BS ISO IEC 27010-2015 pdf Information technology - Security techniques - Information security management for inter-sector and inter-organizational communications

IEC standards 11-28

8.1.3 Acceptable use of assets

ISO/IEC 27002:2013, control 8.1.3 is augmented as follows:

Implementation guidance

Information provided by other members of an information sharing community is an asset and should be protected, used and disseminated in accordance with any rules set by the information sharing community or by the originator.

8.1.4 Return of assets

No additional information specific to inter-sector or inter-organizational communications.

8.2 Information classification

8.2.1 Classification of information

ISO/IEC 27002:2013, control 8.2.1 is modified as follows:

Control

Information should be classified in terms of legal requirements, value, credibility, priority, criticality and sensitivity to unauthorized disclosure or modification.

Implementation guidance

As well as the criteria given in ISO/IEC 27002:2013, information should be classified in terms of its credibility and priority. Credibility should be assessed in terms of the reputation of its source, technical content, and quality of description. Priority should indicate the need for urgent or immediate action, such as further distribution. Likewise, sensitivity can depend on many aspects of information beyond a need for maintaining its confidentiality, such as the impact of disclosure or potential to compromise the anonymity of its source.

Care should be taken in interpreting classification markings assigned by other members of an information sharing community.

EXAMPLE One well-known email client displays the message "Please treat this as Confidential" when displaying emails where the sensitivity header field has been set to "company confidential" (RFC 4021[1]). It is not clear in this case if the originator intended "company confidential" (and the message has been sent in error) or intended "confidential to you, the recipient".

8.4.1 Information dissemination

Control

Information dissemination within the receiving member should be limited, based on pre-defined dissemination markings defined by the community.

Implementation guidance

Information which has no assigned dissemination marking should be given a default dissemination defined by the information sharing community. If in doubt, or where there is no generally accepted agreement on default dissemination, information should be treated conservatively. If possible, the recipient should request the originator to re-transmit with an explicit dissemination marking.

Dissemination restrictions may include limitations on use such as controlling electronic copy and paste, preventing screen shots being taken, or preventing printing and export.