Assets shall be managed, and information shall be classified and labeled, to ensure that assets, including information, receive an appropriate level of information security.
T1.1 ASSET MANAGEMENT POLICY
OBJECTIVE
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities
PERFORMANCE INDICATOR
Percentage of physical backup/archive media that are fully encrypted.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Use of unapproved hardware and / or devices
- Physical theft of assets
- Retrieval of recycled or discarded media
APPLICABLE CONTROLS
The following controls are applicable to this control family.
T1.2 RESPONSIBILITY FOR ASSETS
OBJECTIVE
To achieve and maintain appropriate protection of the entity’s information assets
PERFORMANCE INDICATOR
Percentage of employees who have authorized access to information systems only after signing an acknowledgment that they have read and understood the rules of behavior
AUTOMATION GUIDANCE
As a prerequisite for any automation to be used, entities should identify assets and their owners, and then decide and document which parts of the entity and/or which individuals are responsible for each component of a business process (including information, software, hardware, IT, etc.).
The entity could use a tool to automate the following processes:
- Tracking of information asset inventory
- Assignment of information assets ownership
- Defining the right use of information assets
Some entities maintain asset inventories using specific large-scale commercial products dedicated to the task, or they use free solutions to track and then sweep the network periodically for new assets connected to it. In particular, when entities acquire new systems, they record the owner and features of each new asset, including its network interface Media Access Control (MAC) address and location. This mapping of asset attributes and owner-to-MAC address can be stored in a free or commercial database management system.
The entity should determine which asset attributes should be tracked, based on the entity’s needs. The following list of potential attributes could be considered:
- Asset name
- Asset type
- Asset tag
- IP address
- MAC address
- Serial number
- Location, etc.
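As an added illustration (not part of the standard), the following Python sketch reconciles a periodic network sweep against an inventory keyed by MAC address, using a subset of the attributes listed above. The record layout, the `owner` field, the function names and all sample values are assumptions constructed for this example.

```python
import re

# Constructed sample inventory; field names follow the attribute list above.
INVENTORY = [
    {"tag": "A-0001", "name": "hr-laptop-01", "type": "laptop",
     "ip": "192.0.2.10", "mac": "02:00:00:AA:00:01", "owner": "hr.dept"},
    {"tag": "A-0002", "name": "print-01", "type": "printer",
     "ip": "192.0.2.20", "mac": "02-00-00-aa-00-02", "owner": ""},
    {"tag": "A-0003", "name": "db-01", "type": "server",
     "ip": "192.0.2.30", "mac": "0200.00aa.0003", "owner": "it.ops"},
]
# Constructed sweep result: what was actually seen on the network.
SWEEP = [
    {"mac": "02:00:00:aa:00:01", "ip": "192.0.2.10"},
    {"mac": "02:00:00:aa:00:02", "ip": "192.0.2.99"},
    {"mac": "02:00:00:bb:00:09", "ip": "192.0.2.50"},
]

def norm_mac(mac):
    """Normalize colon, dash or dotted MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory, sweep):
    """Compare sweep observations with the inventory and report the gaps."""
    by_mac = {norm_mac(a["mac"]): a for a in inventory}
    seen = {norm_mac(o["mac"]): o["ip"] for o in sweep}
    report = {"unapproved": [], "ip_mismatch": []}
    for mac, ip in sorted(seen.items()):
        asset = by_mac.get(mac)
        if asset is None:
            # On the network but not in the inventory: unapproved device.
            report["unapproved"].append((mac, ip))
        elif asset["ip"] != ip:
            # Known asset at an unexpected address: record is stale or moved.
            report["ip_mismatch"].append((asset["tag"], asset["ip"], ip))
    # Inventory entries with no assigned owner (ownership not documented).
    report["no_owner"] = sorted(a["tag"] for a in inventory if not a.get("owner"))
    # Inventoried assets that the sweep did not observe.
    report["not_seen"] = sorted(a["tag"] for m, a in by_mac.items() if m not in seen)
    return report

if __name__ == "__main__":
    for finding, items in reconcile(INVENTORY, SWEEP).items():
        print(finding, items)
```

Because a MAC address can be changed on the device, a match here confirms only that the inventory record exists, not that the device is genuine.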
RELEVANT THREATS AND VULNERABILITIES
- Use of unapproved hardware and / or devices
- Use of counterfeit or copied software
- Destruction of Equipment or Media
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T1.2.1 - P2 - INVENTORY OF ASSETS
- T1.2.2 - P2 - OWNERSHIP OF ASSETS
- T1.2.3 - P2 - ACCEPTABLE USE OF ASSETS
- T1.2.4 - P2 - ACCEPTABLE BRING YOUR OWN DEVICE (BYOD) ARRANGEMENTS
T1.3 INFORMATION CLASSIFICATION
OBJECTIVE
To ensure that information receives an appropriate level of protection.
PERFORMANCE INDICATOR
Percentage of information assets that are classified based on their sensitivity, versus those that are not
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Tampering with sensitive information with no appropriate protection
- Unauthorized access to sensitive information
APPLICABLE CONTROLS
The following controls are applicable to this control family.
- T1.3.1 - P3 - CLASSIFICATION OF INFORMATION
- T1.3.2 - P3 - LABELING OF INFORMATION
- T1.3.3 - P3 - HANDLING OF INFORMATION ASSETS
T1.4 MEDIA HANDLING
OBJECTIVE
To prevent unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities
PERFORMANCE INDICATOR
Percentage of physical backup/archive media that are fully encrypted.
AUTOMATION GUIDANCE
Not applicable
RELEVANT THREATS AND VULNERABILITIES
- Destruction of equipment or media
- Exploitation of backdoor or command and control channels
- Retrieval of recycled or discarded media
APPLICABLE CONTROLS
The following controls are applicable to this control family.