ISO IEC 17799 2000

TRANSLATED INTO PLAIN ENGLISH

Section 5: Asset Classification and Control


ISO 17799 2000 is now OBSOLETE.
Please see
ISO IEC 17799 2005!

ISO 17799 IS AN INFORMATION SECURITY MANAGEMENT STANDARD

5.1 MAKE INFORMATION ASSET OWNERS ACCOUNTABLE

- Select an owner for each major information asset.
- Make sure that asset owners have been asked to protect their assets.
- Make sure that asset owners have been asked to implement controls.
- Make sure that asset owners have been asked to maintain controls.
- Hold asset owners accountable for the security of information assets.

5.1.1 COMPILE AN INVENTORY OF ALL INFORMATION ASSETS

- Identify all of your information assets.
- Compile an inventory of all information assets.
  - Compile an inventory of all databases and data files.
  - Compile an inventory of all system documentation.
  - Compile an inventory of all user manuals.
  - Compile an inventory of all procedures.
  - Compile an inventory of all training materials.
  - Compile an inventory of all continuity plans.
  - Compile an inventory of all fallback plans.
  - Compile an inventory of all archived information.
- Compile an inventory of all software assets.
  - Compile an inventory of all application software.
  - Compile an inventory of all system software.
  - Compile an inventory of all development tools.
- Compile an inventory of all the physical assets that support your information systems.
  - Compile an inventory of all computer equipment.
  - Compile an inventory of all processors.
  - Compile an inventory of all monitors.
  - Compile an inventory of all laptops.
  - Compile an inventory of all modems.
  - Compile an inventory of all routers.
  - Compile an inventory of all PABXs.
  - Compile an inventory of all telephones.
  - Compile an inventory of all fax machines.
  - Compile an inventory of all answering machines.
  - Compile an inventory of all magnetic media.
  - Compile an inventory of all tapes and disks.
  - Compile an inventory of all power supplies.
  - Compile an inventory of all air conditioning units.
- Compile an inventory of all the services that support your information systems.
  - Compile an inventory of all computing services.
  - Compile an inventory of all communication services.
  - Compile an inventory of all utility services.
- Define levels of protection for your information assets.
- Assign a security classification to all information assets.
- Classify all information assets according to how valuable and important they are to your organization.
- Make sure that your classification system shows who owns each information asset.
- Make sure that your classification system clearly shows where each information asset is located.
- Make sure that you provide a higher level of protection for your most valuable and important information assets.

5.2 USE AN INFORMATION CLASSIFICATION SYSTEM

- Use a classification system to protect information.
- Define a set of security levels for your information.
- Make sure that your classification system specifies how information should be protected and handled at each security level.

5.2.1 DEVELOP INFORMATION CLASSIFICATION GUIDELINES

- Develop guidelines for classifying information.
- Make sure that your classification guidelines allow you to re-classify information when this is found to be necessary.
- Make sure that your information classification system allows you to share information when it should be shared.
- Make sure that your information classification system restricts access to information when it should be restricted.
- Give the responsibility for classifying information to the originator or owner of that information.
- Give the responsibility for reviewing your information classifications to the originator or owner of that information.
- Make sure that your personnel understand how to use your information classification system.
- Make sure that you label information according to how valuable it is.
- Make sure that you label information according to how sensitive it is.
- Make sure that you label information according to how critical it is.
- Classify all information according to how critical or sensitive it is and how much protection it needs.
- Make sure that your most critical or sensitive information receives the highest level of protection and requires special handling.
- Apply your classification system to documents.
- Apply your classification system to data records.
- Apply your classification system to data files.
- Apply your classification system to disks.

5.2.2 USE INFORMATION HANDLING AND LABELING PROCEDURES

- Develop information handling procedures for each of your information security classifications.
  - Develop a copying procedure for each information security classification.
  - Develop a storage procedure for each information security classification.
  - Develop a transmission procedure for each security classification.
  - Develop a snail mail procedure for each security classification.
  - Develop an email procedure for each security classification.
  - Develop a fax procedure for each security classification.
  - Develop a telephone procedure for each security classification.
  - Develop a mobile phone procedure for each security classification.
  - Develop a voice mail procedure for each security classification.
  - Develop an answering machine procedure for each information security classification.
  - Develop a face-to-face communications procedure for each information security classification.
  - Develop an information destruction procedure for each information security classification.
- Develop an output labeling procedure for each information security classification.
  - Make sure that your security labeling procedures expect you to label information according to how valuable it is.
  - Make sure that your security labeling procedures expect you to label information according to how sensitive it is.
  - Make sure that your security labeling procedures expect you to label information according to how critical it is.
  - Make sure that your security labeling procedures tell you how to label physical information assets.
  - Make sure that your security labeling procedures tell you how to label intangible information assets.
  - Make sure that your security labeling procedures tell you how to label reports.
  - Make sure that your security labeling procedures tell you how to label screen displays.
  - Make sure that your security labeling procedures tell you how to label recorded media.
  - Make sure that your security labeling procedures tell you how to label electronic messages.
  - Make sure that your security labeling procedures tell you how to label file transfers.

CONTACT INFORMATION
 
Praxiom Research Group Limited
9619 - 100A Street, Edmonton,
Alberta, T5K 0V7, Canada
Phone: (780)461-4514
Fax: (780)463-6034

info@praxiom.com
 

Copyright © 2005 - 2007 by Praxiom Research Group Limited. All Rights Reserved.

This web page was updated on October 2, 2007

On the Web since May 25, 1997