T1.3.3 - HANDLING OF INFORMATION ASSETS Implementation Guidance
The entity shall handle assets in accordance with the information classification scheme adopted by the entity.
Back to T1.3.3 - P3 - HANDLING OF INFORMATION ASSETS
Critical entities shall also take into account any other NESA’s relevant issuances, guidance, and activities in this regard.
Procedures should be drawn up for handling, processing, storing and communicating information consistent with its classification. The following items should be considered.
- A. Handling of all media to its indicated classification level of the information stored on it
- B. Access restrictions to prevent access from unauthorized personnel
- C. Maintenance of a formal record of the authorized recipients of assets
- D. Protection of temporary or permanent copies of information to a level consistent with the protection of the original information; storage of IT assets in accordance with manufacturers’ specifications
- E. Keeping the distribution of assets to a minimum required to support the entity’s needs
- F. Clear marking of all copies of media for the attention of the authorized recipient
The classification scheme used within the entity may not be equivalent to the schemes used by other entities, even if the names for levels are similar; in addition, information moving between entities may vary in classification depending on its context in each entity, even if their classification schemes are identical.
Agreements with other entities that include information sharing should include procedures to identify the classification of that information and to interpret the classification labels from other entities.
