
Company-wide Security Policy

Honeywell’s Information and System Security Supplier Terms and Conditions

Notice to Reader
In this document, “Honeywell” or the “Company,” shall mean Honeywell International Inc., its subsidiaries and affiliates, and
their respective predecessors and successors.

This policy is intended to create contractual obligations between the Supplier and the Company. In the United States and
certain other countries, employment with the Company is "at will," which means that either the Company or the employee may
terminate the employment relationship at any time and for any reason, without notice. The Company reserves the right to
modify, amend, or rescind this policy at any time. This policy supersedes any prior policies of Honeywell International Inc. or
its predecessors, subsidiaries, and affiliates, whether written or oral, on the topics covered herein.
Honeywell’s Information and System Security Supplier Terms and Conditions Version 4.0

Table of Contents

1. PURPOSE
2. REVISION HISTORY
3. SCOPE
3.1 ESTABLISHING SECURITY REQUIREMENTS
4. STANDARD
GENERAL SECURITY REQUIREMENTS
4.1 SECURITY POLICIES
4.2 LOGICAL ACCESS CONTROL
4.3 COMPLIANCE WITH HONEYWELL CODE OF BUSINESS CONDUCT
4.4 INFORMATION CLASSIFICATION
4.5 PERSONNEL SCREENING
4.6 USER TRAINING
4.7 PHYSICAL AND ENVIRONMENTAL SECURITY
4.8 NETWORK SECURITY
4.9 INFORMATION EXCHANGE
4.10 ENCRYPTION MANAGEMENT
4.11 SUPPLIER AUDIT
4.12 SUPPLIER NETWORK TRANSPORT REQUIREMENTS
SEMI-TRUSTED SUPPLIER SECURITY REQUIREMENTS
4.13 SEMI-TRUSTED NETWORK TRANSPORT REQUIREMENTS
TRUSTED SUPPLIER SECURITY REQUIREMENTS
4.14 TRUSTED SUPPLIER REQUIREMENTS
APPLICATION SERVICE PROVIDER (ASP) SECURITY REQUIREMENTS
4.15 ASP GENERAL SECURITY REQUIREMENTS
4.16 SECURITY ARCHITECTURAL REQUIREMENTS
4.17 APPLICATION AND CODE REVIEW
4.18 CHANGE MANAGEMENT
4.19 AUTHENTICATION AND ACCESS CONTROL
4.20 THREAT AND VULNERABILITY ASSESSMENT
4.21 HOST SECURITY
4.22 NETWORK SECURITY
4.23 FIREWALL
4.24 INTRUSION DETECTION
4.25 SECURITY MONITORING
4.26 INCIDENT RESPONSE HANDLING
4.27 DATA BACKUP AND DISASTER RECOVERY PLANNING
4.28 PHYSICAL SECURITY AND ENVIRONMENTAL CONTROLS
4.29 ENCRYPTION
4.30 LOGGING
5. ROLES AND RESPONSIBILITIES
6. DEFINITIONS
7. SUPPORTING DOCUMENTATION
8. FORMS AND EXHIBITS

Honeywell Policy Template v1.0 Page: I OF I

© 2006-2007 Honeywell International Inc. All Rights Reserved.



Honeywell’s Information and System Security Supplier Terms and Conditions
Policy Owner: VP of Global Security
Focal Point: Shannon Scott
http://start.law.honeywell.com/gpp

Approvals

Approval Date    Approval Role    Title                    Name
19-MAR-2009      Policy Owner     VP of Global Security    John McClurg

1. Purpose
Honeywell will ensure that 1) supplier services employ, maintain and monitor adequate security controls, and 2) that
Honeywell monitors security control compliance of these suppliers. [UCF ID 01134]

The purpose of this policy is to address technical and physical security, management, support, access, monitoring and
compliance concerns for the management of Information Technology (IT) related supplier services. In addition this
policy addresses physical security of building access, badging and environmental controls. It is imperative that all
supplier relationships are formalized to include continuity of service and auditing of those services.

2. Revision History

Effective Date   Version   Description of Change        Section(s) Affected
19-MAR-2009      4.0       New requirements document    Not Applicable

3. Scope

Supplier is defined as a third party responsible for supplying goods or services. This also extends to individuals or
businesses that perform part or all of the obligations on behalf of the Supplier. Examples of suppliers include commodity
hardware and software suppliers, network and telecom providers, and outsourcing organizations.

If the supplier is unable to comply with all of the requirements as outlined in this Policy, the supplier must provide a
detailed explanation of the specific requirements that cannot be met, to the Honeywell Global Security (HGS) Focal Point
listed above. It will be assumed that the supplier employees and any subcontractors of the Supplier will comply with all
the requirements as outlined in this policy, unless otherwise indicated.

Suppliers are responsible for the actions of their employees and any subcontractors of the Supplier.

3.1 Establishing Security Requirements


This policy is organized in four sections. Based upon Honeywell assessment of business access needs, the
Supplier will adhere to the language in the applicable sections. Use the table below to determine the
applicable sections:


Section(s)     General Security    Semi-Trusted    Trusted     Application Service
               (All Suppliers)     Supplier        Supplier    Provider (ASP)

4.1 – 4.12     ✓                   ✓               ✓           ✓
4.13                               ✓
4.14                                               ✓
4.15 – 4.30                                                    ✓
Note: Honeywell Sponsor and Honeywell Security Leader will adjust based
upon business need and data classification

Certain terms are used throughout this policy; in order to avoid misinterpretation, several of the more
commonly used terms are defined below:

General Supplier: A third party with access to Honeywell networks or resources, responsible for supplying
goods or services that are required to deliver IT services.

Semi-Trusted Supplier: A site-to-site connection between Supplier network and Honeywell internal
network that requires Least Access firewall rules. Used for outbound-initiated connectivity into the network,
or a specific set of inbound IPs/ports/protocols acceptable to Honeywell.

Trusted Supplier: A physically isolated segment of the Supplier network connected to Honeywell internal
network in a manner identical to a Honeywell remote office. The Trusted Supplier network by default is a
standalone group of subnets with no physical or logical connectivity to any network other than the
Honeywell network.

Application Service Provider (ASP): Supplier is an external service provider hosting/housing Honeywell
data, which may include the transmitting or transporting of Honeywell information.

4. Standard
General Security Requirements
4.1 Security Policies
Honeywell requires that agreements with the supplier include contract provisions that address regulatory
obligations for secure operations. The supplier must have security policies and procedures that are
reviewed on a regular basis. Security policies and procedures will include but not be limited to:

4.1.1 Security Policy and Standard Compliance


Supplier contracts require compliance with this Supplier Compliancy Policy and supporting
standards outlined in this document. Failure to comply may result in revoking access to Honeywell’s
infrastructure, or revocation of the agreement or contract with the supplier.

4.1.2 Security Incidents


Any security incident involving unauthorized disclosure of Honeywell information, either physically or
electronically, by a supplier or third-party, is to be reported to Honeywell immediately using the
authorized Honeywell process. Suppliers are responsible for the actions of their employees and any
subcontractors of the Supplier.

The supplier must use Honeywell’s formal computer incident response and handling plan to provide
guidance to the response team in the event that a security incident occurs that relates to
Honeywell’s systems. For additional information, please visit the HGS Security Operation Center
(SOC) incident system at https://soc.honeywell.com/incident.html. The incident response and
handling plan typically contains the following processes:

• Identification of incident and assignment of responsibilities
• Containment of incident
• Eradication of the cause and symptoms of the incident
• Recovery of system

4.2 Logical Access Control


4.2.1 Identification and Authentication
Supplier access to Honeywell’s information assets must be allowed only to Authorized Agents; that
is, those who have a valid, documented, and approved need as set out in a written contractual
agreement between Honeywell and the supplier and the supplier’s staff member who will be granted
access.

4.2.1.1 Supplier Approvals


All supplier access must be sponsored, reviewed and approved by the sponsoring Strategic
Business Group (SBG) or Honeywell IT Services (HITS) with:
• SBG/HITS Sponsor: Approves request as a business need and ensures the security
reporting structure is in place.
• Procurement: Approves contract as meeting Honeywell’s standards. Ensures Master
Services Agreement (MSA) is reviewed and approved by the appropriate department with
necessary signatures from both parties.
• Honeywell Global Security (HGS): Approves request as meeting security requirements

Honeywell unique Electronic Identifier (EID) is to be employed for systems access controls for all
suppliers requiring access to Honeywell networks and systems.

All users must be authenticated using a password or other stronger authentication mechanism
acceptable to information security. The supplier password convention must match or exceed
Honeywell’s password complexity requirements.

4.2.2 Removal of Access


Honeywell expects the supplier to enforce actions commensurate with, or more stringent than, those
recommended by Honeywell to protect access to their customer’s information systems, to ensure that
only authorized personnel log in, and to ensure that access is removed in a timely fashion.

4.3 Compliance with Honeywell Code of Business Conduct


Supplier will comply with Honeywell’s Code of Business Conduct, a copy of which may be obtained at
http://media.corporate-ir.net/media_files/irol/94/94774/corpgov/conduct.pdf. Supplier will maintain an
integrity and compliance program acceptable to Honeywell and effective in preventing and correcting ethical
violations and in maintaining compliance with laws.


4.4 Information Classification


Honeywell information must be properly classified and protected in order to ensure that information created
or received in the course of business will not impair Honeywell’s legal, financial or competitive position or
image, if disclosed outside Honeywell without using appropriate restrictions.

It is the responsibility of the supplier and individuals generating Honeywell information to classify and follow
the information classification requirements.

Honeywell sponsor will advise the supplier’s personnel on the required actions for handling Honeywell
information assets and their respective disposal requirements. Disposal of such material is expected to be
conducted in accordance with the information categorization.

If Honeywell confidential information is accidentally disclosed to an unauthorized party, the individual
discovering the compromise will immediately notify their management and report to Honeywell Global
Security (HGS).

4.5 Personnel Screening


For the protection and security of Honeywell personnel and assets, it is expected that Supplier’s personnel
who are to access Honeywell networks and facilities will be screened prior to their access. The supplier will
use a contractor (a 3rd party consultant) to fulfill this requirement.

4.5.1 Accessing Honeywell Networks


Supplier’s pre-hire screening must, at a minimum, have the following background checks completed (in
accordance with regionally accepted privacy legislation):

• Criminal Records Check
• Social Security Number validation or Personal Identity Code
• Verification of complete employment history
• Verification of educational history and status of academic degrees
• Character references, e.g. one business and one personal

Additional screening may be required per job description and job location requirements. Personnel who
access information processing facilities for confidential information, e.g. financial, or confidential-restricted
materials are to have additional screening requirements for:

• Credit checks

For personnel holding positions of considerable authority, the above check should be repeated annually.
Agencies responsible for providing contract personnel include the aforementioned screening requirements.
The communication of verifying actions is to include notification of any negative and incomplete check
information to hiring management prior to personnel assignment.

4.5.2 Unescorted Badge Access to Honeywell Facilities


Suppliers requiring unescorted access to Honeywell facilities must meet the background investigation
requirements listed below. Suppliers that do not meet the requirements will not be granted unescorted
access to Honeywell property. If granted access, they must be properly escorted.

Background investigation requirements include the following (in accordance with regionally accepted privacy
legislation):

1. Social Security Trace (to identify addresses to be used for the Criminal History)
2. Criminal History – verify court records for the last seven (7) years
a. County Records Check – all addresses at which the individual lived and worked during the past
seven (7) years
b. Federal Criminal Check – covers all locations at which the individual lived and worked during the
past seven (7) years
3. National Sex Offender Registry (State Sex Offender Registries are too restrictive)
4. Prohibited Parties List - Vendor employee cannot be a prohibited party that would be recognized under
the terms listed.
a. Debarred Parties - Parties denied export privileges under the International Traffic in Arms
Regulations (ITAR) as administered by the Office of Defense Trade Control (DTC)
b. Denied Persons List - Parties denied export privileges as administered by the Bureau of Industry
and Security. The list may be found in the Export Administration Regulations, 15 CFR Part 764
Supplement No. 2.
c. Entity List - Entities subject to license requirements because of their proliferation of weapons of
mass destruction. The list may be found in the Export Administration Regulations, 15 CFR Part
774 Supplement No. 4.
d. Special Designated Nationals, Terrorists, Narcotics Traffickers, Blocked Persons and Vessels -
Parties subject to various economic sanctioned programs administered by the Office of Foreign
Assets Control (OFAC).

Background investigations that are older than 30 days must be updated using the above listed criteria in
order for a badge for unescorted access to be issued to a Supplier’s employee. Honeywell will rely upon the
Supplier to ensure that the specified background investigation is less than 30 days old and that the
background investigation has been adjudicated according to the criteria listed above.

4.6 User Training


All users of Honeywell’s information assets must be given Security Awareness Training that will detail the
users’ responsibilities and address best practices for satisfying those responsibilities. The training will occur
as outlined in the Security Awareness, Training and Clearance Policy, a copy of which may be obtained
at http://start.law.honeywell.com/gpp/2011.

4.7 Physical and Environmental Security


Suppliers will follow Honeywell's policy and formal practices for protecting distributed assets. The protection
requirements are outlined in the Physical Security of Distributed IT Assets Policy, a copy of which may
be obtained at http://start.law.honeywell.com/gpp/2050. In addition Suppliers must follow any local site
policies and practices.
4.7.1 Equipment and Cabling Security
Equipment, including personal computing devices and portable or handheld devices, used for
management and support of Honeywell, must be physically protected from security threats,
environmental hazards, and maintained according to manufacturer’s specifications. Protection of
equipment and information, including equipment located at off-site facilities, is required to reduce the
risk of unauthorized access to data and to protect against loss or damage. Any equipment or media
taken off-premises should not be left unattended in public areas. Lost or stolen computing devices
must be reported immediately to the Authorized Ordering Agent (AOA) as outlined at
http://inside.honeywell.com/globaltechservices/us/emp-it-serv/desk-asset-mgmt.html.

4.7.2 Supplier Identification and Facility Access


All suppliers are responsible for protecting Honeywell’s information assets, from damage, theft,
misuse, or unauthorized use. In an effort to fulfill this responsibility, only Authorized Agents, per
Section 4.2.1.1., are allowed unescorted access to company facilities. Each facility has established
procedures for controlling building access. The following controls are examples that the supplier’s
personnel should be aware of and must comply with as permitted by local law:
• With proper authorization, photographic supplier identification badges may be issued to
suppliers, contractors, or others who are assigned to company facilities and report to work
there on a daily basis for extended periods. As with employee identification badges, supplier
badges must be worn in a visible manner while the bearer is in any company facility not
generally open to the public.
• All other visitors must be signed in and escorted by a company employee throughout the
time that the visitor is in a company facility.
• All visitors should receive written and/or verbal instructions on the visited area’s security
requirements and emergency procedures.
• Any supplier who discovers an unauthorized individual within a company facility should
notify their supervisor, or contact HGS.
• Any packages, objects, bags, etc. brought into or removed from company facilities are
subject to inspection.
• Authorization by Management must precede any equipment, information or software being
taken off-site. Honeywell’s security guards will log out and log in equipment as it leaves or
enters Honeywell’s facility in accordance with established procedures developed by HGS.
• Cameras and recording devices are not permitted on Honeywell premises without prior
authorization from HGS.
• Access rights to facilities will be regularly reviewed and updated. Supplier must make
Honeywell aware of any changes to personnel who no longer need access.
• Access rights to facilities must be removed upon employee/contractor termination or a
change in job responsibilities that no longer requires physical access to the facility.

4.7.3 Secure Disposal or Re-use


Computers, storage components, removable storage media, and printed products that contain or
have ever contained Honeywell confidential information must be disposed of in a secure manner.
The disposal requirements will be followed as defined in the Disk Wiping Standard. See Section
7.0 Supporting Documentation below.

4.7.3.1 Honeywell Sponsor will provide additional clarification and procedures to the supplier where
Department of Defense (DoD) and/or other regulations must be followed.

4.8 Network Security


4.8.1 Access to Honeywell
Suppliers must maintain network and computing devices security through demonstrated
provisioning, patching, and anti-virus processes. Anti-virus software is required for all network and
computing devices.

Although laptops should primarily be used for access, not storage, Honeywell data may only be
stored on these devices or other portable computing devices with approved configured security
settings (i.e. laptop disks should be encrypted and personal firewalls are highly recommended).

4.8.2 Controls against Malicious Software


All supplier personnel must take precautions to ensure that malicious code is not introduced into the
Honeywell environment. Software must not be written, generated, copied, propagated or executed
that will damage or hinder the performance of any Honeywell information asset.

Honeywell approved software must be used to detect and remove viruses and malicious software.
Automatic anti-virus software is mandatory for all computer operating systems. The software must
be actively enabled at all times, except when required to perform other administrative functions. The
software must be configured to scan all file types when accessed.

Anti-virus software should be configured to perform a scan of all files on the systems, including
servers at an acceptable frequency as defined in the Security Component: Antivirus Standard.
See Section 7.0 Supporting Documentation below. Procedures must be developed to ensure the
availability of anti-virus software updates and reliable virus information as released by a commercial
supplier. Virus signatures must be obtained from the software supplier on at least a weekly basis,
and on a daily basis, if available.

4.8.3 Service Packs and Patches


All HGS approved patches must be applied within 10 business days to a network or computing
device connecting to Honeywell Network.

4.8.4 Remote Access


Remote access to the Honeywell network infrastructure must only be obtained via access methods
approved by HGS. Any remote access method must employ two-factor authentication as approved
by HGS.

Telecommuting or remote access networking requires the use of either Honeywell-provided secure
computing equipment or approved software installed for Honeywell’s network protection. Users not
issued a Honeywell-provided secure remote access solution must get approval by HGS before
connecting to the network remotely. Failure to do so is in direct violation of this Policy.

Suppliers authorizing persons to telecommute or work remotely must provide the person with the
resources necessary to protect Honeywell’s information assets. Telecommuting requires employees
to use a Honeywell approved secure remote laptop to ensure the protection of Honeywell’s
information assets as described in this standard.

Contractors are required to verify the use of an anti-virus software product with the most current version
on any system to be used before accessing Honeywell’s network if a Honeywell-provided secure
system is unavailable.

4.8.5 Wireless Networks


Honeywell personnel will advise the supplier’s personnel on the required actions for connecting to
and accessing Honeywell networks. Supplier’s personnel will not be allowed to connect to
Honeywell networks and/or create their own wired and/or wireless network without HGS
authorization.

Any information classified as Honeywell confidential must not be transmitted over wireless
connections without the approved and implemented method of encryption for wireless technology.

4.8.6 Penetration Testing


Penetration testing provides a means of validating the security of external connections and the
effectiveness of internal operational procedures to maintain network security. Suppliers are not
allowed to perform penetration testing within Honeywell or externally (pointed at Honeywell) without
HGS authorization.

4.8.7 Vulnerability Assessment Testing


Suppliers are not allowed to perform vulnerability testing/assessments within Honeywell or externally
(pointed at Honeywell) without HGS authorization.

4.9 Information Exchange


Confidential information of suppliers must not be accepted and Honeywell confidential information may not
be disclosed except pursuant to Non-Disclosure Agreements (NDA) being executed. Each such agreement
should describe the confidential information being received or disclosed with the specification and protection
requirements of that information.


4.9.1 Security of Media in Transit


Physical transport of media offsite must be controlled against unauthorized access, misuse or
corruption. Security requirements commensurate with the sensitivity, value, and criticality of the
identified information classification(s) must be used to protect Honeywell confidential information.

4.9.2 Electronic Communications


Electronic communication is the transmission of voice, data or other information using electronic
means. Electronic communication must be protected from unauthorized access, improper use, theft,
and accidental or unauthorized modification, disclosure, transfer, or destruction. Protective
measures must be implemented commensurate with the sensitivity, value, and criticality of the
communications.

In order to assist employees and authorized contract personnel in performing their jobs, Honeywell
provides certain equipment and materials including, but not limited to, electronic mail, voice mail,
telephones, Internet access, copy and fax machines, computer equipment such as personal
computers, laptops, other hardware/software, mainframe access, networks and communications
media.

Such equipment, materials, services, communications systems and information transmitted using
these systems are and shall remain the property of Honeywell at all times. Honeywell reserves the
right, but not the responsibility, to monitor, seize, access, inspect, review, copy, remove, change or
disclose the contents of such equipment, materials, services and communications systems as it
deems appropriate.

The principal use of such equipment, materials, services and communications systems must be that of
advancing our business objectives; very limited, judicious personal use of these assets is allowed
as long as such use complies with both local laws and Honeywell’s Code of Business Conduct.

4.9.3 No Expectation of Privacy


Where not in conflict with local laws and regulations, users should have no expectation of privacy in
anything created, stored, sent or received on Honeywell's information assets, and to the extent
permitted by law, users waive all privacy rights in such materials. All e-mail and electronic records
are subject to disclosure to enforcement agencies in connection with civil litigation or regulatory
investigations.

4.9.4 Disclaimer of Liability


Honeywell is not responsible for material viewed or downloaded by users from the Internet or other
public communications networks. Users are cautioned that the Internet or other public
communications networks may include offensive, sexually explicit, and/or other inappropriate
material. In addition, having a public E-Mail or other communications address may lead to receipt of
unsolicited messages containing offensive content.

Users accessing the Internet and other public communications networks accept the associated risk
of doing so. Honeywell reserves the right, but not the responsibility, to block inappropriate use of its
information systems.

4.9.5 Other Forms of Information Exchange


Confidential information must not be discussed, recorded or disclosed in non-secure situations.
Examples of such situations are messages left on voice message systems, public telephone
conversations, unencrypted wireless and cellular telephone conversations, and conversations on
airplanes, elevators or other public spaces.

4.10 Encryption Management


The decision to encrypt communications must be made on a case-by-case basis and in alignment with
contractual obligations and legislated controls.

Any encryption technology used must be approved by HGS. Requirements must be met to use only
approved forms of encryption, to escrow encryption keys, and to comply with national and international
restrictions on the use of encryption.

4.10.1 Use of Encryption

The cryptographic requirements will be followed as defined in the Encryption Standard. See
Section 7.0 Supporting Documentation below.

Each individual user is responsible for all activities, whether intentional or unintentional, conducted
under his/her User ID(s), private signing keys or other assigned resource(s).

All individual users shall report any known or suspected security exposures, violations, or threats,
whether accidental or intentional, to their management and HGS.

4.11 Supplier Audit


The MSA will set the conditions and procedures for any security audit actions and should cover
Honeywell’s ability to audit the supplier periodically.

4.12 Supplier Network Transport Requirements

Dedicated circuit/frame/ATM connection or site-to-site VPN from the Supplier parent network to the
Honeywell internal network leveraging existing ISP Internet connectivity is acceptable. Other options such
as MPLS require special review and approval by HGS. The following are the site-to-site requirements:

Use a stateful firewall that only allows VPN IPSec protocols (IP 50/UDP 500/ping) to the Supplier-side
termination point. The VPN termination point will be configured to allow only IPSec main-mode connections
from a fixed list of Honeywell VPN devices. IPSec aggressive mode is not allowed.

Honeywell will manage the network device endpoints. This is desirable for both security and operational
reasons. Honeywell IT Services (HITS) operations requires out-of-band connectivity to the remote endpoint
for debugging purposes.

Periodic audit should include external scans of the Internet-reachable devices used to build the VPN tunnel.

No unencrypted confidential Honeywell traffic will traverse the Internet when being transmitted between
Honeywell and the supplier.

4.12.1 Supplier Access Requirements


4.12.1.1 A site-to-site connection between the Supplier’s network and Honeywell internal
network must have a firewall that meets the following requirements:
• Use a stateful firewall
• FIPS 140-2
• Certified EAL4 compliant

4.12.1.2 The Honeywell firewall should be on the Honeywell network in a Honeywell-controlled
facility. Since it is a Honeywell internal firewall, it must not be visible to
the Internet.
4.12.1.3 It is recommended that the supplier protect its internal network from Honeywell by
implementing a supplier-managed firewall with Least Access rules.
4.12.1.4 Access to and from Honeywell to the Supplier’s network should be reviewed and
approved by HGS.
4.12.1.5 Rules should specify IP-to-IP access with specific ports and protocols.
4.12.1.6 Supplier and Honeywell should not use NetBIOS protocols (for example
135/137/138/139/445).

4.12.2 Supplier Network Architecture


4.12.2.1 All current and new interconnections between the Supplier’s network and any other
network, including the Internet and other companies, should be managed by
Honeywell and should meet Honeywell standards and requirements for these types
of connections.
4.12.2.2 Remote access for all suppliers is only allowed through the Honeywell approved
remote access VPN infrastructure with two-factor authentication. The Supplier’s
network site-to-site VPN device should not be configured to support client remote
access VPNs.
4.12.2.3 Modem access (dial-up or ISDN) to any Supplier’s network is prohibited except for
Honeywell out-of-band management access of critical systems, in conformance
with Honeywell guidelines. For out-of-band access, modem should be set to silent
answer, callback, or authenticating in addition to remote device authentication with
failure delay settings and placed in a physically locked area.

Semi-Trusted Supplier Security Requirements


Semi-Trusted requirements apply to a site-to-site connection between the Supplier network and the Honeywell internal
network that requires Least Access firewall rules. This model is used for outbound-initiated connectivity into the network,
or a specific set of inbound IPs/ports/protocols acceptable to Honeywell.

4.13 Semi-Trusted Network Transport Requirements


4.13.1 Semi-Trusted Supplier Network Architecture
4.13.1.1 Firewall filtering rules will be established between the Semi-Trusted Supplier’s
network and the Honeywell network to limit the access from the Semi-Trusted
Supplier’s network to only the systems needed to implement the business function.
These filters should also ensure that all traffic destined for the Honeywell network
originated on the Semi-Trusted Supplier’s network. The use of filtering rules should
support the business need while providing only necessary access.
4.13.1.2 It is recommended that the interface between Honeywell and the Semi-Trusted
Supplier be monitored by the supplier for inappropriate activity using intrusion
prevention/detection technology.
4.13.1.3 Semi-Trusted supplier network and computing devices should at a minimum be
updated with security patches deemed critical by the vendor within 10 business
days of release.

4.13.2 Semi-Trusted Supplier Outbound Proxy Servers


4.13.2.1 Honeywell recommends blocking Anonymizers/Translators, Sex, Drugs, Hate
Speech, Criminal Skills, Gambling, Games, Extreme/Obscene/Violence, Chat,
Webmail, Dating, and Cults/Occult.
4.13.2.2 Semi-Trusted supplier should review the logs of proxy periodically for potential
violations.

4.13.3 Semi-Trusted Supplier Workplace Security


Physical access to the Supplier’s computing resources with access to Honeywell’s networks, systems
and/or data, must be restricted to personnel authorized for access including an access termination
procedure and periodic audit.

Visitor logbooks must be maintained which include the visitor’s name, purpose of visit, and arrival and
leaving times. A Supplier employee must always escort visitors within the Supplier’s area.

A security guard or electronic access control must protect entry to Supplier’s area. Entry and exit logging
are preferable. Software-based access control systems must be secured, have proper backups and be
highly available. Entry logs must be maintained for at least six months.

Ensure windows or any other auxiliary entry points are secured. If not staffed 24x7, alarms and entry
point security cameras must be installed for off-hours access monitoring with recordings retained for at
least one month.

Trusted Supplier Security Requirements

4.14 Trusted Supplier Requirements

4.14.1 Trusted Supplier requirements apply if a physically isolated segment of the Supplier network
is connected to the Honeywell internal network in a manner identical to a Honeywell remote office.
The Trusted Supplier network by default is a standalone group of subnets with no physical or
logical connectivity to any network other than the Honeywell network. The Trusted Supplier
requirements will be followed as defined in the Use Model: Trusted Site Standard. See
Section 7.0 Supporting Documentation below.

Application Service Provider (ASP) Security Requirements


Application Service Provider (ASP) security requirements apply if the supplier is hosting/housing Honeywell data.

4.15 ASP General Security Requirements


4.15.1 Storage of Confidential Information by a Supplier Outside of Honeywell
4.15.1.1 Any discrepancies with this policy and supporting Honeywell standards and the
supplier’s practices will be reviewed, risks identified, and a risk acceptance decision
made.

4.15.1.2 Suppliers who will process or store information on behalf of Honeywell, will provide
to Honeywell:
4.15.1.2.1 Identification of confidential information stored on non-Honeywell
systems and the protection controls.
4.15.1.2.2 A copy of the latest external financial and non-financial audit report, or
internal audit report, and the latest review(s) to meet governmental
regulations.
4.15.1.2.3 Documentation describing procedures covering physical access,
logical access, network, and business continuity controls.
4.15.1.2.4 System documentation should contain descriptions of Honeywell’s
applications processes, procedures, data structures and authorization
processes. System documentation should be stored securely to ensure
protection against unauthorized disclosure. Access to system
documentation should be authorized by the data owner and provided
with appropriate physical and logical protection.

4.15.2 The ASP must have formalized hiring policies and procedures, performance management, and
termination practices. The ASP will disclose all foreign national employees and their related
roles and duties upon the request of Honeywell.
4.15.3 The ASP must provide identification of all individuals responsible for implementing the security
policies/procedures and their related roles and duties.
4.15.4 The ASP must provide evidence of policy enforcement procedures.
4.15.5 The ASP must be able to immediately disable all or part of the functionality of the application
should a security issue be identified.

4.16 Security Architectural Requirements


The ASP will be held responsible for the maintenance of an evergreen diagram of all servers, network
maps, and protocols used for all services hosted. In addition, interdependencies and trust relationships
required between servers comprising the application will be documented. Any single-points-of-failure will
be identified. The diagrams will be updated by the ASP on a regular basis.

In the event that systems hosted or applications developed by the ASP are compromised from the
Internet, the ASP may be held accountable. To minimize this exposure, the ASP will incorporate a
layered approach to security, eliminating single points of failure that can allow unauthorized access to its
network.

Additionally, in order to protect the network, administrative and privileged access will be sourced from a
non-public network and any traffic that traverses over the Internet will be encrypted using an encryption
standard that meets the requirements stated in the Encryption section below.

4.17 Application and Code Review


For web-based applications that are developed by the ASP, Honeywell Application Hosting Services will
reserve the right to mandate an independent review of all code to ensure good coding standards are
followed and that security weaknesses are identified and addressed.
Some of the components of an application and code review will include but not be limited to:

4.17.1 Evaluation of compliance with Honeywell security policies and guidelines


4.17.2 Assessment of technical controls for authentication, authorization, administration, and user
access to data
4.17.3 Attempts of buffer overflow via login process or data submission
4.17.4 Attempts of denial of service attack via process or data submission
4.17.5 Attempts of administrative or Operating System functions via user input field
4.17.6 Attempts to execute prohibited transaction
4.17.7 Breaking of the user "shell" to achieve access of administrator or another user
4.17.8 Verification of data storage and transmission encryption and key management
4.17.9 Attempts of malicious code exploits via well-known hacker information sites

In those cases where source code is not available or strictly proprietary, alternative approaches such as
application-focused penetration testing will be considered so that an acceptable level of assurance is
achieved. In the event that a third party is employed for such review, the results will be supplied to
Honeywell.

4.18 Change Management


The ASP will have a change management process that will be consistently applied to the web content,
software, and hardware components comprising the web site or application being hosted. Before any
changes are implemented, a formal mechanism for identifying the security impact of changes will be
established and evaluated by a qualified security professional.
For those approved changes, the ASP will ensure that changes applied to production services are made
in accordance to a defined and documented change management process approved by Honeywell
Corporation.

The ASP’s Change Management procedures will be documented and supplied to Honeywell upon
request.

4.19 Authentication and Access Control


The ASP will have a standardized authentication and access control process. Any server hosted at the
ASP will adopt a "Role-Based Access Control Methodology" separating system administrator,
application administrator, and anonymous/guest roles.

Authentication of all administrative and privileged access to those servers hosted at the ASP will be one
or a combination of the following:
4.19.1 two-factor authentication
4.19.2 one-time passwords
4.19.3 reusable password that is changed every 30 days and not repeated during the life of the server
4.19.4 Where remote traffic originating on the Internet accessing systems or networks within the ASP is
necessary, an acceptable Virtual Private Network (VPN) solution requiring two-factor
authentication will be used to provide maximum security. VPN security will be IPSec or SSL-based
and meet all the requirements outlined in the Encryption section below.

4.20 Threat and Vulnerability Assessment


The ASP will conduct network and host vulnerability scans periodically. The purpose of vulnerability
assessment is to test security modules and assess system attributes that allow threats to succeed such
as poor password management, non-configured firewalls or hub ports exposed to unauthorized users.
Where in-house expertise is lacking, the ASP will engage third party security professionals to conduct
such tests, pending approval of HGS.

4.21 Host Security


The ASP must meet the host security requirements below and provide the following upon Honeywell’s request:
4.21.1 How and to what extent the hosts, (Unix, NT, etc.) comprising the Honeywell application
infrastructure have been hardened against attack.
4.21.2 Information on how and when security patches will be applied, which must be provided when
requested. How does the ASP keep up on security vulnerabilities, and what is the policy
for applying security patches?
4.21.3 Processes for monitoring the integrity and availability of those hosts.
4.21.4 Information on their password policy for the Honeywell application infrastructure, including
minimum password length, password generation guidelines, and how often passwords are
changed.
4.21.5 How the ASP will authenticate users (e.g., LDAP, Netegrity, Client certificates).
4.21.6 What measures are in place, both physical and logical, for keeping Honeywell’s data isolated
from other companies’ data? Will this include an air-gap between Honeywell and any other
network or customer that the ASP may have?

4.21.7 Information on the account generation, maintenance, and termination process, for both
maintenance as well as user accounts. Include information as to how an account is created,
how account information is transmitted back to the user, and how accounts are terminated when
no longer needed. Below are Honeywell’s requirements for account management:
4.21.7.1 All user accounts, except for the server account(s) and authorized administrator
account, will be removed.
4.21.7.2 Different root directories for the server and server document will be used.
4.21.7.3 Interpreters, shells, and configuration files will be located outside the server directory.

4.21.7.4 A dedicated host for the server will be used and all other unnecessary services,
including Simple Mail Transfer Protocol (SMTP) and File Transfer Protocol (FTP) will
be disabled.

4.21.7.5 Only a minimum set of client applications will be installed. If a browser must be
installed, then downloading of active content (for example, Active X and Java) will be
disabled.
4.21.7.6 Where appropriate, multiple server instances under different IDs will be run in order to
provide different types of access to different users.
4.21.7.7 Packet filters, such as TCP wrappers, will be used to restrict connections from known
hosts or services and to log incoming service requests.

4.22 Network Security


The ASP will ensure that all connectivity initiated from the hosting server into the Honeywell application
server is restricted. Network security practices will include but not be limited to:
4.22.1 Running only the services and protocols necessary. Where insecure protocols are used (e.g. FTP,
Telnet, etc.), all sessions must be encrypted through a service such as "Secure Shell"
4.22.2 Limiting network access to the web-hosting systems by IP address and meeting the service levels
required for application performance
4.22.3 Blocking any unauthorized usage of security discovery tools and protocols (e.g. port scanners,
trace-route, etc.)
4.22.4 While connected remotely and/or connected directly to Honeywell’s networks, split tunneling is
not permitted, as it presents security risks to the overall Honeywell network.

4.23 Firewall
The ASP must ensure a process is in place for configuration, monitoring, auditing, and active
management of the locally-maintained firewall infrastructure. As with any other security platform,
maintaining the currency of the firewall vendor issued updates and patches is critical. If the firewall is
compromised, an alert must be sent to Honeywell Global Security immediately.
4.24 Intrusion Detection
An Intrusion Detection System (IDS) is a critical security architecture component. It is the ASP’s
responsibility to configure and manage the IDS as well as maintaining the currency of any patches and
attack signatures. All applicable event logs for potential malicious attacks and probes will be reviewed
and analyzed by the ASP on a daily basis. In the event of a successful intrusion, there must be a
process in place so that Honeywell is alerted immediately.

4.25 Security Monitoring


Since the website and applications are hosted at the ASP, regular and frequent reviews must be
conducted to ensure all components continue to adhere to the agreed configuration standards required
for security. Some of the required security-monitoring components include but are not limited to:
4.25.1 Audit logs on all web-hosting systems and applications that have the capability
4.25.2 Logs and events of web-hosting systems on a daily basis with ability to trace a user’s actions for
incident response purposes
4.25.3 Process to obtain all new security alerts for operating systems, commercial applications, and
technologies that are in use by the ASP

4.26 Incident Response Handling


The ASP will have a formal incident response and handling plan to provide guidance to the response
team in the event that a security incident occurs that relates to Honeywell’s systems. The incident
response and handling plan typically contains the following processes:
4.26.1 Identification of incident and assignment of responsibilities
4.26.2 Containment of incident
4.26.3 Eradication of the cause and symptoms of the incident
4.26.4 Recovery of system

The ASP will have formalized documentation regarding incident response procedures, as well as
resultant findings of any incidents that relate to Honeywell systems and information.

4.27 Data Backup and Disaster Recovery Planning


The ASP will ensure that a backup and disaster recovery plan (DRP) is developed and implemented to
safeguard its web-hosting systems or data hosted from disruption and suspension.

The DRP will include but not be limited to:


4.27.1 Awareness and discovery of possible and plausible threats
4.27.2 Assessment of risks in relation to perceived threats
4.27.3 Mitigation of risk exposures and possible losses
4.27.4 Preparation of specific actions that must be taken should a disaster occur
4.27.5 Annual validity testing of the current DRP
4.27.6 Preparation of response and recovery

Backup will, at a minimum, occur daily for servers and weekly for key files. Backup tapes will be stored
off-site. Where the security of Honeywell’s information or data is of vital concern, a secure media vault at
a storage facility maintained by an offsite media storage company will be engaged.

4.28 Physical Security and Environmental Controls


The ASP will restrict physical access to the data center in order to protect Honeywell hosted systems
and other related supporting infrastructures against threats. Physical access to the server will be
secured by a secure cabinet. Further, identification badges, key card access, cameras, and guards will
be deployed at key entry points to the data center.

Key points for the ASP to consider:


4.28.1 Is the application hosting equipment located in a physically secure facility?
4.28.2 What access control measures are in place to restrict access by authorized employees?
4.28.3 What are the background check procedures and results for authorizing individual access to the
server room?
4.28.4 Which authorized individuals are able to access the environment that hosts the application
servers?

Environmental controls are also critical and at a minimum will include but not be limited to:
4.28.5 Installation and regular testing of fire suppression and preventive devices to protect the data
center from fire
4.28.6 Implementation and maintenance of uninterruptible power supply (UPS) or backup generator to
protect against sudden loss of electric power
4.28.7 Regular maintenance of heating and air-conditioning systems
4.28.8 Periodic review of the electric power distribution, heating plants, water, sewage, and other
utilities for risk of failure
4.28.9 Full-time security monitoring and closed circuit television (CCTV)
4.28.10 Implementation of moisture and humidity detectors above and below raised floor environment.

4.29 Encryption
The Honeywell application infrastructure cannot use any "home-grown" cryptography. Any symmetric,
asymmetric, or hashing algorithm used by Honeywell’s application infrastructure must be an algorithm
that has been published and evaluated by the general cryptographic community.

The following is a list of encryption guidelines that will be followed:


4.29.1 Encryption algorithms must be of sufficient strength to Advanced Encryption Standard (AES)
4.29.2 Preferred hashing functions are SHA-1 and MD-5
4.29.3 Connections to the ASP utilizing the Internet must be protected using any of the following
cryptographic technologies: IPSec, SSL, SSH/SCP, PGP
4.29.4 If the Honeywell application infrastructure requires PKI, please contact Honeywell Global
Security for additional guidance

4.30 Logging
The ASP will have logging policies and procedures. Any pertinent policies and procedures will be
provided to Honeywell upon request. Logging policies and procedures will include but not be limited to:
4.30.1 Systems logged (e.g. firewall servers, etc.)
4.30.2 Logging requirements
4.30.3 Log review periods
4.30.4 Log retentions
4.30.5 Incident response process of steps to be taken if there is a security breach

5. Roles and Responsibilities


5.1 The VP of Global Security of the Company shall ensure compliance with this policy.
5.2 The Security Policy & Standards Manager shall serve as the Focal Point of this policy and may serve as
the primary author in future revision cycles.
5.3 All Suppliers shall adhere to this policy.

6. Definitions
Confidential information: Organized data (data are facts, they become information when they are seen in
context and convey meaning to people) that requires safeguarding in the interest of client, personnel, or
organizational security.

The terms can be found in the Glossary of Compliance Terms and Acronyms.

7. Supporting Documentation
7.1 Corporate Policy: Honeywell Code of Business Conduct
7.2 HGS Policy: Security Awareness, Training and Clearance Policy
7.3 HGS Standard: Disk Wiping
7.4 HGS Standard: Encryption
7.5 HGS Standard: Security Component: Antivirus
7.6 HGS Standard: Use Model: Trusted Site
7.7 The following control that this standard complies with can be found in the UCF control matrix:
UCF ID 01134

8. Forms and Exhibits


8.1 Exhibit: N/A

HGS Policy Template v1.0 Page 17 of 17

© 2006-2007 Honeywell International Inc. All Rights Reserved
