compliance, PWK may terminate the Agreement with immediate effect.

19. According to UTC IT policy IT011, information owned by the company and transferred through public networks such as the Internet must be encrypted. The encryption technology must be approved by PWK and comply with the effective law.

20. Supplier shall ensure an adequate level of verification for non-PWK employees who have access to PWK environment and data and based on the verification results, it will authorize such employees to cooperate with PWK. Supplier shall disclose to PWK the procedures used for the said employees who have access to PWK data.
Furthermore, based on the IT006 "Virus Protection" procedure, prior to using its own data carriers (incl. flash memory / USB, CD-R/RW, DVD-R/RW, laptop disks, etc.), Supplier shall without exception make such carriers available to PWK IT for verification using PWK-approved anti-virus software.

21. Prior to or when signing the Agreement, Supplier shall present PWK with a plan which describes how all data, including backup and filed data, will be provided to PWK upon expiry of the Agreement term and how they will be permanently deleted from Supplier’s system. The plan must account for provision of the data to PWK in the database which complies with PWK standards; otherwise, Supplier must supply a software license which enables access to data provided to PWK.

22. Prior to or when signing the Agreement, Supplier shall declare how it will meet PWK requirements as regards authorization of access to goods and/or services provided.

23. Supplier shall notify PWK of any attempts to obtain PWK data by third parties. Supplier shall immediately notify PWK of any request from third parties to provide PWK data.

24. Supplier must ensure that its procedures are updated within a specified time to achieve compliance with UTC information security policy.

25. Supplier should be able to ensure, at PWK request, compliance with the following security policy requirements. Furthermore, PWK reserves a right to evaluate Supplier’s ability to provide services and goods according to the security and data protection policy requirements in effect in PWK (UTC) at each stage of Purchase Order/Agreement/Service etc. performance:
 
  • Supplier states that UTC policies and practices regarding security shall be referred to when performing Purchase Order/Agreement/Service etc.;
  • Supplier agrees to act in compliance with export control requirements;
  • Supplier agrees to verify the background of individuals involved in communication with PWK;
  • Supplier ensures it has the necessary procedures for controlling and monitoring information functions;
  • Supplier ensures it is able to detect an intrusion, or an attempted intrusion, into its computer systems;
  • Supplier confirms authorization of users when granting remote access to PWK equipment;
  • Supplier ensures software integrity procedures;
  • Supplier confirms it is protected against malicious software (e.g. viruses) and operates intrusion detection;
  • Supplier confirms its participation in security alert services;
  • Supplier confirms its use of secure communication channels in case of remote connection;
  • Supplier ensures protection from significant known information attacks;
  • Supplier ensures physical and logical segregation of access to PWK/UTC information;
  • Supplier ensures proper physical safety;
  • Supplier ensures corrective actions regarding any defects and procedures once such defects appear.
26. Each external user must comply with all PWK/UTC policies and standards. Supplier shall pursue an awareness improvement program and file a written statement acknowledging accountability for remote access.
© PWK "Pratt & Whitney Kalisz" 2008 | All rights reserved.