Establish, implement, and maintain an information classification standard.


CONTROL ID
00601
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Analyze organizational objectives, functions, and activities., CC ID: 00598

This Control has the following implementation support Control(s):
  • Take into account the accessibility to and location of the data or information when establishing information impact levels., CC ID: 04787
  • Take into account the organization's obligation to protect data or information when establishing information impact levels., CC ID: 04786
  • Take into account the context of use for data or information when establishing information impact levels., CC ID: 04785
  • Take into account the potential aggregation of restricted data fields when establishing information impact levels., CC ID: 04784
  • Classify the sensitivity to unauthorized disclosure or modification of information in the information classification standard., CC ID: 11997
  • Take into account the distinguishability factor when establishing information impact levels., CC ID: 04783
  • Classify the criticality to unauthorized disclosure or modification of information in the information classification standard., CC ID: 11996
  • Classify the value of information in the information classification standard., CC ID: 11995
  • Classify the legal requirements of information in the information classification standard., CC ID: 11994


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • As all data processed by AIs for their clients could be considered as customer data, AIs should classify the data into different levels of sensitivity or risks so as to determine the protection required, in line with section 3.1 information classification and protection of the SPM module on "General… (Annex A. ¶ 1, Hong Kong Monetary Authority Customer Data Protection, 14 October 2014)
  • Information can be classified into different categories according to the degree of sensitivity (e.g. highly sensitive, sensitive, internal and public) to indicate the extent of protection required. To aid the classification process, AIs should ideally develop guidelines and definitions for each clas… (3.1.2, Hong Kong Monetary Authority: TM-G-1: General Principles for Technology Risk Management, V.1 – 24.06.03)
  • Assigning initial information classification and periodically reviewing the classification to ensure it still meets business needs (Information owner ¶ 1 Bullet 1, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Under CPS 234, all information assets must be classified by criticality and sensitivity. This includes infrastructure, ancillary systems such as environmental control systems and physical access control systems as well as information assets managed by third parties and related parties. Furthermore, … (27., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • In order to identify and classify information assets, an APRA-regulated entity would benefit from maintaining a classification methodology that provides clarity as to what constitutes an information asset, granularity considerations and the method for rating criticality and sensitivity. The rating c… (29., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • APRA-regulated entities record information assets in various ways, sometimes at a very granular level and sometimes at an aggregated level. For example, a system can be seen as an aggregation of the underlying components (such as applications, databases, operating systems, middleware and data sets) … (30., APRA Prudential Practice Guide CPG 234 Information Security, June 2019)
  • An APRA-regulated entity must classify its information assets, including those managed by related parties and third parties, by criticality and sensitivity. This classification must reflect the degree to which an information security incident affecting an information asset has the potential to affec… (20., Australian Prudential Regulation Authority Prudential Standard CPS 234 Information Security, CPS 234 – 1)
  • § 4.2 ¶ 3 says that types of records within an organization should be classified and indexed based on what business activities they relate to and then linked to other records to facilitate description, control, retrieval, disposal and access. Step 8 § B.1 requires that the organization create a b… (§ 4.2 ¶ 3, Step 8 § B.1, The DIRKS Manual: A Strategic Approach to Managing Business Information, rev. July 2003)
  • incident, risk and information classification schemes. (ANNEX I ¶ 1(2)(c)(ii), Directive (EU) 2016/1148 OF The European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union)
  • In order to be able to appropriately protect information, their importance for the organisation must be clear. In order to easier exchange information on the value of certain types of information within an organisation, but also with other organisations, a classification scheme is necessary describi… (§ 4.2 Bullet 3 ¶ 1, BSI Standard 200-1, Information Security Management Systems (ISMS), Version 1.0)
  • Estimate the importance of business processes, specialised tasks and information (§ 3.2.4 Subsection 4 Bullet 4, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Thus, a reasonable approach will be to elaborate a classification scheme that enables all employees to derive from such scheme the correct classification for any type of information without requiring explicit identification of the same. The classification scheme should not be too complicated so that… (§ 5.1 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • In simple cases, such as in the context of Basic Protection, a two-level classification can be sufficient already in the beginning, e.g. by only differentiating between internal ("everything in the Intranet") and public information. In such case it is recommended to classify the information intended… (§ 5.1 ¶ 5, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Create a classification scheme enabling correct, uncomplicated and understandable classification of information (§ 5.1 Subsection 1 Bullet 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Appropriate protection of information requires that importance of such information for the organisation is clear. A classification scheme describing the levels of significance and the delimitation of the individual levels is required to be able to easily communicate on the value of information withi… (§ 5.1 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • Since the documents for security management contain sensitive data on the organisation as well as personal data, information security and data protection must be guaranteed. The integrity, and especially the confidentiality of the documents must be guaranteed in addition to their availability. The v… (§ 5.2.3 Subsection 5 ¶ 1, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The authorised recipients of each document should be named in the document. Access to the documents is to be limited to those persons who need the information they contain to perform their tasks ("need to know" principle). It is therefore recommended to modularise the documents accordingly. This all… (§ 5.2.3 Subsection 5 ¶ 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • The cloud provider uses a uniform classification of information and assets which are relevant to the development and rendering of the cloud service. (Section 5.4 AM-05 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The procedure and criteria for the classification of projects are documented. (1.2.3 Requirements (should) Bullet 1, Information Security Assessment, Version 5.1)
  • A consistent scheme for the classification of information assets with regard to the protection goal of confidentiality is available. (1.3.2 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • Projects are classified while taking into account the information security requirements. (1.2.3 Requirements (must) Bullet 1, Information Security Assessment, Version 5.1)
  • These paragraphs provide a summary of the Business Impact Level tables, which are published in HMG Infosec Standard No. 1 (IS1), Technical Risk Assessment, Part 1, Appendix A (July 2007) and, as an extract from IS1, as Business Impact Table (March 2008). They define the impact levels (0 to 6) for co… (¶ 1 thru ¶ 6, Guidance on the use of the business impact level tables, March 2009)
  • (§ 3.3.1, § 4.2, OGC ITIL: Security Management)
  • (§ 3.1.1, § 5.2.3, OGC ITIL: Security Management)
  • The entity has a process for identifying, locating and classifying its PI. This process is clearly described as an essential aspect of its data governance program which is aligned with its information security controls. Relevant control activity policies and procedures have been designed and placed … (M1.4, Privacy Management Framework, Updated March 1, 2020)
  • Establish a classification scheme that applies throughout the enterprise, based on the criticality and sensitivity (e.g., public, confidential, top secret) of enterprise data. This scheme should include details about data ownership; definition of appropriate security levels and protection controls; … (PO2.3 Data Classification Scheme, CobiT, Version 4.1)
  • Store offsite all critical backup media, documentation and other IT resources necessary for IT recovery and business continuity plans. Determine the content of backup storage in collaboration between business process owners and IT personnel. Management of the offsite storage facility should respond … (DS4.9 Offsite Backup Storage, CobiT, Version 4.1)
  • Good privacy management is supported by the implementation of a data classification scheme that is based on sensitivity and data mapping. The organization should implement a corporate classification program for all privacy-protected data and sensitivity levels should be assigned. Some questions the … (§ 4.5 (Privacy Best Practices), § 5.3 ¶ 2, IIA Global Technology Audit Guide (GTAG) 5: Managing and Auditing Privacy Risks)
  • The organization should develop an information classification scheme to help in reducing or eliminating potential data losses from public statements made by the organization's spokesperson. (Pg 15-I-11, Protection of Assets Manual, ASIS International)
  • The information classification scheme should require that information classifications are reviewed and updated regularly. (CF.03.01.03c-1, The Standard of Good Practice for Information Security)
  • The information classification scheme should require that information classifications are reviewed and updated when changes are made. (CF.03.01.03c-2, The Standard of Good Practice for Information Security)
  • The system development methodology should require clarification of the organization's information classification scheme (i.e., the method of classifying information according to its level of confidentiality, such as top secret, company-in-confidence and public - and how it will be applied) be taken … (CF.17.01.06c, The Standard of Good Practice for Information Security)
  • There should be an information classification scheme that applies across the organization, which is used to determine varying levels of confidentiality of information (e.g., top secret, company-in-confidence, and public). (CF.03.01.01a, The Standard of Good Practice for Information Security)
  • There should be an information classification scheme that applies across the organization, which provides a description of each level of confidentiality. (CF.03.01.01b, The Standard of Good Practice for Information Security)
  • There should be an information classification scheme that applies across the organization, which takes into account the potential business impact from the loss of confidentiality of information. (CF.03.01.01c, The Standard of Good Practice for Information Security)
  • There should be an information classification scheme that applies across the organization, which lists examples of information types for each specific classification level. (CF.03.01.01d, The Standard of Good Practice for Information Security)
  • An information classification scheme should be established to classify information stored in physical form (e.g., contracts, Board meeting minutes, business plans, product designs, and employment contracts). (CF.03.01.02a, The Standard of Good Practice for Information Security)
  • An information classification scheme should be established to classify information stored in electronic form (e.g., files created using spreadsheet and database programs, word processors, and presentation packages). (CF.03.01.02b, The Standard of Good Practice for Information Security)
  • An information classification scheme should be established to classify electronic communications (e.g., messages sent via e-mail, instant messaging, and online collaboration systems). (CF.03.01.02c, The Standard of Good Practice for Information Security)
  • The information classification scheme should require 'sign-off' of the assigned classification applied to information by the relevant business owner. (CF.03.01.03b, The Standard of Good Practice for Information Security)
  • The information classification scheme should provide guidance on handling requirements for each level of classification at each stage of the information lifecycle (e.g., when creating, processing, copying, printing, storing, and destroying information). (CF.03.01.04a, The Standard of Good Practice for Information Security)
  • The information classification scheme should explain how to handle conflicting classifications. (CF.03.01.04b, The Standard of Good Practice for Information Security)
  • The information classification scheme should take into account requirements for document retention (based on the organization's document retention policy), including business requirements (e.g., ensuring staff have access to Intellectual Capital and business intelligence or customers have access to … (CF.03.01.05b, The Standard of Good Practice for Information Security)
  • The information classification scheme should take into account requirements for document retention (based on the organization's document retention policy), including technical requirements (e.g., relating to key audit trails, index cross-references, and configuration files). (CF.03.01.05c, The Standard of Good Practice for Information Security)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by an information classification scheme that enables information and documents to be classified and labelled according to their security requirements. (CF.08.08.03a, The Standard of Good Practice for Information Security)
  • The information classification scheme should require that information is protected in line with its assigned level of classification (e.g., top secret, company-in-confidence, or public). (CF.03.01.03a, The Standard of Good Practice for Information Security)
  • The information classification scheme should require that information classifications are reviewed and updated regularly. (CF.03.01.03c-1, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should require that information classifications are reviewed and updated when changes are made. (CF.03.01.03c-2, The Standard of Good Practice for Information Security, 2013)
  • The system development methodology should require clarification of the organization's information classification scheme (i.e., the method of classifying information according to its level of confidentiality, such as top secret, company-in-confidence and public - and how it will be applied) be taken … (CF.17.01.06c, The Standard of Good Practice for Information Security, 2013)
  • There should be an information classification scheme that applies across the organization, which is used to determine varying levels of confidentiality of information (e.g., top secret, company-in-confidence, and public). (CF.03.01.01a, The Standard of Good Practice for Information Security, 2013)
  • There should be an information classification scheme that applies across the organization, which provides a description of each level of confidentiality. (CF.03.01.01b, The Standard of Good Practice for Information Security, 2013)
  • There should be an information classification scheme that applies across the organization, which takes into account the potential business impact from the loss of confidentiality of information. (CF.03.01.01c, The Standard of Good Practice for Information Security, 2013)
  • There should be an information classification scheme that applies across the organization, which lists examples of information types for each specific classification level. (CF.03.01.01d, The Standard of Good Practice for Information Security, 2013)
  • An information classification scheme should be established to classify information stored in physical form (e.g., contracts, Board meeting minutes, business plans, product designs, and employment contracts). (CF.03.01.02a, The Standard of Good Practice for Information Security, 2013)
  • An information classification scheme should be established to classify information stored in electronic form (e.g., files created using spreadsheet and database programs, word processors, and presentation packages). (CF.03.01.02b, The Standard of Good Practice for Information Security, 2013)
  • An information classification scheme should be established to classify electronic communications (e.g., messages sent via e-mail, instant messaging, and online collaboration systems). (CF.03.01.02c, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should require 'sign-off' of the assigned classification applied to information by the relevant business owner. (CF.03.01.03b, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should provide guidance on handling requirements for each level of classification at each stage of the information lifecycle (e.g., when creating, processing, copying, printing, storing, and destroying information). (CF.03.01.04a, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should explain how to handle conflicting classifications. (CF.03.01.04b, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should take into account requirements for document retention (based on the organization's document retention policy), including business requirements (e.g., ensuring staff have access to Intellectual Capital and business intelligence or customers have access to … (CF.03.01.05b, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should take into account requirements for document retention (based on the organization's document retention policy), including technical requirements (e.g., relating to key audit trails, index cross-references, and configuration files). (CF.03.01.05c, The Standard of Good Practice for Information Security, 2013)
  • Digital Rights Management should be built upon a robust, recoverable technical infrastructure that is supported by an information classification scheme that enables information and documents to be classified and labelled according to their security requirements. (CF.08.08.03a, The Standard of Good Practice for Information Security, 2013)
  • The information classification scheme should require that information is protected in line with its assigned level of classification (e.g., top secret, company-in-confidence, or public). (CF.03.01.03a, The Standard of Good Practice for Information Security, 2013)
  • Security levels should be appropriate and proportionate to the value of and degree of reliance on the information systems and to the severity, probability and extent of potential harm, as the requirements for security vary depending upon the particular information systems. (Pg 29 Principle 5, ISSA Generally Accepted Information Security Principles (GAISP), Version 3.0)
  • Classify data according to its type and sensitivity level. (DSP-04, Cloud Controls Matrix, v4.0)
  • Risk assessments associated with data governance requirements shall be conducted at planned intervals. (DG-08, The Cloud Security Alliance Controls Matrix, Version 1.3)
  • Impact. An organization should assess impact as part of its ICT security program. Impact is the result of an information security incident, caused by a threat, which affects assets. The impact could be the destruction of certain assets, damage to the ICT system, and compromise of confidentiality, in… (§ 3.5, ISO 13335-1 Information technology - Security techniques - Management of information and communications technology security - Part 1: Concepts and models for information and communications technology security management, 2004)
  • ¶ 10.1.1 Loss of confidentiality. An organization should consider what damage could arise from the loss of confidentiality of the asset(s) reviewed (intentional or unintentional). For example, loss of confidentiality might lead to • loss of public confidence, or deterioration of public image, … (¶ 10.1.1, ¶ 10.1.2, ¶ 10.1.3, ¶ 10.1.4, ¶ 10.1.5, ¶ 10.1.6, ISO 13335-4 Information technology - Guidelines for the management of IT Security - Part 4: Selection of safeguards, 2000)
  • The creation of a classification system for data is recommended. This system should be based upon an analysis of the organization's business activities. (§ 9.5.2, ISO 15489-1:2001, Information and Documentation: Records management: Part 1: General)
  • A classification scheme based on business activities is key when it comes to conducting successful records management operations. A classification system that is related to business functions provides a framework for records management to be built upon. Analysis for the purpose of developing the bus… (§ 4.2.1(a), § 4.2.2.1, § 4.2.2.2, ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure classification systems have unambiguous terms that reflect organizational usage. (§ 4.2.2.2 ¶ 8(d), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure systems derive their terminology from business activities and business functions, not Organizational Unit names. (§ 4.2.2.2 ¶ 8(a), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure classification systems are specific for each organization and provide a standard and consistent way to share information amongst organizational units for interrelated functions. (§ 4.2.2.2 ¶ 8(b), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure classification systems are hierarchical. (§ 4.2.2.2 ¶ 8(c), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure the classification system have enough groupings and sub-groupings for all of the business activities and business functions that are being documented. (§ 4.2.2.2 ¶ 8(e), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure that classification systems have discrete groupings. (§ 4.2.2.2 ¶ 8(f), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure that classification systems are created in consultation with the records creators. (§ 4.2.2.2 ¶ 8(g), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • Classification system developers may ensure that classification systems are kept up-to-date to reflect changing business needs, business functions, and business activities. (§ 4.2.2.2 ¶ 8(h), ISO 15489-2: 2001, Information and Documentation: Records management: Part 2: Guidelines)
  • The information security coordination group should be responsible for approving the methodologies and processes used to determine the information classifications. All information should be classified into categories. This classification should be based on value, sensitivity, legal requirements, and … (§ 6.1.2, § 7.2.1, ISO 27002 Code of practice for information security management, 2005)
  • Publicly available information should be protected to prevent unauthorized modification and to ensure the integrity of the data. Formal approval should be obtained from management prior to making information available publicly. (§ 10.9.3, ISO 27002 Code of practice for information security management, 2005)
  • In addition to following the guidance given by ISO/IEC 27002, organizations processing personal health information should uniformly classify such data as confidential. (§ 8.2.1 Health-specific control, ISO 27799:2016 Health informatics — Information security management in health using ISO/IEC 27002, Second Edition)
  • the attribute requirements of identified information; (Section 7.5 ¶ 1(b) bullet 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • the quality requirements of identified information; (Section 7.5 ¶ 1(b) bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • Information should be classified according to the information security needs of the organization based on confidentiality, integrity, availability and relevant interested party requirements. (§ 5.12 Control, ISO/IEC 27002:2022, Information security, cybersecurity and privacy protection — Information security controls, Third Edition)
  • The cloud service customer should label information and associated assets maintained in the cloud computing environment in accordance with the cloud service customer's adopted procedures for labelling. Where applicable, functionality provided by the cloud service provider that supports labelling can… (§ 8.2.2 Table: Cloud service customer, ISO/IEC 27017:2015, Information technology — Security techniques — Code of practice for information security controls based on ISO/IEC 27002 for cloud services, First edition 2015-12-15)
  • The entity classifies information by its relevant characteristics (for example, personally identifiable information, confidential customer information, and intellectual property) to support identification of threats to the information and the design and operation of controls. (CC2.1 ¶ 4 Bullet 3 Classifies Information, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (with Revised Points of Focus – 2022))
  • The organization should have an information classification policy and an information classification process. (Table Ref 1.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • The information classification policy should include the specific security policies and procedures and privacy policies and procedures that apply to each information Category. (Table Ref 1.2.3, Generally Accepted Privacy Principles (GAPP), CPA and CA Practitioner Version, August 2009)
  • Information Systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (Section 4.C ¶ 1(4)(b), Insurance Data Security Model Law, NAIC MDL-668, Q4 2017)
  • Does the information security policy contain an information classification scheme? (§ B.1.20, Shared Assessments Standardized Information Gathering Questionnaire - B. Security Policy, 7.0)
  • Classified resource owners shall classify systems and documentation. (CSR 2.7, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • (§ 240.17Ad-7(f)(3)(III), 17 CFR Part 240.17Ad-7, Record retention)
  • If IM services are running and connecting to services outside the DoD, check to verify they are proxied at the enclave boundary. (ECIM-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • For health IT certified to (g)(6)(i)(A) of this section, create a data file formatted in accordance with the standard adopted in §170.205(a)(4) and (5) that demonstrates a valid implementation of each document template applicable to the certification criterion or criteria within the scope of the ce… (§ 170.315 (g) (6) (iii) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Health concerns. In accordance with the "Health Concerns Section" of the standard specified in §170.205(a)(4). (§ 170.315 (g) (6) (i) (C) (3), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Goals. In accordance with the "Goals Section" of the standard specified in §170.205(a)(4). (§ 170.315 (g) (6) (i) (C) (2), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • Assessment and plan of treatment. In accordance with the "Assessment and Plan Section (V2)" of the standard specified in §170.205(a)(4); or in accordance with the "Assessment Section (V2)" and "Plan of Treatment Section (V2)" of the standard specified in §170.205(a)(4). (§ 170.315 (g) (6) (i) (C) (1), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • The data classes expressed in the standards in § 170.213 in accordance with § 170.205(a)(4) and (a)(5) and paragraphs (g)(6)(i)(C)(1) through (4) of this section for the time period up to and including December 31, 2025; or (§ 170.315 (g) (6) (i) (A), 45 CFR Part 170 Health Information Technology Standards, Implementation Specifications, and Certification Criteria and Certification Programs for Health Information Technology, current as of January 2024)
  • For health IT certified to (g)(6)(i)(A) of this section, create a data file formatted in accordance with the standard adopted in §170.205(a)(4) and (5) that demonstrates a valid implementation of each document template applicable to the certification criterion or criteria within the scope of the ce… (§ 170.315 (g) (6) (iii) (A), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Health concerns. In accordance with the "Health Concerns Section" of the standard specified in §170.205(a)(4). (§ 170.315 (g) (6) (i) (C) (3), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Goals. In accordance with the "Goals Section" of the standard specified in §170.205(a)(4). (§ 170.315 (g) (6) (i) (C) (2), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • The data classes expressed in the standard in §170.213, and in accordance with §170.205(a)(4) and (5) and paragraphs (g)(6)(i)(C)(1) through (3) of this section; or (§ 170.315 (g) (6) (i) (A), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Assessment and plan of treatment. In accordance with the "Assessment and Plan Section (V2)" of the standard specified in §170.205(a)(4); or in accordance with the "Assessment Section (V2)" and "Plan of Treatment Section (V2)" of the standard specified in §170.205(a)(4). (§ 170.315 (g) (6) (i) (C) (1), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Respond to requests for patient data (based on an ID or other token) for all of the data classes expressed in the standards in §170.213 at one time and return such data (according to the specified standards, where applicable) in a summary record formatted in accordance with §170.205(a)(4) and (5) … (§ 170.315 (g) (9) (i) (A) (1), 45 CFR Part 170, Health Information Technology: Initial Set of Standards, Implementation Specifications, and Certification Criteria for Electronic Health Record Technology, current as of July 14, 2020)
  • Infrastructure information will be collected by DoD on a voluntary basis and DoD ensures that measures and procedures are in place and will be followed to protect business-sensitive and proprietary information. The asset information will reside on a classified portal in an electronic asset portfolio… (§ 2.2, Defense Industrial Base Information Assurance Standard)
  • Critical asset data may be classified for national security and will be classified, handled, and disseminated according to the DoD CIP Security Classification Guide, dated January 2003. (§ 2.3 ¶ 2, Defense Industrial Base Information Assurance Standard)
  • Determine whether management has a comprehensive inventory of its electronic (or digital) and physical information assets, in accordance with the Information Security Standards. Evaluate whether management specifically identifies its information assets, determines the appropriate classification of t… (App A Objective 4:1, FFIEC Information Technology Examination Handbook - Architecture, Infrastructure, and Operations, June 2021)
  • An information classification strategy that is appropriate to the complexity of the system should be implemented by management. (Pg 22, FFIEC IT Examination Handbook - Operations, July 2004)
  • As shown in Table 3-2, below, SCRI describes or identifies the cybersecurity supply chain relevant characteristics and risk factors associated with a product, service, or source of supply. It may exist in various forms (e.g., raw data, a supply chain network map, risk assessment report, etc.) and sh… (3.2. ¶ 5, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, NIST Special Publication 800-161, Revision 1)
  • This reference describes security levels in terms of the objectives of security. These objectives are confidentiality, integrity and availability. Loss of confidentiality is unauthorized disclosure of information. Loss of integrity is unauthorized modification or destruction of information. Loss of … (Pg 6 thru Pg 10, FIPS Pub 199, Standards for Security Categorization of Federal Information and Information Systems, February 2004)
  • The following levels of identity authentication assurance (ensuring the card holder is the card owner) are defined in this standard: some confidence, high confidence, and very high confidence. (§ 6.1 ¶ 2, FIPS Pub 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors, Change Notice 1)
  • Impact of events is determined. (DE.AE-4, Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0)
  • The organization must assign assurance categories for all information types that can be associated with both user information and system information, and can be applicable to information in either electronic or non-electronic form. The organization must also assign appropriate assurance categories f… (Volume 1 § 2.2.2, Guide for Mapping Types of Information and Information Systems to Security Categories, NIST SP 800-60, Volume II, Revision 1)
  • Classify documents in accordance with classification guidelines. (T0595, National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework, NIST Special Publication 800-181)
  • The organization should determine which factors to use to determine the Personally Identifiable Information confidentiality impact levels and create and implement policies and procedures using these factors. (§ 3.2, NIST SP 800-122 Guide to Protecting the Confidentiality of Personally Identifiable Information (PII))
  • The organization must define the information impact levels and the Information System impact levels. (SG.RA-3 Requirement 1, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must review the information impact levels and the Information System impact levels on a defined frequency. (SG.RA-3 Requirement 3, NISTIR 7628 Guidelines for Smart Grid Cyber Security: Vol. 1, Smart Grid Cyber Security Strategy, Architecture, and High-Level Requirements, August 2010)
  • The organization must apply a security categorization standard to the Information System by determining security priorities for the Information Systems and applying appropriate measures to adequately protect those systems, taking confidentiality, integrity, and availability into consideration. (§ 3.2, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must require Information Systems to meet an organization-defined level of trustworthiness. (App F § SA-13, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Classify documents in accordance with classification guidelines. (T0595, Reference Spreadsheet for the Workforce Framework for Cybersecurity (NICE Framework), July 7, 2020)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (Section 27-62-4(c)(4) b., Code of Alabama, Title 27, Chapter 62, Sections 1-11, Insurance Data Security Law)
  • Information systems, including, but not limited to, network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (Part VI(c)(3)(D)(ii), Connecticut General Statutes, Title 38a, Chapter 697, Part VI, Section 38a-38, Insurance Data Security Law)
  • An information system, including network and software design and information classification, governance, processing, storage, transmission, and disposal. (§ 8604.(c)(4) b., Delaware Code, Title 18, Chapter 86, Sections 8601-8611, Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§431:3B-202(b)(4)(B), Hawaii Revised Statute, Volume 9, Chapter 431, Article 3B, Sections 101-306, Insurance Data Security Law)
  • Information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal. (Sec. 17.(4)(B), Indiana Code, Title 27, Article 2, Chapter 27, Sections 1-32, Insurance Data Security)
  • Information systems, including network and software design; and information classification, governance, processing, storage, transmission, and disposal. (507F.4 3.d.(2), Iowa Code, Title XIII, Chapter 507F, Sections 1-16, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (§2504.C.(4)(b), Louisiana Revised Statutes, Title 22, Chapter 21, Sections 2501-2511, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (§2264 3.D.(2), Maine Revised Statutes, Title 24-A, Chapter 24-B, Sections 2261-2272, Maine Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal. (Sec. 555.(3)(d)(ii), Michigan Compiled Laws, Chapter 5A Sections 550-565, Data Security)
  • information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 60A.9851 Subdivision 3(4)(ii), Minnesota Statutes, Chapter 60A, Sections 985 - 9857, Information Security Program)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission and disposal; and (§ 83-5-807 (3)(d)(ii), Mississippi Code Annotated, Title 83, Chapter 5, Article 11, Sections 801 - 825, Insurance Data Security Law)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 420-P:4 III.(d)(2), New Hampshire Revised Statutes, Title XXXVIII, Chapter 420-P, Sections 1-14, Insurance Data Security Law)
  • data governance and classification; (§ 500.03 Cybersecurity Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies)
  • data governance, classification and retention; (§ 500.3 Cybersecurity Policy (b), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (26.1-02.2-03. 3.d.(2), North Dakota Century Code, Title 26.1, Chapter 26.1‑02.2, Sections 1-11, Insurance Data Security)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; (Section 3965.02 (C)(4)(b), Ohio Revised Code, Title 39, Chapter 3965, Sections 1-11, Cybersecurity Requirements For Insurance Companies)
  • information systems, including network and software design, and information classification, governance, processing, storage, transmission, and disposal; and (SECTION 38-99-20. (C)(4)(b), South Carolina Code of Laws, Title 38, Chapter 99, Sections 10-100, Insurance Data Security Act)
  • Information systems, including network and software design, as well as information classification, governance, processing, storage, transmission, and disposal; and (§ 56-2-1004 (3)(D)(ii), Tennessee Code Annotated, Title 56, Chapter 2, Part 10, Sections 1-11, Insurance Data Security Law)
  • Information systems, including the classification, governance, processing, storage, transmission, and disposal of information. (§ 601.952(2)(c)2., Wisconsin Statutes, Chapter 601, Subchapter IX, Sections 95-956, Insurance Data Security)