ISPOL-70-02

Introduction to Information Security Policy 70, Physical and Environmental Security Policy Physical and environmental security controls are outlined in Policy 70 to protect not only sensitive information resources, but also people and property against unauthorized physical access, damage, and tampering. To that end, Intel facilities must incorporate site security protections in line with the size of the work population, criticality of operations, sensitivity of information, and specific location risks. Each Intel business group must ensure physical security for their areas. They can best accomplish this by following the requirements set forth in IT Information Security and Corporate Physical Security policies and standards. Access to physically protected assets must be granted in a controlled manner based on need-to-know and least privilege principles. Access to physically protected assets may be denied or revoked at at any time by the employee manager, contingent worker sponsor, site security, HR Legal, or room owner. Access denial may occur for many reasons, including: job requirements and status change, compliance reasons, or pending investigations. And access must be reviewed periodically to ensure that it’s still appropriate. Policy 70 also covers secured room protection. Intel secured rooms are located within Intel facilities, managed and controlled by Intel employees. A few examples of secured rooms are Data Centers, Network Rooms, Labs, Computer and Server Rooms, Building and Satellite Communications Rooms, and Telecommunication Rooms. Secured Rooms have many security controls, covering access management, access record retention, length of access, room labeling restrictions, and physical controls like badge readers and cameras. Owners of secured rooms have several responsibilities, including reviewing access at least twice a year and ensuring that those accessing the room have completed required training. Other security controls in this policy cover worker access to secured rooms based on the type of worker, including Intel employees, non-Intel employees, and Visitors. Remember, granting access to a secured room does not mean that individual has access to systems and information assets within that room. Additional layers of physical controls must further restrict access within the secured room for critical and sensitive systems and information assets. A few examples of these extra layers are locked cabinets for data backups, locking equipment racks, and securing classified documents in a locked cabinet. Cameras and other image capturing devices are a potential risk to exposing sensitive information in a secured room. Owners of secured rooms must post signs restricting image capture device use to the appropriate level of the room’s sensitivity. Equipment protection responsibilities for all Intel users is addressed in Policy 60. Intel users must protect Intel-issued computing equipment like laptops, desktops, and mobile devices from theft, damage, or unauthorized access. One example of protecting equipment would be placing it into a locked cabinet or drawer when left unattended during non-business or non-working hours. Many Intel-issued computing equipment protection measures are travel-related, including: Not checking them as airline baggage, not leaving them unattended in public areas, not leaving them visible in a hotel room, locking them in a concealed trunk, and not indicating that they are valuable Intel property with stickers or labels. Except for user-issued devices like laptops, equipment may not be removed from Intel without proper approval. Users carrying assets out of Intel may be subject to inquiry and a search. Policy 70 also describes high-level requirements for protecting Intel’s technical infrastructure. If this infrastructure is considered business critical, it must be maintained in facilities with appropriate controls. Other technical infrastructure protection requirements include precautions and controls that reduce risks from environmental hazards, interrupted power, data storage, remote locations, and leased equipment requirements. In summary, Information Security Policy 70 provides a framework of physical and environmental security control requirements that help protect us and our assets from harm. This and other Information Security policies, supporting documents, and our improved policy portal should make it easier for you to locate and understand our corporate information security requirements. They can be found on our corporate policy repository Policy Central. Visit goto/infoSecPolicies to learn more or ask questions. Thank you for your help to keep Intel secure! ---