Cloud Security Measures
This Appendix applies in addition to the Intel Information Security Addendum if the Supplier
operates one or more Cloud Computing Services to provide contracted services to Intel.
1. Security Governance and Compliance
1.1. Supplier will maintain a SOC 2 Type 2 certification of the Cloud Computing Services it
provides to Intel or an industry standard... equivalent and:
a. Remediate audit findings in a timely manner.
b. Provide Intel with annual audit results upon request.
1.2. Supplier will enlist a third-party to conduct penetration testing of the Cloud Computing
Services on an annual basis based on industry best practices and will:
a. Remediate findings in a timely manner.
b. Provide Intel with testing results.
2. Worker Security
2.1. No additions.
3. Asset Management
3.1. No additions.
4. Information Handling, Processing and Protection
4.1. Supplier will encrypt Intel data with data-level encryption that uses strong, industry
recognized, non-deprecated algorithms.
4.2. Supplier will manage encryption keys according to industry security standards.
5. Change Management
5.1. No additions.
6. Authentication and Access Management
6.1. Supplier will support industry standard authentication mechanisms including but not
limited to federated authentication, single sign-on, and two-factor authentication.
6.2. Supplier will protect API access using industry standard API security mechanisms.
7. Physical and Environmental Security
7.1. Supplier will ensure its data processing facilities (and those of its subcontractors) that
store or process Intel Data maintain an industry standard security certification, such as
a SOC 2 Type 2 certification, an ISO 27001 certification or industry standard equivalent.
Supplier will ensure that such certifications are renewed on an annual basis or more
frequently and ensure timely remediation of material findings from such renewals.
Certification must be available to Intel upon request.
8. Secure Operations
8.1. Supplier will maintain a firewall that meets industry best practices and review the
firewall configuration at least once annually.
© 2019 Intel Corporation
8.2. Supplier will have a security event and incident monitoring system in place with
processes to alert appropriate personnel of potential threats and security events, and
Supplier will have a timeline for closing alerts that meets industry best practices.
8.3. Supplier will implement a vulnerability management plan for the Cloud Computing
Services that meets or exceeds industry best practices. As part of this plan, the Supplier
must at minimum:
a. Audit and scan the Supplier's entire network, systems, applications and internet or
external interfaces for vulnerabilities. Supplier will scan for vulnerabilities at least
once per two weeks.
b. Remediate vulnerabilities and apply security configuration patches for all
components in the production and development environments in accordance with
Table 1 – Remediation Timeline. The remediation timeline begins once both
conditions are met: the regular audit (or other discovery mechanism) reveals a gap
in compliance and a remediation solution is available.
c. Implement alternative means to mitigate the vulnerabilities until the remediation
solution has been applied. Mitigations must be documented by Supplier and made
available by Supplier during an audit.
Table 1 – Remediation Timeline
Rating CVSS (V3.0) Score
Appendix A – Cloud Security 2019ww41.