|
|
| (2 intermediate revisions by the same user not shown) |
| Line 1: |
Line 1: |
| =='''Sample Information Labeling Standard'''== | | ==Sample Asset Information Labeling Standard== |
| <br>
| | This Information Labeling Standard builds on the objectives established in the [[Sample_Asset_Identification_and_Classification_Policy:|Asset Identification and Classification Policy]], and provides specific instructions and requirements for handling information assets. These instructions address handling requirements for printed, electronically stored, and electronically transmitted information. |
| The '''<Your Company Name>''' (the "Company") [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']] defines objectives for establishing specific standards on the identification, classification, and labeling of Company information assets.<br>
| | |
| <br>
| | ==Objectives== |
| This Information Labeling Standard builds on the objectives established in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']], and provides specific instructions and requirements for labeling information assets. These instructions address labeling requirements for printed and electronically stored information.<br> | |
| <br>
| |
| =='''I. Scope'''== | |
| <br>
| |
| All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br> | | All employees, contractors, part-time and temporary workers, and those employed by others to perform work on Company premises, or who have been granted access to Company information or systems, are covered by this standard and must comply with associated guidelines and procedures.<br> |
| <br> | | <br> |
| '''Information assets''' are defined in the [[Sample Asset Identification and Classification Policy:|'''Sample Asset Identification and Classification Policy''']].<br>
| | All Restricted, Confidential, and Internal Use Only information must be labeled or marked with the appropriate information classification designation. Such markings must appear on all manifestations of the information. Specific instructions and requirements for labeling information assets are provided in the [[Sample_Information_Labeling_Standard:|Sample Information Labeling Standard]].<br> |
| <br>
| |
| '''Confidentiality/privacy''' classifications are defined in the [[Sample Information Classification Standard:|'''Sample Information Classification Standard''']].<br>
| |
| <br>
| |
| '''Exchangeable media''' refers to diskettes, tapes, removable hard drives, compact disks, etc.<br>
| |
| <br>
| |
| '''Sensitive information''' refers to information that has been classified as Restricted, Confidential, or Internal Use Only.<br>
| |
| <br>
| |
| =='''II. Requirements'''==
| |
| <br>
| |
| :A. Printed Information<br>
| |
| <br>
| |
| ::All printed sensitive information must be appropriately labeled or marked to indicate its confidentiality classification.<br>
| |
| <br>
| |
| ::The appropriate labels for cover/title pages and headers or footers are provided in the following table:<br>
| |
| <br>
| |
| <blockquote style="background: white; border: 1px solid black; padding: 1em;">
| |
| <table border="1">
| |
| <tr><td>'''Confidentiality Classification'''</td><td>'''Cover/Title Page Label'''</td><td>'''Header or Footer Label (each page)'''</td></tr>
| |
| <tr><td>'''Restricted'''</td><td></td><td></td></tr>
| |
| <tr><td>'''Confidential'''</td><td></td><td></td></tr>
| |
| <tr><td>'''Internal Use Only'''</td><td></td><td></td></tr>
| |
| </table>
| |
| </blockquote>
| |
| <br>
| |
| :B. Electronically Stored Information<br>
| |
| <br>
| |
| ::All exchangeable media that stores sensitive information must be appropriately labeled or marked to indicate its confidentiality classification.<br>
| |
| <br>
| |
| ::The appropriate external and electronic labels are provided in the following table:<br>
| |
| <br>
| |
| <blockquote style="background: white; border: 1px solid black; padding: 1em;">
| |
| <table border="1">
| |
| <tr><td>'''Confidentiality Classification'''</td><td>'''External Label'''</td><td>'''Electronic Label (if available)'''</td></tr>
| |
| <tr><td>'''Restricted'''</td><td></td><td></td></tr>
| |
| <tr><td>'''Confidential'''</td><td></td><td></td></tr>
| |
| <tr><td>'''Internal Use Only'''</td><td></td><td></td></tr>
| |
| </table>
| |
| </blockquote>
| |
| <br>
| |
| =='''III. Responsibilities'''==
| |
| <br>
| |
| The Chief Information Security Officer (CISO) approves the Information Labeling Standard. The CISO also is responsible for the development, implementation, and maintenance of the Information Labeling Standard.<br>
| |
| <br>
| |
| Legal counsel is responsible for informing company management about data labeling requirements generated by legislation, regulations, or contractual agreements, and ensuring that those requirements are covered by the Information Labeling Standard and associated procedures.<br>
| |
| <br>
| |
| Company management, including senior management and department managers, is accountable for ensuring that the Information Labeling Standard is properly communicated and understood within their respective organizational units. Company management also is responsible for defining, approving and implementing procedures in its organizational units and ensuring their consistency with the Information Labeling Standard.<br>
| |
| <br>
| |
| Asset Owners (Owners) are the managers of organizational units that have primary responsibility for information assets associated with their functional authority. When Owners are not clearly implied by organizational design, the CIO will make the designation. Owners are responsible for ensuring the proper labeling of sensitive information, and ensuring the information labeling requirements for electronically stored and printed information are properly communicated and understood by the Custodians and Users.<br>
| |
| <br>
| |
| Asset Custodians (Custodians) are the managers, administrators, and those designated by the Owner to manage, process, or store information assets. Custodians are responsible for understanding the information classifications and labeling requirements; applying the necessary controls, in accordance with the [[Sample Asset Protection Policy:|'''Sample Asset Protection Policy''']], to maintain and conserve the established information labels; and contacting the Owner when sensitive information is unmarked or labeled improperly.<br>
| |
| <br>
| |
| Users are the individuals, groups, or organizations authorized by the Owner to access information assets. Users are responsible for familiarizing themselves with the Information Labeling Standard and associated guidelines and procedures; maintaining and conserving the established information classification and labeling; and contacting the Owner when sensitive information is unmarked or labeled improperly.<br>
| |
| <br>
| |
| =='''IV. Enforcement and Exception Handling'''==
| |
| <br>
| |
| Failure to comply with the Information Labeling Standard and associated guidelines and procedures can result in disciplinary actions up to and including termination of employment for employees or termination of contracts for contractors, partners, consultants, and other entities. Legal actions also may be taken for violations of applicable regulations and laws.<br>
| |
| <br>
| |
| Requests for exceptions to the Information Labeling Standard should be submitted to <Insert Title> in accordance with the Information Security Standards Exception Procedure. Prior to official management approval of any exception request, the individuals, groups, or organizations identified in the scope of this standard will continue to observe the Information Labeling Standard.<br>
| |
| <br>
| |
| =='''V. Review and Revision'''==
| |
| <br>
| |
| The Information Labeling Standard will be reviewed and revised in accordance with the [[Sample Information Security Program Charter:|'''Sample Information Security Program Charter''']].<br>
| |
| <br>
| |
| Approved: _______________________________________________________<br>
| |
| <br>
| |
| ::Signature<br>
| |
| <br>
| |
| ::<Insert Name><br>
| |
| <br> | | <br> |
| ::Chief Information Security Officer<br> | | |
| | ==Document Examples== |
| | Use these samples as a guide for your policy development. Fully customizable versions are available from [http://policy-machine.com The Policy Machine].<br> |
| <br> | | <br> |
| | <gallery> |
| | Image:Asset Information Labeling Standard.png|Asset Information Labeling Standard page one of six. |
| | Image:Asset Information Labeling Standard(1).png|Asset Information Labeling Standard page two of six. |
| | Image:Asset Information Labeling Standard(2).png|Asset Information Labeling Standard page three of six. |
| | Image:Asset Information Labeling Standard(3).png|Asset Information Labeling Standard page four of six. |
| | Image:Asset Information Labeling Standard(4).png|Asset Information Labeling Standard page five of six. |
| | Image:Asset Information Labeling Standard(5).png|Asset Information Labeling Standard page six of six. |
| | </gallery> |
.png){kind=link}
.png){kind=link}
.png){kind=link}
.png){kind=link}
.png){kind=link}