ISPOL-70-02
0 (0 Likes / 0 Dislikes)
Introduction to Information Security Policy 70,
Physical and Environmental Security Policy
Physical and environmental security controls are
outlined in Policy 70 to protect not
only sensitive information resources, but also
people and property against unauthorized physical access,
damage, and tampering.
To that end, Intel facilities must incorporate
site security protections in line with
the size of the work population, criticality
of operations, sensitivity of information,
and specific location risks.
Each Intel business group must ensure physical
security for their areas. They can best accomplish
this by following the requirements set forth in IT
Information Security and Corporate Physical Security
policies and standards.
Access to physically protected assets must be granted in a
controlled manner based on need-to-know and least
privilege principles. Access to
physically protected assets may be denied or revoked at
at any time by the employee manager, contingent
worker sponsor, site security,
HR Legal, or room owner.
Access denial may occur for many reasons, including:
job requirements and status change,
compliance reasons, or pending investigations.
And access must be reviewed periodically
to ensure that it’s still appropriate.
Policy 70 also covers secured room
protection. Intel secured rooms
are located within Intel facilities, managed and
controlled by Intel employees.
A few examples of secured rooms are Data Centers,
Network Rooms, Labs, Computer and
Server Rooms, Building and Satellite Communications
Rooms, and Telecommunication Rooms.
Secured Rooms have many security controls,
covering access management, access
record retention, length of access,
room labeling restrictions, and physical
controls like badge readers and cameras.
Owners of secured rooms have several responsibilities,
including reviewing access at least twice a year
and ensuring that those accessing the room have completed
required training. Other security controls
in this policy cover worker access to secured
rooms based on the type of worker, including Intel
employees, non-Intel employees,
and Visitors. Remember, granting
access to a secured room does not mean that individual
has access to systems and information assets
within that room. Additional layers of physical
controls must further restrict access within
the secured room for critical and sensitive systems
and information assets. A few examples
of these extra layers are locked cabinets for data
backups, locking equipment racks,
and securing classified documents in a locked
cabinet. Cameras and other image capturing devices
are a potential risk to exposing sensitive
information in a secured room.
Owners of secured rooms must post signs restricting
image capture device use to the appropriate level of
the room’s sensitivity. Equipment protection responsibilities
for all Intel users is addressed in Policy 60.
Intel users must protect
Intel-issued computing equipment like laptops,
desktops, and mobile devices from theft,
damage, or unauthorized access.
One example of protecting equipment would be
placing it into a locked cabinet or drawer when left
unattended during non-business or non-working hours.
Many Intel-issued computing
equipment protection measures are travel-related,
including: Not checking them as airline
baggage, not leaving them unattended in public areas,
not leaving them visible in a hotel room,
locking them in a concealed trunk, and not
indicating that they are valuable Intel property with stickers or
labels. Except for user-issued devices
like laptops, equipment may not be removed
from Intel without proper approval.
Users carrying assets out of Intel may be subject
to inquiry and a search. Policy 70
also describes high-level requirements for
protecting Intel’s technical infrastructure.
If this infrastructure is considered business critical,
it must be maintained in facilities with appropriate
controls. Other technical infrastructure
protection requirements include precautions
and controls that reduce risks from environmental hazards,
interrupted power, data storage,
remote locations, and leased equipment
requirements. In summary,
Information Security Policy 70 provides
a framework of physical and environmental security control
requirements that help protect us and our
assets from harm. This and other
Information Security policies,
supporting documents, and our improved policy portal
should make it easier for you to locate and understand
our corporate information security requirements.
They can be found on our corporate policy repository
Policy Central.
Visit goto/infoSecPolicies to learn more
or ask questions. Thank you for your help to keep Intel secure!
---