Oh no! No description found. But not to worry. Read from Tasks below how to advance this topic.
Information that the organization stores and uses shall be identified.
Guidance
- Start by listing all the types of information your business stores or uses. Define “information type” in any useful way that makes sense to your business. You may want to have your employees make a list of all the information they use in their regular activities. List everything you can think of, but you do not need to be too specific. For example, you may keep customer names and email addresses, receipts for raw material, your banking information, or other proprietary information.
- Consider mapping this information with the associated assets identified in the inventories of physical devices, systems, software platforms and applications used within the organization (see ID.AM-1 &ID.AM-2).
All connections within the organization's ICT/OT environment, and to other organization internal platforms shall be mapped, documented, approved, and updated as appropriate.
Guidance
- Connection information includes, for example, the interface characteristics, data characteristics, ports,
protocols, addresses, description of the data, security requirements, and the nature of the connection.
- Configuration management can be used as supporting asset.
- This documentation should not be stored only on the network it represents.
- Consider keeping a copy of this documentation in a safe offline environment (e.g. offline hard disk,paper hardcopy, …).
The information flows/data flows within the organization’s ICT/OT environment, as well as to other organization-internal systems shall be mapped, documented, authorized, and updated when changes occur.
Guidance
- With knowledge of the information/data flows within a system and between systems, it is possible to determine where information can and cannot go.
- Consider:
- Enforcing controls restricting connections to only authorized interfaces.
- Heightening system monitoring activity whenever there is an indication of increased risk to organization's critical operations and assets.
- Protecting the system from information leakage due to electromagnetic signals emanations.
Information that the organization stores and uses shall be identified.
Guidance
- Start by listing all the types of information your business stores or uses. Define “information type” in any useful way that makes sense to your business. You may want to have your employees make a list of all the information they use in their regular activities. List everything you can think of, but you do not need to be too specific. For example, you may keep customer names and email addresses, receipts for raw material, your banking information, or other proprietary information.
- Consider mapping this information with the associated assets identified in the inventories of physical devices, systems, software platforms and applications used within the organization (see ID.AM-1 &ID.AM-2).
All connections within the organization's ICT/OT environment, and to other organization internal platforms shall be mapped, documented, approved, and updated as appropriate.
Guidance
- Connection information includes, for example, the interface characteristics, data characteristics, ports,
protocols, addresses, description of the data, security requirements, and the nature of the connection.
- Configuration management can be used as supporting asset.
- This documentation should not be stored only on the network it represents.
- Consider keeping a copy of this documentation in a safe offline environment (e.g. offline hard disk,paper hardcopy, …).
The information flows/data flows within the organization’s ICT/OT environment, as well as to other organization-internal systems shall be mapped, documented, authorized, and updated when changes occur.
Guidance
- With knowledge of the information/data flows within a system and between systems, it is possible to determine where information can and cannot go.
- Consider:
- Enforcing controls restricting connections to only authorized interfaces.
- Heightening system monitoring activity whenever there is an indication of increased risk to organization's critical operations and assets.
- Protecting the system from information leakage due to electromagnetic signals emanations.
In Cyberday, requirements and controls are mapped to universal tasks. A set of tasks in the same topic create a Policy, such as this one.
In Cyberday, requirements and controls are mapped to universal tasks. Each requirement is fulfilled with one or multiple tasks.
When building an ISMS, it's important to understand the different levels of information hierarchy. Here's how Cyberday is structured.
Sets the overall compliance standard or regulation your organization needs to follow.
.svg)
.svg)
.svg)
Break down the framework into specific obligations that must be met.
.svg)
Concrete actions and activities your team carries out to satisfy each requirement.
Documented rules and practices that are created and maintained as a result of completing tasks.
