Sample Information Handling Standard

From HORSE - Holistic Operational Readiness Security Evaluation.
==Sample Information Handling Standard==
<br>
The '''<Your Company Name>''' (the "Company") [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']] defines objectives for establishing specific standards for protecting the confidentiality, integrity, and availability of Company information assets.<br>
 
<br>
==Objectives==
This Information Handling Standard builds on the objectives established in the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']], and provides specific instructions and requirements for handling information assets. These instructions address handling requirements for printed, electronically stored, and electronically transmitted information.<br>
<br>
=='''I. Scope'''==
<br>
All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br>
<br>
'''Confidentiality classifications''' are defined in the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
<br>
'''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
<br>
'''Exchangeable media''' (referred to as removable media in the handling tables below) refers to diskettes, tapes, removable hard drives, compact disks, and similar portable storage.<br>
<br>
=='''II. Requirements'''==
<br>
:'''A. Printed Information'''<br>
<br>
:1. All printed information shall be handled based on its confidentiality classification. A description of handling requirements for each confidentiality classification category is provided in the following table:<br>
<br>
<blockquote>
<table>
<tr><th></th><th>Restricted</th><th>Confidential</th><th>Internal Use Only</th><th>Public</th></tr>
<tr><td>Labeling</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Intra-Company or Office Mail</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Duplication</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Mailing of Documents</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Disposal</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Storage</td><td></td><td></td><td></td><td></td></tr>
</table>
</blockquote>
<br>
:'''B. Electronically Stored Information'''<br>
<br>
:1. All electronically stored information shall be handled based on its confidentiality classification. A description of handling requirements for each confidentiality classification category is provided in the following table:<br>
<br>
<blockquote>
<table>
<tr><th></th><th>Restricted</th><th>Confidential</th><th>Internal Use Only</th><th>Public</th></tr>
<tr><td>Labeling (application or screen)</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Labeling (electronic media)</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Stored on fixed media with access controls</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Stored on fixed media without access controls</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Storage on removable media</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Disposal of electronic media</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Disposal of information</td><td></td><td></td><td></td><td></td></tr>
</table>
</blockquote>
<br>
:'''C. Electronically Transmitted Information'''<br>
<br>
:1. All electronically transmitted information shall be handled based on its confidentiality classification. A description of handling requirements for each confidentiality classification category is provided in the following table:<br>
<br>
<blockquote>
<table>
<tr><th></th><th>Restricted</th><th>Confidential</th><th>Internal Use Only</th><th>Public</th></tr>
<tr><td>Local Area Network</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Wide Area Network</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Non-Secure/Public Networks</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Electronic Mail</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Fax</td><td></td><td></td><td></td><td></td></tr>
<tr><td>Voice-Mail</td><td></td><td></td><td></td><td></td></tr>
</table>
</blockquote>
<br>
=='''III. Responsibilities'''==
<br>
The Chief Information Security Officer (CISO) approves the Information Handling Standard. The CISO also is responsible for ensuring the development, implementation, and maintenance of the Information Handling Standard.<br>
<br>
Company management, including senior management and department managers, is accountable for ensuring that the Information Handling Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Information Handling Standard.<br>
<br>
Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for ensuring that the Information Handling Standard is properly communicated and understood within their respective organizational units, as well as for defining, approving and implementing procedures in those units and ensuring their consistency with the Information Handling Standard.<br>
<br>
Asset Custodians (Custodians) are the managers, administrators and those designated by the Owner to manage, process or store information assets. Custodians are responsible for providing a secure processing environment that protects the confidentiality, integrity, and availability of information and for coordinating with administrators to ensure proper handling of information during processing and storage.<br>
<br>
Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with and complying with the Information Handling Standard and associated guidelines, and for handling information in a manner that is consistent with the Information Handling Standard.<br>
<br>
=='''IV. Enforcement and Exception Handling'''==
<br>
Failure to comply with the Information Handling Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
<br>
Requests for exceptions to the Information Handling Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Information Handling Standard.<br>
<br>
=='''V. Review and Revision'''==
<br>
The Information Handling Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
<br>
Approved: _______________________________________________________<br>
<br>
::Signature<br>
<br>
::<Insert Name><br>
<br>
::Chief Information Security Officer<br>
<br>

==Document Examples==
Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br>
<br>
Latest revision as of 18:18, 23 January 2014