ISPOL-40-02
Introduction to Information Security Policy 40,
Information Classification, Handling, and Protection
ISPOL 40 reasonably assures information security
is embedded into the information lifecycle.
This helps safeguard Intel information assets
and allows us to understand the
sensitivity level of information we work with
so we can handle and protect it appropriately
according to that sensitivity level.
Policy 40 aids in ensuring the confidentiality,
integrity, and availability of systems
and information assets, including
the protection of corporate intellectual property
and individual privacy rights,
in compliance with applicable law.
Responsibilities in this policy focus on proper
information classification. At every stage of the
information lifecycle, you must use these
classifications to identify the level of information
security that the information requires.
Let’s take a look at the Information Classification Categories:
Intel Top Secret, also known as ITS,
is the highest sensitivity of Intel information
classifications. ITS is non-public information
that requires high-level security controls.
Intel Confidential, also known as IC,
is the next level of information classification
and is much more common.
IC is also non-public information
but the required level of security controls
may vary depending on the sensitivity
of the information and who needs to know.
IC includes most business, financial, and legal
information. It also includes technical information
regarding the design or reverse engineering of an Intel product.
You may also come across Intel Restricted Secret,
or IRS, information. This former
classification category, which had a
sensitivity level close to ITS,
is not used for data created after 2017,
but may still appear on older data.
Information you work with must be classified in
accordance with the Intel classification categories.
You can learn more by visiting goto/classifications.
Let’s examine additional classification
requirements and responsibilities outlined in this policy.
For the purpose of securing information, any
information classified as IC or ITS must have a
designated “Information Owner”.
These owners are responsible for creation,
maintenance, protection, and access to the
information. This includes information shared with
Intel by others, and information shared externally.
Policy 40 describes controlled access
responsibilities, framed by principles of a business
need-to-know and the least-privilege necessary.
Information handling requirements and responsibilities are also covered.
These handling requirements and responsibilities
address a wide range of topics from information registration
to handling third-party information.
An example of these requirements is the
handling of personal information.
Personal information may be classified and handled
as ITS or IC, depending on the sensitivity of the information.
Regardless of classification level, you must never
disclose the confidential and personal information
of others without the explicit and documented
permission of those affected. This includes
information like birthdays and phone numbers.
Visit privacy.intel.com to learn more about
the handling and use of personal information.
Of course, Intel follows the law closely,
and to do so, policy 40 addresses
legal and regulatory handling requirements,
especially when handling certain information types.
Some of these information types include:
Intel personal information subject to Privacy Policies
Controlled technology subject to Export Compliance
Financial information subject to Sarbanes-Oxley
(SOX) or Intel’s Insider Trading Policy
Any information subject to Legal hold or requirements
and Payment card information
There are additional information handling
responsibilities regarding aggregation of information,
third parties and the disclosure of Intel information,
archiving, storage, backup,
and keeping your work area clear
of exposed information assets.
Policy 40 contains two helpful tables
for quick reference. The first table lists
security requirements for each classification
category. It describes how these handling
requirements are expected to be implemented
on classified information.
These security requirements range from access control,
to labeling, to retention and disposal.
The second table is a list of ways Intel information
may need to be handled in order to conduct Intel business.
This table specifies handling restrictions and requirements
based on the information’s classification.
Some handling methods covered are virtual environments,
remote access, transmission and collaboration,
printing, and storage.
Cryptographic controls are also outlined in policy 40,
covering management of public key infrastructure,
key access and lifecycle, and minimum requirements for encryption.
In summary, Information Security Policy 40,
Information Classification, Handling, and Protection
outlines the high-level responsibilities,
practices, and compliance requirements
for individuals who have access to Intel systems
and information assets. This includes
Intel employees and contingent workers or contractors.
This and other updated Information Security Policies,
supporting documents, and our improved
policy portal make it easier for you to locate and
understand our corporate information security requirements.
They can be found on our corporate policy repository,
Policy Central. Visit goto/InfoSec Policies
to learn more or ask questions.
Thank you for your help to keep Intel secure!