Requirement:
Information and technology assets must be classified, labeled and handled as per related law and regulatory requirements.
Control Implementation Guidelines:
- Define and document the requirements of this ECC in the cybersecurity requirements of information and technology assets management at the organization and must be approved by the representative
- Work with the concerned departments to identify all information and technology assets, including (but not limited to)
- Infrastructure (e.g., servers)
- Applications and services
- Networks (e.g., router)
- Workstations
- Peripherals (e.g., printers)
- Operating systems (if any)
- Document all information and technology assets in a single register with characteristics such as (asset name, description, owner and criticality)
- Work with asset owners to identify, document and approve asset classification in the register in accordance with the relevant laws and regulations
- Work with the concerned departments to ensure the coding of assets based on their classification, including but not limited to labelling the assets or automatically coding them through modern systems
- Work with the concerned departments to ensure that assets are handled according to the defined and approved classification level and based on the approved procedures for dealing with each asset
Expected Deliverables:
- A cybersecurity policy that covers the information and technology asset management requirements of the organization (e.g., electronic copy or official hard copy)
- Formal approval by the head of the organization or his/her deputy on the policy (e.g., via the organization's official e-mail, paper or electronic signature)
- A document that outlines the method and system of asset classification, coding and requirements
- An action plan to implement the requirements of classification and coding of information and technology assets (Labelling) in accordance with the relevant laws and regulations
- An up-to-date register that includes all information and technology assets, indicating the level of classification for each asset (e.g., Excel or through automated means using technical solutions such as CMDB)
- Evidence that outlines that the organization's assets are classified according to the defined and approved classification level
- Evidence that outlines that the organization's assets have been labelled according to the classification level defined and based on but not limited to the coding labels that demonstrate the coding of all assets within the organization
- Evidence of the implementation of controls on the organization's assets in accordance with their classification level, including but not limited to the procedures followed when dealing with each asset based on its classification
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
CMMC Level 1 Compliance
Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
NIST SP 800-171 & CMMC Level 2 Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.