Annex A 5.13 - Labelling of Information

Description

Title of Control: Labelling of Information

Introduction (what is it?): This control highlights the importance of developing and implementing procedures for labelling information based on the organization's information classification scheme. Labelling ensures that the classification of information is communicated effectively, aids in automating information processing, and supports proper information management.

What is the purpose of it? The purpose of this control is to establish clear procedures for labelling information and other associated assets in accordance with the organization's information classification scheme. By accurately labelling information, the organization can effectively communicate its classification, support automation processes, and ensure consistent handling of sensitive data.

What are the benefits of meeting these requirements? Meeting these requirements offers several benefits:

• Effective Communication: Labelling enables quick recognition of the classification of information, aiding personnel in understanding how to handle and protect it appropriately.

• Automation: Proper labelling facilitates automated processing and management of information based on its classification, enhancing efficiency and accuracy.

• Consistency: Labelling procedures ensure consistent application of classification labels across various formats and storage media.

• Metadata Utilization: Labelling using metadata supports search, control, and decision-making processes, especially for digital information.

• Information Sharing: Labelling enhances information sharing by clearly indicating its sensitivity and classification, aiding in proper dissemination.

How difficult is this control to meet? Establishing procedures for information labelling is of moderate difficulty. It involves defining clear labelling guidelines, considering various formats, storage media, and methods of attaching labels. Once established, these procedures need to be communicated, and personnel should be trained to ensure consistent and accurate labelling.

What are the sub-requirements?

1. Develop procedures for labelling information and other associated assets in all formats.

2. Align labelling with the established information classification scheme (5.12).

3. Provide guidance on where and how labels are attached based on the methods of access or handling.

4. Define cases where labelling might be omitted or not possible due to technical constraints.

5. Utilize labelling techniques such as physical labels, headers, footers, metadata, watermarking, and rubber stamps.

6. Leverage metadata to identify, manage, control, and search for information based on its classification.

7. Describe how to attach metadata, use appropriate labels, and handle data in alignment with the organization's information model and ICT architecture.

8. Ensure that systems add relevant metadata based on the information's security properties during processing.

9. Educate personnel and interested parties on labelling procedures and provide training to ensure accurate labelling and handling.

10. Apply appropriate classification labels to the output from systems containing sensitive or critical information.

Other information:

• Metadata attached to information can carry additional useful information such as the organizational process that created the information and its creation time.

• Labelling of information is essential for effective information sharing and dissemination.

• While labelling helps with proper handling and protection, it's important to consider potential negative effects, such as making classified assets more visible to malicious actors.

• In some systems, labelling may not occur at the individual file level but rather at the highest classification level contained within the information.

In conclusion, proper labelling of information is vital for effective communication, automation, and consistent handling of sensitive data. By developing clear labelling procedures and aligning them with the information classification scheme, organizations can enhance their information management practices, support automation processes, and enable accurate decision-making based on the sensitivity of their data.