Asset Protection Questions

Recommended Policy	ISO Reference	Level of Compliance
S001-Security Policy Compliance: The business and/or system owner shall establish and ensure compliance with an Information Security Policy for the protection of company information assets.	3.1 Information security policy 6.1.4 Terms and conditions of employment 12.2.1 Compliance with security policy
S002-Access Management: A security mechanism (i.e., login, logout, timeout procedure) must ensure the following: a) the login process denies access to unauthorized users, b) a logout and/or timeout process locks out and/or disconnects access to the PC or workstation, and c) the logout and timeout process clears the screen and/or turns off the monitor (blanks the screen) after a given period of inactivity.	7.3.1 Clear desk and clear screen policy 9.2 User access management
S004-Protecting Sensitive Information: Mission critical and sensitive assets must be stored in a facility (e.g., safe, vault, cabinet) commensurate with classification level, value, etc.	7.1.3 Securing offices, rooms, and facilities 7.3.1 Clear desk and clear screen policy
S005-Operating System Commands: Access to operating system commands must be restricted to those who are authorized to perform system administration or management functions. Such authorized access should follow the principles of separation or segregation of duties.	*9.5 Operating System Access Control*
S010-Addressing Email: Make sure that email - initiated and forwarded - is sent to the correct address - especially if more than one person (in the company) has the same name and/or the email address (name) is not the same as the "given" name.	*8.7.4 Security of electronic mail*
S011-Inappropriate Use of Assets: There is no guarantee of privacy when using company assets; consequently, the company will use filters and/or monitoring devices to prevent or observe access to inappropriate information on the Internet.	*9.1.1 Access control policy*
S014-Data Aggregation: In order to prevent "data aggregation" - the collection of non-sensitive and/or unclassified information that becomes sensitive and/or classified when put together - sensitive and classified information and their key components should be co-located and/or have the same sensitivity or classification level.	*8.6.3 Information handling procedures*