ISO/IEC 27001:2013 Annex A.8 Asset management

Slides:



Advertisements
Similar presentations
1 COMPUTER GENERATED & STORED RECORDS CONTROLS Presented by COSCAP-SA.
Advertisements

The New GMP Annex 11 and Chapter 4 Deadline for coming into operation: 30 June 2011.
Identification and Disposition of Official University Records University of Texas at Arlington Records Management.
Secure Systems Research Group - FAU Process Standards (and Process Improvement)
ISMS standards and control processes ISO27001 & ISO27002
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
ICS 417: The ethics of ICT 4.2 The Ethics of Information and Communication Technologies (ICT) in Business by Simon Rogerson IMIS Journal May 1998.
Employee Medical and Exposure Records Keeping and providing access to medical and exposure records November, 2010.
Chapter 5: Asset Classification
The Islamic University of Gaza
Security Controls – What Works
Sanjay Goel, School of Business/Center for Information Forensics and Assurance University at Albany Proprietary Information 1 Unit Outline Qualitative.
ISO 17799: Standard for Security Ellie Myler & George Broadbent, The Information Management Journal, Nov/Dec ‘06 Presented by Bhavana Reshaboina.
Chapter 9 Information Systems Controls for System Reliability— Part 2: Confidentiality and Privacy Copyright © 2012 Pearson Education, Inc. publishing.
First Practice - Information Security Management System Implementation and ISO Certification.
Session 3 – Information Security Policies
Information Systems Controls for System Reliability -Information Security-
Property of Common Sense Privacy - all rights reserved THE DATA PROTECTION ACT 1998 A QUESTION OF PRINCIPLES Sheelagh F M.
Instructions and forms
Information Asset Classification
 Review the security rule as it pertains to ›Physical Safeguards ♦ How to protect the ePHI in the work environment ♦ Implementation ideas for your office.
Security Policies University of Sunderland CSEM02 Harry R. Erwin, PhD.
G17: Recordkeeping for Business Activities Carried out by Contractors Patrick Power, Manager Government Recordkeeping Programme Archives New Zealand.
Evolving IT Framework Standards (Compliance and IT)
Network Security Policy Anna Nash MBA 737. Agenda Overview Goals Components Success Factors Common Barriers Importance Questions.
Information Systems Security Computer System Life Cycle Security.
Principle of Protection By C’Les Jensema About ARMA International and the Generally Accepted Recordkeeping Principles® ARMA International (
Health Insurance Portability and Accountability Act of 1996 (HIPAA) Proposed Rule: Security and Electronic Signature Standards.
How Hospitals Protect Your Health Information. Your Health Information Privacy Rights You can ask to see or get a copy of your medical record and other.
Audit Planning & Audit Evidence
2011 NPMA Conference Series III National Capital Area Conference Leaders in Asset Management National Capitol Area Conference Charles L. Robinson, Director.
Ecords Management Records Management Paul Smallcombe Records & Information Compliance Manager.
ISO17799 Maturity. Confidentiality Confidentiality relates to the protection of sensitive data from unauthorized use and distribution. Examples include:
Information Systems Security Operational Control for Information Security.
Understanding the IT environment of the entity. Session objectives Defining contours of financial accounting in an IT environment and its characteristics.
Information Security Governance and Risk Chapter 2 Part 3 Pages 100 to 141.
S4: Understanding the IT environment of the entity.
Security Policies and Procedures. cs490ns-cotter2 Objectives Define the security policy cycle Explain risk identification Design a security policy –Define.
Eliza de Guzman HTM 520 Health Information Exchange.
Information Asset Classification Community of Practicerev. 10/24/2007 Information Asset Classification What it means to employees.
Guide - Recordkeeping for business activities carried out by contractors Natalie Dewson Senior Advisor Government Recordkeeping Programme Archives New.
Main Requirements on Different Stages of the Licensing Process for New Nuclear Facilities Module 4.5/1 Design Geoff Vaughan University of Central Lancashire,
Today’s Lecture Covers
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
Human Resource Security ISO/IEC 27001:2013
SCHOOLS FINANCE OFFICERS MEETINGS Records Management, “Paper-Lite” Environments and Procedures when a school closes Elizabeth Barber.
Information Security IBK3IBV01 College 2 Paul J. Cornelisse.
International Security Management Standards. BS ISO/IEC 17799:2005 BS ISO/IEC 27001:2005 First edition – ISO/IEC 17799:2000 Second edition ISO/IEC 17799:2005.
Deck 10 Accounting Information Systems Romney and Steinbart Linda Batch March 2012.
Erman Taşkın. Information security aspects of business continuity management Objective: To counteract interruptions to business activities and to protect.
WISHA, 7/23/04 Employee Medical and Exposure Records Chapter WAC Employer Responsibilities.
Health & Safety Management “and a few other things for your consideration”
By: Mark Reed.  Protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction.
Classification September 2003© Peltier and Associates, all rights reserved Creating an Asset Classification Methodology ISIG & ISSA September, 2003.
ISO17799 / BS ISO / BS Introduction Information security has always been a major challenge to most organizations. Computer infections.
EECS David C. Chan1 Computer Security Management Session 1 How IT Affects Risks and Assurance.
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
Providing Access to Your Data: Handling sensitive data
Prepared by Rand E Winters, Jr. ASR Senior Auditor October 2014
Domain 2 – Asset Security
Electronic Records Management Program
Managing the IT Function
Red Flags Rule An Introduction County College of Morris
HIPAA SECURITY RULE Copyright © 2008, 2006, 2004 by Saunders an imprint of Elsevier Inc. All rights reserved.
TEL382 Greene Chapter 5.
CGSB and Electronic Records
Presentation transcript:

ISO/IEC 27001:2013 Annex A.8 Asset management Nguyen Tien Thanh Tran Dinh Minh Thien

Outline 8. Asset management 8.1 Responsibility for assets 8.1.1 Inventory of assets 8.1.2 Ownership of assets 8.1.3 Acceptable use of assets 8.1.4 Return of assets 8.2 Information classification 8.2.1 Classification of information 8.2.2 Labeling of information 8.2.3 Handling of assets 8.3 Media handling 8.3.1 Management of removable media 8.3.2 Disposal of media 8.3.3 Physical media transfer

8.1 Responsibility for assets Objective: To identify organizational assets and define appropriate protection responsibilities.

8.1 Responsibility for assets 8.1.1 Inventory of assets Control Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained. Implementation guidance An organization should identify assets relevant in the lifecycle of information and document their importance. The asset inventory should be accurate, up to date, consistent

8.1 Responsibility for assets 8.1.2 Ownership of assets Control Assets maintained in the inventory should be owned. Implementation guidance Asset owners: can be individuals or entities Asset owners should: ensure that assets are inventoried; b) ensure that assets are appropriately classified and protected; ensure proper handling when the asset is deleted or destroyed.

8.1 Responsibility for assets 8.1.3 Acceptable use of assets Control Rules for the acceptable use of information and of assets associated with information and information processing facilities should be identified, documented and implemented. Implementation guidance Employees and external party users using assets should be made aware of the information security requirements and their responsibility

8.1 Responsibility for assets 8.1.4 Return of assets Control All employees and external party users should return all of the organizational assets in their possession upon termination of their employment, contract or agreement. Implementation guidance Assets include physical and electronic Have clear procedures If users have important knowledge, it should be documented and transferred The organization should control unauthorized copying of relevant information by terminated employees

8.2 Information classification Objective: To ensure that information receives an appropriate level of protection in accordance with its importance to the organization

8.2 Information Classification 8.2.1 Classification of information Control Information should be classified in terms of legal requirements, value, criticality and sensitivity to unauthorized disclosure or modification. Implementation guidance Classifications should take account of business needs for sharing or restricting information An example of an information confidentiality classification scheme could be based on four levels as follows: a) disclosure causes no harm; b) disclosure causes minor embarrassment or minor operational inconvenience; c) disclosure has a significant short term impact on operations or tactical objectives; d) disclosure has a serious impact on long term strategic objectives or puts the survival of the organization at risk.

8.2 Information Classification 8.2.2 Labeling of information Control An appropriate set of procedures for information labeling should be developed and implemented in accordance with the information classification scheme adopted by the organization. Implementation guidance Procedures for information labeling need to cover information and its related assets in physical and electronic formats Output from systems containing information that is classified as being sensitive or critical should carry an appropriate classification label.

8.2 Information Classification 8.2.3 Handling of assets Control Procedures for handling assets should be developed and implemented in accordance with the information classification scheme adopted by the organization Implementation guidance The following items should be considered: a) access restrictions supporting the protection requirements for each level of classification; b) maintenance of a formal record of the authorized recipients of assets; c) protection of temporary or permanent copies of information to a level consistent with the protection of the original information; d) storage of IT assets in accordance with manufacturers’ specifications; e) clear marking of all copies of media for the attention of the authorized recipient.

8.3 Media handling Objective: To prevent unauthorized disclosure, modification, removal or destruction of information stored on media.

8.3 Media handling 8.3.1 Management of removable media Control Procedures should be implemented for the management of removable media in accordance with the classification scheme adopted by the organization. Implementation guidance The following guidelines for the management of removable media should be considered: a) if no longer required, the contents of any re-usable media that are to be removed from the organization should be made unrecoverable; b) where necessary and practical, authorization should be required for media removed from the organization and a record of such removals should be kept in order to maintain an audit trail;

8.3 Media handling 8.3.1 Management of removable media c) all media should be stored in a safe, secure environment, in accordance with manufacturers’ specifications; d) if data confidentiality or integrity are important considerations, cryptographic techniques should be used to protect data on removable media; e) to mitigate the risk of media degrading while stored data are still needed, the data should be transferred to fresh media before becoming unreadable; f) multiple copies of valuable data should be stored on separate media to further reduce the risk of coincidental data damage or loss; g) registration of removable media should be considered to limit the opportunity for data loss; h) removable media drives should only be enabled if there is a business reason for doing so; i) where there is a need to use removable media the transfer of information to such media should be monitored.

8.3 Media handling 8.3.2 Disposal of media Control Media should be disposed of securely when no longer required, using formal procedures. Implementation guidance - Procedures should be in place to identify the items that might require secure disposal; - Disposal of sensitive items should be logged in order to maintain an audit trail.

8.3 Media handling 8.3.3 Physical media transfer Control Media containing information should be protected against unauthorized access, misuse or corruption during transportation. Implementation guidance The following guidelines should be considered to protect media containing information being transported: a) reliable transport or couriers should be used; b) a list of authorized couriers should be agreed with management; c) procedures to verify the identification of couriers should be developed; d) packaging should be sufficient to protect the contents from any physical damage; e) logs should be kept.

Summary Please refer to the Outline

References ISO-IEC 27001:2013, ISMS requirements, 11-12. ISO-IEC 27002:2013, Code of practice for IS management, 13-19. Video: https://www.youtube.com/watch?v=MljHcgq4agE

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.