Standard for Third Party Network Connectivity
NOVEMBER 2007

Corporate Affairs Department

Special Notes

API publications necessarily address problems of a general nature. With respect to particular circumstances, local, state, and federal laws and regulations should be reviewed.

Neither API nor any of API's employees, subcontractors, consultants, committees, or other assignees make any warranty or representation, either express or implied, with respect to the accuracy, completeness, or usefulness of the information contained herein, or assume any liability or responsibility for any use, or the results of such use, of any information or process disclosed in this publication. Neither API nor any of API's employees, subcontractors, consultants, or other assignees represent that use of this publication would not infringe upon privately owned rights.

Users of this recommended practice should not rely exclusively on the information contained in this document. Sound business, scientific, engineering, and safety judgement should be used in employing the information contained herein.

API publications may be used by anyone desiring to do so. Every effort has been made by the Institute to assure the accuracy and reliability of the data contained in them; however, the Institute makes no representation, warranty, or guarantee in connection with this publication and hereby expressly disclaims any liability or responsibility for loss or damage resulting from its use or for the violation of any authorities having jurisdiction with which this publication may conflict.

API publications are published to facilitate the broad availability of proven, sound engineering and operating practices. These publications are not intended to obviate the need for applying sound engineering judgment regarding when and where these publications should be utilized. The formulation and publication of API publications is not intended in any way to inhibit anyone from using any other practices.

Any manufacturer marking equipment or materials in conformance with the marking requirements of an API standard is solely responsible for complying with all the applicable requirements of that standard. API does not represent, warrant, or guarantee that such products do in fact conform to the applicable API standard.

All rights reserved. No part of this work may be reproduced, stored in a retrieval system, or transmitted by any means, electronic, mechanical, photocopying, recording, or otherwise, without prior written permission from the publisher. Contact the Publisher, API Publishing Services, 1220 L Street, N.W., Washington, D.C. 20005.

Copyright 2007 American Petroleum Institute

Foreword

Nothing contained in any API publication is to be construed as granting any right, by implication or otherwise, for the manufacture, sale, or use of any method, apparatus, or product covered by letters patent. Neither should anything contained in the publication be construed as insuring anyone against liability for infringement of letters patent.

Suggested revisions are invited and should be submitted to the Director of Corporate Affairs, API, 1220 L Street, NW, Washington, DC 20005.

Table of Contents
Standard ... 3
Trust ... 4
1 Connection Request

- The Company creating the connection(s) holds the liability.
- Connections can be terminated at any time.

Security Plan

An IT security plan should be an integral part of a company's overall security program. Each company considers, to the extent possible, its unique security risks and then assesses them to ensure the plan covers those risks. This standard recognizes the need for flexibility in the design of security plans and provides guidance for this need. Some of the security plan must remain confidential. A confidentiality program can ensure understanding of what information can be shared and what remains confidential.

The ISO/IEC International Standard 17799 describes a framework for the creation of an IT security plan. This framework has been endorsed by API's Information Technology Security Forum as voluntary guidance to protect the oil and natural gas industry against acts of cyber terrorism. The standard
attempts to ensure preservation of confidentiality, integrity, and availability of user access, hardware and software, and data. The standard involves eight steps in the security process:

- Create an information security policy
- Select and implement appropriate controls
- Obtain upper management support
- Perform security risk assessment
- Create statement of applicability for all employees
- Create information security management system
- Educate and train staff
- Audit

Information on how to obtain this standard is provided at: http://webstore.ansi.org/.

1 Connection Request

- [...] including two (2) technical contacts, area code/telephone number, pager, email address, and location address.
- Identify the Hosting Company organization name and network that you will be accessing, including a technical contact, area code/telephone number, and location address.
- Indicate the type of connection requested: either dial-up, dedicated private leased line or VPN (i.e. Site-to-Site VPN with DMZ, Traditional Site-to-Site VPN, or Site-to-Site VPN internal DMZ); see Attachment 1, Guidance for Use Document, for details related to the type of VPN required.
- Indicate the date the connection is required.
- Indicate the date the connection is to be terminated. (Elevated access should be limited and reviewed under tighter controls.)
- Provide a technical description of the project, including assessment of current security level of external party. Include VISIO diagrams, risk assessment, and additional security controls that are to be implemented.
- Provide justification for the project, including alternatives considered.

1.4 API Third Party User Responsibility Sample Agreement

This agreement sets forth [Company]'s position confirming its right to protect property and that its contractors, consultants, and vendors, hereafter referred to as "Trusted Third Party", properly use such property. Obligations and conditions set forward in this statement shall be in addition to any obligations, conditions, or commitments contained in any agreement(s) under or through which Trusted Third Party users are providing services to [Company]. The purpose of this agreement is to ensure that all users use computing facilities in an effective, efficient, ethical and lawful manner.

Property Defined

[Company] property is defined as, but not limited to, the following:

a. All data, documents, correspondence, and intellectual property whether contained in electronic, physical, hard copy or other form, access cards, badges and keys to facilities, desks, and cabinets;
b. Hardware, such as network resources including servers, PCs, workstations, networks, monitors, scanners, printers, telephones and voice mail, facsimile machines, cellular phones, pagers, secure ID tokens, smart cards, and personal digital assistants;
c. All User IDs, system/application/screensaver passwords, software, including all administrative office, e-mail, Internet, operating systems/applications, development applications or special tools and utilities supplied by the company;
d. Work areas or related accessible areas, including desks or other workstations, drawers, supplies, and all storage areas.

I. Use of Property

As a Trusted Third Party you agree to observe and abide by the following with respect to property. For business purposes, you may be provided with a telephone, computer or workstation with network access to other resources, or you may be authorized as a Trusted Third Party to connect your company's notebook to [Company]'s network. In either case you are responsible for the appropriate use of all property within or connected to [Company]'s domain and abiding by the following:

a. Computer and communication systems may not be used to view, store, transmit or communicate any language or message that is perceived to be offensive or threatening on the basis of race, sex, religion, age, national origin, political orientation, disability or any other basis. Company policies prohibit the transmission of vulgar, pornographic, obscene or threatening messages.
b. [Trusted Third Party] may use computing systems and facilities for only lawful purposes. Transmission, distribution or storage of material in violation of any applicable law or regulation is prohibited. This includes, without limitation, material protected by copyright, trademark, trade secret or other intellectual property right used without proper authorization, and material that is obscene, defamatory, fraudulent, harassing, constitutes an illegal threat, or violates export laws.
c. [Trusted Third Party] shall not purposely engage in activity with the intent to: harass other users; degrade the performance of systems; deprive an authorized user access to a resource; obtain extra resources, beyond those allocated; circumvent computer security measures or gain access to a system for which proper authorization has not been given.
d. [Trusted Third Party] is requested to report any weaknesses in computer security, any incidents of possible misuse or violation of this agreement to the proper authorities at [Company].
e. The presence or use of techniques or vulnerability assessment and discovery tools such as scanners and sniffers that are capable of hacking against [Company]'s network or launching attacks against others from within [Company]'s network is strictly prohibited. [Trusted Third Party] shall not download, install or run any such security programs or utilities.
f. The telephone system and all communications transmitted by, or stored in this system, are the property of [Company]. This includes the use of telephones, voice mail, fax machines and modems. Personal use of the telephone should be limited and all long distance telephone calls not related to Company business should be
billed to your personal calling account. [Trusted Third Party] shall not divulge modem phone numbers to anyone outside of the organization.
g. Computer hardware and software should not be removed from Company premises without prior management approval.
h. Copyright laws prohibit making copies of licensed computer software unless it is specifically permitted within a licensing agreement. Violations may place [Company], you and your company at legal risk.
i. Company computers and workstations should only have approved software installed on them. Personal software or non-licensed software should not be installed on any workstation.
j. The presence and/or release of malicious code (Trojans, viruses, worms etc.) capable of causing damage or harm against or within [Company]'s networks is strictly prohibited.
k. Software developed by a Trusted Third Party using [Company] systems shall be considered the sole property of [Company].
l. Trusted Third Party users are provided password-protected user accounts for computer system access. Passwords should not be shared with fellow employees. [Trusted Third Party] is responsible for protecting any information used and/or stored on/in their accounts.
m. Electronic mail messages are considered discoverable in a legal proceeding. Trusted Third Party users should exercise the same caution with electronic data as they would with paper documents.
n. Sensitive or confidential information should not be sent by electronic mail. Special security and communication software is available to encrypt sensitive data. When using electronic mail, there should be no expectation of privacy.
o. Inappropriate non-business uses of the Company's Internet and electronic mail systems are prohibited. This includes but is not limited to using [Company] systems to access or transmit sexually explicit material, offensive jokes, chain letters, product solicitations, personal mass mailings or conducting a personal business. Fraudulent, harassing or obscene messages and/or materials shall not be sent from, to or stored on [Company] systems. [Company] considers the information that people generate, document and communicate using computer resources to be [Company]'s property. [Company] reserves the right to monitor, inspect, review, or retain any electronic mail or computer records on computer resources.
p. All inbound and outbound electronic transmissions, including information obtained via the Internet, are considered the sole property of [Company]. The Company exercises its right to scan and monitor all computer and communications systems use (including inbound and outbound electronic mail transmissions, file transfers and Internet usage). When using [Company]'s systems users expressly accept and consent to having their activities monitored.
q. Information protected by confidentiality agreements, nondisclosure agreements, licensing agreements, or copyright law should not be posted on publicly accessible bulletin boards, chat rooms or Internet sites.
r. [Trusted Third Party] shall not attempt to access any data or programs contained on [Company] systems for which they do not have authorization or explicit consent of the owner of the data/program.
s. Activities designed to circumvent, compromise or otherwise exploit computer security controls are prohibited.
t. Access to any [Company] network by Virtual Private Network (VPN) is exclusively for use in the performance of [Company] business, and users will not share it or the system privileges that it provides with any other person.

II. Monitoring

[Company] reserves the right to scan, monitor and inspect any and all computer systems (to include hard disks, media, inbound/outbound email and Internet traffic) for malicious or inappropriate content or attachments in accordance with the company's monitoring standards and procedures. Authorized personnel routinely monitor [Company]'s network and systems for performance, maintenance and unauthorized activity. All individuals who access and use [Company] resources are subject to having their activities monitored and recorded. Information and material assets that reveal unauthorized or improper use of resources by an employee, contractor, consultant, vendor or service provider will be retained and used as evidence to support disciplinary action and/or criminal prosecution. All individuals using [Company] systems expressly consent to such scanning, monitoring or inspection and agree not to use the company's systems in violation of company policy. A violation of this agreement subjects the undersigned to action up to and including termination and/or criminal prosecution.

Any noncompliance with this agreement will constitute a security violation and will be reported to the management of the user and may result in disciplinary action, including termination. Serious violations may result in civil or criminal prosecution.

I acknowledge that I have been briefed and have read the information in this Acknowledgment. I understand my responsibilities regarding the use and protection of [Company] Property and consent to the scanning, monitoring and inspection of [Company] resources and my use of [Company] property. Upon my resignation or contract termination from [Company], I will return all Property in my