1 Rev. 5.0
Intel Enhanced Data Security Assessment Form
Supplier Name:
Support Location:
Address:
Contact Number:
Respondent Name & Role:
Signature of responsible party:
Name:
Role:
Date:
By placing my name in the box above I am acknowledging that I am authorized to agree on behalf of the Supplier named, and do agree to meet the requirements outlined. Any items that are out of scope or that the Supplier cannot meet are identified below.
Yes / No
Areas that are out of scope or that are not met:
Supplier Profile:
What is your organization's main business function:
What function(s) does your organization perform for Intel:
What is your organization's maturity level in provision of this function:
Is there anything you need from the Intel Information Risk and Security organization:
Is an industry standard accreditation issued by ISO27001, PCI DSS, or independent audit, SSAE-16 or ISAE-3402 audit report or equivalent available?
Supplier Instructions: This document should be reviewed by the Corporate Chief Information Security Officer or the person responsible for Information Security for the organization. Intel's data protection strategy is to perform a due diligence assessment of data protection controls regardless of location. Your assistance to achieve this goal is greatly appreciated. In addition to meeting Intel Supplier and Security Requirements and Expectations (SSRE), your feedback will be used to assist in the assessment process.
Intel requires all suppliers to identify any potential risk associated with this engagement. Therefore, a response from your organization is required regarding the controls listed herein. Please provide feedback identifying which controls are comprehended within your environment by answering the questions related to the controls listed below. In the comment section, please provide additional control details for items answered No or N/A, and include any compensating mitigation controls for items where requested. This includes changes requested by the Intel Business Contact you support. Additional reviews may be required if this is an Offsite Design Center (ODC).
Yes
No
Once you have reviewed the completed document please send a copy to the Intel Business Contact working with you who will work with Intel Security to complete the assessment process.
1.0 Security Policy
Do you have a documentation process for any out of policy exceptions which would
affect or override your security policies and is it subject to management review?
Yes
No
N/A
If No or N/A – Please explain any mitigating controls:
If Yes – Is the process based on a formal risk assessment? (Y/N)
Are all employees and 3rd party sub-contractors who have access to Intel Information and assets trained in the appropriate policies related to the activities performed?
If Yes – How often?
Yes
No
N/A
If No or N/A – Please explain any mitigating controls:
2.0 Organizing Information Security
Do you have a Non-Disclosure agreement on file with Intel?
CNDA / RSNDA / RSNDA Special Purpose / RUNDA / IPL / Other
Please provide the NDA Agreement Number(s) if available: _____________
Yes
No
N/A
If No or Other – Please explain and provide details:
Are there any 3rd party contractors who will have access to Intel information or
assets?
If Yes – Can you provide a list of those contractors if needed?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Yes No
Yes No
If Yes – Which one:
3.0 Asset Management
Do you have training and awareness programs for employees and contractors on
data classification and acceptable use of assets?
If Yes – How often is training refresh required?
Yes
No
N/A
Is all Intel data, electronic and hard copy, labeled with its Intel data classification?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Do you have a documented list of assets (with owners identified) used to manage Intel information?
If Yes - How often is access to information and information processing assets reviewed and updated?
Yes
No
N/A
If No or N/A – Please explain and provide details:
4.0 Human Resources Security
Does the supplier maintain a security standard which limits company employees' access to the minimum necessary to perform their job?
If Yes - How often is access to information and information processing assets reviewed and updated?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Do contracts with third parties include responsibilities for the appropriate handling
of information, use of information assets and handling of information from other
companies or external parties?
Yes
No
N/A
Are security and privacy requirements included in sub-contractor agreements?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Does the supplier have a last-day office procedure which terminates all access to supplier systems when an employee, contractor or subcontractor terminates their relationship?
Yes
No
N/A
If No or N/A – Please explain and provide details:
5.0 Physical and Environmental Security
Is the Data Center location identifiable by either building or room labeling signs or on
evacuation maps?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Please describe the security controls that have been implemented to control access to the data center where Intel information is managed:
Do the walls extend true floor to ceiling or are there additional controls such as
motion detectors?
Yes
No
N/A
Are phone and power cables secured, including tamper-proof monitoring for intrusion, and is phone equipment housed in a secure room with managed access control?
Yes
No
N/A
Are installation and default passwords removed from all equipment?
Yes
No
N/A
Is equipment protected from power failures and other disruptions caused by failures
in supporting utilities?
Yes
No
N/A
If required, can you provide physical separation of any Intel assets to limit access to those who require it?
If yes –
Please describe how this would be managed?
Yes
No
N/A
Does the facility have 24x7 intrusion detection?
If yes – Do you respond to security alarm activation by following a documented response process that includes documenting the incident response?
Yes
No
N/A
Are you willing to permit on-site risk assessments or site inspections if adequate
notice is provided by Intel?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Is janitorial staff access governed by the visitor policy?
Yes
No
N/A
If No or N/A – Please explain and provide details:
6.0 Communications and Operations Management
Do the operating procedures specify the detailed instructions for each job, including processing and handling of information, backup, error handling, support contacts, system restart and recovery procedures for use in the event of system failure, and the management of audit-trail and system log information?
N/A
Are back-ups taken at prescribed intervals and stored in a remote location away from the main site?
If Yes – Are back-ups tested at regular intervals to ensure integrity?
Yes
No
N/A
Yes
No
Yes No
Are back-ups encrypted during transit and storage to prevent unintended access?
If yes – Please describe the encryption method used?
Yes
No
N/A
Are development and test systems isolated from the production environment / network?
Yes
No
N/A
Is production data isolated from the development and test systems?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Do you maintain separation of duties, or implement alternate mitigating controls, between and within the following functional areas?
• Information Systems End-Users (Y/N)
• System (Platform) Administration (Y/N)
• Network Administration (Y/N)
• Application/Systems Development (Y/N)
• Production Support & Maintenance (Y/N)
• Security Administration (Y/N)
• Security Audit (Y/N)
Yes
No
N/A
If No or N/A – Please explain and provide details:
Do you have a procedure for the handling and storage of information to protect from
unauthorized disclosure or misuse including the disposal of data and assets?
If Yes – Please describe your process for securely disposing of assets, including hard drives, tapes, writable media such as CDs or DVDs, portable memory devices such as USB drives and memory sticks, and handheld computing devices, smart phones or mobile computing devices, when no longer required:
Yes
No
N/A
Do you encrypt data in Storage using public / private key managed system with an industry recognized strong encryption algorithm?
If Yes -
Please describe your encryption methodology.
If No -
Please describe the mitigating controls that are deployed to address the risks?
Yes
No
N/A
Do you have security controls that ensure the data is encrypted at rest (in the database), inter-module (between software modules) and to the end-user (SSL), and that data access by the user can only be maintained via multifactor authentication?
If Yes - Please describe your encryption methodology.
If No – Please describe the mitigating controls that are deployed to address the risks?
Yes
No
N/A
Do you have security controls in place to prevent interception by sniffing or other detection methods?
If Yes –
Please describe the security controls?
Yes
No
N/A
Are you providing E-commerce functionality (payment or debit card processing) for
Intel or on behalf of Intel?
If yes - Are you PCI Certified?
If No – Please describe the controls used?
N/A
If No or N/A – Please explain and provide details:
How often do you review third party logs and processes?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Yes
No
Yes No
7.0 Access Control
Does the password reset process have controls that ensure only the authorized user can request a password reset?
If yes -
Does the reset process verify the account holder by sending a confirming email?
If yes – Does the password communication contain the account name for the logon?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Does your organization allow teleworking?
If Yes – Please describe the security controls required?
Yes
No
N/A
Are laptops and mobile devices used for support?
Is HDD password usage enforced?
If Yes – Please describe how it is enforced?
Yes
No
N/A
Do you have a clear desk / screen policy in place?
If Yes – Please describe how it is enforced?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Have you engaged with the Intel engineering services team?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Are Intrusion Detection Systems in place and configured to provide data, on demand,
to identify sources of what could be a potential attack/intrusion at the network
perimeter?
Yes
No
N/A
Does all equipment have the installation or default passwords removed?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Is Intel data logically and physically separated from other data?
If No – Please describe the mitigation in place to protect Intel data?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Are all system security and event logs reviewed regularly for anomalies and in the
event of an incident are audit trails available to assist investigations?
Yes
No
N/A
If No or N/A – Please explain and provide details:
Are processes in place to notify Intel of incidents and to manage the risks
appropriately?
Yes
No
N/A
If No or N/A – Please explain and provide details:
8.0 Information Systems Acquisition, Development and Maintenance
Are processes in place to protect data processed by an application, as well as the integrity and availability of services provided by the application including:
• No live or production data used for testing?
• Use of built-in access controls, security auditing features, fail-over features, etc.?
• Authentication, encryption, etc.?
• Regulatory, legislative, privacy policies and procedures that the data
owners and developers must comply with?
• Safeguards against attacks (e.g. sniffing, password cracking, defacing, back-door exploits)?
• Secured databases as well as the applications and servers on which they reside?
• Separation of databases and applications on different servers?
• Requiring secure interfaces between applications (Examples: HTTPS / SSL / SSH)?
• No harvesting of account passwords by applications or allowing saving of passwords stored as cookies?
Yes
No
N/A
If No or N/A – Please explain and provide details:
9.0 Information Security Incident Management
Do you have a documented procedure for security incident management?
Yes
No
N/A
If No or N/A – Please explain and provide details:
10.0 Business Continuity Management
In the event of a major and highly disruptive incident, does the disaster recovery plan include the following steps:
• Identification of mission or business critical functions and recovery or
continuity plans to match Intel's defined SLA?
• Identification of the resources that support these functions?
• Contingency and disaster planning strategies?
• Periodic testing and revision where necessary?
• Documentation and communication of ownership and responsibilities
provided to Intel?
Yes
No
N/A
If No or N/A – Please explain and provide details:
11.0 Compliance
Do you have a Purpose of collection, Notice, and Complaint Management:
For applications where an individual enters Sensitive Personal Information
(banking information, credit card information, government ID, health
information, life style preferences).
• A supplemental privacy notice must exist on each page where that
information is collected, and be easy to find, read, and understand
by the individual using the application.
• It must clearly state the purpose of information collection, how it is
protected, used and retained.
• It must also include the link to the Intel Online Privacy Notice
Summary (http://www.intel.com/privacy). It is available in many
languages. The Notice includes information in how to get in contact
with Intel to submit a complaint.
Yes
No
N/A
If handling credit card data - Is your system PCI DSS certified and will you provide the certification?
If No – Please describe any alternate controls or mitigation available?
Yes
No
N/A
Do you have any external accreditation or certification that can be shared with Intel (E.g.: ISO27001 or SSAE-16 Type II)?
If Yes – What are they?
Yes
No
N/A
Will you permit Intel to perform on-site risk assessments if adequate notice is provided?
If No – Please describe why they are not permitted?
Yes
No
N/A
Does the supplier / vendor selection and management program include a vendor certification for data protection that meets data protection controls (based on industry standards) and regulatory and legislative requirements?
If No – Please describe your vendor selection process?
If No or N/A – Please explain and provide details:
12.0 Virtualization and Cloud Services
• Can your Cloud Service provide dedicated hardware or instances for Intel usage?
If No or N/A – Please explain and provide details:
• Where physical and logical separation of data greater than Intel Confidential
is not possible, strong storage encryption must be used. Encryption keys
must be managed separately from the cloud service platform in which the
data is stored and must be controlled by the Intel tenant and procedures
must be in place to ensure against insider privileged abuse or enable the
tenant to exclusively manage the keys. Are encryption keys used in Cloud
Services physically separate from the data and capable of being controlled by
Intel?
If No or N/A – Please explain and provide details:
Yes
No
N/A
Yes
No
N/A
Yes
No
N/A
• Do you provide a dashboard showing the cloud service provider's security compliance status (demonstrating compliance with industry security standards and agreed-upon security service level agreements)?
If No or N/A – Please explain and provide details:
Yes
No
N/A