A detailed look at ISO 27001: Part 3

Section 8:  Asset Management

Assets associated with information and information processing must be identified and appropriate protection responsibilities defined.

8.1  Responsibility for Assets

 

The organisation must identify assets relevant in the lifecycle of information and document their importance.  The lifecycle information must include creation, processing, storage, transmission, deletion and destruction. Documentation must be maintained in dedicated or existing inventories as appropriate.

The Asset inventory must be accurate, up to date, and consistent and aligned with other inventories.
Ownership of assets and their classification must be defined

8.2 Information Classification

 

Information must be classified in terms of legal requirements, value, criticality and sensitivity to unauthorised disclosure or modification.
It is usual to apply the test of analysis of the effect on Confidentiality, Integrity and Availability.
Examples can be based on four levels:

• Disclosure causes no harm   -   Public domain
• Disclosure causes minor embarrassment or minor operational inconvenience  - Restricted
• Disclosure has a significant short term impact on operational or tactical objectives – Confidential
• Disclosure has a serious impact on long term strategic objectives or puts the survival of the organisation at risk - Secret

Section 8.3 Media 

 

To prevent unauthorised disclosure, modification, removal or destruction of information stored on media.

Removable media must be protected and stored in accordance with the organisation’s security classifications.

Media contents no longer required must be made unrecoverable.
If data confidentiality or integrity are important considerations then cryptography techniques must be considered.

Registration of removable media must be considered to limit the opportunity for data loss.
Removable media drives must only be enabled if there is a business case for doing so.
Media that is no longer required must be disposed of securely. Audit trails of these media must be maintained.

Section 9: Access Control

Logical access to IT systems, networks and data must be suitably controlled to prevent unauthorised use.

9.1 Business Requirement for Access Control

 

The organisation’s requirements to control access to information assets must be clearly documented in an access control policy, including for example job-related access profiles (role based access control). [This is an important obligation for information asset owners.]

9.2  User Access Management

 

Formal procedures for the allocation of access rights to users must be controlled through user registration and administration procedures (from initial user registration through to removal of access rights when no longer required), including special restrictions over the allocation of privileges and management of passwords, and regular access rights reviews.

9.3 User Responsibilities

 

Users must be made accountable for safeguarding their authentication information. e.g. keeping their secret authentication confidential and not divulging to any other parties, including those in authority. SSO (Single Sign On and other secret authentication information management tools reduce the amount of secret authentication information that users are required to protect and this can increase the effectiveness of this control. However, these tools can also increase the impact of disclosure of secret authentication information.

9.4  System and Application Access Control

 

Access to information and application system functions must be restricted in accordance with the access control policy.

The following may be considered:

• Providing menus to control access to application systems function;
• Controlling which data can be accessed by a particular user;
• Controlling read, write, delete and execute functions;
•  Controlling the access rights of other applications;
• Limiting information contained in outputs;
• Providing physical or logical access controls for the isolation of sensitive applications or applications data or systems.

Password management systems must be employed to ensure that secure log-on procedures are followed, including the use of strong passwords and regular changing of these passwords.