Information Security Policy

Manual
1 Applicability ........................................................................................................... 2
2 Security Policy ........................................................................................................ 3
3 Organization of Information Security ..................................................................... 3
4 Asset Management .................................................................................................. 3
5 Human Resources Security ..................................................................................... 5
6 Physical and Environmental Security ..................................................................... 6
7 Communications and Operations Management ...................................................... 8
8 Access Control ...................................................................................................... 10
9 Information Systems Acquisition, Development and Maintenance ..................... 13
10 Information Security Incident Management ......................................................... 15
11 Business Continuity Management ........................................................................ 16
12 Compliance ........................................................................................................... 16
Index .......................................................................................................................... 19

DELPHI INFORMATION SECURITY
POLICY MANUAL

Page 2 Version 1.0 Effective: 6-10-10


1 Applicability

Delphi information is one of the Corporation’s most important assets and must be
protected accordingly. Protection of Delphi’s information assets is necessary to establish
and maintain trust between Delphi and its customers, suppliers, and business partners,
maintain compliance with the law, and protect the company’s reputation.

Timely and reliable information is necessary to perform business operations, process
transactions and support business decisions. Delphi’s business processes, earnings and
capital can be adversely affected if information becomes known to unauthorized parties,
is altered, or is not available when it is needed.

These policies apply to all users of Delphi information globally, including visitors,
contractors, suppliers and employees. These policies also apply to all information
systems owned, contracted, leased or operated for or by Delphi.

All personnel are responsible for understanding and accepting their responsibilities with
regard to information security and acceptable use of Delphi information and information
systems. User responsibilities include, but are not limited to, the following:

Safeguarding all Delphi information from unauthorized disclosure, modification
or destruction during and after their period of employment.
Being accountable for all activity associated with the use of their Delphi userID.
Abiding by the Delphi employee code of conduct guidelines, acceptable use
policy, non-compete agreements, intellectual property rights agreements and all
other applicable laws and regulations pertaining to Delphi information and
information systems.
Reporting information security issues to the local IT Security Manager and/or
Information Security.

Any issues or circumstances that do not fully comply with this policy must be reviewed
and approved by the appropriate management representative and IT Security Manager.
Management’s non-enforcement of any policy requirement does not constitute its
consent.

Non-compliance with the Delphi Information Security Policy (ISP) may result in
disciplinary action up to and including termination of employment and/or criminal or
civil legal action.

2 Security Policy
The Delphi Information Security Policy (ISP) provides Delphi IT and Business Units
with management direction and support for information security in accordance with
business requirements and relevant laws and regulations.

The Delphi Information Security Policy is approved by Delphi IT Management, and
published and communicated to all employees and relevant external parties.
3 Organization of Information Security

Management commitment to information security - Delphi IT Management
actively supports IT security within the organization through clear direction,
demonstrated commitment, explicit assignment, and acknowledgement of
information security responsibilities.
Information security coordination - Information security activities are
coordinated by the Delphi Global IT Security Manager, the IT Security Managers,
and Delphi IT Service Providers.
Allocation of information security responsibilities - Delphi information
security responsibilities are clearly defined within the Delphi Business Systems
Manual (DBSM) and Information Security Policy and Procedures.
Confidentiality agreements - Requirements for confidentiality of data and non-
disclosure agreements reflecting Delphi IT and Business Unit requirements for the
protection of information are identified, regularly reviewed and coordinated
through Delphi Global Supply Management (GSM), Delphi Human Resources,
and Delphi Legal.
Contact with authorities - Delphi IT Security Managers and IT Management
maintain authorized contacts with internal organizations supporting information
security (Corporate Security, IT Internal Audit, Internal Controls, Delphi Legal)
and with external organizations (Law Enforcement, Fire Departments and Life
Safety).
4 Asset Management

4.1 Responsibility for assets
Inventory of assets - All assets associated with information processing facilities
should be clearly identified and an inventory of all important assets drawn up and
maintained.
Ownership of assets - All information and assets associated with information
processing facilities should be owned by a designated part of the organization.
The implementation of specific controls may be delegated by the owner as
appropriate but the owner remains responsible for the proper protection of the
assets.
Acceptable use of assets - Standards for the acceptable use of information and
assets associated with information processing facilities should be identified,
documented, and implemented in accordance with the appropriate local policies
and requirements.
Personal/Privately owned computers, computer peripherals, or computer
software are not permitted into Delphi facilities and must not connect to the
Delphi network.
Delphi contractors, consultants and vendors are allowed to connect their
corporate computer equipment, computer peripherals, or computer software into
Delphi’s Network to provide support and services to Delphi under service
delivery contracts. This equipment must be pre-approved by Delphi IT through
proper authorization. All equipment must follow ISP Guidance and:
o Have anti-virus software with updated signatures installed at least
equivalent to Delphi requirements.
o Have the ability to perform patch management at least equivalent to
Delphi requirements.
o Allow their corporate computers to be audited for sensitive Delphi data at
any time.
o Have Delphi data purged upon conclusion of contracted support.
4.2 Information classification
Classification guidelines - Information should be classified in terms of its value,
legal requirements, sensitivity, and criticality to the organization to ensure that
information receives an appropriate level of protection.

The criteria used to identify which Delphi information should be classified are derived
from trade secret and other laws providing for the protection of intellectual
property and/or other confidential business information, and from the risk of
competitive harm if Delphi information is wrongfully or inadvertently
disclosed outside of Delphi. Posting sensitive Delphi information on the Delphi
Intranet (which encompasses more than just Apollo) is prohibited without
appropriate access controls in place.

Information labeling and handling –

o Classification labeling uses a prefix (e.g., Delphi) and a category suffix
(e.g. CONFIDENTIAL). The prefix explicitly identifies Delphi
ownership.
o Customer information handling - When information is received from a
customer outside of Delphi as part of the customer-supplier relationship,
information security protections for customer information must conform to
contractual requirements or other commitments made to the customer.
Additional information can be found in the Information and Product Security
Handling Guide and the Information Classification Tool.
5 Human Resources Security
5.1 Prior to employment
In order to ensure that employees, contractors and third party users understand their
responsibilities and are suitable for the roles they are considered for, and to reduce the
risk of theft, fraud or misuse of facilities:
Security roles and responsibilities should be defined in the job descriptions for
Delphi employees, contractors and third party users of information processing
facilities for the job roles they are undertaking and in terms and conditions of
employment.
Adequate screening must be performed through the standard HR hiring process
agreed by Delphi to ensure the candidate's suitability for the business requirement
and compliance with the relevant legal provisions and confidentiality agreements.
Delphi employees, contractors and third party users must agree to and sign a
document stating their and the organization’s responsibilities for Delphi
information security.

5.2 During employment
In order to ensure that employees, contractors and third party users are aware of
information security threats and concerns, their responsibilities and liabilities, and are
equipped to support Delphi security policy in the course of their normal work, and to
reduce the risk of human error:
Delphi management must ensure that all employees, contractors and third party
users understand their obligation to protect Delphi information and information
systems through awareness education programs, training in security procedures
and providing Delphi acceptable use policies.
Any suspected Delphi policy violation must be immediately reported to the Delphi
Ethics Line or the Regional/Divisional IT Security Manager for investigation of the
security breach.

5.3 Termination or change of employment
In order to ensure that employees, contractors and third party users exit an organization
or change employment in an orderly manner:
The immediate supervisor of departing Delphi employees, contractors and third
party users is responsible for ensuring that the process to terminate the departing
employee's, contractor's or third party user's ID and remove all access rights is
initiated, and that Delphi Human Resources is notified in a timely manner.
Any ongoing Delphi security requirements, legal responsibilities and, where
appropriate, responsibilities contained within any confidentiality agreement with
Delphi and the terms and conditions of employment continuing for a defined
period after the end of employment, must be included in the communication of
termination and the employee’s, contractor’s or third party user’s contracts.
A change of responsibilities or employment within Delphi or a third party
organization should be evaluated to determine whether it is appropriate for the existing
ID and access to be retained, or whether the existing ID should be terminated and a new
ID issued.
All Delphi employees, contractors and third party users must return all of
Delphi’s assets and equipment, including any information belonging to Delphi in
their possession upon termination of their employment, contract or agreement.

6 Physical and Environmental Security
6.1 Secure areas
In order to prevent unauthorized physical access, damage, and interference to the
organization’s premises and information:
Access to computer rooms and high security areas – will be restricted to
authorized employees with a business need to know and must be regularly
monitored, documented and reviewed at least semi-annually. Photographic,
video, audio or other recording equipment, such as cameras in mobile devices, is
not allowed in Delphi computer rooms and high security areas without proper
prior authorization.
Physical security perimeters (barriers such as walls, card controlled entry gates
or manned reception desks) must be used to protect areas that contain Delphi
classified information and information processing facilities used by Delphi.
Physical entry controls - Delphi secure areas must be protected by appropriate
entry controls to ensure that only authorized personnel are allowed access and that
a record of all such access and the business need for it is maintained.
Work Area Security - All Delphi employees, contractors, and third party users of
Delphi information processing facilities are required to secure classified Delphi
information, personal information, lock their computers, and in general secure
their work area before leaving at the end of the work day, or when their work area
will be unattended for an extended period of time in accordance with the Delphi
Clean Desk Policy. Vacant secure areas should be physically locked and
periodically checked.
Public access, delivery, and loading areas - Access points such as delivery and
loading areas and other points where unauthorized persons may enter the premises
should be controlled and, if possible, isolated from Delphi information processing
facilities to avoid unauthorized access.
To further ensure compliance with Delphi requirements, refer to the Delphi
Corporate Security Manual for the applicable specific procedures.

6.2 Information systems equipment security
In order to prevent loss, damage, theft or compromise of assets and interruption to the
organization’s activities:
Physical and environmental threats - Equipment used for processing Delphi
information should be protected from physical and environmental threats to
reduce the risk of interruption to Delphi business activities, to protect against loss
or damage, and to prevent unauthorized access to Delphi information.
Supporting utilities - Critical IT equipment used by Delphi must be protected
from power failures and other disruptions caused by failures in supporting
utilities.
Cabling security - All Delphi network and communications wiring must be
protected from all hazardous environmental conditions and unauthorized access
regardless of whether the facility is leased or owned.
Equipment maintenance - All critical IT equipment should be maintained by
authorized personnel to ensure its continued availability and integrity according to
recommended service intervals and specifications.
Security of equipment off-site - All Delphi employees, contractors and third
party users must exercise a high degree of personal responsibility to protect
physical assets and any Delphi classified information stored on those assets when
Delphi equipment and information is taken off-site. Laptops must be secured
when not in use.
Secure disposal or re-use of equipment - All equipment containing storage
media that is to be disposed of or re-used by Delphi employees, contractors, and
third party users must be processed using the appropriate procedures and tools.
Removal of property - Any equipment, information or software must not be
taken off-site from Delphi or Delphi joint venture facilities without prior
authorization, and inspections should be carried out in accordance with relevant
legislation and regulations.

7 Communications and Operations Management
7.1 Operational procedures and responsibilities
To ensure the correct and secure operation of Delphi information processing facilities:
Responsibilities and procedures for the management and operation of all Delphi
information processing facilities must be established.
Segregation of duties must be implemented, where appropriate, to reduce the risk
of negligent or deliberate system misuse and to reduce opportunities for
unauthorized or unintentional modification or issuance of the organization’s
assets.
Operating procedures should be documented, maintained, and made available to
all users. Changes to information processing facilities and systems should be
controlled.
Development, test, and operational facilities should be segregated to reduce the
risks of unauthorized access or changes to the operational system.
7.2 Third party service delivery management
To implement and maintain the appropriate level of information security and service
delivery in line with third party service delivery agreements:
Services must be delivered according to the appropriate service delivery
agreements.
Delphi management must check the implementation of agreements, monitor
compliance with the agreements, and manage changes to agreements to ensure
that the services delivered meet all requirements.
7.3 System planning and acceptance
To minimize the risk of Delphi systems failures:
Advance planning and preparation are required to ensure the availability of
adequate capacity and resources to deliver the required system performance.
The use of resources should be monitored and tuned, and projections of future
capacity requirements made, to reduce the risk of system overload and ensure the
required system performance.
The operational requirements of new systems should be established, documented,
and tested prior to their acceptance and use.
Acceptance criteria for new information systems, upgrades, and new versions
should be established and suitable tests of the system(s) carried out during
development and prior to acceptance.

7.4 Protection against malicious code
To protect the integrity of Delphi software and information:
Precautions are required to prevent and detect the introduction of malicious and
unauthorized code.
Detection, prevention, and recovery controls to protect against malicious code and
appropriate user awareness procedures must be implemented.
7.5 Backup
To maintain the integrity and availability of information and information processing
facilities:
Backup procedures shall be established, documented and implemented to ensure
timely restoration of data. Backup media and restoration procedures shall be
tested regularly.
Backup media must be stored in a physically and environmentally secure location.
7.6 Network security management
To ensure the protection of information in networks and the protection of the supporting
infrastructure:
Delphi networks must be properly managed and controlled.
Security features, service levels, and management requirements of all network
services must be identified and included in any network services agreements.
7.7 Storage Media handling
To prevent unauthorized disclosure, modification, removal or destruction of assets, and
interruption to business activities:
Storage media must be controlled and physically protected.
Appropriate operating procedures should be established to protect storage media
from unauthorized disclosure, modification, removal, and destruction.
There must be procedures in place for the management of removable media.
Media must be disposed of securely and safely when no longer required, using
formal procedures.
Procedures for the handling and storage of information should be established to
protect this information from unauthorized disclosure or misuse.
System documentation must be protected against unauthorized access.
7.8 Exchange of information
To maintain the security of information and software exchanged within an organization
and with any external entity:
Formal exchange policies, procedures, and controls must be in place to protect the
exchange of information through the use of all types of Delphi communication
facilities.
Delphi information exchange facilities must comply with any relevant legal
requirements.
Agreements must be established for the exchange of information and software
between Delphi and external parties.
Media containing information must be protected against unauthorized access,
misuse or corruption during transportation beyond an organization’s physical
boundaries.
Information involved in electronic messaging must be appropriately protected.
Policies and procedures must be developed and implemented to protect
information associated with the interconnection of business information systems.
7.9 Electronic commerce services
To ensure the security of electronic commerce services, and their secure use:
Information involved in electronic commerce passing over public networks must
be protected from fraudulent activity, contract dispute, and unauthorized
disclosure and modification.
Information involved in online transactions must be protected to prevent
incomplete transmission, misrouting, unauthorized message alteration,
unauthorized disclosure, unauthorized message duplication or replay.
The integrity of information being made available on a publicly available system
must be protected to prevent unauthorized modification.
7.10 Monitoring
To detect unauthorized information processing activities:
Delphi systems must be monitored, where appropriate and technically possible.
Content of the system logs will be determined by the appropriate standards.
Procedures for monitoring use of information processing facilities must be
established and the results of the monitoring activities reviewed regularly.
System log access must be controlled and must follow the appropriate procedures,
standards, and approval processes.
Creation, retention and deletion of system logs must be controlled and follow the
proper procedure and approval process.
The clocks of all relevant information processing systems should be synchronized
with an agreed accurate time source.
8 Access Control
8.1 Business requirement for access control
To control access to information:
Access to all information and data shall be restricted to only authorized personnel
and appropriately segregated by business need.
Access to information and data shall only be granted through an approved process
by authorized personnel having appropriate authority to grant such access.
All access requests shall be documented and maintained for a period appropriate
for the data classification and risk assessment or legal requirement.
Access control rules should take account of policies for information dissemination
and authorization.
Users must not share, distribute or in any way disseminate information that they
are not authorized to release.
8.2 User access management
To ensure authorized user access and to prevent unauthorized access to information
systems:
Creation of user IDs must follow the appropriate procedures and standards.
Assignment of user IDs must follow the appropriate procedures and standards.
Disabling of user IDs must follow the appropriate procedures, and occur
automatically after the established period of time, where technically feasible.
Deletion of user IDs must follow the appropriate procedures, and occur
automatically after the established period of time, where technically feasible.
Creation of root, admin and other privileged access accounts must be restricted
and follow the proper procedure and approval process.
Creation of group, service, application and kiosk IDs must be restricted and
follow the proper procedure and approval process.
Access reviews must be conducted by the application or information owner
periodically in accordance with the appropriate procedures and regulations.

8.3 User responsibilities
To ensure authorized user access and to prevent unauthorized access to information
systems:

Passwords must not be shared.
Passwords must not be stored in a non-secure location.
Passwords must be stored and transmitted in encrypted form, where technically
possible.
Temporary passwords (e.g., those assigned for a password reset) must be changed upon
initial use.
Creation of user passwords must follow the appropriate procedures and standards.
Users must lock their computers, and in general secure their work area, before
leaving at the end of the work day, or when their work area will be unattended for an
extended period of time, in accordance with the Delphi Clean Desk Policy.

8.4 Network access control
To prevent unauthorized access to networked services:
Access to both internal and external networks must be controlled and must follow
the appropriate procedures, standards, and approval processes.
Users must access only those services that they have been specifically authorized
to use.
Only Delphi approved computers and devices may connect to the Delphi network.
Delphi reserves the right to monitor, block, or discontinue any network service at
any time without advance notice.

8.5 Operating system access control
To prevent unauthorized access to operating systems:
Operating system access must be controlled and must follow the appropriate
procedures, standards, and approval processes.
Users must access only those services, features, and utilities that they have been
specifically authorized to use.
Only Delphi approved users may log into Delphi computers or equipment.
Delphi reserves the right to monitor, block, or discontinue operating system logon
privileges at any time without advance notice.
8.6 Application and information access control
To prevent unauthorized access to applications and information systems:
Application and information systems access must be controlled and must follow
the appropriate procedures, standards, and approval processes.
Users must access only those application and information systems that they have
been specifically authorized to use.
Only Delphi approved users may use Delphi applications and information
systems.
Application and information systems must be protected in a secure environment,
restricting physical and logical access to those on an as-needed basis.
Delphi reserves the right to monitor, block, or discontinue application or
information system access at any time without advance notice.
8.7 Monitoring system access and use
To ensure authorized use and to prevent unauthorized access to Delphi networks,
systems, applications and information systems:
When technically possible, all servers and applications that are business critical,
subject to legal requirements, or the subject of audit or risk assessment findings
must be monitored.
Content of the system logs will be determined by the appropriate standards. The
level of monitoring and reviews required may be driven by legal requirements
(such as SOX or HIPAA), an internal audit finding, or by a risk assessment
performed by the IT Security Team.
System log access must be controlled and must follow the appropriate procedures,
standards, and approval processes.
Creation, retention and deletion of system logs must be controlled and follow the
proper procedure and approval process.
Delphi reserves the right to monitor system access and use.

8.8 Mobile computing and telecommuting
To ensure information security when using mobile computing and telecommuting
facilities:
Remote access to Delphi network and information systems must be controlled and
must follow the appropriate procedures, standards, and approval processes.
Users must access only those resources that they have been specifically
authorized to use.
Only Delphi approved users may utilize remote access to log into the Delphi
network or information systems.
Users must ensure that any Delphi classified information contained in a
portable device receives the proper protection according to the Delphi Information
and Product Security Handling Guide (see section 4.2 of this document for additional
information).


9 Information Systems Acquisition, Development and Maintenance
9.1 Security requirements of information systems
To ensure that security is an integral part of information systems:
Information systems include: operating systems, infrastructure, business
applications, off-the-shelf products, services, and user-developed applications.
Security requirements - must be identified and agreed prior to the development
and/or implementation of information systems.
o All security requirements should be identified at the requirements phase of
a project and justified, agreed, and documented as part of the overall
business case for an information system.
o Statements of business requirements for new information systems, or
enhancements to existing information systems should specify the
requirements for security controls.
9.2 Correct processing in applications
To prevent errors, loss, unauthorized modification or misuse of information in
applications:
Appropriate controls must be designed into applications, including user developed
applications, to ensure correct processing. These controls should include the
validation of input data, internal processing and output data.
Additional controls may be required for systems that process, or have an impact
on, sensitive, valuable or critical information. Such controls should be
determined on the basis of security requirements and risk assessment.
9.3 Cryptographic controls
To protect the confidentiality, authenticity or integrity of information by cryptographic
means:
Users must ensure that reasonable precautions are implemented so that Delphi
information, while in transit, cannot be observed, tampered with, or extracted
from the Delphi information systems and networks by some unauthorized person
or device.
Only Delphi approved cryptographic controls must be utilized.
9.4 Security of system files
To ensure the security of system files:
Access to system files and program source code must be controlled, and IT
projects and support activities must be conducted in a secure manner. Sensitive
data must not be exposed in test environments.
Control of operational software – Procedures must be implemented to control
the installation of software on operational systems.
Protection of system test data - Test data must be selected carefully, protected,
and controlled.
Access control to program source code must be restricted.
9.5 Security in development and support processes
To maintain the security of application system software and information:
Project and support environments must be strictly controlled.
All proposed system changes must be reviewed to check that they do not
compromise the security of either the system or the operating environment.
Change control procedures - The implementation of changes must be controlled
by the use of formal change control procedures.
Technical review of applications after operating system changes - When
operating systems are changed, business critical applications should be reviewed
and tested to ensure there is no adverse impact on organizational operations or
security.
Restrictions on changes to software packages - Modifications to software
packages should be discouraged, limited to necessary changes, and all changes
should be strictly controlled.
Outsourced software development - Outsourced software development must be
supervised and monitored.
9.6 Technical Vulnerability Management
To reduce risks resulting from exploitation of published technical vulnerabilities:
Technical vulnerability management must be implemented in an effective,
systematic, and repeatable way with measurements taken to confirm its
effectiveness. These considerations should include operating systems, and any
other applications in use.
Control of technical vulnerabilities - Timely information about technical
vulnerabilities of information systems being used must be obtained, the
organization’s exposure to such vulnerabilities evaluated, and appropriate
measures taken to address the associated risk.
10 Information Security Incident Management
10.1 Reporting information security events and weaknesses
To ensure information security events and weaknesses associated with information
systems are communicated in a manner allowing timely corrective action to be taken:
Reporting information security events - Information security events must be
reported through appropriate management channels as quickly as possible.
Reporting security weaknesses - All employees, contractors and third party
users of information systems and services are required to note and report any
observed or suspected security weaknesses in systems or services.
10.2 Management of information security incidents and improvements
To ensure a consistent and effective approach is applied to the management of
information security incidents:
Responsibilities and procedures - Management responsibilities and procedures
must be established to ensure a quick, effective, and orderly response to
information security incidents. A process of continual improvement should be
applied to the response to, monitoring, evaluating, and overall management of
information security incidents.
Learning from information security incidents - There should be mechanisms in
place to enable the types, volumes, and costs of information security incidents to
be quantified and analyzed. Preventive measures should be taken to avoid repeat
incidents.
Collection of evidence - Where a follow-up action against a person or
organization after an information security incident involves legal action (either
civil or criminal), evidence must be collected by the security staff, retained, and
presented to conform to the rules for evidence laid down in the relevant
jurisdiction(s). Where evidence is required, it must be collected and preserved to
ensure compliance with legal requirements.
11 Business Continuity Management
To counteract interruptions to business activities and to protect critical business processes
from the effects of failures of information services and to ensure their timely resumption:
A managed process must be developed and maintained throughout the
organization that addresses the information security requirements needed for the
organization’s business continuity.
Events that can cause interruptions to business processes must be identified, along
with the probability and impact of such interruptions and their consequences for
information security.
Plans must be developed and implemented to maintain or restore operations and
ensure availability of information at the required level and in the required time
scales following interruption to, or failure of, critical business processes.
A single framework of business continuity plans must be maintained to ensure all
plans are consistent, to address information security requirements, and to identify
priorities for testing and maintenance.
Business continuity plans must be tested and updated regularly to ensure that they
are up-to-date and effective.
12 Compliance
12.1 Compliance with legal requirements
In order to avoid breaches of any law, statutory, regulatory or contractual obligations, and
security requirements:
Advice on specific legal requirements should be sought from the Delphi Legal
Staff.
Non-Disclosure and Confidentiality Agreements - Refrain from the signing of
non-disclosure or confidentiality agreements or otherwise obligating Delphi to
protect or not use information provided by third parties, without prior review and
approval by the Delphi Legal Staff.
Identification of applicable legislation - All relevant statutory, regulatory, and
contractual requirements and the organization’s approach to meet these
requirements must be explicitly defined, documented, and kept up-to-date.
Intellectual property rights (IPR) - Appropriate procedures must be
implemented to ensure compliance with legislative, regulatory, and contractual
requirements on the use of material in respect of which there may be intellectual
property rights, and on the use of proprietary software products.
Protection of organizational records - Important records must be protected from
loss, destruction, and falsification, in accordance with statutory, regulatory,
contractual, and business requirements.
Data protection and privacy of personal information - Data protection and
privacy must be ensured as required in relevant legislation, regulations, and, if
applicable, contractual clauses.
Prevention of misuse of information processing facilities - Users must be
deterred from using information processing facilities for unauthorized purposes.
Regulation of cryptographic controls - Cryptographic controls must be used in
compliance with all relevant agreements, laws, and regulations.
12.2 Compliance with security policies and standards, and technical compliance
To ensure compliance of systems with organizational security policies and standards:
The security of information systems must be regularly reviewed.
Such reviews must be performed against the appropriate security policies, and the
technical platforms and information systems should be audited for compliance
with applicable security implementation standards and documented security
controls.
Compliance with security policies and standards - Management shall enforce
the Delphi Information Policy and the corresponding Information Standards and
Procedures for all users. The penalty for non-compliance shall include, but will
not be limited to, disciplinary action (up to and including termination of
employment) and/or appropriate legal action.
Technical compliance checking - Information systems must be regularly
checked for compliance with security implementation standards.
12.3 Information systems audit considerations
To maximize the effectiveness of the information systems audit process:
Information systems audit controls - Audit requirements and activities
involving checks on operational systems are to be planned to minimize the risk of
disruptions to business processes. There should be controls to safeguard
operational systems and audit tools during information systems audits.
Protection of information systems audit tools - Access to information systems
audit tools must be protected to prevent any possible misuse or compromise.
Protection is also required to safeguard the integrity and prevent misuse of audit
tools.
Index
Acceptable use of assets, 5
Access Control, 11
Access to computer rooms, 7
Acquisition, 14
Allocation of information security responsibilities, 4
Applicability, 3
Application and information access control, 13
Asset management, 4
Audit considerations, 18
Backup, 10
Business Continuity Management, 17
Business requirement for access control, 11
Cabling security, 8
Change control procedures, 15
Change of responsibilities, 7
Classification guidelines, 5
Collection of evidence, 17
Communications and Operations Management, 9
Compliance with security policies and standards, 18
Compliance, legal requirements, 17
Confidentiality agreements, 4, 18
Contact with authorities, 4
Contractors, consultants and vendors, 5
Coordination of Information Security, 4
Cryptographic controls, 15
Customer information handling, 5
Delivery, and loading areas, 7
Development, 14
development and support processes, 15
Disposal or re-use of equipment, 8
Electronic commerce, 11
Equipment maintenance, 8
Equipment off-premises, 8
Equipment security, 8
Exchange of information, 10
High Security Areas, 7
HR Security, During employment, 6
HR Security, Prior to employment, 6
Human Resources Security, 6
Incident Management, 16
Information classification, 5
Information labeling and handling, 5
Intellectual property rights (IPR), 18
Inventory of assets, 4
Maintenance, 14
Malicious and code, 10
Management commitment, 4
Management of information security incidents, 16
Mobile computing and telecommuting, 14
Monitoring, 11
Monitoring system access and use, 13
Network access control, 13
Network security, 10
Non-disclosure agreements, 18
Operating system access control, 13
Operational procedures and responsibilities, 9
Outsourced software development, 16
Ownership of assets, 4
Personal/Privately owned computers, 5
Physical and Environmental Security, 7
Physical and environmental threats, 8
Physical entry controls, 7
Physical security perimeters, 7
privacy of personal information, 18
Processing in applications, 15
Protection of organizational records, 18
Public access area, 7
Public access, delivery, and loading areas, 7
Regulation of cryptographic controls, 18
Removal of property, 8
Reporting information security events, 16
Reporting security weaknesses, 16
Responsibility for assets, 4
Restrictions on changes, 16
Secure areas, 7
Secured Work Area, 7
Security Policy, 4
Security requirements, 14
source code, 15
Storage Media handling, 10
System planning and acceptance, 9
system test data, 15
Technical review, 16
Technical Vulnerability Management, 16
Termination or change of employment, 6
Third party service delivery management, 9
User access management, 12
User responsibilities, 12
Utilities, 8