Highlights of IS.004 Asset Management Standard
The IS.004 Asset Management Standard outlines requirements for the handling, classification and disposal of information by the Commonwealth of Massachusetts. The purpose of this standard is to document the requirements and key security considerations to enable the ongoing ownership and effective management of the Commonwealth’s information assets. The Standard includes:
- Information Asset Management including Inventories
- Information Classification (Confidential, Internal Use, Public)
- Information Labeling and Handling (to protect assets and comply with legal and regulatory requirements)
- Information Disposal (Accountability for assets and proper disposal of assets and data)
- Information Protection Requirements
- Information System Classification (Critical, High, Medium, Low)
- Endpoint Security (to protect against malicious software, viruses and malware)
- Mobile Device Management (to prevent unauthorized access and disclosure of data)
See the Enterprise Information Security Standards Self-Assessment Questionnaire [Excel] that can be used to track compliance with implementing these internal controls. Departments should expect to be audited on compliance with these internal controls.
The Executive Office of Technology Services and Security (EOTSS) publishes Enterprise Information Security Policies and Standards which must be included in a Department’s Internal Control Plan, implemented, tested, and included in staff training. These standards apply to all Executive Department offices and agencies and are the default standard for non-Executive Departments.