Control objective: to achieve and maintain appropriate protection of organizational assets.
7.1 Responsibility for Assets
7.1.1 Inventory of assets
All information assets are clearly identified, and an inventory of all important assets has been drawn up and is maintained in line with the requirements of DOC 7.1.
7.1.2 Ownership of assets
All assets associated with the information systems or services are ‘owned’ by a designated individual or part of the Organisation, and details of the Owner are identified on the asset inventory in line with DOC 7.1.
7.1.3 Acceptable use of assets
Rules for the acceptable use of information and assets associated with information processing facilities have been identified, documented and implemented.
7.1.3.1 The Civil Service Bureau, which ultimately reports to the Director General of IT, is responsible for ensuring that all users sign User Agreements (see sub section 11.2), which set out requirements for acceptable use of information assets and in which they also explicitly accept the Organisation’s Internet Acceptable Use Policy (DOC 7.2).
7.1.3.2 In these User Agreements (see sub section 11.2), users also explicitly accept the Organisation’s Rules for Use of E-mail (DOC 7.3).
7.1.3.3 The Information Security Manager is responsible for monitoring compliance, as set out in Work Instruction DOC 7.4, with the AUP as set out in 5.1.1 of this manual.
7.1.3.4 Guidelines for the use of mobile devices are included in the ‘mobile on the road’ annex to the User Agreement (see sub sections 11.2 and 11.7) for users issued with such devices.
7.2 Information Classification
Control objective: to ensure that information receives an appropriate level of protection.
7.2.1 Classification guidelines
Information has been classified in terms of value, legal requirements, sensitivity and criticality to the Organisation.
7.2.1.1 The Organisation has developed guidelines for information classification. The guidelines are suited to business needs (including legality, value, sensitivity and criticality) to both restrict and share information, and to the business impacts associated with those needs. They are contained in DOC 7.6.
7.2.2 Information labelling and handling
An appropriate set of procedures for information labelling and handling has been developed in accordance with the classification scheme adopted by the Organisation, and this is set out in DOC 7.6.
Adlin Hisyamuddin
Information Security Manager
____________________________
On:
08 November, 2007
____________________________
Change history
Issue 1 08 November, 2007 Initial issue