Information that the organization stores and uses shall be identified.
Guidance
- Start by listing all the types of information your business stores or uses. Define “information type” in any useful way that makes sense to your business. You may want to have your employees make a list of all the information they use in their regular activities. List everything you can think of, but you do not need to be too specific. For example, you may keep customer names and email addresses, receipts for raw material, your banking information, or other proprietary information.
- Consider mapping this information with the associated assets identified in the inventories of physical devices, systems, software platforms and applications used within the organization (see ID.AM-1 &ID.AM-2).
All connections within the organization's ICT/OT environment, and to other organization internal platforms shall be mapped, documented, approved, and updated as appropriate.
Guidance
- Connection information includes, for example, the interface characteristics, data characteristics, ports,
protocols, addresses, description of the data, security requirements, and the nature of the connection.
- Configuration management can be used as supporting asset.
- This documentation should not be stored only on the network it represents.
- Consider keeping a copy of this documentation in a safe offline environment (e.g. offline hard disk,paper hardcopy, …).
The information flows/data flows within the organization’s ICT/OT environment, as well as to other organization-internal systems shall be mapped, documented, authorized, and updated when changes occur.
Guidance
- With knowledge of the information/data flows within a system and between systems, it is possible to determine where information can and cannot go.
- Consider:
- Enforcing controls restricting connections to only authorized interfaces.
- Heightening system monitoring activity whenever there is an indication of increased risk to organization's critical operations and assets.
- Protecting the system from information leakage due to electromagnetic signals emanations.
Organisation must maintain a listing of used data systems and their owners. Owner is responsible for completing the related documentation and possible other security actions directly related to the data system.
Data system documentation must include at least:
The organization shall maintain a list of data sets contained in the data stores it manages.
The documentation shall include at least the following information:
Organisation must maintain a listing of controlled data stores and their owners. Owner is responsible for completing the documentation and other possible security actions directly related to the data store.
Data store documentation must include at least:
The organization must have measures and operating methods for the safe storage of incoming information, information being processed and outgoing information. Storage should take into account:
All stored information must be protected against theft, modification and destruction or any other event that affects their confidentiality, integrity or availability.
The organization must describe the administrative flows of communications. The description of administrative data flows complements the description of integrations between systems.
The organization maintains documentation of interfaces and other connections between data system and the data transmission methods used in the interfaces.
The documentation concerning the interfaces shall be reviewed regularly and after significant changes to data systems.
In Cyberday, all frameworks’ requirements are mapped into universal tasks, so you achieve multi-framework compliance effortlessly.
.png)
Elevate Your Knowledge with Exclusive Access to Weekly Webinars, Video Courses, Help Articles, and Blogs.
