Establish, implement, and maintain appropriate system labeling.


CONTROL ID: 01900
CONTROL TYPE: Establish/Maintain Documentation
CLASSIFICATION: Preventive

SUPPORTING AND SUPPORTED CONTROLS




This Control directly supports the implied Control(s):
  • Establish, implement, and maintain configuration control and Configuration Status Accounting, CC ID: 00863

This Control has the following implementation support Control(s):
  • Include the identification number of the third party who performed the conformity assessment procedures on all promotional materials, CC ID: 15041
  • Include the identification number of the third party who conducted the conformity assessment procedures after the CE marking of conformity, CC ID: 15040


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH




  • Installation of telephones for emergency allows immediate notification of fire or other state of emergency to a central control and monitoring station (central monitoring room, disaster control center, etc.) and relevant operational units. The telephones for emergency should be used only for disaste… (F38.2. ¶ 1, FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • To protect the line-related systems against destruction by unauthorized persons and to protect the security of computer network, do not install any label to the line-related systems such as signboard, display board, and other indications that identify the installed locations. (F83.1., FISC Security Guidelines on Computer Systems for Financial Institutions, Ninth Edition, Revised March 2020)
  • ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification. (Control: ISM-0294; Revision: 4, Australian Government Information Security Manual, June 2023)
  • ICT equipment, with the exception of high assurance ICT equipment, is labelled with protective markings reflecting its sensitivity or classification. (Control: ISM-0294; Revision: 4, Australian Government Information Security Manual, September 2023)
  • The organization must clearly label the information and communications technology equipment that stores information, except for High Grade Cryptographic Equipment, with appropriate markings. (Control: 0294, Australian Government Information Security Manual: Controls)
  • The organization must not place non-essential labels on the external surfaces of high assurance products. (Control: 0295, Australian Government Information Security Manual: Controls)
  • The organization must ask for Defence Signals Directorate authorization before it applies a label to the external surface of High Grade Cryptographic Equipment. (Control: 0296, Australian Government Information Security Manual: Controls)
  • Media should be labeled with the classification of the information contained on it and the label should be visually identifiable. The labels for portable computers and personal electronic devices should tell individuals what to do if the devices are found after being lost. (§ 3.4.15, § 3.4.64, Australian Government ICT Security Manual (ACSI 33))
  • The model designation of the consumer IoT device shall be clearly recognizable, either by labelling on the device or via a physical interface. (Provision 5.3-16, CYBER; Cyber Security for Consumer Internet of Things: Baseline Requirements, ETSI EN 303 645, V2.1.1)
  • Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system or, where that is not possible, on its packaging or its accompanying documentation, as applicable. (Article 26 3., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • to affix the CE marking to their high-risk AI systems to indicate the conformity with this Regulation in accordance with Article 49; (Article 16 ¶ 1(i), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Providers of high-risk AI systems shall ensure that their systems undergo the relevant conformity assessment procedure in accordance with Article 43, prior to their placing on the market or putting into service. Where the compliance of the AI systems with the requirements set out in Chapter 2 of thi… (Article 19 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate. (Article 49 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Before making a high-risk AI system available on the market, distributors shall verify that the high-risk AI system bears the required CE conformity marking, that it is accompanied by the required documentation and instruction of use, and that the provider and the importer of the system, as applicab… (Article 27 1., Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • the system bears the required conformity marking and is accompanied by the required documentation and instructions of use. (Article 26 1(c), Proposal for a Regulation of The European Parliament and of The Council Laying Down Harmonized Rules On Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts)
  • Label business processes with unique numbers or codes (§ 8.1.2 Subsection 1 Bullet 2, BSI-Standard 200-2 IT-Grundschutz Methodology, Version 1.0)
  • An organization must require that wireless devices be labeled with owner, contact information and purpose. (§ 4.6.1.D, Payment Card Industry (PCI) Information Supplement: PCI DSS Wireless Guideline)
  • Each device shall have a unique visible identifier affixed to it or should be identifiable using secure, cryptographically protected methods. (J7, Payment Card Industry (PCI), PIN Transaction Security (PTS) Hardware Security Module (HSM) - Security Requirements, Version 3.0)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by attaching identification labels to communications equipment and cables. (CF.09.02.01a, The Standard of Good Practice for Information Security)
  • Telecommunications cables (i.e., network and telephone cables) should be protected by attaching identification labels to communications equipment and cables. (CF.09.02.01a, The Standard of Good Practice for Information Security, 2013)
  • The labeling for the product should be unique for each version. (§ 13.2, ISO 15408-3 Common Criteria for Information Technology Security Evaluation Part 3, 2008)
  • The product should have a label associated with it to ensure it can be differentiated from other versions of the same product. The labeling of the product should be consistent, that is, the version number should be the same on the documentation, on the media it is stored on, and on the actual produc… (§ 10.4.1.3.2, § 10.4.1.3.3, § 11.4.1.4.2, § 11.4.1.4.3, § 12.4.1.3.2, § 12.4.1.3.3, § 13.4.2.3.2, § 13.4.2.3.3, ISO 18045 Common Methodology for Information Technology Security Evaluation Part 3, 2005)
  • The system must automatically record the creation, modification, or deletion of integrity labels or confidentiality labels, when required by the information owner. (ECLC-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • Systems and information that display, process, store, or transit data in any format or form that has not been approved for public release must comply with the marking and labeling requirements located in policy and guidance documents. (ECML-1, DoD Instruction 8500.2 Information Assurance (IA) Implementation)
  • All system components must be conspicuously marked with the highest classification level of the system. (§ 8-306, NISPOM - National Industrial Security Program Operating Manual (DoD 5220.22-M) February 26, 2006, February 28, 2006)
  • A medical device manufacturer shall establish and maintain procedures for controlling product labeling, including label integrity (ensuring labels are printed and applied in a way that they will remain readable and affixed during processing, handling, distribution, storage, and use); labeling inspec… (§ 820.120, 21 CFR Part 820, Subchapter H - Medical Devices, Part 820 Quality System Regulation)
  • All hardware items should be labeled with unique identifiers. (Pg 7, FFIEC IT Examination Handbook - Operations, July 2004)
  • Federal Tax Information should be clearly labeled "Federal Tax Information." (§ 5.1, IRS Publication 1075: TAX INFORMATION SECURITY GUIDELINES FOR FEDERAL, STATE AND LOCAL AGENCIES AND ENTITIES; Safeguards for Protecting Federal Tax Returns and Return Information)
  • All labels must have at least one named tag set. The security policy and the restrictions imposed by the protocol that uses the labels determines if multiple named tag sets may be used. Multiple named tag sets may be helpful for maintaining an appropriate degree of protection when data is shared acr… (§ 4.1 ¶ 2, FIPS Pub 188, Standard Security Label for Information Transfer)
  • Information from the system should be examined for appropriate labels in accordance with procedures and policies. An examination should be conducted to ensure the system is configured to label information being processed, in storage, and during transmission. Organizational records and documents shou… (AC-16, AC-16.3, Guide for Assessing the Security Controls in Federal Information Systems, NIST SP 800-53A)
  • The organization should ensure all media is labeled appropriately and a sanitization method has been determined for each type of media. (§ 4.3, Guidelines for Media Sanitization, NIST SP 800-88, September 2006)
  • The organization marks [Assignment: organization-defined information system output devices] indicating the appropriate security marking of the information permitted to be output from the device. (PE-5(3) ¶ 1, Security and Privacy Controls for Federal Information Systems and Organizations, NIST SP 800-53, Revision 4)
  • Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component. (PE-22 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5)
  • Mark [Assignment: organization-defined system hardware components] indicating the impact level or classification level of the information permitted to be processed, stored, or transmitted by the hardware component. (PE-22 Control, Security and Privacy Controls for Information Systems and Organizations, NIST SP 800-53, Revision 5.1.1)