This policy provides guidance on determining appropriate controls that must be implemented for information resources, based on the information classification of those resources. This policy also provides standards for handling, labeling, duplicating, distributing, storing, transporting and disposing of sensitive electronic or hard copy media.
Scope: This policy applies specifically to information owners, resource administrators and also contains information to which all Firm personnel must adhere.
Statement: Appropriate security controls must be built into the Firm's information resources. This protection must be commensurate with a resource's value to the Firm, as determined by the results of a formal risk assessment.
Key Points: Information resources must have a designated information owner
Information owners must classify their information resources into one of the following classifications: Internal Use Only, Confidential or Restricted
Information resources must have designated resource administrators who are responsible for implementing, maintaining, monitoring and reviewing information security controls
A formal risk assessment must be performed to determine the security controls required for implementation on information resources
Information resources must undergo an initial risk assessment evaluation and receive a "certification" prior to deployment in a production environment
Information resources must undergo a re-evaluation when specific events have taken place
Specific controls must be followed when handling, labeling, duplicating, distributing, storing, transporting and disposing of sensitive electronic or hard copy media