Intel Information Security Addendum Appendix A – Cloud Security 2019ww41

Cloud Security Measures

This Appendix applies in addition to the Intel Information Security Addendum if the Supplier operates one or more Cloud Computing Services to provide contracted services to Intel.

1. Security Governance and Compliance

1.1. Supplier will maintain a SOC 2 Type 2 certification of the Cloud Computing Services it provides to Intel or an industry standard... equivalent and:
 a. Remediate audit findings in a timely manner.
 b. Provide Intel with annual audit results upon request.

1.2. Supplier will enlist a third party to conduct penetration testing of the Cloud Computing Services on an annual basis based on industry best practices and will:
 a. Remediate findings in a timely manner.
 b. Provide Intel with testing results.

2. Worker Security

2.1. No additions.

3. Asset Management

3.1. No additions.

4. Information Handling, Processing and Protection

4.1. Supplier will encrypt Intel data with data-level encryption that uses strong, industry-recognized, non-deprecated algorithms.

4.2. Supplier will manage encryption keys according to industry security standards.

5. Change Management

5.1. No additions.

6. Authentication and Access Management

6.1. Supplier will support industry standard authentication mechanisms including but not limited to federated authentication, single sign-on, and two-factor authentication.

6.2. Supplier will protect API access using industry standard API security mechanisms.

7. Physical and Environmental Security

7.1. Supplier will ensure its data processing facilities (and those of its subcontractors) that store or process Intel Data maintain an industry standard security certification, such as a SOC 2 Type 2 certification, an ISO 27001 certification or industry standard equivalent. Supplier will ensure that such certifications are renewed on an annual basis or more frequently and ensure timely remediation of material findings from such renewals. Certification must be available to Intel upon request.

8. Secure Operations

8.1. Supplier will maintain a firewall that meets industry best practices and review the firewall configuration at least once annually.

8.2. Supplier will have a security event and incident monitoring system in place with processes to alert appropriate personnel of potential threats and security events, and Supplier will have a timeline for closing alerts that meets industry best practices.

8.3. Supplier will implement a vulnerability management plan for the Cloud Computing Services that meets or exceeds industry best practices. As part of this plan, the Supplier must at minimum:
 a. Audit and scan the Supplier's entire network, systems, applications and internet or external interfaces for vulnerabilities. Supplier will scan for vulnerabilities at least once per two weeks.
 b. Remediate vulnerabilities and apply security configuration patches for all components in the production and development environments in accordance with Table 1 – Remediation Timeline. The remediation timeline begins once both conditions are met: the regular audit (or other discovery mechanism) reveals a gap in compliance, and a remediation solution is available.
 c. Implement alternative means to mitigate the vulnerabilities until the remediation solution has been applied. Mitigations must be documented by Supplier and made available by Supplier during an audit.

Table 1 – Remediation Timeline
Rating | CVSS (V3.0) Score

Revision 2019ww41 © 2019 Intel Corporation