
Establish, implement, and maintain security classifications for organizational assets.
CONTROL ID
00005
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an access classification scheme., CC ID: 00509

This Control has the following implementation support Control(s):
  • Establish the criticality of the network and systems., CC ID: 00006
  • Limit the use of resources by priority., CC ID: 01448
  • Review connection requirements for all systems., CC ID: 06411


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • Classification and assignment of ownership of information assets (Information Security Governance ¶ 4 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Following sanitisation, highly classified volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time. (Security Control: 0835; Revision: 3, Australian Government Information Security Manual, March 2021)
  • If reclassifying media to a lower sensitivity or classification, the reclassification of all information on the media has been approved by the originator, or the media has been appropriately sanitised/destroyed and a formal administrative decision has been made to reclassify it. (Security Control: 0330; Revision: 3, Australian Government Information Security Manual, March 2021)
  • Databases and their contents are classified based on the sensitivity or classification of information that they contain. (Security Control: 0393; Revision: 7, Australian Government Information Security Manual, March 2021)
  • Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification. (Control: ISM-0360; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Following sanitisation, SECRET and TOP SECRET non-volatile flash memory media retains its classification. (Control: ISM-0360; Revision: 6, Australian Government Information Security Manual, September 2023)
  • The organization should treat the equipment that is being maintained or repaired off-site with the same requirements as for the highest classification of the area that the equipment will be located in when it is returned. (Control: 0944, Australian Government Information Security Manual: Controls)
  • The connections between fixed networks and wireless networks should be treated the same way the organization treats connections between fixed networks and the Internet. (Control: 1313, Australian Government Information Security Manual: Controls)
  • In order to maintain the classification of its information assets, an APRA-regulated entity would benefit from implementing a process which identifies where the classification of information assets requires change as well as allowing for the classification of new information assets. This would norma… (28., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Under CPS 234, an APRA-regulated entity must have information security controls to protect its information assets commensurate with, amongst other things, the stage at which the information assets are within their life-cycle. This includes ensuring that information security controls remain effective… (34., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • Hardware, nonvolatile media, and volatile media with a continuous power supply should be classified at or above the classification of the information stored on the media. Volatile media can be treated as unclassified when the power is removed. (§ 3.4.9, § 3.4.10, § 3.4.12, § 3.4.13, Australian Government ICT Security Manual (ACSI 33))
  • Consider typical damage scenarios for defining protection need categories (§ 8.2.1 Subsection 2 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • All customer systems are classified according to the agreements (SLA) between the cloud provider and cloud customer regarding the criticality for the rendering of services. The assignment of classifications is reviewed regularly as well as after essential changes/events for all customer systems. Dev… (Section 5.13 SIM-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • An appropriate procedure shall be defined for the classification/categorisation (protection requirements category) and handling of the applications developed or run by the business unit's end users. (II.6.43, Circular 10/2017 (BA): Supervisory Requirements for IT in Financial Institutions, 14.09.2018)
  • Develop a strategy and plan for infrastructure maintenance, and ensure that changes are controlled in line with the organisation's change management procedure. Include periodic reviews against business needs, patch management, upgrade strategies, risks, vulnerabilities assessment and security requir… (AI3.3 Infrastructure Maintenance, CobiT, Version 4.1)
  • The digital asset management audit should include classifying all of the digital assets. (App A.9 (Recommendations for Piracy), IIA Global Technology Audit Guide (GTAG) 4: Management of IT Auditing)
  • (§ 4.3.1, ISF Security Audit of Networks)
  • (§ 4.3.4, ISF Security Audit of Networks)
  • Arrangements should be made to ensure that once changes have been applied, the classification of information associated with Information Systems and networks is reviewed. (CF.07.06.05f, The Standard of Good Practice for Information Security)
  • Arrangements should be made to ensure that once changes have been applied, the classification of information associated with Information Systems and networks is reviewed. (CF.07.06.05f, The Standard of Good Practice for Information Security, 2013)
  • ¶ 7.2 Identification Process. A recommended process for the identification and analysis of the communications related factors that should be taken into account to establish network security requirements, and the provision of an indication of the potential safeguard areas. When considering network c… (¶ 7.2, ¶ 11, ¶ 11.1, ¶ 11.2, ¶ 11.2 Table 2 Trust Environment "Low", ¶ 11.2 Table 2 Trust Environment "Medium", ¶ 11.2 Table 2 Trust Environment "High", ¶ 11.2 Table 3 Row "Public Network Connection", ¶ 11.2 Table 3 Row "Private Network Connection", ¶ 11.2 Table 4 Row "LOW/PUBLIC", ¶ 11.2 Table 4 Row "MEDIUM/PUBLIC", ¶ 11.2 Table 4 Row "HIGH/PUBLIC", ¶ 11.2 Table 4 Row "LOW/PRIVATE", ¶ 11.2 Table 4 Row "MEDIUM/PRIVATE", ¶ 11.2 Table 4 Row "HIGH/PRIVATE", ¶ 12, ISO 13335-5 Information technology - Guidelines for the management of IT Security - Part 5: Management guidance on network security, 2001)
  • The access classifications of records should be reviewed to ensure they are current and applicable, in order to effectively manage the use of records. (§ 4.3.8 ¶ 2(g), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The classification of assets should be periodically reviewed by the asset owner to determine if the classification is still appropriate or if it should be changed. (§ 7.2.1, ISO 27002 Code of practice for information security management, 2005)
  • Procedures exist to classify data in accordance with classification policies and monitor and update the classification on a periodic basis. (Security Prin. and Criteria Table § 3.8, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to classify data in accordance with classification policies and monitor and update the classification on a periodic basis. (Availability Prin. and Criteria Table § 3.11, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Procedures exist to classify data in accordance with classification policies and monitor and update the classification on a periodic basis. (Processing Integrity Prin. and Criteria Table § 3.12, Appendix B: Trust Services Principles and Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy, TSP Section 100 Principles and Criteria)
  • Review the identifications in Requirement R1 and its parts (and update them if there are changes identified) at least once every 15 calendar months, even if it has no identified items in Requirement R1, and (B. R2. 2.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - BES Cyber System Categorization CIP-002-5.1a, Version 5.1a)
  • Identify each asset that contains a low impact BES Cyber System according to Attachment 1, Section 3, if any (a discrete list of low impact BES Cyber Systems is not required). (B. R1. 1.3., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - BES Cyber System Categorization CIP-002-5.1a, Version 5.1a)
  • Identify each of the high impact BES Cyber Systems according to Attachment 1, Section 1, if any, at each asset; (B. R1. 1.1., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - BES Cyber System Categorization CIP-002-5.1a, Version 5.1a)
  • Identify each of the medium impact BES Cyber Systems according to Attachment 1, Section 2, if any, at each asset; and (B. R1. 1.2., North American Electric Reliability Corporation Critical Infrastructure Protection Standards Cyber Security - BES Cyber System Categorization CIP-002-5.1a, Version 5.1a)
  • For cloud computing services that use a hypervisor to transmit, process, or store scoped data, do all virtual machines in the same host share the same risk and data classification level? (§ V.1.72.33, Shared Assessments Standardized Information Gathering Questionnaire - V. Cloud, 7.0)
  • CSR 2.5.3: The organization must establish classifications and criteria and communicate these to the resource owners. CSR 2.7.1: The organization must classify resources based on risk assessments. An appropriate senior official must approve the classifications. The classifications must be documented… (CSR 2.5.3, CSR 2.7.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • An appropriate senior official must approve classifications, and they must be documented and reviewed periodically. (CSR 2.7.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • DoD CSPs will, and commercial CSPs may (under DoD contract), instantiate their CSO architecture on DoD premises (DoD on-premises). Interconnection with DoD networks will be interoperable IAW engineering requirements that meet cybersecurity guidance and controls. Such implementations will be consider… (Section 5.2.1.1 ¶ 5, Department of Defense Cloud Computing Security Requirements Guide, Version 1, Release 3)
  • (AC-1.1, Federal Information System Controls Audit Manual (FISCAM), February 2009)
  • Classify workstations based on the capabilities, connections, and allowable activities. (§ 4.11.1 Bullet 3, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule, NIST SP 800-66, Revision 1)
  • The organization must develop and maintain the binding of security attributes to information in storage, in process, and in transmission. (App F § AC-16, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)