"This guideline is organized into three primary sections. The first section offers a general framework and some guiding principles for developing an effective Information Assets Protection (IAP) policy within any organizational setting. The second section proposes recommended practices that may be applied in the implementation of a high-quality IAP program. The third section consists of two appendices that provide useful tools for any size organization. Appendix A consists of a Sample Policy on IAP. Appendix B is a Quick Reference Guide, a sample flow chart for assessing information protection needs that can be modified and customized to meet an organization’s needs."
The guideline recommends categorizing, classifying and valuing (or rather "valuating"!) the organization's information such as
● Proprietary information - customer lists, marketing plans, pricing strategies, test results etc.
● Trade secrets
● Patent information
● Copyright information
● Physical products - prototypes, models, molds, dyes and manufacturing equipment etc.
● Trademarks and service marks
● Privacy information - personal data, evaluations, credit info etc.
● Regulated information - health information, financial data, government
It recommends technical/logical, procedural/manual and physical security controls, although technical controls such as firewalls are merely noted and not explained. Information security awareness and training however merits a specific mention in section 12.7:
"Almost invariably, security awareness and training is one of the most cost effective measures that can be employed to protect corporate and organizational information assets. This is largely due to the fact that protecting information, generally more so than any other asset, is best achieved through routine business practices that permeate every element of an organization. Therefore, where each individual entrusted with sensitive information takes prudent measures and personal responsibility for protecting those assets, a robust security environment should occur naturally."
The sample organizational policy on information asset protection in Appendix A is a decent model for a high level/overarching information security policy such as that recommended by ISO/IEC 27002 section 5.