1. Hardware to be supplied:
- preferred standard of a server, desktop computer, laptop or other computer equipment to be compliant with the current configuration for UTC (information available at any time from the WSK IT Department);
- preferred operating system to be compliant with the UTC policy (information available at any time from the WSK IT Department);
- the Supplier shall confirm legality (by providing a licence certificate, invoice) of each type of the installed / supplied software;
- the Supplier shall define details of the warranty conditions and support for the hardware delivered;
- WSK does not authorise the Supplier to remove any hard discs or any other information media used for testing and/or production purposes (with the system delivered) outside of the company premises.
2. In the event that the PC/device is equipped with a modem or a network card, the Supplier shall:
- precisely define the purpose for which the modem is used and present its preferred configuration;
- precisely define the purpose for which the network card is used and present its preferred configuration.
3. User rights pertaining to the hardware delivered:
- the Supplier’s employees shall have their hardware configuration rights reduced to the greatest possible extent so that they can only make the smallest possible improvements, including error fixing, configuration set-up during implementation, etc. if such elements are a part of the order or contract and were defined therein;
- during the final acceptance of the device / project, etc. the Supplier shall provide all the access rights, passwords, etc. to the systems and applications delivered as part of the assignment, order, etc.;
- such rights shall be transferred in writing in a sealed envelope to the representative of WSK IT against confirmation of receipt;
- access rights are subject to review by WSK personnel (IT, W74);
- the Supplier shall not receive any rights of a privileged user (administrator, root, etc.) with regard to the delivered hardware during its use in the production process.
4. Remote connection to the WSK computer systems shall at all times be subject to the following conditions:
- the Supplier shall make a written statement confirming its acceptance of the Confidentiality Agreement, which is a pre-requisite for commencement of co-operation;
- the Supplier acknowledges, undertakes and agrees that it is granted access to the WSK computer systems only for the duration of this Agreement;
- the Supplier shall comply with the export control conditions relating to the transferred data (if applicable).
5. WSK reserves the right to assess the Supplier’s capability to meet the UTC security policy requirements.
6. WSK reserves the right to refuse the Supplier's employees access to the WSK IT system, modem and/or network card connection to an external network, external link, phone line, etc. if the foregoing conditions are not met.
7. Any products developed for WSK under the Agreement shall become the property of WSK. WSK shall have the right to use, copy and modify the copies of the provided Goods and/or Services.
8. The Supplier confirms that it has appropriate rights to the tools and the software used in development of the Goods and/or Services for WSK under the Agreement.
9. The Supplier shall indemnify WSK against any claims that the development of the Goods and/or Services in any way infringes the intellectual property rights of a third party.
10. If the agreement provides for development and/or modification of a website, then:
- the content published on the website shall be protected by copyrights; such rights are vested in WSK. The implementation and use of any tools for content search must be compliant with the UTC policy. If the tools used for content search create copies of the source data, all the copies are subject to the same level of protection as the source data;
- the Supplier shall ensure regular updates of the website with WSK data through an electronic interface. Defining the scope of data and frequency of updates is the responsibility of WSK.
11. All the applications must use the standard authorisation and access control tools (currently used tool: SiteMinder, Netegrity, Inc) or they must have a functionality implemented ensuring their security and compliance with the UTC security policy, including:
- the passwords of the computer system users must not be trivial; it is prohibited to use any dictionary words, words similar to the user ID, characters ordered in the keyboard sequence (e.g. 123456, asdfgh), personal data of the user (e.g. date of birth), common acronyms, names of locations, etc.;
- a password must consist of at least 6 characters and must be changed at least every 60 days;
- for the IDs connected with work automation, the following password requirements apply:
a) passwords must have more than 14 characters;
b) passwords must be complicated (use at least 2 rules such as: special characters, lowercase and uppercase letters and alphanumeric characters);
- minimum life of a password is 1 day; passwords should be reused only after 6 months;
- passwords must not be displayed or stored in any open (unencrypted) file;
- the ID of a user who has not used their account for 3 months must be blocked; after 6 months of inactivity the user account will be removed;
- where possible, before receipt of access to the system, a notice (banner) approved by UTC must be displayed.
12. It is the Supplier’s responsibility to ensure compliance of the Goods and/or Services with the applicable UTC security policy.
13. The Supplier must provide a copy of its current security policy pertaining to the storage and processing of the data as well as its policy on physical access to the equipment used for storing and/or processing of the WSK data. Once a year, the Supplier shall provide WSK with its up-to-date security policy and indicate a plan with dates of the expected updates.
14. WSK or a third party indicated by WSK shall have the right to conduct a security audit at the Supplier’s site without any prior notice. If the WSK data are stored in a shared environment, WSK may contract a third party to conduct such audit. The audit may cover any facilities and equipment used for storing the WSK data, including backups of such data and may check if all the required controls have been implemented in line with the UTC security policy.
15. It is recommended that the Supplier should segregate WSK data, keeping the data in separate databases accessible only by WSK, authorised parties and the employees of the Supplier who need such data to maintain a particular environment.
16. The Supplier shall use its best endeavours to prevent unauthorised access to the WSK data.
17. The WSK data must be archived throughout the term of the Agreement. The minimum requirements are: incremental back-up every 24 hours and a full back-up every 7 days. Copies shall be kept in the archive for 30 days.
18. Failure of the security or information protection audit shall be the basis for termination of the Agreement with the Supplier. WSK may indicate identified “soft spots” to the Supplier and the Supplier shall within 30 days provide WSK with a plan to remove such vulnerabilities and if WSK so requires, the Supplier shall apply interim solutions until all the vulnerabilities are removed. If the risks identified by WSK are not removed within the stated period or if the Supplier refuses to remove the same, WSK may terminate the Agreement forthwith.
19. According to the UTC IT policy IT011, any proprietary information transferred via public networks (such as the Internet) must be encrypted. The encryption technologies used shall be approved by WSK and shall comply with the applicable laws.
20. The Supplier shall ensure an appropriate level of vetting of the staff not controlled by WSK, who have access to the WSK environment or data and depending on the results of such vetting shall approve such employees for co-operation with WSK. The Supplier must disclose to WSK the procedures applied for such staff who have access to the WSK data.
21. Before or at the date of execution of the Agreement, the Supplier shall provide WSK with a plan which outlines how all the data, including their back-ups and historical data will be transferred to WSK on termination or expiry of the Agreement and how they will be permanently deleted from the Supplier's system. The plan must provide for the data to be delivered to WSK in a database compliant with the WSK standards or else the Supplier shall deliver to WSK the licence for the relevant software that will allow WSK to use the delivered data.
22. Before or at the date of execution of the Agreement, the Supplier shall confirm that it fully satisfies WSK requirements regarding authorisation of access to the goods and/or services rendered.
23. The Supplier must advise WSK of any third party attempts to acquire WSK data. The Supplier shall immediately advise WSK of any third party requests for WSK data.
24. The Supplier shall ensure an update of its procedures, during a stated period of time, to ensure they comply with the UTC policy on information protection. The policy is updated on an on-going basis.
25. The Supplier shall be able to ensure, at the WSK's request, compliance with the below-stated security policy requirements. WSK reserves the right to assess the Supplier’s capability to deliver services and goods in accordance with the WSK (UTC) security and data protection policy at any stage of the Order/Agreement/Assignment, etc.:
- the Supplier confirms that the security policies and practices of UTC will be the basis for delivery of the Order/Agreement/Assignment, etc.;
- the Supplier shall follow the rules of expert control;
- the Supplier shall check the background of the people engaged in communication with WSK;
- the Supplier warrants that it has appropriate procedures for checking and monitoring of IT functions;
- the Supplier confirms that it is capable of detecting any intrusions and attempts of intrusion to the computer systems;
- the Supplier confirms that it uses user authorisation procedures in the event that the WSK devices are accessed remotely;
- the Supplier shall ensure software integrity procedures;
- the Supplier confirms that it has safeguards in place against malicious procedures (such as viruses, intrusions);
- the Supplier confirms that it participates in the security alerts service;
- the Supplier confirms that for remote connections it uses safe communication channels;
- the Supplier shall ensure safeguards against any well-known significant IT attacks;
- the Supplier shall ensure physical and logical segregation of access to the information of WSK/UTC;
- the Supplier shall ensure proper physical protection;
- the Supplier shall correct any defects in the functioning of the procedures.
26. Each external user shall follow all the policies and standards of WSK/UTC. The Supplier shall operate an awareness-building programme and sign a statement confirming its responsibility for remote access.