ISO/IEC 27001 Control 5.13: Labelling of information

Control

An appropriate set of procedures for information labelling should be developed and implemented in accordance with the information classification scheme adopted by the organization.

Necessity of MidPoint

MidPoint is optional for implementation of this control.

This control can be implemented without midPoint. However, midPoint provides considerable advantages, making the implementation more efficient and reliable.

Implementation Overview

Applications can be classified using the defined classification scheme.

Implementation Details

Classification schemes can be applied to almost all midPoint objects, most notably applications and roles, efficiently creating information labels. Policies specified for the classifications can be enforced by using policy rules. Policy rules are applied transitively, even if classified applications are included in business roles or organizations.
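The transitive behaviour described above can be shown with a small conceptual model. This is an added example, not midPoint configuration or midPoint's own evaluation logic; the class `Obj`, the label and clearance names, and the sample objects are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Obj:
    """Hypothetical labelled object: application, business role or organization."""
    name: str
    classifications: set = field(default_factory=set)  # labels applied directly
    includes: list = field(default_factory=list)       # objects this one includes

# Constructed policy: each classification label requires one clearance.
REQUIRED_CLEARANCE = {"confidential": "nda-signed", "secret": "security-vetting"}

def effective_labels(obj, _seen=None):
    """Collect labels from obj and everything it includes, transitively."""
    seen = _seen if _seen is not None else set()
    if id(obj) in seen:  # guard against cyclic inclusion
        return set()
    seen.add(id(obj))
    labels = set(obj.classifications)
    for child in obj.includes:
        labels |= effective_labels(child, seen)
    return labels

def violations(clearances, assigned):
    """Return sorted (label, missing clearance) pairs for one requested assignment."""
    out = []
    for label in effective_labels(assigned):
        need = REQUIRED_CLEARANCE.get(label)
        if need is None:
            out.append((label, "<no rule defined>"))  # unknown label: fail closed
        elif need not in clearances:
            out.append((label, need))
    return sorted(out)

# Constructed sample data: two classified applications nested at different depths.
payroll = Obj("Payroll app", {"confidential"})
key_console = Obj("Key management console", {"secret"})
wiki = Obj("Wiki")
finance_clerk = Obj("Finance clerk", includes=[payroll, wiki])
finance_dept = Obj("Finance department", includes=[finance_clerk, key_console])

if __name__ == "__main__":
    for target in (wiki, finance_clerk, finance_dept):
        print(target.name, violations({"nda-signed"}, target))
```

The rule is attached to the label, not to the business role, so adding a classified application to an existing role changes who may hold that role without editing the role's own policy.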

Implementation Notes

  • Control 5.15 (Access control) asks for consistency between access rights and classification (controls 5.12, 5.13), which midPoint provides by employing policy rules in classifications.

Rationale

Because midPoint has an integrated information classification mechanism, it can easily couple classifications, clearances and access control policies. This creates high-level governance policies that can be used to check the correctness of complex configurations or RBAC structures. This approach is necessary to keep policies maintainable in large deployments.

Documentation

| Version | Title | Description |
|---|---|---|
| Development | Information Classification and Clearances | Example demonstrating use of policy rules to enforce classification requirements |
| 4.8 | Information Classification and Clearances | Example demonstrating use of policy rules to enforce classification requirements |