Standard Practice for Implementing an Information Security Program in a Cannabis Operation
STANDARD published on 1.7.2021
Standard designation: ASTM D8320-21
Issue date of standard: 1.7.2021
Number of pages: 20
Weight approx.: 60 g (0.13 lb)
Country: American technical standard
Category: ASTM technical standards
Keywords: access control, analog, analysis, assessment, cannabis, continuous improvement, controls, computer, confidentiality, cyber security, cybersecurity, data, detection, digital, electronic, files, hardware, incident, information, information security, monitoring, notification, prevention, privacy, power supply, procedures, records, recovery, response, risk, security, software, testing, threats, two-factor, uninterruptible
Significance and Use
5.1 Information security programs and controls should be implemented by all cannabis businesses to protect information assets, which include information system infrastructure, architecture, analog (paper) and electronic data, files and records.
5.2 The cannabis industry is in transition from an unregulated industry to a regulated industry, which involves substantial investment. Implementing an information security program helps organizations manage information security threats and protect the organization, employees, customers, vendors and other business partners from unauthorized access, misuse of information, crime, and costly exposure or loss.
5.3 Cannabis customers and business partners place higher value on keeping information secure and have heightened concerns about information security due to the legal complexities and stigma around the industry.
5.4 Information systems have multiple access points that present opportunities for vulnerabilities, such as user accounts, removable storage devices, internet connections, malware and other attacks, scams, and poorly guided access controls.
5.5 This practice intends to help organizations of all types and sizes find an acceptable balance of risks and costs of threat mitigation, recovery and remediation.
5.6 When planning an information security program, a broad range of input from all departments (or functional areas), levels of staff, and areas of expertise (information technology, legal, compliance, human resources, tax/accounting) is ideal for identifying the highest information security risks to the organization and can make implementation go more smoothly.
5.7 Information assets must be protected throughout the entire lifecycle (creation, transmission, review, storage, and destruction).
5.8 Users of This Practice:
5.8.1 This practice is written for cannabis business operations to be used by:
5.8.1.1 Business owners and management to develop security controls to prevent, detect, and mitigate vulnerabilities and risk, enhance business planning, and respond to and recover from incidents;
5.8.1.2 Consultants to provide guidance about information security assessments, analysis, controls and information audits;
5.8.1.3 Authorities having jurisdiction to inspect the adequacy of information security; and
5.8.1.4 Training organizations and certification bodies to train or certify individuals on the body of knowledge related to information security in the cannabis industry.
5.9 Iterative Implementation Approach:
5.9.1 Implementing an information security program is not a one-time sequence of tasks. Once an information security program manager has been assigned, team participants have been educated, and risk assessments and analyses have been conducted, iterative cycles of implementing controls can begin. Initial plans will focus on higher-priority assets and risks and easy-to-implement controls. Teams will monitor implementation, make adjustments, and repeat as needed.
5.9.2 An information security audit should be conducted at least once a year.
5.9.2.1 Audits can be assigned to internal or external auditors, depending on need for objectivity, independent review, or in accordance with legal mandates.
5.10 Unique Business Entities:
5.10.1 This practice is not a one-size-fits-all model to manage cybersecurity risk. Since each operation's risks, systems, procedures, digital usage, size, and scale are unique, the use of this practice requires ongoing engagement and continuous evaluation of prevention and countermeasures to stay abreast of ever-changing threats. This practice cannot be used by itself as an information security policy, procedure, or program; each entity must develop and monitor its own information security practice. This practice will guide the planning, assessment, implementation, audit, and improvement of an ongoing information security program.
5.11 Compliance and Legal Considerations:
5.11.1 Cannabis business mandates are complex and unique to each jurisdiction. Cannabis businesses must consult with legal, compliance, accounting, security, human resources and information technology professionals for guidance about protecting and sharing records.
5.11.2 Multiple levels of jurisdiction can apply (local, state/province, country), and mandates can conflict, rendering them unclear. For example, legal experts do not agree on whether U.S. HIPAA laws apply to cannabis businesses that sell to medical patients.
5.11.3 Since remediation efforts are costly, all cannabis business entities must maintain an active information security program to prevent and detect threats, with plans to respond to and recover from incidents.
5.11.4 Business entities should not rely solely on purchased software vendors for advice, because none can manage all the information security and related compliance, legal and business risks a cannabis business will face.
5.11.5 Businesses should ensure that intellectual property and other business records, operational records, and customer records are considered and protected in consultation with legal and compliance professionals.
5.12 Insurance, Contracts, and Tax Considerations:
5.12.1 Cannabis business entities should review insurance policies and contracts to ensure adequate protections.
5.12.2 Businesses should consider including elements such as nondisclosure, privacy and confidentiality, data breach protocols, testing and maintenance requirements, scope of work and functional requirements, use of proprietary software, uptime, and clear measures of success in contracts.
5.12.3 Cannabis businesses should ensure finance, budget, and tax professionals are consulted about information security plans to ensure team activities and controls are clearly written and implemented in alignment with those goals.
Scope
1.1 This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.
1.2 This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.
1.3 Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
© Copyright 2021 NORMSERVIS s.r.o.