Beruflich Dokumente
Kultur Dokumente
Document Classification:
Document Ref. DOC-A08-4
Version: 1
Dated: 13 June 2019
Document Author: QHSE Department
Document Owner: QHSE Department
Asset Handling Procedure
Revision History
Distribution
Approval
Contents
1 INTRODUCTION ..................................................................................................................................... 4
2 ASSET HANDLING PROCEDURE ...................................................................................................... 6
2.1 LEVEL 0 – PUBLIC (OR UNCLASSIFIED) .................................................................................................... 6
2.1.1 Secure Processing ........................................................................................................................... 6
2.1.2 Storage ............................................................................................................................................ 6
2.1.3 Transmission .................................................................................................................................. 6
2.1.4 Declassification ............................................................................................................................... 6
2.1.5 Destruction ..................................................................................................................................... 6
2.1.6 Chain of Custody ............................................................................................................................ 7
2.1.7 Logging of Security-related Events ................................................................................................ 7
2.2 LEVEL 1 - PROTECTED .............................................................................................................................. 7
2.2.1 Secure Processing ........................................................................................................................... 7
2.2.2 Storage ............................................................................................................................................ 7
2.2.3 Transmission .................................................................................................................................. 7
2.2.4 Declassification ............................................................................................................................... 8
2.2.5 Destruction ..................................................................................................................................... 8
2.2.6 Chain of Custody ............................................................................................................................ 8
2.2.7 Logging of Security-related Events ................................................................................................ 8
2.3 LEVEL 2 - RESTRICTED ............................................................................................................................. 8
2.3.1 Secure Processing ........................................................................................................................... 8
2.3.2 Storage ............................................................................................................................................ 8
2.3.3 Transmission .................................................................................................................................. 9
2.3.4 Declassification ............................................................................................................................... 9
2.3.5 Destruction ..................................................................................................................................... 9
2.3.6 Chain of Custody ............................................................................................................................ 9
2.3.7 Logging of Security-related Events ................................................................................................ 9
2.4 LEVEL 3 - CONFIDENTIAL ........................................................................................................................ 9
2.4.1 Secure Processing ........................................................................................................................... 9
2.4.2 Storage .......................................................................................................................................... 10
2.4.3 Transmission ................................................................................................................................ 10
2.4.4 Declassification ............................................................................................................................. 10
2.4.5 Destruction ................................................................................................................................... 10
2.4.6 Chain of Custody .......................................................................................................................... 10
2.4.7 Logging of Security-related Events .............................................................................................. 11
3 CONCLUSION ........................................................................................................................................ 12
1 Introduction
The purpose of this document is to set out the specific controls that must be used
when handling information of a particular classification. For details of the criteria for
classifying information assets, please see the Information Classification Procedure.
Classified information must not be disclosed to any other person or organization via
any insecure method including, but not limited, to the following:
This control applies to all systems, people and processes that constitute the
organization’s information systems, including board members, directors, employees,
suppliers and other third parties who have access to
For each security classification level, a set of handling controls must be in place to
ensure that the information asset involved is appropriately protected at all times.
The following sections set out the main procedural components of these controls.
In general, there are no specific controls that must be placed on the processing of
such information although in should be borne in mind that items such as headed
stationery and their electronic equivalents should not be made freely available.
2.1.2 Storage
2.1.3 Transmission
2.1.4 Declassification
2.1.5 Destruction
Information falling within the Level 0 classification may be disposed of via normal
waste routes without need for controls such as shredding. Where possible, items
should be recycled.
2.2.2 Storage
2.2.3 Transmission
2.2.4 Declassification
Level 1 information may be declassified to “Public” with the permission of the asset
owner at which time the controls specified in section 2.1 above will apply.
2.2.5 Destruction
No specific controls are placed on the chain of custody for Level 1 information
although reasonable precautions should be taken to ensure that it stays within the
organization at all times.
Incidents where Level 1 information has been compromised should be recorded and
investigated in accordance with the organization’s security incident management
procedures.
2.3.2 Storage
2.3.3 Transmission
Restricted information may not be sent in the clear over unencrypted connections
and the use of file encryption is mandatory for items such as email attachments.
2.3.4 Declassification
2.3.5 Destruction
The chain of custody for Level 2 information should be clearly defined and tracked
via formal handovers including signatures for acceptance.
Information at this level of classification will be subject to very strict access controls
involving both physical security and authorised use logon with additional security
measures in place. Access will not be granted in public areas and output such as
printouts must be to areas where only those organization staff who are authorised to
the information asset can reach it.
2.4.2 Storage
2.4.3 Transmission
Level 3 information must not be sent in the clear over unencrypted connections and
the use of file encryption is mandatory for items such as email attachments
(although the use of email is to be discouraged).
2.4.4 Declassification
2.4.5 Destruction
The chain of custody for Level 3 information should be clearly defined and tracked
via formal handovers including signatures for acceptance. Where possible, copies of
the information should be numbered and its possession tracked at all times.
3 Conclusion
It is important that this procedure is followed in all cases so that the organization’s
assets are adequately protected in line with the appropriate classification.
The controls described in this procedure must be followed throughout the lifecycle
of information assets, including where they are transferred to third parties. Proper
handling of assets is fundamental to the correct operation of the ISMS and without it
many of the other controls that are in place will not be effective.
All employees and third parties who will come into contact with the organization’s
information assets must be aware of this procedure and the necessary arrangements
it specifies.