ISO 27001

ISO 27001 Annex : A.8.3 Media Handling

ISO 27001 Annex A.8.3 Media Handling: its objective is to stop the unauthorized release, alteration, deletion, or destruction of information contained in media.

A.8.3.1 Management of Removable Media

Control- Procedures shall be implemented for the management of removable media in accordance with the classification scheme adopted by the organization.

Implementation Guidance- The following guidelines should be considered for the management of removable media:

  1. If not needed, the contents of any reusable media that are to be removed from the organization should be made unrecoverable;
  2. Where applicable and practicable, authorization should be needed for the removal of media from the company and a record of these removals should be maintained in order to preserve the audit trail;
  3. In compliance with manufacturers’ standards, all media should be kept in a secure and safe environment;
  4. Where confidentiality or integrity of data is important, cryptographic techniques for securing data on removable media must be used;
  5. To minimize the possibility of media loss while stored data is still needed, the data should be moved to fresh media before it becomes unreadable;
  6. Multiple copies of important data should be stored in different media to further reduce the possibility of accidental data damage or loss;
  7. Registration of removable media should be taken into account to limit the possibility of data loss;
  8. Removable media drives should only be allowed if there is a business purpose to do so;
  9. Where there is a requirement for the use of disposable media, the movement of data to such media will be supervised.

Where there is a need to use disposable media, the transition of data to such devices will be monitored. Procedures and levels of approval will be reported.


A.8.3.2 Disposal of Media

Control- When not required by specific protocols, media should be disposed of securely.

Implementation Guidance- Formal protocols for the secure disposal of media should be established to reduce the possibility of leakage of sensitive information to unauthorized persons. The protocols for the secure processing of sensitive information media should be proportionate to the sensitivity of that material.

The following should be taken into account:

  1. Confidential media should be processed and disposed of safely, e.g. by incineration or shredding, or by erasing the data for use by another application within the organization;
  2. Procedures should be in place to identify the items that could need safe disposal;
  3. Instead of trying to isolate important objects, it could be better to plan to safely collect and dispose of all media items;
  4. Many organizations offer media collection and disposal services; care must be taken to select a suitable external party with adequate controls and experience;
  5. In order to maintain an audit trail, the disposal of confidential items will be logged.

The aggregation effect should be taken into account when collecting media for disposal, as a large amount of sensitive information can become vulnerable.

For a healthy business, identifying the assets, making an inventory of the assets, and then securely disposing of them are essential. At Infosavvy we have our trainers as our assets, who are skilled and well-trained in various courses in the field of information security, and we are also eligible for one of the most important certificates in the area of information security, i.e. IRCA CQI ISO 27001:2013 Lead Auditor (LA) and ISO 27001 Lead Implementer (LI) (TÜV SÜD Certification). Our trainers can empower you to do better asset management by providing you with in-depth information and numerous examples for the same, helping the applicant to improve their skills and do well.

Other Information- Damaged devices containing sensitive data can require a risk assessment to evaluate whether the items should be physically destroyed instead of being sent for repair or discarded.


A.8.3.3 Physical Media Transfer

Control- Information media should be protected from unauthorized access, misuse or corruption during transportation.

Implementation Guidance- To protect media containing information during transport, the following guidelines should be considered:

  1. Reliable transport or couriers should be used;
  2. Management should agree on a list of authorized couriers;
  3. Procedures should be established for verifying courier identification;
  4. Packaging should be sufficient to safeguard the content from any physical damage likely to occur during transit and to protect the content against environmental factors such as exposure to heat, humidity, or electromagnetic fields, which could reduce the ability to recover the media;
  5. Logs should be maintained that identify the content of the media, the security applied, and the times of transfer to custodians and of receipt at the destination.

Read More : https://www.info-savvy.com/iso-27001-annex-a-8-3-media-handling/


Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092

Contact us – www.info-savvy.com

https://g.co/kgs/ttqPpZ

ISO 27001

ISO 27001 Annex : A.8.2 Information Classification

ISO 27001 Annex A.8.2 Information Classification: its objective is to ensure that information is properly secured, in accordance with its significance to the organization.

A.8.2.1 Classification of Information

Control- Information should be classified on the basis of legal provisions, criticality, and vulnerability to unwanted release or alteration.

Implementation Guidance- Classifications and associated information security measures will also include regulatory standards, which take into account market demands for information sharing or restriction. Assets other than information may also be classified according to the classification of the information stored, processed, or otherwise handled or protected by the asset. Information asset owners would be responsible for their classification.

The classification scheme will include classification standards, as well as guidelines for reviewing the classification over time. The level of security in the scheme will be determined by evaluating confidentiality, integrity and availability, and all other information requirements under consideration. The scheme should be aligned with the policy on access control.

Each level should be given a name which makes sense for the application of the classification scheme. The scheme should be consistent across the organization to ensure that everyone classifies information and related assets in the same way, has a common understanding of the security standards, and applies appropriate protection.


Classification should be part of the organization's processes and be consistent across the organization. Classification results may highlight the importance of assets, depending on their sensitivity and their criticality to the organization, e.g. in terms of confidentiality, integrity, and availability. Classification findings should be revised to reflect changes in their importance, responsiveness, and criticality during their life-cycle.

Other Information- Classification offers a concise summary of how to manage and secure knowledge for those who deal with it. This is facilitated by establishing information groups with similar protection needs and defining information security procedures that apply to all or some of the information in each group. This approach eliminates the need for case-by-case risk assessment, as well as personalized control design.

Information can cease to be sensitive or critical after a certain period of time, for example when the information is made public. These aspects should be taken into account, as over-classification may result in the implementation of unnecessary controls and additional expenditure, while under-classification may threaten the achievement of business goals.


An example of a classification scheme for the confidentiality of information may be based on four levels as follows:

  1. Disclosure does not cause harm;
  2. Disclosure leads to mild humiliation or organizational discomfort;
  3. The short-term impact of the disclosure on operations or tactical objectives is significant;
  4. Disclosure has a serious impact on long-term strategic goals or puts the survival of the organization at risk.

Read More : https://www.info-savvy.com/iso-27001-annex-a-8-2-information-classification/

