Data and privacy
CONTROL
STATUS
Classification of information
Information should be categorized based on legal needs, its importance, critical nature, and vulnerability to unauthorized disclosure or modification.
Labelling of information
An appropriate set of procedures for labeling information must be created and implemented according to the organization’s classification scheme.
Handling of assets
Procedures for asset handling should be developed and enforced in line with the organization’s classification scheme.
Management of removable media
Procedures for managing removable media should be implemented following the classification scheme adopted by the organization.
Disposal of media
When no longer needed, media should be disposed of securely using formal procedures.
Physical media transfer
During transportation, media containing information must be protected against unauthorized access, misuse, or corruption.
Information transfer policies
Formal policies, procedures, and controls should be established to secure the transfer of information through all communication channels.
Agreements on information transfer
Agreements should ensure the secure transfer of business information between the organization and external parties.
Protection of records
Records must be protected from loss, destruction, falsification, unauthorized access, and release, in compliance with legal, regulatory, contractual, and business requirements.
Privacy and protection of personally identifiable information
Privacy and protection of personally identifiable information must be guaranteed as required by relevant laws and regulations.
