Intel defines overall requirements for managing risks and threats based on regulatory efforts and on
security and risk management efforts.
The regulatory component is driven by the Global Trade group and drives compliance with US and
international export regulations. Some key aspects of the regulatory component include the
following:
- The Global Trade group interprets export regulations, classifies restricted technology, and
  determines export restrictions to international destinations.
- The Global Trade group and Information Security conduct technology reviews with business groups
  in advance of moving operations (part or all) to overseas destinations. Such reviews assess the
  scope of the project and the associated technologies, and determine the license and security
  requirements that allow Intel to have consistent controls across the corporation.
- The Global Trade group defines and manages the global hiring processes and foreign national
  license reviews. Here, Global Trade evaluates the job requirements of Intel's foreign national
  employees, classifies the type of technology the employee will be able to access, and obtains the
  appropriate export license for each foreign national.
The security and risk management component (Figure 4) drives Intel's IP and regulatory protection
efforts consistently across the various security groups at Intel.

Figure 4: Security management model
Having clear security policies that outline roles and responsibilities, expectations, and
requirements is the cornerstone of Intel's security program. Flexibility is maintained within
security policies by working with the business groups to understand the demands of the business.
For example, data segmentation or additional security monitoring may be required when sensitive IP
is involved in certain high-risk countries.
Security groups work closely with Global Trade and take additional precautions to adhere to any
conditions that are spelled out in any export license that Intel obtains.
To stay current with competitive intelligence, cyber threats, and the availability of the latest
security tools, Intel actively pursues the education of its security professionals. Through
participation in security conferences and seminars and by working with external security
organizations (e.g., Information Risk Executive Council [1]), Intel is able to stay abreast of the
latest information in the security field.
Additionally, most security professionals at Intel have or are pursuing some type of security
credential. Among the most common are Certified Information Systems Security Professional (CISSP),
Professional Certified Investigator (PCI), Physical Security Professional (PSP), and Global
Information Assurance Certification (GIAC). The wide variety of certifications maximizes the
capabilities of Intel's security professionals and maintains a high standard across multiple
security groups.
Training Intel employees is just as important as educating Intel's security workforce and is
paramount in keeping Intel compliant. Intel's training and awareness programs cover both security
and global export education. Courses provide a basic understanding of expectations and of regulatory
and security requirements, and use case studies to educate Intel employees. The native language of a
country is also used where possible to facilitate learning.
The combination of regulatory and security efforts allows Intel to conduct compliance assessments
across the company. Assessments are conducted annually and differentiate between export compliance
and Intel security compliance. Business groups require a clear understanding of the difference
between US government requirements and Intel requirements so that they can better manage their own
resources to address gaps and continually improve.