Time
7 hours 56 minutes
Difficulty
Intermediate
CEU/CPE
8

Video Transcription

00:01
Lesson 11.4
00:03
A.8 Asset management
00:08
In this lesson, we will cover an understanding of control set A.8
00:13
in relation to the ISMS, as well as understanding examples of the controls and documentation required for each.
00:25
A.8 Asset management is made up of three control areas.
00:30
The first control area is 8.1, responsibility for assets.
00:36
The first control in this area
00:39
is 8.1.1,
00:42
inventory of assets.
00:45
This control stipulates that an inventory or a list or a database
00:51
of all of your information assets
00:53
as well as your hardware and software assets, must be maintained.
00:59
It is important to keep the details of these assets
01:04
as well as the owners of the assets.
01:10
You can leverage tools such as your SCCM
01:15
or configuration management databases
01:18
to build these asset lists.
01:23
The next control is 8.1.2,
01:26
ownership of assets.
01:29
As mentioned,
01:30
each asset needs to have a specific owner defined and assigned to that asset.
01:37
That owner can make decisions
01:40
regarding that asset
01:42
and needs to be informed when control changes occur
01:46
regarding that asset.
01:49
The inventory and ownership of assets is an extremely important input into your information security risk management program.
02:00
The next control is 8.1.3,
02:05
the acceptable use of assets.
02:08
If you work in an organization, you are probably familiar with this control,
02:14
as on a periodic basis you are required to read,
02:17
acknowledge and accept your organization's acceptable use policy.
02:23
This acceptable use policy is specific to the assets that are owned by the organization
02:30
but which the organization gives you rights to use for your job responsibilities.
02:36
This policy will stipulate certain Do's and dont's around these assets,
02:40
such as not using your personal work computer
02:45
to browse social media websites
02:47
to use it for other personal work or work outside of your current job,
02:53
or to download movies from torrent sites and so forth.
03:00
The last control in the first control area
03:02
is 8.1.4,
03:06
the return of assets.
03:09
When assets are issued to users within the organization,
03:14
it is important that these assets are returned on a timely basis,
03:19
either when the user is no longer working for the organization
03:23
upon handing in their resignation
03:25
or when the user has changed roles within the organization.
03:30
Assets need to be tracked with whatever user they are assigned to throughout their life cycle
03:37
to help ensure that assets are returned by that user when due.
03:46
The second control area
03:47
is 8.2,
03:50
information classification.
03:53
The first control in this area is 8.2.1,
04:00
the classification of information.
04:02
This control stipulates that your organization should establish a classification scheme and have this formally documented in a classification policy.
04:13
Guidelines around what types of information
04:16
and which classifications should be applied to these different types should be documented and communicated to the relevant staff.
04:25
Your organization
04:27
will most likely already have an existing classification scheme,
04:30
depending on the industry that you fall in, whether you're in government or the private sector.
04:36
But generally the levels look something like
04:40
top secret, secret and public information.
04:46
8.2.2,
04:49
labeling of information assets.
04:54
For each asset or piece of information that is classified,
04:59
an appropriate and corresponding label should be applied.
05:03
This is true for documented information, such as documents that exist in a PDF or Word document,
05:11
as well as, where possible, information within systems and databases.
05:17
8.2.3,
05:19
handling of assets.
05:23
This is the third control in the second control area,
05:26
and the handling of assets control
05:29
stipulates that all assets that are labeled and classified must be handled and protected in line with their classifications.
05:39
This policy should stipulate
05:42
for each classification level of information
05:46
how that information should be handled and protected when it is being worked with,
05:50
transferred or sent,
05:53
as well as when it is stored or disposed of.
06:01
The last control area
06:04
is 8.3, media handling.
06:09
The first control is 8.3.1,
06:13
the management of removable media.
06:16
Removable media
06:18
implies any media that could be used to store information,
06:23
and that is also easily transportable,
06:26
such as flash drives, DVDs,
06:30
external hard drives,
06:31
even your cell phones
06:33
and so forth.
06:35
It is important to establish a policy to govern the management of this removable media.
06:44
It is especially important to ensure that any removable media that is used to transport your highest level of classified information
06:53
is properly equipped and guided to do so securely.
06:58
For example,
07:00
removable media should be
07:01
encrypted,
07:03
appropriately labeled to ensure that only the
07:06
correct level or classification of information is stored on that media
07:13
that media
07:15
is not lost or carelessly left lying around,
07:18
that media is password protected where possible,
07:23
that laptops are hard...
07:25
The hard drives of laptops are encrypted
07:28
to prevent information disclosure due to loss or theft.
07:33
The next control is 8.3.2,
07:39
the disposal of media.
07:42
When an asset reaches end of life,
07:45
any storage media contained within that asset first needs to be appropriately sanitized and have all information stored on that media purged.
07:58
The disposal of media needs to cater for the type of media.
08:03
For example,
08:05
a hard drive would have a different information sanitization procedure
08:11
to a solid-state drive.
08:13
Sometimes the most effective method for ensuring that information cannot be accessed from storage media
08:20
is to destroy the media.
08:24
There will need to be evidence of this process and that this has been
08:28
conducted throughout the period under review. If a third party is used to dispose of media
08:35
and perform the information sanitization,
08:39
robust evidence of this, as well as the controls to ensure that the third party is trustworthy and acting as required,
08:46
must be maintained.
08:48
Disposal of media also extends to your physically printed documents.
08:54
A lot of sensitive information ends up being printed
08:56
and can be left lying around.
09:00
It is important to provide employees with a way to securely dispose of this information
09:05
and ensure that it is shredded.
09:11
The last control pertains to 8.3.3, physical media transfer.
09:20
Sometimes it is required for physical storage media to be transferred.
09:24
Often this media will contain information on it.
09:28
This control requires that a policy and guidelines for the transfer of media be established.
09:35
Security controls must also be established and implemented for this media,
09:41
for example,
09:41
encryption of the media,
09:43
anti-tampering devices around the media
09:46
and chain of custody.
09:58
During this video, we covered the three control areas that make up control set A.8,
10:03
which is asset management.
10:05
We took a look at the different controls
10:09
within this control set,
10:11
looked at some examples of controls
10:13
and also any documentation that would be required to support
10:18
and be used as evidence for these controls.

Up Next

ISO 27001:2013 - Information Security Management Systems

The ISO 27001:2013 - Information Security Management Systems course provides students with insights into the detail and practical understandings meant by the various clauses in the ISO 27001 Standard.

Instructed By

Judy Winn
CISO at NFA Solutions
Instructor