Establish, implement, and maintain classification schemes for all systems and assets.


CONTROL ID
01902
CONTROL TYPE
Establish/Maintain Documentation
CLASSIFICATION
Preventive

SUPPORTING AND SUPPORTED CONTROLS
This Control directly supports the implied Control(s):
  • Establish, implement, and maintain an Asset Management program., CC ID: 06630

This Control has the following implementation support Control(s):
  • Apply security controls to each level of the information classification standard., CC ID: 01903
  • Establish safety classifications for systems according to their potential harmful effects to operators or end users., CC ID: 06603
  • Establish, implement, and maintain the Asset Classification Policy., CC ID: 06642
  • Disseminate and communicate the Asset Classification Policy to interested personnel and affected parties., CC ID: 14851
  • Classify assets according to the Asset Classification Policy., CC ID: 07186


SELECTED AUTHORITY DOCUMENTS COMPLIED WITH
  • The organization shall, when preparing security-related documentation, assign a level of protection for the information in the computer system and provide for appropriate protection of it in the security policy. (O1.4(1), FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions, 7th Edition)
  • Its security/risk classification (Critical components of information security 3 ¶ 2 Bullet 4, Guidelines on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds)
  • Following sanitisation, highly classified non-volatile EPROM and EEPROM media retains its classification. (Security Control: 0358; Revision: 5, Australian Government Information Security Manual, March 2021)
  • System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised. (Control: ISM-1633; Revision: 0, Australian Government Information Security Manual, June 2023)
  • Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification. (Control: ISM-0358; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification. (Control: ISM-0356; Revision: 6, Australian Government Information Security Manual, June 2023)
  • Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time. (Control: ISM-0835; Revision: 4, Australian Government Information Security Manual, June 2023)
  • System owners determine the type, value and security objectives for each system based on an assessment of the impact if it were to be compromised. (Control: ISM-1633; Revision: 0, Australian Government Information Security Manual, September 2023)
  • Following sanitisation, SECRET and TOP SECRET non-volatile EPROM and EEPROM media retains its classification. (Control: ISM-0358; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Following sanitisation, SECRET and TOP SECRET non-volatile magnetic media retains its classification. (Control: ISM-0356; Revision: 6, Australian Government Information Security Manual, September 2023)
  • Following sanitisation, TOP SECRET volatile media retains its classification if it stored static data for an extended period of time, or had data repeatedly stored on or written to the same memory location for an extended period of time. (Control: ISM-0835; Revision: 4, Australian Government Information Security Manual, September 2023)
  • Systems that store, process, and communicate compartmented information or caveated information must be accredited for that level of information. (Control: 0077, Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the cryptographic system hardware. (Control: 0510 Table Row "Sensitivity or classification", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the cryptographic system software. (Control: 0510 Table Row "Sensitivity or classification", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the cryptographic system documentation. (Control: 0510 Table Row "Sensitivity or classification", Australian Government Information Security Manual: Controls)
  • The Key Management Plan should include the classification or sensitivity of the information being protected. (Control: 0510 Table Row "System description", Australian Government Information Security Manual: Controls)
  • The Key Management Plan must have a level of detail that is consistent with the classification or sensitivity of the information being protected. (Control: 0511, Australian Government Information Security Manual: Controls)
  • The organization should classify its Information Technology assets according to criticality and sensitivity. The asset classification method should be determined by the business requirements. (¶ 20, APRA Prudential Practice Guide 234: Management of security risk in information and information technology)
  • As part of sound business continuity management, financial institutions should conduct business impact analysis (BIA) by analysing their exposure to severe business disruptions and assessing their potential impacts (including on confidentiality, integrity and availability), quantitatively and qualit… (3.7.1 78, Final Report EBA Guidelines on ICT and security risk management)
  • As part of the ICT risk management framework referred to in Article 6(1), financial entities shall identify, classify and adequately document all ICT supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their roles and depend… (Art. 8.1., Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011 (Text with EEA relevance))
  • All customer systems are classified according to the agreements (SLA) between the cloud provider and cloud customer regarding the criticality for the rendering of services. The assignment of classifications is reviewed regularly as well as after essential changes/events for all customer systems. Dev… (Section 5.13 SIM-02 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • Work instructions and processes for the implemented classification scheme of information and assets are in place in order to ensure the labeling of information as well as the corresponding handling of assets. This only refers to assets which store or process information. (Section 5.4 AM-06 Basic requirement ¶ 1, Cloud Computing Compliance Controls Catalogue (C5))
  • The organization should identify assets related to the design and use of AI that fall within the scope of the risk management process as defined in 6.3.2. Understanding what assets are within the scope and the relative criticality or value of those assets is integral to assessing the impact. Both th… (§ 6.4.2.2 ¶ 1, ISO/IEC 23894:2023, Information technology — Artificial intelligence — Guidance on risk management)
  • difficulty of controlling the characteristics of IT assets as described in Annex C. (Section 7.5 ¶ 1(a) bullet 2, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall determine the operation processes which are appropriate for the degree of management assurance required with respect to IT asset management. (Section 6.2.1 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization shall ensure that required data about all core IT assets in scope is accurately recorded throughout the life cycle; and that there is documented information for all IT assets as to whether they are authorized or not. (Section 8.3 ¶ 1, ISO/IEC 19770-1, Information technology — IT asset management — Part 1: IT asset management systems — Requirements, Third Edition, 2017-12)
  • The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. (ID.RA-5.3, CRI Profile, v1.2)
  • The organization has established threat modeling capabilities to identify how and why critical assets might be compromised by a threat actor, what level of protection is needed for those critical assets, and what the impact would be if that protection failed. (ID.RA-5.3, Financial Services Sector Cybersecurity Profile, Version 1.0.0)
  • Is the owner of an information asset responsible to appropriately classify information and assets? (§ D.1.3.1, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Are information assets classified? (§ D.2, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • Does the procedure for managing information assets include reclassification? (§ D.2.2.8, Shared Assessments Standardized Information Gathering Questionnaire - D. Asset Management, 7.0)
  • The organization must protect sensitive Medicare data, FTI, and data protected under the Privacy Act as sensitive information under the CMS Level 3 – High Sensitive security designation. (CSR 1.7.1, Pub 100-17 Medicare Business Partners Systems Security, Transmittal 7, Appendix A: CMS Core Security Requirements CSR, March 17, 2006)
  • Agencies shall implement audit and accountability controls to increase the probability of authorized users conforming to a prescribed pattern of behavior. Agencies shall carefully assess the inventory of components that compose their information systems to determine which security controls are appli… (§ 5.4 ¶ 1, Criminal Justice Information Services (CJIS) Security Policy, CJISD-ITS-DOC-08140-5.8, Version 5.8)
  • Uses the classification to determine the sensitivity and criticality of assets. (App A Objective 6.6.c, FFIEC Information Technology Examination Handbook - Information Security, September 2016)
  • Organizations should use the software inventories, technical and business/mission characteristics, and risk response scenarios to assign each asset to a maintenance group. A maintenance group is a set of assets with similar characteristics that generally have the same software maintenance needs for … (3.4 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • Organizations should closely track and monitor all exceptions to maintenance plans. As explained in Section 3.4, maintenance groups should be defined to minimize assets considered "exceptions." However, having some exceptions is inevitable. All exceptions to maintenance plans should be reviewed regu… (3.5.5 ¶ 1, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology, NIST SP 800-40, Revision 4)
  • The organization should establish a security categorization for its information and Information Systems. This should be accomplished as an organization-wide activity with the involvement of senior-level organizational officials. (§ 1.4 ¶ 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • The organization must reconfirm the security categories and the impact levels when an event occurs that triggers the immediate assessment of the information system's security state. (§ 3.4 ¶ 2 Bullet 1, Recommended Security Controls for Federal Information Systems, NIST SP 800-53)
  • Prevent, detect, protect against, or respond to security incidents, identity theft, fraud, harassment, malicious or deceptive activities, or any illegal activity, investigate, report, or prosecute those responsible for any such action, and preserve the integrity or security of systems. (IC 24-15-8-1(a)(7), Indiana Code, Title 24, Article 15, Consumer Data Protection)
  • classification or sensitivity; (§ 500.13 Asset Management and Data Retention Requirements (a)(1)(iii), New York Codes, Rules and Regulations, Title 23, Chapter 1, Part 500 Cybersecurity Requirements for Financial Services Companies, Second Amendment)