CHRYSLER LLC Document Number: PS-10052

Process Standard Date Published: 2007-12-20

Category Code: A-5 Change Level: C
EASL Requirement: No
RESTRICTED: No

INFORMATION SECURITY

1.0 GENERAL

Chrysler LLC Product Creation Process Information Security Requirements are:

- To treat as confidential all information generated by the product creation process that has not been
publicly disclosed.

- To utilize standardized procedures that facilitate the efficient transfer of information from the product
creation process among Chrysler LLC Team Members, while maintaining an appropriate level of security
(i.e. access on a “need-to-know” basis).

- To make Chrysler LLC Team Members aware that they are responsible for maintaining the security of
confidential and trade secret information under their control.

There are three fundamental provisions to the Information Security Requirement:

A. It is intended that a balance be maintained between absolute information security and the efficient
running of the business. This standard provides methods to manage risk. It is not an attempt to formulate
a process which will eliminate all risk.

B. Responsibility to safeguard information rests with the Information Owner as well as all Chrysler LLC
Team Members while confidential or trade secret information is under their control.

C. An increased awareness of the need, procedures, and guidelines required for information to be
effectively controlled and protected, where appropriate.

1.1 Purpose of Standard

Chrysler LLC policy and Corporate Process Guidelines direct that confidential and trade secret
information be protected from improper use, loss, destruction, or disclosure. Chrysler LLC management is
responsible for maintaining methods to safeguard, account for, and immediately detect the loss of these
assets.

This standard covers issues that arise relating to the protection of information assets generated as part of
the product creation process. This standard is not meant to replace existing standards that are consistent
with or more stringent than this standard.

Corporate Process Guideline GEN-001, Confidential Information, establishes instructions for the
identification, preservation, and authorized disclosure of confidential and trade secret information.
Chrysler LLC documents marked as “CHRYSLER CONFIDENTIAL” or any other information which has
not been publicly disclosed must not be distributed to unauthorized individuals and must be kept in a
secured location at all times.

1.2 Scope

This standard applies to confidential and trade secret information generated by the product creation

PS-10052, Change C, 2007-12-20, Page 1

Copyright Chrysler LLC

(2006-03-20)
process including manufacturing, regardless of source, storage or distribution methods.

1.3 Coverage of this Standard

This standard applies to all Chrysler LLC Team Members.

Chrysler LLC Team Members should report instances of information security breaches, exposures, and
other security issues to their immediate supervisor, Corporate Information
Security([email protected]), or the Chrysler LLC Engineering Information Security
Manager([email protected]), as deemed appropriate.

1.4 Enforcement of this Standard

The Business Practices Office, Special Security, Human Resources, and Procurement & Supply will
investigate violations of this standard and take the appropriate action(s).

2.0 INFORMATION SECURITY PROCESS - ROLES AND RESPONSIBILITIES

Chrysler LLC policy states that confidential and trade secret information from the product creation process
may be made available only on a "need-to-know" basis only. Safeguards must be put in place to allow
access to this information to those who require it, and restrict access to those who have no legitimate
"need-to-know."

Chrysler LLC’s confidential and trade secret information must be distributed to Tier 1 and sub-tier
suppliers on a “need-to-know basis” only. While it is essential that paper copies, tapes or other physical
media and access to on-line databases be provided to suppliers who require access to such information to
perform work for Chrysler LLC, each Chrysler LLC Manager/Supervisor must ensure that access is limited
to only those suppliers who have a legitimate “need-to-know” for the information being accessed.

Chrysler LLC Management must make information security an integral part of the vehicle planning process
(e.g., during design reviews, at supplier events, etc.) and review security status periodically to ensure that
sensitive information is safeguarded from premature or unauthorized disclosure.

2.1 Chrysler LLC Team Member Responsibilities

2.1.1 Senior Management

Senior management is responsible for overall information security risk assessment and corrective actions
across the technical disciplines of a major vehicle program including, but not limited to, design and
development activities, laboratory functions, tooling, supplier sourcing, electronic mail, Internet/Intranet,
PC applications, etc. Senior Management must ensure that guidelines and procedures are in place, as
defined in this standard and by corporate policies and procedures, to safeguard confidential and trade
secret information.

Responsibilities include:

- Taking an active role in creating, implementing, and enforcing information security guidelines and
procedures specific to their operating area, including but not limited to, design, engineering, laboratory,
and the office environment.

- Reinforcing the commitment to security by periodically reviewing security initiatives to ensure

confidential and trade secret information is safeguarded from premature or unauthorized disclosure.

- Ensuring that operating departments are aware of their duties relating to information security and are in
compliance with their security responsibilities.

- Performing periodic information security self-assessments across all aspects of the business unit (e.g.
PS-10052, Change C, 2007-12-20, Page 2

Copyright Chrysler LLC

(2006-03-20)
CATIA, CAE, PC, office environment, etc.).

2.1.2 Managers/Supervisors

Managers/Supervisors in all aspects of the product creation process are responsible as Data Owners of
confidential and trade secret information for authorizing access to Chrysler LLC Team Members who need
departmental information in order to perform work for Chrysler LLC. Responsibilities include:

- Appointing qualified individuals to act as Department Security Administrators. The total number should
not exceed the minimum needed for functional backup and efficient running of the department.

- Creating and maintaining department-specific guidelines and procedures for the safeguarding of
confidential and trade secret information from premature or unauthorized use or disclosure.

- Maintaining operating level awareness of technical and business process security across all areas of
their department's function.

- Safeguarding design information for product or manufacturing information not yet publicly disclosed (e.g.
CATIA, DMA, 2D drawings, etc.)

- Safeguarding engineering information such as CAE, lab testing, lab automation, etc. for product not yet
publicly disclosed. Ensure that critical data is backed up to the network.

- Safeguarding manufacturing information such as die, fixture, gauge and tooling designs, simulation, data
and numerical control machining.

- Monitoring monthly design data transfer activity.

- Requiring workstation and PC users to log off or lock their computer systems when away from their work
area.

- Ensuring that the office environment is secure (e.g. computer-generated documents are stored using
encryption where appropriate, physical documents are secured, waste containers or recycle bins do not
contain confidential or trade secret information, file cabinets are locked, etc.).

- Controlling/minimizing visitor access to suites with access to confidential and trade secret information or
with confidential and trade secret information in plain view. Escorting visitors while in these areas, when
appropriate.

- Working with Tier 1 design, parts, and tooling suppliers to communicate Chrysler LLC security
requirements to safeguard Chrysler LLC information entrusted to them, particularly for international
suppliers. Also, inform Tier 1 suppliers to communicate security requirements to lower tier suppliers.

- Periodically reviewing the status of security in the department (e.g. at staff meetings, design reviews, by
conducting self-assessments, etc.).

- Approving Gate Pass Property and Shipper requests to remove computer hardware, software and
information in physical form from Chrysler LLC facilities (e.g. DVDs, CDs, tapes, drawings, documents,
etc.).

- Creating and maintaining department information security employee education initiatives.

- Annually reviewing all information access which has been granted to assure that the “need-to-know”
tenant of this policy is preserved. This includes, but is not limited to, CATIA, DMA, and all corporate
computer systems.

PS-10052, Change C, 2007-12-20, Page 3

Copyright Chrysler LLC

(2006-03-20)
- Ensuring that Chrysler LLC Team Member access to Chrysler LLC systems is revoked when it is no
longer required. This is most critical for Extended EnterpriseTM supply chain (suppliers).

2.1.3 Department Security Administrators and VPM Org Managers

The job functions of Department Security Administrators include, but are not limited to, establishing and
maintaining appropriate access control measures for CATIA, DMA, engineering CAE computer systems,
AME applications and systems, and ITM data centers and respective applications. All areas involved in
the product creation process which create or process confidential or trade secret information must appoint
a Department Security Administrator.

For ITM data center and applications, login IDs and passwords are assigned and controlled by the
Department Security Administrator (this function is often called the department approver). In small
departments, the CATIA administrator, department approver, and DIA functions may be assigned to one
person. Department Security Administrators’ responsibilities include:

- Administrating ID and password security for CAD/CAM/CAE Network data in cooperation with ITM.

- Administrating ITM login IDs. The Security Administrator must obtain management approval to create
IDs on a “need-to-know” basis only. This includes issuing new IDs and passwords, revoking old or
unauthorized accounts, IDs, and passwords, and modifying permissions/roles as individual business
needs change.

- Administrating access to VPM organizations (orgs) under their control per direction of department
management.

- Administrating supplier CATIA access to Chrysler LLC network by working with the Supplier Integration
Infrastructure Administration Group ([email protected]). Data access should be organization-
specific and on a “need to know” basis only.

- Administrating other methods of offsite access as established by ITM and AME, including but not limited
to, Internet access to Chrysler LLC computer systems.

Scientific Lab Department Security Administrators responsibilities include:

- Administering Users Accounts, IDs, and passwords for Lab Test systems.

- Administering User IDs and Passwords for Chrysler LLC Team members who require access to test
data.

- Administering outside supplier access to Lab Test data/systems on a “need-to-know basis” only.

- Working with the Platform teams to determine access requirements for test data.

NOTE: Security Administrators and Managers/Supervisors must be aware that IDs for ITM data centers
have permissions that are granted by default when a new ID is created. The Security Administrator and
Manager/Supervisor must alter the default permissions to the minimum required for the Chrysler LLC
Team Member to perform necessary work. This is particularly important for supplier personnel at offsite
locations who are granted ITM systems access.

2.1.4 Data Users (e.g. Designers/Engineers/Technicians, both on-roll and supplemental)

Data Users are responsible for performing design, engineering, test, tooling and other functions of vehicle
components with adequate protection of confidential and trade secret information. Education and
awareness of security requirements are particularly important in areas with high turnover of Chrysler LLC
Team Members. Responsibilities include:

PS-10052, Change C, 2007-12-20, Page 4

Copyright Chrysler LLC

(2006-03-20)
- Being aware of security considerations for design (e.g. CATIA, DMA, 2D drawings, screen dump hard
copies, computer storage media left on desktops, etc.)

- Being aware of security considerations for CAE, lab testing, lab automation, etc.

- Personally safeguarding confidential and trade secret information entrusted to them (e.g. data transfer
procedures, logging off computers when away from area, using workstation screen locks, etc.)

- Maintaining a secure office environment (computer-generated document protection, protection of

physical documents, proper disposal of waste, challenging the business purpose of visitors in the area,
etc.)

- Ensuring that critical data is backed up to the network (e.g. PC’s, laboratory automation equipment, etc.)

- Assist with security considerations for design, parts, and tooling suppliers.

- Obtaining an approved Gate Pass Property or Shipper when removing Chrysler LLC computer hardware
or software from Chrysler LLC facilities. The responsibility to show proper documentation to Security rests
solely with the user.

- Participating in periodic self-assessments of department information security status.

2.1.5 Department Information Administrators (DIAs)

DIAs most commonly are responsible for PC and PC network activities, including, but not limited to,
network security issues. In some departments, the DIAs function may be part of the larger function of
Department Security Administrator. DIAs assist ITM, and users with LAN and client (local) PC issues.
DIAs also maintain inventories of equipment in their department such as PCs and CAD/CAM/CAE
workstations (DIA responsibilities vary according to whether or not their areas are directly supported by
ITM).

2.1.6 Procurement and Supply

The Procurement and Supply organization assists in educating suppliers in "best practices" for
safeguarding Chrysler LLC information without introducing bureaucracy or raising costs, as defined in this
standard and by ITM policies and procedures. Responsibilities include:

- Taking an active role in ensuring that the Chrysler LLC has the appropriate rights to any supplier’s
intellectual property covering products the supplier supplies to Chrysler LLC.

- Taking an active role in protecting the intellectual property rights of Chrysler LLC.

- Working with Engineering, Manufacturing, and the Design Office to ensure that confidential and trade
secret information transfer (all types) to and from Chrysler LLC and the Extended EnterpriseTM supply
chain is secure.

- Assisting, as required, in addressing information security issues with specific suppliers.

- Assisting in information security awareness activities conducted with suppliers.

2.1.7 ITM Responsibilities

ITM provides the computing technical architecture for use by Chrysler LLC Team Members for the product
creation process. Responsibilities include:

- Providing a secure mainframe, workstation, and client server hardware computing environment

PS-10052, Change C, 2007-12-20, Page 5

Copyright Chrysler LLC

(2006-03-20)
- Maintaining a secure network architecture, including firewalls to prevent unauthorized access from
outside Chrysler LLC.

- Providing appropriate tools to enable Chrysler LLC management to control access to confidential and
trade secret computer information.

- Maintaining appropriate audit trails, as required, to document access and transfer of confidential and
trade secret information.

- Providing assistance to Chrysler LLC Team Members for all technical issues relating to computer-
generated information security.

- Conducting basic network reconnaissance including monitoring network traffic, determining what
systems are connected to the network, and the services those systems are providing to the network.

2.2 Supplier Access and Responsibilities

Suppliers are responsible for understanding and complying with Chrysler LLC requirements for information
protection as defined in this standard and other applicable Chrysler LLC policies and Corporate Process
Guidelines.

The requirement to safeguard Chrysler LLC confidential and trade secret information extends to all sub-
tier suppliers. Tier 1 suppliers must ensure that their sub-tier suppliers comply with this requirement. A
supplier shall not obtain or utilize any administrative role within a Chrysler LLC network or system
including, but not limited to, VPM.

Supplier responsibilities include:

- Consulting with ITM for approval of technical security issues relating to data transfer between Chrysler
LLC and suppliers and between suppliers and other suppliers.

- Only using the public Internet in a secure manner to transfer confidential or trade secret information as
the Chrysler LLC approved security precautions provide.

- Refrain from the use of the ‘Public’ button when storing data in VPM. Any data stored to ‘Public’ will be
automatically migrated each night to one of that supplier’s unsecured data containers.

- Computer files containing Chrysler LLC confidential or trade secret product design information must be
transferred within the supplier's own network or from supplier-to-supplier using Chrysler LLC-approved
methods (ITM and/or Information Services).

- Product design information confidentiality requirements in Chrysler LLC Purchase Order Terms and
Conditions must be adhered to.

- Supplier internal product design information security policies must be developed, maintained, and taught
to all supplier employees and supplemental workers.

- Supplier internal security policies must be made available for Chrysler LLC inspection and approval.

- An on-going product design information security awareness program must be in place.

- Product design information security awareness activities must be regularly performed.

- Appropriate technology must be in place to safeguard Chrysler LLC confidential and trade secret
product design information from access outside the supplier's site and network (e.g. by installation of a
firewall).

PS-10052, Change C, 2007-12-20, Page 6

Copyright Chrysler LLC

(2006-03-20)
- Non-Chrysler LLC dial-in modem access to any supplier workstation containing Chrysler LLC
confidential or trade secret product design information is prohibited.

- Use of the public Internet for any transfer of Chrysler LLC confidential or trade secret product design
information is prohibited.

- Supplier employees and supplemental workers must be educated in Chrysler LLC’s information security
requirements (e.g., proper handling of confidential and trade secret product design information and other
items from this document).

- Written confidentiality agreements must be signed by supplier employees and supplemental workers
who have access to Chrysler LLC confidential and trade secret product design information.

- Exit interview reminders of confidentiality obligations for supplier employees and supplemental workers
must be made when they leave their Chrysler LLC assignment.

- Service Bureaus transferring Chrysler LLC product design information electronically to other suppliers
via Autoweb CCX/AFX or direct connection must have a unique connection for each supplier served.

- Safeguarding Chrysler LLC information that is located at the supplier's facility by keeping access secure
and physically separate from Chrysler LLC competitors in the same building or operation.

- Ensuring that supplier procedures utilized for protecting Chrysler LLC information/data are available to
Chrysler LLC personnel upon request for inspection.

- Ensuring that workstations and PCs containing Chrysler LLC confidential and trade secret information
are physically and logically separated from non-Chrysler LLC computing environments.

- Supplier computer hardware directly connected to Chrysler LLC network must not allow simultaneous
connection to the supplier’s own network.

- ITM approved firewalls must be constructed to separate supplier networks from the Chrysler LLC
network.

Exceptions to the above requirement must be known and approved by Chrysler LLC management.

Distinctions must be made between those suppliers responding to a Request for Quotation (RFQ) and
those suppliers who are working under an active Purchase Order (PO).

RFQ Access - A supplier responding to a request for quotation from a Chrysler LLC product team for
which that supplier does not have an active purchase order must be limited to data necessary to respond
to the RFQ even if the supplier has an active purchase order from another Chrysler LLC product team.
However, if the supplier has been pre-sourced to supply a component/system, the supplier should be
treated as if an active purchase order exists. An exchange file/mail box arrangement such as CCX could
be used to provide RFQ access to suppliers.

Purchase Order Access - A direct access arrangement (e.g. T-1 or ISDN line) can be used for a supplier
who meets the following on-site requirements for data transmission:

- A Purchase Order has been granted.

- Chrysler LLC Management has approved the direct connection and this approval has been documented
by ITM (e.g. the Supplier Integration Infrastructure Administration Group).

- Database access is essential for simultaneous engineering. Less critical access can be performed by a
“mailbox” arrangement such as CCX or CTX.

ITM will provide the supplier with appropriate IDs and passwords. ID and Password combinations are for
PS-10052, Change C, 2007-12-20, Page 7

Copyright Chrysler LLC

(2006-03-20)
the expressed purpose of performing Chrysler LLC authorized work. The usage of each supplier may be
tracked and recorded by ITM, as appropriate, to ensure compliance with this requirement.

Each supplier must be informed of the responsibilities assumed when access is granted to Chrysler LLC
data. The "Chrysler LLC Network Access Privileges" document sets forth the conditions for data use that
suppliers must follow when accessing Chrysler LLC computer systems. A network license screen has
been developed by ITM and the Office of the General Counsel that summarizes the Chrysler LLC Network
Access Privileges document. This screen appears each time the supplier logs onto the Chrysler LLC’s
network.

Suppliers must ensure that each employee on its site who is granted access to Chrysler LLC data abides
by this agreement.

2.2.1 Supplier’s Responsibilities within VPM

All suppliers must obtain a supplier ID (SID) for access to VPM. This SID can be generated by completing
a registration for a Covisint ID. These SIDs must reside within the corresponding V org for their respective
company.

Any geometry of components/systems planned for production release on Chrysler LLC vehicles must not
be stored in the V org. This data must be stored either in a Chrysler LLC org or a vehicle-specific data
container which is a child org of the V org. Any geometry intended for a production vehicle that is stored in
a V org will be automatically migrated accordingly to the guidelines stated above.

Suppliers who are required to perform model create and release transactions may have their V orgs
mapped to the corresponding Chrysler LLC department for which they are performing these duties. This
mapping will ensure that the appropriate privileges are provided.

3.0 PASSWORD SECURITY

Guidelines and procedures in this section are based on current best practices as defined by the Chrysler
LLC information security specialists.

3.1 Employee Passwords

The primary identification of Data Users to Chrysler LLC computer applications is through their ID and
password. A password must be selected so that it can be easily memorized, but not easily guessed.
Passwords should be a combination of upper and lowercase letters, numbers, and special characters.
Three out of four of these criteria must be employed. A password should not be a word associated with
the Data User's personal interests, family names, words in a dictionary, or other commonly used words. It
is possible for unauthorized users to determine passwords using existing software guessing routines that
find short or obvious passwords quickly.

Passwords should never be written down or posted on your computer (see also Section 1.4). If a user
believes their password has been disclosed, it must be changed immediately. Passwords should never be
disclosed to anyone.

IDs and Passwords are assigned on an individual basis and must be used only by one person. Use of
shared IDs and passwords is prohibited because user accountability cannot be maintained.

Default passwords must be changed with the first access of the system. Passwords should never be part
of an auto logon file, keyboard hot key, or macro.

3.2 Suppliers and Supplemental Worker Passwords

Suppliers and supplemental workers granted access to the Chrysler LLC computer applications must be
given unique IDs and passwords. Supplier and supplemental worker passwords should be selected with
PS-10052, Change C, 2007-12-20, Page 8

Copyright Chrysler LLC

(2006-03-20)
the same precautions as employee passwords.

Chrysler LLC departments granting computer access IDs and passwords to suppliers and supplemental
workers should consider the following information:

- IDs and Passwords must be individual as well as data and computer system-specific allowing only
access to the data required by the supplier or supplemental worker to do their work (this requires action by
the Department Security Administrator or VPM org manager to alter default ID privileges).

- Suppliers often use independent contractors and sub-tier suppliers who are indirectly given access to
confidential or secret Chrysler LLC information by virtue of Chrysler LLC arrangement with the Tier 1
supplier.

3.3 Computer System Access Cautions

Chrysler LLC managers must be aware that default access for new IDs may include access to the
mainframe (but not necessarily all applications on those data centers). Access to some or all of these
systems (and the applications which reside on them) may be required in order to perform services for the
Chrysler LLC. More access than the manager intended may be granted by default. If this is the case, the
Department Security Administrator or VPM org manager must alter permissions after the ID is created.

Chrysler LLC managers/supervisors can obtain help/advice on computer system security concerns by
contacting the Information Security Manager ([email protected]).

NOTE: Current security practices do not inform Chrysler LLC management, Department Security
Administrators, or VPM org managers of the specifics of application level security.

4.0 WORKSTATION, TERMINAL, AND PC SECURITY

4.1 Securing Unattended Hardware

Users must not leave signed-on workstations, terminals or PCs unattended. Once the user has logged on
to a system or application, access is available to anyone who can use the unattended hardware.
Examples include CATIA/VPM, DMA, mainframe applications, CAE, DEC/VAX, and the PC LAN
environment.

Before leaving for short or moderate lengths of time (i.e. meetings, lunch, or breaks) Data Users must
secure the workstation or PC from unauthorized use by “locking” the hardware using a screen saver
equipped with a password, or logging off the network or application. No workstation, terminal or PC
should be left unattended when it is logged into the Chrysler LLC network or to an application or program
which contains confidential or secret information. Each Data User must be disconnected from the
Chrysler LLC network whenever their computer hardware is left unattended for long periods, such as
overnight.

NOTE: CAD/CAE workstations are the only exception as they need to be left powered on in order to
receive nightly automated software and data updates.

As a general rule, Chrysler LLC data should always be stored on a Chrysler LLC network disk drive. This
drive is protected against unauthorized access when the user is not logged into the Chrysler LLC network
and the data is backed up on a regular basis to avoid loss. To ensure the protection of confidential
information on the network drive, be sure to log off the network or shut the PC down before leaving the
area. For assistance on logging off (and re-logging on) to the Chrysler LLC network, contact the
department DIA.

Should it become necessary to store data locally on a PC hard disk, the PC can further be protected from
unauthorized start-up by setting a hardware password, sometimes called a “CMOS” or “BIOS” password.
For assistance on using this protection, contact your department DIA.
PS-10052, Change C, 2007-12-20, Page 9

Copyright Chrysler LLC

(2006-03-20)
4.2 Other Hardware Security Considerations

Installation of additional hardware such as network cards or disk storage devices into corporate PCs or
workstations is prohibited except when authorized by ITM. This is particularly important for hardware
installed at an offsite non corporate (supplier) location.

CAD and CAE workstations that access CAD/CAM/CAE files shall be secured from unauthorized file
transfer by disabling the disk storage devices or restricting them to ‘read only’ mode via the use of a third
party software. Examples of these devices include CD/DVD burners, jump drives, external hard drives,
etc.

In some cases, disk storage devices of workstations may be left enabled in order for the Data User to
perform necessary work. However, Chrysler LLC management must be made aware of just such an
exception and approve of it in advance.

NOTE: When required, PC data stored locally on the PC or workstation can be secured by the use of third
party encryption software. Logging off the Chrysler LLC network effectively prevents unauthorized users
from accessing data stored on a Chrysler LLC server, unless the Data User has copied the data from the
server to their PC’s local hard drive (see section 4.1).

Supplier-owned computer hardware, such as laptop PCs are covered by this standard while they are used
at a Chrysler LLC facility. See also sections 2.2, 6.1, and 6.3.

4.3 Special Security Concerns For Laptop PC Computers

Special considerations for PC laptop security are covered under the “Mobile Security” link located in the
“DC User Community” section of the IT Security website located at http://itm-s.intra.daimlerchrysler.com/.

The small size and easy portability of laptop PCs present special security concerns. Two main security
concerns exist: physical loss of a laptop PC due to theft and loss of confidential or secret information
stored locally on the laptop PC’s hard disk when the PC is lost or stolen.

4.3.1 Physical Loss of Laptop PCs Due to Theft

Laptop PCs must be kept under close personal supervision. Laptop PCs must be physically secured at all
times when in use at a Data User’s office/cubicle. Never leave a laptop unattended in open view as a
target for thieves. Take special precautions when traveling by vehicle or airplane. Laptop PCs are
frequently stolen in airports and from parked vehicles. Peripherals, such as removable hard drives,
modems, and network cards are also easy targets for thieves. Make every effort to physically secure.

There is no specific requirement to lock down a desktop PC because its size and lack of easy portability
does not make it as easy a theft target as laptop PCs, and because in many cases the office environment
is secure. However, if desktop PCs are installed in areas where there is a high risk of theft, department
management should contact ITM to obtain appropriate security devices.

4.3.2 Loss of Information Stored On Laptop and Desktop PCs

Know what confidential or secret information is stored on the laptop’s local hard drive. Information stored
on the local hard disk of a laptop PC may be more valuable to a thief than the PC hardware itself. Various
types of confidential and secret information are routinely stored locally on laptop PC hard disks, including,
but not limited to: electronic mail memos, user IDs and passwords, confidential documents created by PC
applications, databases such as Lotus Notes, automated access to Chrysler LLC computer systems, etc.
Even deleted data can be of value since it is still exists on the hard drive, in many cases, and can be
recovered by thieves unless specially destroyed or overwritten.

All users of laptop PCs shall use specialized security and encryption software to protect confidential and
secret information stored on the PC’s hard drive. This is particularly true for hard drives which are easily
PS-10052, Change C, 2007-12-20, Page 10

Copyright Chrysler LLC

(2006-03-20)
removable. It is much more secure to store documents on a LAN file server and access them when at
your office. It may be impractical to do this if the laptop is frequently used while out of the office or
disconnected from the network drive, but all confidential information should be uploaded to a Chrysler LLC
network server at the first opportunity and the local copies destroyed.

4.4 Obtaining Access to Data Stored in VPM

There are several methods for accessing data stored in the VPM repository. Data may be transferred by
the Data User to an external recipient via the Integrated Collaborative Data Exchange (ICDE) available via
the Engineering Portal. A request may be submitted for access to the Part System Viewer (PSV). This is
a browser-based application which provides read only access and limited functionality for geometry stored
in VPM. The final method involves requesting a VPM license and direct connection to the Chrysler LLC
VPM database. This can be initiated by contacting the Supplier Integration Infrastructure Administration
Group ([email protected]).

5.0 DISPOSITION OF COMPUTER GENERATED INFORMATION

Chrysler LLC information from the product creation process can be physically transmitted as CATIA
models, engineering graphics, PC printouts, data disks, magnetic tape, or other permanent media. Before
removal from a Chrysler LLC site, the confidential or secret information should be labeled "CHRYSLER
CORPORATION CONFIDENTIAL." When in doubt as to how to handle confidential and secret
information, seek the advice of the Office of the General Counsel.

Each medium mentioned above must be secured at all supplier sites and disposed of properly when the
information is no longer needed or in accordance with the current record retention policy. Physical media
must be totally destroyed.

6.0 COMPUTER USAGES

6.1 Employee-Owned and Supplier-Owned Hardware and Software

Corruption of Corporate data and removal of confidential or secret information are the main concerns
when employee-owned computers or supplier-owned computers are connected to the Chrysler LLC
computer network. When transferring data, all software and data disks must be scanned for viruses
before loading data onto Chrysler's mainframes, LAN servers, and local computer disk drives. Chrysler
LLC-owned media must be returned to a Chrysler LLC facility after use. Guest accounts must not be set
up on workstations that have access to Chrysler LLC confidential and trade secret product design
information.

Secure telecom cabinets (either locked or in a secure computer room) must be used at all supplier
locations to house Chrysler LLC network equipment. Category 5 or higher Unshielded Twisted Pair (UTP)
local LAN wiring must be used when connecting to the Chrysler LLC network.
Department manager approval is also required prior to bringing personally-owned or supplier-owned
hardware onto Chrysler LLC property (see CPG GEN-009).

6.2 Security Approvals

Department management approval is required to remove computer hardware or software from a Chrysler
LLC site (this includes personally-owned or supplier-owned property). To protect company equipment
from tampering, damage, theft or unauthorized use, the procedures described below must be followed
when removing computer hardware or software from Chrysler LLC sites. Chrysler LLC Team Members
carrying any hardware or software out of a Chrysler LLC facility, including personally-owned or supplier-
owned property, must possess a Gate Property Pass when leaving. Refer to Corporate Process Guideline
ADM-055: Passes-Employee, Visitor, and Property. Corporate Process Guideline ADM-055 applies to
common items such as laptop computers, diskettes containing work-in-progress files, computer
documentation, software installation disks, etc. The Gate Pass – Property form can be obtained from the
PS-10052, Change C, 2007-12-20, Page 11

Copyright Chrysler LLC

(2006-03-20)
eForms system located at https://eformsanywhere.appl.chrysler.com. Login using your ID and password
and click on forms starting with the letter ‘G’.

When company hardware or software is required off-site for an extended period of time or is not intended
to be returned, a Chrysler LLC Shipper is required to document removal of the assets.

6.3 Authorization Required to Connect to Non-Chrysler LLC Computer Systems

Connections to Chrysler LLC suppliers, customers, dealers or regulatory agencies are allowed when ITM
approved security precautions are taken (e.g. the ITM SPIN system, which is secured through data
encryption). Access approval to non-Chrysler LLC systems must be documented and authorized in writing
by the responsible Chrysler LLC Manager after consulting with ITM. Unapproved access to non-Chrysler
LLC systems is prohibited. This type of access may lead to the corruption of computer data by viruses
imported from the outside systems or to the loss of Chrysler LLC confidential or secret information.

It is imperative that any computer hardware be disconnected from the Chrysler LLC network when
downloading information from non-Chrysler LLC computer systems, except as allowed by ITM. Computer
hardware which is management approved for access to non-Chrysler LLC networks must be virus
protected. All software and data files from outside of the Chrysler LLC must be scanned for viruses.

Supplier-owned computer hardware that is directly connected to the Chrysler LLC network may not be
connected to any other network (e.g. the supplier’s own network). All requests to connect supplier
computer hardware to the Chrysler LLC network must be approved by ITM. This will ensure that technical
safeguards are in place to protect the Chrysler LLC network. See also Section 2.2.

6.4 Rules and Policies for Supplier Access to 3D Geometry in the Corporate Repository***

- As discussed in Corporate Process Guideline GEN-001, Confidential Information, a supplier’s access to

data shall be considered and granted on a need-to-know basis only.
- All suppliers shall register with Covisint (http://www.covisint.com) for access to the corporate repository
of 3D geometry. Suppliers who have a direct connection to the corporate network may utilize the supplier
identification (SID) generated via the Covisint registration process for direct access to the repository.
Suppliers may contact the corporate help desk at 586-274-6000 to obtain their SID if they do not know it.
Suppliers should also access the siiAdmin document database available via the Covisint website for
information on how to register for a Chrysler account.
- All suppliers shall have an organization or ‘org’ created for their respective company in the corporate
repository. This organization will begin with the letter ‘V.’
- All suppliers who provide a service only (also known as a Purchased Service) but do not provide any
components/systems for installation on any Chrysler vehicle shall not have a role provided in their
respective company organization unless expressly granted to them by the Engineering Information
Security team. All of their roles shall be granted in the organizations for which they are providing the
service.
- Default roles for all suppliers in the Engineering environments of the corporate repository are: Viewer
and Product Supervisor.
- Suppliers with a direct connection to the corporate repository must clearly describe, to the satisfaction of
Chrysler personnel, all physical supplier locations which will be connected to the corporate repository,
either directly or indirectly via an internal supplier hub. Any changes to this configuration must be
immediately reported to the Engineering Information Security team via email at [email protected].
Failure to do so may result in a loss of said access up to and including complete disconnection from the
corporate repository.
- All supplier access to the corporate repository must be sponsored by a Chrysler manager. Contact the
Supplier Integration Infrastructure Administration team at: [email protected] for connection
questions and/or assistance.

7.0 DOCUMENT RETENTION

Retention of all information including, but not limited to, CATIA, CAE, DMA, lab automation, digital images,
PS-10052, Change C, 2007-12-20, Page 12

Copyright Chrysler LLC

(2006-03-20)
PC data, paper hardcopy, etc. must be consistent with current corporate guidelines (presently, CPG
ADM-062, Records Management). Where there is any doubt as to what to retain or discard, consult with
the Office of the General Counsel.

8.0 QUALITY

Refer to CS-9801 for general quality requirements.

9.0 DEFINITIONS

Application - A program used by a Data User to perform Chrysler LLC business functions. Examples
include mainframe, workstation and server-based programs such as CATIA/VPM, DMA, DEC/VAX,
EBOM, CN, Visitor Authorization, laboratory automation, data acquisition, etc. Applications also include
PC software such as MS Word, MS Excel, MS PowerPoint, Lotus Notes, etc. Normally, only server-based
PC applications, such as Lotus Notes, require a user login. Applications may reside locally on a
workstation or PC, on a server (such as Lotus Notes), or on a mainframe (such as ITM data center
applications).

CCX (Chrysler Communications eXchange) - System which provides “store and forward” capability
primarily used to send CATIA data to and from suppliers. Sometimes called a “mailbox.”

Chrysler LLC Team Member - Chrysler LLC employees, supplemental workers (i.e. contractors) on-site
at a Chrysler LLC facility or off-site at a supplier facility, and supplier personnel, working to design,
develop, test, tool, and build Chrysler LLC vehicles and components. These external suppliers are also
known as the Extended EnterpriseTM supply chain.

CN (Change Notice) - System for managing and processing changes to production vehicle parts and
specifications. A mainframe system integrated with EBOM.

Confidential information - the second highest level of Information Classification.

Unauthorized disclosure would have significant negative impact on Chrysler LLC, business partners or
employees. Unauthorized disclosure may even violate laws or regulations.
Access is always restricted based on a need to know (typically to a small group of people).

CTX (Chrysler LLC Telecommunication eXchange) - A Chrysler LLC-wide “store and forward” network
(i.e., a “mailbox”) originally designed to transmit non-geometric data such as specifications, Purchase
Orders, etc., to and from suppliers.

DATA - Any information stored and/or processed by Chrysler LLC Team Members, including hardcopy or
electronic formats.

Data User - Data Users are those individuals given access to certain computer hardware and software
needed to complete their job assignment.

DB2 - An IBM relational database. DB2 has powerful data storage, retrieval, and security mechanisms.
It is the underlying system for many electronic tracking systems such as VPM. DB2 permits data entry,
modification, update, delete, and query (search) capabilities.

Department Approver - Individual selected by the department manager to grant or revoke access to ITM
computer systems. This individual may or may not perform other duties of department Security
Administrators.

Department Information Administrator (DIA) - The individual selected to be the first point of contact for
PC and LAN operations, problems, or other issues. DIAs are the liaison between Data Users and ITM.

PS-10052, Change C, 2007-12-20, Page 13

Copyright Chrysler LLC

(2006-03-20)
Department Security Administrator - The individuals selected to be responsible for access control to
design, engineering, manufacturing, and business computer systems. These include CATIA/VPM, DMA,
CAE systems, ITM systems, etc. Security Administrators are delegated authority by the department
Manager/Supervisor to manage departmental computer assets. Security Administrators are responsible
for data security administration and control activities, maintenance of user ID records, access rules,
terminal controls, and security documentation.

DMA (Digital Mockup and Assembly) - The process of viewing large amounts of shaded image data,
commonly in vehicle packaging studies.

EBOM (Electronic Bill Of Material) - A database system that stores non-geometric part and part usage
information. EBOM manages production intent parts and part usage data from initial entry through
disclosure and production release, manages production part change data through integration with the CN
system, directly feeds other corporate systems to generate purchase orders, tooling authorizations and
supplier releases.

EXTENDED ENTERPRISETM - A Chrysler LLC-coordinated process that unifies and extends the
business relationships of suppliers and supplier tiers in order to maximize the effectiveness of vehicle
development, minimize total system costs, and improve quality and customer acceptance.

Firewall - A network security technology using special servers to logically protect a network from
unauthorized access from outside the company. For example, Chrysler LLC’s network is protected from
external Internet access by a firewall.

Identification/Authentication - Security methodology that ensures that a computer system knows who the
system’s users are. Authentication is usually accomplished via login ID, password and access rules. May
also include auxiliary devices, such as SmartCards, for conditions in which an ID and password do not
provide sufficient security.

Information - Material, whether created by computer (data) or other means, which has value to the
product creation process or the Chrysler LLC. This standard is primarily intended to cover confidential and
secret materials. This includes, but is not limited to, CATIA/VPM, CAE, DMA, computer images or
photographs, test data, PC data, paper memos, video or design conferencing, and other types of design,
development or tooling information.

Information Owner - The Chrysler LLC manager who has been formally assigned to protect information
under the control of their department or operation (i.e. the manager with responsibility as defined in CPG
GEN-001). For example, Engineering design managers “own” the information and computer data for parts
they design or release and are responsible for protecting that information from unnecessary risk or
premature disclosure.

Information Security - The protection of information (all types) against accidental or intentional disclosure,
destruction or modification by unauthorized persons. Includes protection of non-computer generated
information of all types.

Internet - The Internet consists of a large number of computers that are loosely linked to each other by
use of a common communications protocol (TCP/IP). The most common features presently implemented
on the Internet are the World Wide Web (WWW), electronic mail (E-mail), News Groups, File Transfer
Protocol (FTP), and Telenet (terminal emulation).

Intranet - Chrysler LLC’s internal Internet established for Chrysler LLC internal communication. The
Chrysler LLC Intranet has low-level security for the content posted on it unless specific security
mechanisms, such as passwords, are established. The Chrysler LLC Intranet has essentially the same
capabilities as the Internet and WWW, except that it is secured inside a “firewall” to provide security from
outside access.

ISDN (Integrated Services Digital Network) - A high-speed, low cost dial-in digital telephone line used to
connect to the Chrysler LLC network. It is typically used to communicate data to/from suppliers.
PS-10052, Change C, 2007-12-20, Page 14

Copyright Chrysler LLC

(2006-03-20)
ITM (Information Technology Management) - Organization responsible for corporate business computer
systems and telecommunications services, corporate computer hardware/software architecture, and
corporate computer strategic planning. This organization is also responsible for installation and support of
engineering and manufacturing technical computer systems such as CATIA/VPM, DMA, PCs, corporate
network, etc.

LAN (Local Area Network) - Name commonly given to a network operating system connecting PCs or
workstations. MS Active Directory is a LAN operating system used for PCs.

Non-Chrysler LLC Networks - Includes any outside network or system that is not owned by the Chrysler
LLC. Examples include, but are not limited to, the Internet, and networks belonging to suppliers.

Outside Access Sponsor - Chrysler LLC department manager who authorizes in writing access to
Chrysler LLC computer systems and data by outside users (e.g. someone not directly employed by the
Chrysler LLC, such as a supplier). For CATIA access, departments should contact the Supplier
Integration Infrastructure Administration Group ([email protected]). Non-CATIA access is provided
by ITM Technical Services department. Managers need to be aware of the amount of access given to
non-Chrysler LLC employees, and limit access to the minimum necessary to accomplish required work for
the Chrysler LLC (“need to know” only).

Procurement and Supply - Responsible to leverage the resources and capabilities of internal
organizations and external suppliers to continuously impact the quality, cost, technology and delivery of
Chrysler LLC vehicles for our customers.

Secret Information - the most confidential Chrysler LLC information classification. Unauthorized disclosure
would have severe negative impact on Chrysler LLC, its stockholders, business partners
or employees. Unauthorized disclosure may even violate laws or regulations. Distribution of secret
information must be restricted to a very small group of identified people.
Only a very small portion of Chrysler LLC Information is secret.

Senior Management - Chrysler LLC Executives at Grade Band 94 or higher with responsibility for major
vehicle components, systems, tooling, etc. For information security, senior management has the
responsibility to implement and enforce this standard. For example, in Engineering, this is considered to
be a Senior Manager, Director, Chief Engineer, or Vice President.

SPIN (Supply Partner Information Network) - Chrysler LLC Internet system intended to facilitate secure
communication with suppliers. SPIN uses advanced encryption techniques to provide security on the
public Internet.

Trojan Horse - A virus-like harmful program that masquerades as another program. An example is an
“unzip” program that deletes files or changes the computer operating system when it runs. Users fall prey
to trojan horses by running what they believe to be a valid application when it is really a form of virus.
Data users should never run programs or applications from unverifiable sources.

Virus - A harmful program that inserts itself into an application (i.e. “infecting“ the application). When the
application is executed, the virus is also executed. Viruses can also insert themselves into the macro
language of many applications (e.g. Microsoft Word). Viruses can do damage such as deleting files and
preventing computers from operating correctly or at all. Viruses are most often introduced by infected
programs via diskette, electronic mail, or downloaded from the Internet or other on-line databases.
Viruses can propagate from one computer to another over networks and can render networks inoperable.

VPM (Virtual Product Modeler) - A DB2-based data management system designed to manage and track
CATIA geometry by vehicle nomenclature such as part number, part name, user ID, etc. VPM provides
security to geometry (through release responsibilities and roles) as well as change control and notification.

PS-10052, Change C, 2007-12-20, Page 15

Copyright Chrysler LLC

(2006-03-20)
World Wide Web (WWW) - Multimedia pages on the Internet that are accessed with browser-based
technology such as Netscape, Internet Explorer, or Mozilla. In addition to text, the WWW can include
graphics, sound, and video. WWW pages can be linked by use of hypertext links that permit a user to
jump from the page having the hypertext link to the linked page by “clicking” on the link. Some WWW
pages may also be dynamic, in that they may include small computer programs, referred to as “applets”,
that are designed to operate in conjunction with the WWW page.

Worm - A harmful program that travels from computer to computer over a network. One example of a
worm is a program that exploits workstation Unix operating system security holes to gain access to remote
computer systems.

10.0 GENERAL INFORMATION

Three asterisks “***” after the section/paragraph header denotes single or multiple technical changes to
the section/paragraph.

Certain important information relative to this standard has been included in separate standards. To assure
the processes submitted meet all of Chrysler requirements, it is mandatory that the requirements in the
following standards be met.

CS-9800 - Application of this standard, the subscription service, and approved sources
CS-9003 - Regulated substances and recyclability

Within Engineering Standards, the Regulatory (Government-mandated) requirements are designated by

<S> and <E> which correspond to Safety and Emission Shields respectively. The Chrysler-mandated
requirements are designated by <D> and correspond to the Diamond symbol respectively.

For specific information on this document, please refer to the contact person shown in the "Publication
Information" Section of this document. For general information on obtaining Engineering Standards and
Laboratory Procedures, see CS-9800 or contact the Engineering Standards Department at
[email protected].

11.0 REFERENCES

Chrysler ASTM ISO SAE Federal

Standards Standards Standards Standards Standards
CS-9003
CS-9800
CS-9801

Other Documents: The following are available from the Engineering Standards Department
([email protected])
Chrysler Corporate Process Guideline ADM-055: Passes-Employee, Visitor, and Property
Chrysler Corporate Process Guideline ADM-062: Records Management
Chrysler Corporate Process Guideline GEN-001: Protection of Confidential Material
Chrysler Corporate Process Guideline GEN-009: PC and Software Use Guidelines

12.0 ENGINEERING APPROVED SOURCE LIST

Not Applicable

PS-10052, Change C, 2007-12-20, Page 16

Copyright Chrysler LLC

(2006-03-20)
13.0 PUBLICATION INFORMATION

Contact/Phone Number: John Borowski (248) 576-5980

Alternate Contact/Phone Number: Larry Gilin (248) 576-5605
Department Name & Department Number/Tech Club/Organization:
Engineering Standards Department / 2140
Date Standard Originally Published: 1998-04-03
Date Published: TBD
Change Notice:
Description of Change:
- Throughout document replaced CDV with DMA.
- Added Section 6.4.
- Section 9.0 - Removed CDV definition. Added DMA definition. Removed “it’s stockholders” from
paragraph 5.

#####

PS-10052, Change C, 2007-12-20, Page 17

Copyright Chrysler LLC

(2006-03-20)