Sun Proprietary / Confidential: Internal Use Only

Internal Web Posting: Internal Use Only information may be posted without restriction on the SunWeb internal web site. The information must be appropriately labeled.

External Web Posting: Internal Use Only information may be posted to a domestic U.S. WWW site that is served by a WWW Netscape Commerce Server. The information must be appropriately labeled, and access by non-SMI individuals must be in accordance with the aforementioned CDA and/or contractual agreement requirements. For more information on WWW Netscape Commerce Server requirements, please refer to the applicable Security Technology Engineering policy and procedure below:
ENS Policy Regarding Posting Proprietary Information on the WWW and SunWeb
Approved Policy
January 3, 1996
Version 0.7
Karen Casella, ENS Network Security Group
Purpose
The purpose of this document is to define the roles, responsibilities,
and operational guidelines for secure posting of Sun Proprietary
Information on either the WWW or SunWeb.
Scope
This policy addresses operational security requirements regarding
posting Sun Proprietary Information on either the WWW or SunWeb.
Definitions
World Wide Web (WWW)
    The World Wide Web is a worldwide collection of information resources linked by hypertext. In the context of this document, the WWW is that part of this web that resides outside of the SMI firewall. The Sun WWW server provides information to the Internet population at large.

SunWeb
    The SunWeb is that portion of the Web that resides inside of the SMI Internet firewall. Individuals outside of the SMI firewall do not have access to the SunWeb. The document "WWW and SunWeb: What's the Difference" provides more information regarding the difference between the World Wide Web and SunWeb.

Sun Proprietary Information
    The document "Three Proprietary Labels" provides more detailed information on what constitutes Sun Proprietary Information.
Policy
Summary
"Internal Use Only" and "Need-To-Know" information may be posted on SunWeb if properly labeled and all "Need-To-Know" documents are served by a SunWeb Netscape Commerce Server.

"Internal Use Only" and "Need-To-Know" information may be posted to the WWW if properly labeled and all such information is served by a WWW Netscape Commerce Server that is located on a subnet isolated from SWAN and firewalled from the Internet.
SunWeb
Sun proprietary or confidential material may be posted to SunWeb if the following conditions are met:
- "Internal Use Only" documents may be posted on SunWeb if all documents are labeled Sun Proprietary/Confidential: Internal Use Only.
- "Need To Know" documents may be posted on SunWeb if and only if the following conditions are met:
    - All documents are labeled Sun Proprietary/Confidential: Need To Know.
    - All documents are served by a SunWeb Netscape Commerce Server as defined below in the sections titled Netscape Commerce Servers and SunWeb Netscape Commerce Servers.
- "Registered" information may not be posted on SunWeb.
WWW
Sun proprietary or confidential material may be posted on the WWW if the following conditions are met:
- "Internal Use Only" documents may be posted on the WWW if and only if the following conditions are met:
    - All documents are labeled Sun Proprietary/Confidential: Internal Use Only.
    - All documents are served by a WWW Netscape Commerce Server as defined below in the sections titled Netscape Commerce Servers and WWW Netscape Commerce Servers.
    - The server is located in the domestic U.S.
- "Need To Know" documents may be posted on the WWW if and only if the following conditions are met:
    - All documents are labeled Sun Proprietary/Confidential: Need To Know.
    - All documents are served by a WWW Netscape Commerce Server as defined below in the sections titled Netscape Commerce Servers and WWW Netscape Commerce Servers.
    - The server is located in the domestic U.S.
- "Registered" information may not be posted on the WWW.
Netscape Commerce Servers
All implementations that require Netscape Commerce Servers must comply with all conditions listed in this section. Additional requirements for SunWeb and WWW Netscape Commerce Servers are listed in the sections titled SunWeb Netscape Commerce Servers and WWW Netscape Commerce Servers, respectively.
- It is the responsibility of the department owner of the
Netscape Commerce Server to obtain a digital certificate from
an ENS authorized Certificate Authority.
- All Netscape Commerce Servers must be registered with ENS.
- The security feature of the Netscape Commerce Server must be
enabled at all times.
- The port number for secure HTTP must be set to 443.
- Access control for all Netscape Commerce Servers must be
enabled for user authorization.
- The system security of all Netscape Commerce Servers must
comply with the standards defined in the NSG Server Security
Standard.
- WWW Netscape Commerce Servers are subject to both random and
scheduled audits for compliance with this policy.
SunWeb Netscape Commerce Servers
All SunWeb implementations that require Netscape Commerce Servers
must comply with all conditions listed in the section titled Netscape
Commerce Servers and the following:
- The only cipher that may be used on the SunWeb Netscape
Commerce Servers is RC4 with 40 bit encryption.
WWW Netscape Commerce Servers
All WWW implementations that require Netscape Commerce Servers
must comply with all conditions listed in the section titled
Netscape Commerce Servers and the following:
- The installation of a WWW Netscape Commerce Server requires
prior approval from the OpCo IRX and the ENS IRX and must
comply with all conditions listed in the ENS Service Offering
for Internet Commerce Servers (TBD GNO).
- All data and information management, including confidentiality, on the WWW Netscape Commerce Servers is the responsibility of the user OpCo.
- The ciphers that may be used on the WWW Netscape Commerce
Servers are DES with 64 bit encryption, DES with EDE 3 with
192 bit encryption, and IDEA with 128 bit encryption.
- Access control for all WWW Netscape Commerce Servers must be
enabled for both user authorization and hostname/IP address
restriction.
Policy Exceptions
Exceptions to this policy may be granted on an individual basis by the
appropriate OpCo IRX, ENS IRX and the CIO.
- IRX approvals for policy exceptions signify OpCo concurrence with
the business case presented and full acceptance of all
responsibility and accountability for risk to SMI resulting from
the exception. NSG/ENS will not be held liable for any mishaps or
damage to SMI that may occur as a result of policy exceptions.
- OpCo Service Level Agreements may not override or supersede SunIR
security policy or SEA architecture.
- All exceptions to the policy must be documented and kept on file.