Intel Enhanced Data Security Assessment Form

Supplier Name:
Address:
Respondent Name & Role:
Signature of responsible party:
Role:

By placing my name in the box above I am acknowledging that I am authorized to agree on behalf of the Supplier named, and do agree to meet the requirements outlined. Any items that are out of scope or that the Supplier cannot meet are identified below.

Areas that are out of scope or that are not met:

Support Location:
Contact Number:
Name:
Date: /

Supplier Profile:
What is your organization's main business function:
What function(s) does your organization perform for Intel:
What is your organization's maturity level in provision of this function:
Is there anything you need from the Intel Information Risk and Security organization:
Is an industry-standard accreditation issued under ISO27001 or PCI DSS, or an independent audit report (SSAE-16, ISAE-3402, or equivalent), available?

Supplier Instructions:
This document should be reviewed by the Corporate Chief Information Security Officer or the person responsible for Information Security for the organization. Intel's data protection strategy is to perform a due diligence assessment of data protection controls regardless of location. Your assistance in achieving this goal is greatly appreciated. In addition to meeting the Intel Supplier and Security Requirements and Expectations (SSRE), your feedback will be used to assist in the assessment process.

Intel requires all suppliers to identify any potential risk associated with this engagement. Therefore a response from your organization is required regarding the controls listed herein. Please provide feedback identifying which controls are comprehended within your environment by answering the questions related to the controls listed below. In the comment section, please provide additional control detail for items answered ___ or NA, and include any compensating mitigation controls for items where requested.
This includes changes requested by the Intel Business Contact you support. Additional reviews may be required if this is an Offsite Design Center (ODC).

Rev. 5.0
Once you have reviewed the completed document, please send a copy to the Intel Business Contact working with you, who will work with Intel Security to complete the assessment process.

1.0 Security Policy
Do you have a documentation process for any out-of-policy exceptions which would affect or override your security policies, and is it subject to management review?
  If ___ or ___: please explain any mitigating controls.
  If ___: is the process based on a formal risk assessment? (Y/N)
Are all employees and 3rd-party sub-contractors who have access to Intel information and assets trained in the appropriate policies related to the activities performed?
  If ___: how often?
  If ___ or ___: please explain any mitigating controls.

2.0 Organizing Information Security
Do you have a non-disclosure agreement on file with Intel?
  If ___: which one? CNDA / RSNDA / RSNDA Special Purpose / RUNDA / IPL / Other
  Please provide the NDA agreement number(s) if available:
  If ___ or Other: please explain and provide details.
Are there any 3rd-party contractors who will have access to Intel information or assets?
  If ___: can you provide a list of those contractors if needed?
  If ___ or ___: please explain and provide details.
3.0 Asset Management
Do you have training and awareness programs for employees and contractors on data classification and acceptable use of assets?
  If ___: how often is a training refresh required?
Is all Intel data, electronic and hard copy, labeled with its Intel data classification?
  If ___ or ___: please explain and provide details.
Do you have a documented list of assets (with owners identified) used to manage Intel information?
  If ___: how often is access to information and information processing assets reviewed and updated?
  If ___ or ___: please explain and provide details.

4.0 Human Resources Security
Does the supplier maintain a security standard which limits access control for company employees to the minimum necessary to perform their job?
  If ___: how often is access to information and information processing assets reviewed and updated?
  If ___ or ___: please explain and provide details.
Do contracts with third parties include responsibilities for the appropriate handling of information, use of information assets, and handling of information from other companies or external parties?
Are security and privacy requirements included in sub-contractor agreements?
  If ___ or ___: please explain and provide details.
Does the supplier have a last-day office procedure which terminates all access to supplier systems when an employee, contractor, or subcontractor terminates their relationship?
  If ___ or ___: please explain and provide details.

5.0 Physical and Environmental Security
Is the Data Center location identifiable by either building or room labeling signs, or on evacuation maps?
  If ___ or ___: please explain and provide details.
Please describe the security controls that have been implemented to control access to the data center where Intel information is managed.
Do the walls extend true floor to ceiling, or are there additional controls such as motion detectors?
Are phone and power cables secured, including tamper-proof monitoring for intrusion, and is phone equipment housed in a secure room with managed access control?
Are installation and default passwords removed from all equipment?
Is equipment protected from power failures and other disruptions caused by failures in supporting utilities?
If required, can you provide physical separation of any Intel assets to limit access to those who require it?
  If yes: please describe how this would be managed.
Does the facility have 24x7 intrusion detection?
  If yes: do you respond to security alarm activation by following a documented response process that includes documenting the incident response?
Are you willing to permit on-site risk assessments or site inspections if adequate notice is provided by Intel?
  If ___ or ___: please explain and provide details.
Is janitorial staff access governed by the visitor policy?
  If ___ or ___: please explain and provide details.

6.0 Communications and Operations Management
Do the operating procedures specify detailed instructions for each job, including: processing and handling of information; backup; error handling; support contacts; system restart and recovery procedures for use in the event of system failure; and the management of audit-trail and system log information?
Are back-ups taken at prescribed intervals and stored in a remote location away from the main site?
  If ___: are back-ups tested at regular intervals to ensure integrity?
Are back-ups encrypted during transit and storage to prevent unintended access?
  If yes: please describe the encryption method used.
Are development and test systems isolated from the production environment / network?
Is production data isolated from the development and test systems?
  If ___ or ___: please explain and provide details.
Do you maintain separation of duties, or implement alternate mitigating controls, between and within the following functional areas?
  Information Systems End-Users (Y/N)
  System (Platform) Administration (Y/N)
  Network Administration (Y/N)
  Application/Systems Development (Y/N)
  Production Support & Maintenance (Y/N)
  Security Administration (Y/N)
  Security Audit (Y/N)
  If ___ or ___: please explain and provide details.
Do you have a procedure for the handling and storage of information to protect it from unauthorized disclosure or misuse, including the disposal of data and assets?
  If ___: please describe your process for securely disposing of assets, including hard drives, tapes, writable media such as CDs or DVDs, portable memory devices such as USB drives and memory sticks, and hand-held computing devices, smart phones or mobile computing devices, when no longer required:
Do you encrypt data in storage using a public / private key managed system with an industry-recognized strong encryption algorithm?
  If ___: please describe your encryption methodology.
  If ___: please describe the mitigating controls that are deployed to address the risks.
Do you have security controls that ensure the data is encrypted at rest (in the database), inter-module (between software modules), and to the end-user (SSL), and that data access by the user can only be maintained via multifactor authentication?
  If ___: please describe your encryption methodology.
  If ___: please describe the mitigating controls that are deployed to address the risks.
Do you have security controls in place to prevent interception by sniffing or other detection methods?
  If ___: please describe the security controls.
Are you providing e-commerce functionality (payment or debit card processing) for Intel or on behalf of Intel?
  If yes: are you PCI certified?
  If ___: please describe the controls used.
  If ___ or ___: please explain and provide details.
How often do you review third-party logs and processes?
  If ___ or ___: please explain and provide details.
7.0 Access Control
Does the password reset process have controls that ensure only the authorized user can request a password reset?
  If yes: does the reset process verify the account holder by sending a confirming email?
  If yes: does the password communication contain the account name for the logon?
  If ___ or ___: please explain and provide details.
Does your organization allow teleworking?
  If ___: please describe the security controls required.
Are laptops and mobile devices used for support?
Is HDD password usage enforced?
  If ___: please describe how it is enforced.
Do you have a clear desk / clear screen policy in place?
  If ___: please describe how it is enforced.
  If ___ or ___: please explain and provide details.
Have you engaged with the Intel engineering services team?
  If ___ or ___: please explain and provide details.
Are Intrusion Detection Systems in place and configured to provide data, on demand, to identify the sources of a potential attack or intrusion at the network perimeter?
Does all equipment have the installation or default passwords removed?
  If ___ or ___: please explain and provide details.
Is Intel data logically and physically separated from other data?
  If ___: please describe the mitigation in place to protect Intel data.
  If ___ or ___: please explain and provide details.
Are all system security and event logs reviewed regularly for anomalies, and in the event of an incident are audit trails available to assist investigations?
  If ___ or ___: please explain and provide details.
Are processes in place to notify Intel of incidents and to manage the risks appropriately?
  If ___ or ___: please explain and provide details.
8.0 Information Systems Acquisition, Development and Maintenance
Are processes in place to protect data processed by an application, as well as the integrity and availability of services provided by the application, including:
  Live or production data used for testing?
  Use of built-in access controls, security auditing features, fail-over features, etc.?
  Authentication, encryption, etc.?
  Regulatory, legislative, and privacy policies and procedures that the data owners and developers must comply with?
  Safeguards against attacks (e.g. sniffing, password cracking, defacing, back-door exploits)?
  Secured databases, as well as the applications and servers on which they reside?
  Separation of databases and applications on different servers?
  Requiring secure interfaces between applications (examples: HTTPS / SSL / SSH)?
  No harvesting of account passwords by applications, and no allowing passwords to be saved as cookies?
  If ___ or ___: please explain and provide details.

9.0 Information Security Incident Management
Do you have a documented procedure for security incident management?
  If ___ or ___: please explain and provide details.
10.0 Business Continuity Management
In an event that is major and very disruptive, does the disaster recovery plan include the following steps to be taken:
  Identification of mission- or business-critical functions and recovery or continuity plans to match Intel's defined SLA?
  Identification of the resources that support these functions?
  Contingency and disaster planning strategies?
  Periodic testing and revision where necessary?
  Documentation and communication of ownership and responsibilities provided to Intel?
  If ___ or ___: please explain and provide details.

11.0 Compliance
Do you have a Purpose of Collection, Notice, and Complaint Management process? For applications where an individual enters Sensitive Personal Information (banking information, credit card information, government ID, health information, lifestyle preferences), a supplemental privacy notice must exist on each page where that information is collected, and be easy to find, read, and understand by the individual using the application. It must clearly state the purpose of information collection and how the information is protected, used and retained. It must also include the link to the Intel Online Privacy Notice Summary (http://www.intel.com/privacy), which is available in many languages. The Notice includes information on how to get in contact with Intel to submit a complaint.
If handling credit card data: is your system PCI DSS certified, and will you provide the certification?
  If ___: please describe any alternate controls or mitigation available.
Do you have any external accreditation or certification that can be shared with Intel (e.g. ISO27001 or SSAE-16 Type II)?
  If ___: what are they?
Will you permit Intel to perform on-site risk assessments if adequate notice is provided?
  If ___: please describe why they are not permitted.
Does the supplier / vendor selection and management program include a vendor certification for data protection that meets regulatory controls (based on industry standards) and regulatory and legislative requirements?
  If ___: please describe your vendor selection process.
  If ___ or ___: please explain and provide details.

12.0 Virtualization and Cloud Services
Can your Cloud Service provide dedicated hardware or instances for Intel usage?
  If ___ or ___: please explain and provide details.
Where physical and logical separation of data classified greater than Intel Confidential is not possible, strong storage encryption must be used. Encryption keys must be managed separately from the cloud service platform in which the data is stored and must be controlled by the Intel tenant, and procedures must be in place to protect against insider privileged abuse or to enable the tenant to exclusively manage the keys.
Are encryption keys used in Cloud Services physically separate from the data and capable of being controlled by Intel?
  If ___ or ___: please explain and provide details.
Do you provide a dashboard showing the cloud service provider's security compliance status (demonstrating compliance with industry security standards and agreed-upon security service level agreements)?
  If ___ or ___: please explain and provide details.