TISAX: Information security
1.3.2: Classification of information assets

How to fill the requirement


Task name
Priority
Status
Theme
Policy
Other requirements
Personnel guidelines for safe processing of personal and confidential data
Critical
High
Normal
Low
Fully done
Mostly done
Partly done
Not done
Privacy
Processing principles and accountability
27 requirements

This task also fulfils these other security requirements:

29. Processing under the authority of the controller or processor
GDPR
7.2.2: Information security awareness, education and training
ISO27 Full
18.1.4: Privacy and protection of personally identifiable information
ISO27 Full
12.1.1: Documented operating procedures
ISO27 Full
11.2.8: Unattended user equipment
ISO27 Full
1. Task description

The Data Protection Officer (or another responsible person) has drawn up operating instructions for personnel who handle personal data. In addition, the Data Protection Officer is available to advise the controller, personal data processing partners and the organisation's own staff on compliance with the GDPR and other data protection requirements.

Personnel guidelines for reporting security incidents
Incident management
Incident management and response
33 requirements

This task also fulfils these other security requirements:

T06: Management of security incidents
Katakri
24. Responsibility of the controller
GDPR
16.1.3: Reporting information security weaknesses
ISO27 Full
16.1.2: Reporting information security events
ISO27 Full
6.4: Procedures for error and problem situations
Self-monitoring
1. Task description

A process for reporting incidents is maintained to help staff report incidents efficiently and consistently.

Things that should be reported as an incident include, for example:

  • unauthorized access to data / premises
  • action against security guidelines
  • suspected security issue (e.g. phishing, malware infection)
  • data system outage
  • accidental or intentional destruction / alteration of data
  • lost or stolen device
  • compromised password
  • lost physical access token (e.g. key fob, smart card, smart sticker)
  • suspected security weakness (e.g. on utilized data system or other procedures)

The personnel guidelines emphasise the obligation to report security incidents as soon as possible, following the agreed process. The instructions also describe what else to do in the event of an incident (e.g. recording any error messages seen and other relevant details).

Definition of data classifications and class-specific security procedures
Management of data sets
Data classification
27 requirements

This task also fulfils these other security requirements:

T07: Classification of information
Katakri
8.2.1: Classification of information
ISO27 Full
8.2.2: Labelling of information
ISO27 Full
8.2: Information classification
ISO27 Full
8.2.3: Handling of assets
ISO27 Full
1. Task description

Data classification gives everyone who handles data a quick view of how critical it is and how it should be handled and protected.

The data classes in use and the corresponding security levels are defined. The class of a piece of information is determined by analysing its confidentiality, integrity and availability requirements, together with any other requirements that apply to it. Each level is given a clear and descriptive name.

Data classes could be, for example, the following (in increasing order of impact):

  • disclosure of information does not cause harm (PUBLIC)
  • disclosure of information causes slight inconvenience or minor operational annoyance (CONFIDENTIAL)
  • disclosure of information has significant short-term effects on operations or tactical objectives (LIMITED)
  • disclosure of information has serious implications for long-term strategic objectives or jeopardizes the very existence of the organization (PROHIBITED)

CONFIDENTIAL information on paper may require, for example, the following protections:

  • Locked cabinet
  • Trusted transfer partner
  • Sealed envelopes
  • Safe disposal process

CONFIDENTIAL electronic information may require, for example, the following protections:

  • Encryption at the level selected for the class
  • Password protection
  • Safe disposal process
  • More limited access rights

Documentation of data classes for data sets
Management of data sets
Data classification
19 requirements

This task also fulfils these other security requirements:

T07: Classification of information
Katakri
8.2.1: Classification of information
ISO27 Full
18.1.3: Protection of records
ISO27 Full
ID.AM-5: Resource prioritization
NIST
HAL-04.2: Assets to be protected - classification
Julkri
1. Task description

The dataset owners (or the owners of the related information asset, such as a data store or data system) are responsible for classifying their datasets and for ensuring that each classification matches the class definitions.

The owner updates the classification over the life cycle of the asset as its value, sensitivity and criticality change.

Personnel guidelines for file usage and local data
Management of data sets
Management of data sets
11 requirements

This task also fulfils these other security requirements:

7.2.2: Information security awareness, education and training
ISO27 Full
11.2.9: Clear desk and clear screen policy
ISO27 Full
6.6.4: Security of physical premises, equipment and printouts
Self-monitoring
FYY-04: Storage of information
Julkri
5.10: Acceptable use of information and other associated assets
ISO27k1 Full
1. Task description

Especially when the nature of the work requires a lot of handling of local or unstructured data, it may be necessary to develop training that describes the associated risks to staff.

Common problems with local and unstructured data include, for example:

  • no backups
  • no access management
  • hard to locate

For data you do not want to lose, want to keep under control, or need to find again later, staff should use the data systems designed for that purpose.

Personnel guidelines for safe disposal of paper data
Physical security
Non-electronic data and copies
15 requirements

This task also fulfils these other security requirements:

I17: Reproduction of classified information - Printing and copying
Katakri
8.3.2: Disposal of media
ISO27 Full
6.6.4: Security of physical premises, equipment and printouts
Self-monitoring
A.11.7: Secure disposal of hardcopy materials
ISO 27018
PR.DS-3: Asset management
NIST
1. Task description

Papers containing sensitive information must be disposed of in the agreed manner, for example by shredding or incineration.

Process and instructions for personnel on the secure destruction of confidential electronic information
Management of data sets
Removable media
2 requirements

This task also fulfils these other security requirements:

TEK-21: Destruction of information in electronic form
Julkri
1.3.2: Classification of information assets
TISAX
1. Task description

The organisation must take its personnel into account in its processes for the secure destruction of confidential information. The organisation must provide personnel with one unambiguous method for destroying data and instruct the relevant personnel in using it.

Definitions and instructions on information classifications
Management of data sets
Data classification
8 requirements

This task also fulfils these other security requirements:

8.2.1: Classification of information
ISO27 Full
8.2.2: Labelling of information
ISO27 Full
12.1.1: Documented operating procedures
ISO27 Full
HAL-04.4: Assets to be protected - labelling
Julkri
5.13: Labelling of information
ISO27k1 Full
1. Task description

The ways in which information is classified and the classifications are marked are defined; the markings are easily identifiable and cover both physical and electronic information and assets. The marking must indicate the extent to which the document is to be kept secret and the basis for that secrecy. Personnel are instructed on how to apply the markings.

Process for secure disposal of removable media containing confidential information
Management of data sets
Removable media
14 requirements

This task also fulfils these other security requirements:

8.3.2: Disposal of media
ISO27 Full
A.11.7: Secure disposal of hardcopy materials
ISO 27018
11.2.7: Secure disposal or re-use of equipment
ISO27 Full
PR.DS-3: Asset management
NIST
PR.IP-6: Data destruction
NIST
1. Task description

Media that are no longer needed should be disposed of in a safe, industry-accepted manner (such as incineration, shredding or wiping) in accordance with formal procedures. Media that require safe disposal must be clearly marked.

Data destroyed in accordance with the process must not be recoverable, even by forensic means.
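As an added example of the check a practitioner would want behind "not recoverable" (this is not code from the original page or from the tool it documents), the POSIX shell script below overwrites a file-backed sample image in place and then verifies that the original content is gone and that the size is unchanged. The marker string, the file layout and the function names are constructed for illustration. The caveat a file-level overwrite cannot cover: journaling or copy-on-write filesystems, snapshots and the wear-levelling in flash media (SSDs, USB sticks, memory cards) can retain older copies that rewriting a file never touches, so for physical media the process should rely on the device's built-in secure-erase or sanitize function, or on physical destruction, with verification done against the whole device rather than a single file.

```shell
#!/bin/sh
# Added example, not from the original page: overwrite a file-backed sample
# "medium" and verify the original content is gone before the file is released.
# Assumes a POSIX shell with dd, head, grep, wc, tr, mktemp and sync available.
# Function and variable names are illustrative.
set -eu

MARKER="CONFIDENTIAL-RECORD-0001"   # constructed sample content to look for

# Build a small sample image with the marker surrounded by zero blocks
# (constructed test data standing in for a media image).
make_sample_image() {
    img=$(mktemp)
    { dd if=/dev/zero bs=1024 count=4 2>/dev/null
      printf '%s' "$MARKER"
      dd if=/dev/zero bs=1024 count=4 2>/dev/null; } > "$img"
    printf '%s' "$img"
}

# Overwrite every byte in place (conv=notrunc keeps the size), first with
# random data and then with zeros, syncing after each pass so the check below
# reads what was actually written rather than a cached copy.
wipe_image() {
    img=$1
    size=$(wc -c < "$img" | tr -d ' ')
    head -c "$size" /dev/urandom | dd of="$img" conv=notrunc 2>/dev/null
    sync
    head -c "$size" /dev/zero | dd of="$img" conv=notrunc 2>/dev/null
    sync
}

# Verification: size unchanged (a truncated file would pass grep while its old
# blocks stay on disk) and the marker no longer present anywhere in the image.
verify_wiped() {
    img=$1
    expected_size=$2
    [ "$(wc -c < "$img" | tr -d ' ')" -eq "$expected_size" ] || return 1
    ! grep -a -q -- "$MARKER" "$img"
}

# End-to-end check: returns 0 only if the marker was present before the wipe
# and absent after it, with the image size preserved.
wipe_and_check() {
    img=$(make_sample_image)
    size=$(wc -c < "$img" | tr -d ' ')
    if ! grep -a -q -- "$MARKER" "$img"; then
        rm -f "$img"
        return 2
    fi
    wipe_image "$img"
    if verify_wiped "$img" "$size"; then
        rm -f "$img"
        return 0
    fi
    rm -f "$img"
    return 1
}

# Run the check when executed directly; the exit status reports the result.
wipe_and_check
```

The two-pass overwrite is not a claim that two passes are what any standard requires; it is there to show that the verification step is independent of how the wipe was done. The point to carry into a real procedure is the verification itself: read the medium back after destruction and confirm that known content is absent, rather than trusting the wipe command's own exit status.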

Marking of equipment that needs safe disposal
Management of data sets
Data classification
7 requirements

This task also fulfils these other security requirements:

8.2.2: Labelling of information
ISO27 Full
8.3.2: Disposal of media
ISO27 Full
TEK-21: Destruction of information in electronic form
Julkri
5.13: Labelling of information
ISO27k1 Full
CC6.5: Discontinuation of logical and physical protections when no longer required
SOC 2
1. Task description

There are agreed procedures for identifying and marking media that require safe disposal.
