Annex E
(informative)
E. Confidentiality and Document Protection
There are numerous approaches and reference materials related to Sensitive Security Information (SSI) control, document classification, custodial care, maintenance, methods of distribution/transmittal/storage, and protection against disclosure to unauthorized entities. The methods of classification and restrictions related to distribution may have many variables depending upon the governing body, security clearance requirements and their contractual relationship with the assessor organization.
Confidentiality and document protection procedures should, as a minimum, determine and define:
- The relationship between stakeholders and assessor(s);
- Minimum expectations related to classification of:
  - Information;
  - Descriptive data or images, and photographic images;
  - Plans;
  - Media encryption; and
  - Methods in which information is to be controlled.
- Control, classification and marking protocols;
- Protection and custodial care of information, digital images, plans, notes and other site/facility specific documentation while travelling, transmitting and in possession of the assessor(s);
- Protective storage and accessibility requirements, for all information and data, while in possession of the assessor(s) or stakeholder, method for obtaining access to, tracking distribution, reproduction and destruction requirements of specific information; and
- Penalties along with mitigation, reporting, investigative and recovery requirements related to inadvertent or deliberate disclosure of SSI.