Notice to Reader
In this document, “Honeywell” or the “Company,” shall mean Honeywell International Inc., its subsidiaries and affiliates, and
their respective predecessors and successors.
This policy is intended to create contractual obligations between the Supplier and the Company. In the United States and
certain other countries, employment with the Company is "at will," which means that either the Company or the employee may
terminate the employment relationship at any time and for any reason, without notice. The Company reserves the right to
modify, amend, or rescind this policy at any time. This policy supersedes any prior policies of Honeywell International Inc. or
its predecessors, subsidiaries, and affiliates, whether written or oral, on the topics covered herein.
Honeywell’s Information and System Security Supplier Terms and Conditions Version 4.0
Table of Contents
1. PURPOSE
2. REVISION HISTORY
3. SCOPE
3.1 ESTABLISHING SECURITY REQUIREMENTS
4. STANDARD
GENERAL SECURITY REQUIREMENTS
4.1 SECURITY POLICIES
4.2 LOGICAL ACCESS CONTROL
4.3 COMPLIANCE WITH HONEYWELL CODE OF BUSINESS CONDUCT
4.4 INFORMATION CLASSIFICATION
4.5 PERSONNEL SCREENING
4.6 USER TRAINING
4.7 PHYSICAL AND ENVIRONMENTAL SECURITY
4.8 NETWORK SECURITY
4.9 INFORMATION EXCHANGE
4.10 ENCRYPTION MANAGEMENT
4.11 SUPPLIER AUDIT
4.12 SUPPLIER NETWORK TRANSPORT REQUIREMENTS
SEMI-TRUSTED SUPPLIER SECURITY REQUIREMENTS
4.13 SEMI-TRUSTED NETWORK TRANSPORT REQUIREMENTS
TRUSTED SUPPLIER SECURITY REQUIREMENTS
4.14 TRUSTED SUPPLIER REQUIREMENTS
APPLICATION SERVICE PROVIDER (ASP) SECURITY REQUIREMENTS
4.15 ASP GENERAL SECURITY REQUIREMENTS
4.16 SECURITY ARCHITECTURAL REQUIREMENTS
4.17 APPLICATION AND CODE REVIEW
4.18 CHANGE MANAGEMENT
4.19 AUTHENTICATION AND ACCESS CONTROL
4.20 THREAT AND VULNERABILITY ASSESSMENT
4.21 HOST SECURITY
4.22 NETWORK SECURITY
4.23 FIREWALL
4.24 INTRUSION DETECTION
4.25 SECURITY MONITORING
4.26 INCIDENT RESPONSE HANDLING
4.27 DATA BACKUP AND DISASTER RECOVERY PLANNING
4.28 PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS
4.29 ENCRYPTION
4.30 LOGGING
5. ROLES AND RESPONSIBILITIES
6. DEFINITIONS
7. SUPPORTING DOCUMENTATION
8. FORMS AND EXHIBITS
Approvals
1. Purpose
Honeywell will ensure that 1) supplier services employ, maintain and monitor adequate security controls, and 2) that
Honeywell monitors security control compliance of these suppliers. [UCF ID 01134]
The purpose of this policy is to address technical and physical security, management, support, access, monitoring and
compliance concerns for the management of Information Technology (IT) related supplier services. In addition this
policy addresses physical security of building access, badging and environmental controls. It is imperative that all
supplier relationships are formalized to include continuity of service and auditing of those services.
2. Revision History
3. Scope
Supplier is defined as a third party responsible for supplying goods or services. This also extends to individuals or
businesses that perform part or all of the obligations on behalf of the Supplier. Examples of suppliers include commodity
hardware and software suppliers, network and telecom providers, and outsourcing organizations.
If the supplier is unable to comply with all of the requirements as outlined in this Policy, the supplier must provide a
detailed explanation of the specific requirements that cannot be met, to the Honeywell Global Security (HGS) Focal Point
listed above. It will be assumed that the supplier employees and any subcontractors of the Supplier will comply with all
the requirements as outlined in this policy, unless otherwise indicated.
Suppliers are responsible for the actions of their employees and any subcontractors of the Supplier.
4.1 – 4.12 ✓ ✓ ✓ ✓
4.13 ✓
4.14 ✓
4.15 – 4.30 ✓
Note: Honeywell Sponsor and Honeywell Security Leader will adjust based
upon business need and data classification
Certain terms are used throughout this policy; in order to avoid misinterpretation, several of the more
commonly used terms are defined below:
General Supplier: A third party with access to Honeywell networks or resources, responsible for supplying
goods or services that are required to deliver IT services.
Semi-Trusted Supplier: A site-to-site connection between Supplier network and Honeywell internal
network that requires Least Access firewall rules. Used for outbound-initiated connectivity into the network,
or a specific set of inbound IPs/ports/protocols acceptable to Honeywell.
Trusted Supplier: A physically isolated segment of the Supplier network connected to Honeywell internal
network in a manner identical to a Honeywell remote office. The Trusted Supplier network by default is a
standalone group of subnets with no physical or logical connectivity to any network other than the
Honeywell network.
Application Service Provider (ASP): Supplier is an external service provider hosting/housing Honeywell
data, which may include the transmitting or transporting of Honeywell information.
4. Standard
General Security Requirements
4.1 Security Policies
Honeywell requires that agreements with the supplier include contract provisions that address regulatory
obligations for secure operations. The supplier must have security policies and procedures that are
reviewed on a regular basis. Security policies and procedures will include but not be limited to:
authorized Honeywell process. Suppliers are responsible for the actions of their employees and any
subcontractors of the Supplier.
The supplier must use Honeywell’s formal computer incident response and handling plan to provide
guidance to the response team in the event that a security incident occurs that relates to
Honeywell’s systems. For additional information, please visit the HGS Security Operation Center
(SOC) incident system at https://soc.honeywell.com/incident.html. The incident response and
handling plan typically contains the following processes:
Honeywell unique Electronic Identifier (EID) is to be employed for systems access controls for all
suppliers requiring access to Honeywell networks and systems.
All users must be authenticated using a password or other stronger authentication mechanism
acceptable to information security. The supplier password convention must match or exceed
Honeywell’s password complexity requirements.
It is the responsibility of the supplier and individuals generating Honeywell information to classify and follow
the information classification requirements.
Honeywell sponsor will advise the supplier’s personnel on the required actions for handling Honeywell
information assets and their respective disposal requirements. Disposal of such material is expected to be
conducted in accordance with the information categorization.
Additional screening may be required per job description and job location requirements. Personnel who
access information processing facilities for confidential information, e.g. financial, or confidential-restricted
materials are to have additional screening requirements for:
• Credit checks
For personnel holding positions of considerable authority, the above check should be repeated annually.
Agencies responsible for providing contract personnel include the aforementioned screening requirements.
The communication of verifying actions is to include notification of any negative and incomplete check
information to hiring management prior to personnel assignment.
Background investigation requirements include the following (in accordance with regionally accepted privacy
legislation):
1. Social Security Trace (to identify addresses to be used for the Criminal History)
2. Criminal History – verify court records for the last seven (7) years
a. County Records Check – all addresses at which the individual lived and worked during the past
seven (7) years
HGS Policy Template v1.0 Page 4 of 17
b. Federal Criminal Check – covers all locations at which the individual lived and worked during the
past seven (7) years
3. National Sex Offender Registry (State Sex Offender Registries are too restrictive)
4. Prohibited Parties List - Vendor employee cannot be a prohibited party that would be recognized under
the terms listed.
a. Debarred Parties - Parties denied export privileges under the International Traffic in Arms
Regulations (ITAR) as administered by the Office of Defense Trade Control (DTC)
b. Denied Persons List - Parties denied export privileges as administered by the Bureau of Industry
and Security. The list may be found in the Export Administration Regulations, 15 CFR Part 764
Supplement No. 2.
c. Entity List - Entities subject to license requirements because of their proliferation of weapons of
mass destruction. The list may be found in the Export Administration Regulations, 15 CFR Part
774 Supplement No. 4.
d. Special Designated Nationals, Terrorists, Narcotics Traffickers, Blocked Persons and Vessels
Parties subject to various economic sanctioned programs administered by the Office of Foreign
Assets Control (OFAC).
Background investigations that are older than 30 days must be updated using the above listed criteria in
order for a badge for unescorted access to be issued to a Supplier’s employee. Honeywell will rely upon the
Supplier to ensure that the specified background investigation is less than 30 days old and that the background
investigation has been adjudicated according to the criteria listed above.
badges must be worn in a visible manner while the bearer is in any company facility not
generally open to the public.
• All other visitors must be signed in and escorted by a company employee throughout the
time that the visitor is in a company facility.
• All visitors should receive written and/or verbal instructions on the visited area’s security
requirements and emergency procedures.
• Any supplier who discovers an unauthorized individual within a company facility should
notify their supervisor, or contact HGS.
• Any packages, objects, bags, etc. brought into or removed from company facilities are
subject to inspection.
• Authorization by Management must precede any equipment, information or software being
taken off-site. Honeywell’s security guards will log out and log in equipment as it leaves or
enters Honeywell’s facility in accordance with established procedures developed by HGS.
• Cameras and recording devices are not permitted on Honeywell premises without prior
authorization from HGS.
• Access rights to facilities will be regularly reviewed and updated. Supplier must make
Honeywell aware of any changes to personnel who no longer need access.
• Access rights to facilities must be removed upon employee/contractor termination or a
change in job responsibilities that no longer requires physical access to the facility.
4.7.3.1 Honeywell Sponsor will provide additional clarification and procedures to the supplier where
Department of Defense (DoD) and/or other regulations must be followed.
Although laptops should primarily be used for access, not storage, Honeywell data may only be
stored on these devices or other portable computing devices with approved configured security
settings (i.e. laptop disks should be encrypted and personal firewalls are highly recommended).
Honeywell approved software must be used to detect and remove viruses and malicious software.
Automatic anti-virus software is mandatory for all computer operating systems. The software must
be actively enabled at all times, except when required to perform other administrative functions. The
software must be configured to scan all file types when accessed.
Anti-virus software should be configured to perform a scan of all files on the systems, including
servers at an acceptable frequency as defined in the Security Component: Antivirus Standard.
See Section 7.0 Supporting Documentation below. Procedures must be developed to ensure the
availability of anti-virus software updates and reliable virus information as released by a commercial
supplier. Virus signatures must be obtained from the software supplier on at least a weekly basis,
and on a daily basis, if available.
Telecommuting or remote access networking requires the use of either Honeywell-provided secure
computing equipment or approved software installed for Honeywell’s network protection. Users not
issued a Honeywell-provided secure remote access solution must get approval by HGS before
connecting to the network remotely. Failure to do so is in direct violation of this Policy.
Suppliers authorizing persons to telecommute or work remotely must provide the person with the
resources necessary to protect Honeywell’s information assets. Telecommuting requires employees
to use a Honeywell approved secure remote laptop to ensure the protection of Honeywell’s
information assets as described in this standard.
Contractors are required to verify the use of an anti-virus software product with the most current version
on any system to be used before accessing Honeywell’s network if a Honeywell-provided secure
system is unavailable.
Any information classified as Honeywell confidential must not be transmitted over wireless
connections without the approved and implemented method of encryption for wireless technology.
In order to assist employees and authorized contract personnel in performing their jobs, Honeywell
provides certain equipment and materials including, but not limited to, electronic mail, voice mail,
telephones, Internet access, copy and fax machines, computer equipment such as personal
computers, laptops, other hardware/software, mainframe access, networks and communications
media.
Such equipment, materials, services, communications systems and information transmitted using
these systems are and shall remain the property of Honeywell at all times. Honeywell reserves the
right, but not the responsibility, to monitor, seize, access, inspect, review, copy, remove, change or
disclose the contents of such equipment, materials, services and communications systems as it
deems appropriate.
The principal use of such equipment, materials, services and communications systems must be that of
advancing our business objectives. Very limited, judicious personal use of these assets is allowed
as long as such use complies with both local laws and Honeywell’s Code of Business Conduct.
Users accessing the Internet and other public communications networks accept the associated risk
of doing so. Honeywell reserves the right, but not the responsibility, to block inappropriate use of its
information systems.
Any encryption technology used must be approved by HGS. Requirements must be met to use only
approved forms of encryption, escrow of encryption keys and comply with national and international
restrictions on and for the use of encryption.
The cryptographic requirements will be followed as defined in the Encryption Standard. See
Section 7.0 Supporting Documentation below.
Each individual user is responsible for all activities, whether intentional or unintentional, conducted
under his/her User ID(s), private signing keys or other assigned resource(s).
All individual users shall report any known or suspected security exposures, violations, or threats,
whether accidental or intentional, to their management and HGS.
Dedicated circuit/frame/ATM connection or site-to-site VPN from the Supplier parent network to the
Honeywell internal network leveraging existing ISP Internet connectivity is acceptable. Other options such
as MPLS require special review and approval by HGS. The following are the site-to-site requirements:
Use a stateful firewall that only allows VPN IPSec protocols (IP 50/UDP 500/ping) to the Supplier-side
termination point. The VPN termination point will be configured to allow only IPSec main-mode connections
from a fixed list of Honeywell VPN devices. IPSec aggressive mode is not allowed.
Honeywell will manage the network device endpoints. This is desirable for both security and operational
reasons. Honeywell IT Services (HITS) operations requires out-of-band connectivity to the remote endpoint
for debugging purposes.
Periodic audit should include external scans of the Internet-reachable devices used to build the VPN tunnel.
No unencrypted confidential Honeywell traffic will traverse the Internet when being transmitted between
Honeywell and the supplier.
Visitor logbooks must be maintained which include the visitor's name, purpose of visit, arrival and leaving
time. A Supplier employee must always escort visitors within the Supplier’s area.
A security guard or electronic access control must protect entry to Supplier’s area. Entry and exit logging
are preferable. Software-based access control systems must be secured, have proper backups and be
highly available. Entry logs must be maintained for at least six months.
Ensure windows or any other auxiliary entry points are secured. If not staffed 24x7, alarms and entry
point security cameras must be installed for off-hours access monitoring with recordings retained for at
least one month.
4.14.1 Trusted Supplier requirements apply if a physically isolated segment of the Supplier network
is connected to the Honeywell internal network in a manner identical to a Honeywell remote office.
The Trusted Supplier network by default is a standalone group of subnets with no physical or
logical connectivity to any network other than the Honeywell network. The Trusted Supplier
requirements will be followed as defined in the Use Model: Trusted Site Standard. See
Section 7.0 Supporting Documentation below.
4.15.1.2 Suppliers who will process or store information on behalf of Honeywell, will provide
to Honeywell:
4.15.1.2.1 Identification of confidential information stored on non-Honeywell
systems and the protection controls.
4.15.1.2.2 A copy of the latest external financial and non-financial audit report, or
internal audit report, and the latest review(s) to meet governmental
regulations.
4.15.1.2.3 Documentation describing procedures covering physical access,
logical access, network, and business continuity controls.
4.15.1.2.4 System documentation should contain descriptions of Honeywell’s
applications processes, procedures, data structures and authorization
processes. System documentation should be stored securely to ensure
protection against unauthorized disclosure. Access to system
documentation should be authorized by the data owner and provided
with appropriate physical and logical protection.
4.15.2 The ASP must have formalized hiring policies and procedures, performance management, and
termination practices. The ASP will disclose all foreign national employees and their related
roles and duties upon the request of Honeywell.
4.15.3 The ASP must provide identification of all individuals responsible for implementing the security
policies/procedures and their related roles and duties.
4.15.4 The ASP must provide evidence of policy enforcement procedures.
4.15.5 The ASP must be able to immediately disable all or part of the functionality of the application
should a security issue be identified.
In the event that systems hosted or applications developed by the ASP are compromised from the
Internet, the ASP may be held accountable. To minimize this exposure, the ASP will incorporate a
layered approach to security, eliminating single points of failure that can allow unauthorized access to its
network.
Additionally, in order to protect the network, administrative and privileged access will be sourced from a
non-public network and any traffic that traverses over the Internet will be encrypted using an encryption
standard that meets the requirements stated in Encryption Section below of this document.
In those cases where source code is not available or strictly proprietary, alternative approaches such as
application-focused penetration testing will be considered so that an acceptable level of assurance is
achieved. In the event that a third party is employed for such review, the results will be supplied to
Honeywell.
The ASP’s Change Management procedures will be documented and supplied to Honeywell upon
request.
Authentication of all administrative and privileged access to those servers hosted at the ASP will be one
or a combination of the following:
4.19.1 two-factor authentication
4.19.2 one-time passwords
4.19.3 reusable password that is changed every 30 days and not repeated during the life of the server
4.19.4 Where remote traffic originating on the Internet accessing systems or networks within the ASP is
necessary, an acceptable Virtual Private Network (VPN) solution requiring two-factor
authentication will be used to provide maximum security. VPN security will be IPSEC or SSL-
based and meet all the requirements outlined in Encryption Section below of this document.
4.21.7 Information on the account generation, maintenance, and termination process, for both
maintenance as well as user accounts. Include information as to how an account is created,
how account information is transmitted back to the user, and how accounts are terminated when
no longer needed. Below are Honeywell’s requirements for account management:
4.21.7.1 All user accounts, except for the server account(s) and authorized administrator
account, will be removed.
4.21.7.2 Different root directories for the server and server document will be used.
4.21.7.3 Interpreters, shells, and configuration files will be located outside the server directory.
4.21.7.4 A dedicated host for the server will be used and all other unnecessary services,
including Simple Mail Transfer Protocol (SMTP) and File Transfer Protocol (FTP) will
be disabled.
4.21.7.5 Only a minimum set of client applications will be installed. If a browser must be
installed, then downloading of active content (for example, Active X and Java) will be
disabled.
4.21.7.6 Where appropriate, multiple server instances under different IDs will be run in order to
provide different types of access to different users.
4.21.7.7 Packet filters, such as TCP wrappers, will be used to restrict connections from known
hosts or services and to log incoming service requests.
4.23 Firewall
The ASP must ensure a process is in place for configuration, monitoring, auditing, and active
management of the locally-maintained firewall infrastructure. As with any other security platform,
maintaining the currency of the firewall vendor-issued updates and patches is critical. If the firewall is
compromised, an alert must be sent to Honeywell Global Security immediately.
4.24 Intrusion Detection
An Intrusion Detection System (IDS) is a critical security architecture component. It is the ASP’s
responsibility to configure and manage the IDS as well as to maintain the currency of any patches and
attack signatures. All applicable event logs for potential malicious attacks and probes will be reviewed
and analyzed by the ASP on a daily basis. In the event of a successful intrusion, there must be a
process in place so that Honeywell is alerted immediately.
The ASP will have formalized documentation regarding incident response procedures, as well as
resultant findings of any incidents that relate to Honeywell systems and information.
Backup will, at a minimum, occur daily for servers and weekly for key files. Backup tapes will be stored
off-site. Where the security of Honeywell’s information or data is of vital concern, a secure media vault at
a storage facility maintained by an offsite media storage company will be engaged.
Environmental controls are also critical and at a minimum will include but not be limited to:
4.28.5 Installation and regular testing of fire suppression and preventive devices to protect the data
center from fire
4.28.6 Implementation and maintenance of uninterruptible power supply (UPS) or backup generator to
protect against sudden loss of electric power
4.28.7 Regular maintenance of heating and air-conditioning systems
4.28.8 Periodic review of the electric power distribution, heating plants, water, sewage, and other
utilities for risk of failure
4.28.9 Full-time security monitoring and closed circuit television (CCTV)
4.28.10 Implementation of moisture and humidity detectors above and below raised floor environment.
4.29 Encryption
The Honeywell application infrastructure cannot use any "home-grown" cryptography. Any symmetric,
asymmetric, or hashing algorithm used by Honeywell’s application infrastructure must use algorithms
that have been published and evaluated by the general cryptographic.
4.30 Logging
The ASP will have logging policies and procedures. Any pertinent policies and procedures will be
provided to Honeywell upon request. Logging policies and procedures will include but not be limited to:
4.30.1 Systems logged (i.e. firewall servers, etc)
4.30.2 Logging requirements
4.30.3 Log review periods
4.30.4 Log retentions
4.30.5 Incident response process of steps to be taken if there is a security breach
5.2 The Security Policy & Standards Manager shall serve as the Focal Point of this policy and may serve as
the primary author in future revision cycles.
5.3 All Suppliers shall adhere to this policy.
6. Definitions
Confidential information: Organized data (data are facts, they become information when they are seen in
context and convey meaning to people) that requires safeguarding in the interest of client, personnel, or
organizational security.
The terms can be found in the Glossary of Compliance Terms and Acronyms.
7. Supporting Documentation
7.1 Corporate Policy: Honeywell Code of Business Conduct
7.2 HGS Policy: Security Awareness, Training and Clearance Policy
7.3 HGS Standard: Disk Wiping
7.4 HGS Standard: Encryption
7.5 HGS Standard: Security Component: Antivirus
7.6 HGS Standard: Use Model: Trusted Site
7.7 The following control that this standard complies with can be found in the UCF control matrix:
UCF ID 01134