ISPOL-40-02

Introduction to Information Security Policy 40, Information Classification, Handling, and Protection ISPOL 40 reasonably assures information security is embedded into the information lifecycle. This helps safeguard Intel information assets and allows us to understand the sensitivity level of information we work with so we can handle and protect it appropriately according to that sensitivity level. Policy 40 aids in ensuring the confidentiality, integrity, and availability of systems and information assets, including the protection of corporate intellectual property and individual privacy rights, in compliance with applicable law. Responsibilities in this policy focus on proper information classification. At every stage of the information lifecycle, you must use these classifications to identify the level of information security that the information requires. Let’s take a look at the Information Classification Categories: Intel Top Secret, also known as ITS, is the highest sensitivity of Intel information classifications. ITS is non-public information that requires high-level security controls. Intel Confidential, also known as IC, is the next level of information classification and is much more common. IC is also non-public information but the required level of security controls may vary depending on the sensitivity of the information and who needs to know. IC includes most business, financial, and legal information. It also includes technical information regarding the design or reverse engineering of an Intel product. You may also come across Intel Restricted Secret, or IRS, information. This former classification category, which had a sensitivity level close to ITS, is not used for data created after 2017, but may still appear on older data. Information you work with must be classified in accordance with the Intel classification categories. You can learn more by visiting goto/classifications. Let’s examine additional classification requirements and responsibilities outlined in this policy. For the purpose of securing information, any information classified as IC or ITS must have a designated “Information Owner” These owners are responsible for creation, maintenance, protection, and access to the information. This includes information shared with Intel by others, and information shared externally. Policy 40 describes controlled access responsibilities, framed by principles of a business need-to-know and the least-privilege necessary. Information handling requirements and responsibilities are also covered. These handling requirements and responsibilities address a wide range of topics from information registration to handling third-party information. An example of these requirements is the handling of personal information. Personal information may be classified and handled as ITS or IC, depending on the sensitivity of the information. Regardless of classification level, you must never disclose the confidential and personal information of others without the explicit and documented permission of those affected. This includes information like birthdays and phone numbers. Visit privacy.intel.com to learn more about the handling and use of personal information. Of course Intel follows the law closely, and to do so, policy 40 addresses legal and regulatory handling requirements, especially when handling certain information types. Some of these information types include: Intel personal information subject to Privacy Policies Controlled technology subject to Export Compliance Financial information subject to Sarbanes-Oxley (SOX) or Intel’s Insider Trading Policy Any information subject to Legal hold or requirements and Payment card information There are additional information handling responsibilities regarding aggregation of information, third-parties and the disclosure of Intel information, Archiving, Storage, Backup, and keeping your work area clear of exposed information assets. Policy 40 contains two helpful tables for quick reference. The first table lists security requirements for each classification category. It describes how these handling requirements are expected to be implemented on classified information. These security requirements range from access control, to labeling, to retention and disposal. The second table is a list of ways Intel information may need to be handled in order to conduct Intel business. This table specifies handling restrictions and requirements based on the information’s classification. Some handling methods covered are virtual environments, remote access, transmission and collaboration, printing, and storage. Cryptographic controls are also outlined in policy 40, covering management of public key infrastructure, key access and lifecycle, and minimum requirements for encryption. In summary, Information Security Policy 40, Information Classification, Handling, and Protection outlines the high-level responsibilities, practices, and compliance requirements for individuals who have access to Intel systems and information assets. This includes Intel employees and contingent workers or contractors. This and other updated Information Security Policies, supporting documents, and our improved policy portal make it easier for you to locate and understand our corporate information security requirements. They can be found on our corporate policy repository, Policy Central. Visit goto/InfoSec Policies to learn more or ask questions. Thank you for your help to keep Intel secure!