ISPOL-50-Overview

Introduction to Information Security Policy 50 Information Systems Development, Acquisition, and Maintenance ISPOL 50 is the basis for a robust system development, acquisition, and maintenance framework. This framework outlines the overall security and compliance requirements for systems, applications and systems software, and hardware life-cycles. Key components of this policy are the security requirements for information systems development. One example of those requirements is the use of Secure Development Lifecycle controls, or SDL controls, to address security risks, privacy needs, and ensure that information security is built into the development life-cycle. More specific examples of information systems development requirements are: meeting application security requirements and achieving certification for developed applications in accordance with Application Security standards. The Application Security Standard under ISPOL 50 will provide you with details on how to comply with that policy requirement. ISPOL 50 also includes security requirements for working with third party systems and solutions. Whether prepackaged, turn-key or customized solutions, Policy 50 ensures that security, privacy, procurement, and legal requirements are addressed during product development or acquisition. That way, no matter who we work with outside of Intel, we’ll be able to hold them to our high standards. Beyond development and third parties, there’s maintenance to consider. ISPOL 50 requires that Maintenance controls must be configured and applied to Intel information systems. This includes regular monitoring, response to issues, and restrictions on programs that could override controls. A key maintenance requirement in ISPOL 50 is complying with Minimum Security Specifications, or MSS. MSS requires that Intel systems be kept up to date with the latest trusted vendor-supplied security configurations, required software, and patches. Note that IT Information Security can enforce compliance of systems, services, or applications that are not following MSS requirements. Another maintenance requirement found in ISPOL 50 is Change Management. This requires that system development changes must follow the formal process defined by Intel IT for review and approval. The change management process includes review of technical, functional, and operational security requirements and plans. Proposed changes must be approved by a Change Advisory Board, or CAB, as well as the system owners. There are many other important requirements covered in ISPOL 50. Some of the remaining subsections discuss Separation of Duties, Testing, Upgrades, Assessments, and even Decommissioning and Disposal. Information Security Policy 50, Information Systems Development, Acquisition, and Maintenance ensures that information systems and resources maintain adequate security controls. It also ensures that the appropriate hardware, applications and systems software, and procedural mechanisms are defined, implemented, and maintained. These updated policies, supporting documents, and the improved portal should make it easier for you to locate and understand our corporate information security requirements. They can be found on our corporate policy repository, Policy Central Visit goto/InfoSecPolicies to learn more or ask questions. Thank you for your help to keep Intel secure!