Standard Practice for Implementing an Information Security Program in a Cannabis Operation

SIGNIFICANCE AND USE
5.1 Information security programs and controls should be implemented by all cannabis businesses to protect information assets, which include information system infrastructure, architecture, analog (paper) and electronic data, files and records.  
5.2 The cannabis industry is in transition from an unregulated industry to a regulated industry, which involves substantial investment. Implementing an information security program helps organizations manage information security threats and protect the organization, employees, customers, vendors and other business partners from unauthorized access, misuse of information, crime, and costly exposure or loss.  
5.3 Cannabis customers and business partners place higher value on keeping information secure and have heightened concerns about information security due to the legal complexities and stigma around the industry.  
5.4 Information systems have multiple access points that present opportunities for vulnerabilities, such as user accounts, removable storage devices, internet connections, malicious malware and other attacks, scams, and poorly guided access controls.  
5.5 This practice intends to help organizations of all types and sizes find an acceptable balance of risks and costs of threat mitigation, recovery and remediation.  
5.6 When planning an information security program, a broad range of input from all departments (or functional areas), levels of staff, and areas of expertise (information technology, legal, compliance, human resources, tax/accounting) is ideal for identifying the highest information security risks to the organization and can make implementation go more smoothly.  
5.7 Information assets must be protected throughout the entire lifecycle (creation, transmission, review, storage, and destruction).  
5.8 Users of This Practice:  
5.8.1 This practice is written for cannabis business operations to be used by:  
5.8.1.1 Business owners and management to develop security controls to prevent, dete...
SCOPE
1.1 This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.  
1.2 This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.  
1.3 Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.  
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.  
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

General Information

Status
Published
Publication Date
30-Jun-2021
Technical Committee
D37 - Cannabis

Relations

Effective Date
01-Feb-2020
Effective Date
01-Feb-2020
Effective Date
01-Feb-2020
Effective Date
01-Dec-2017

Overview

ASTM D8320-21: Standard Practice for Implementing an Information Security Program in a Cannabis Operation provides comprehensive guidance for regulated cannabis businesses to develop and maintain robust information security programs. Developed by ASTM International, this standard recognizes the unique regulatory, legal, and operational challenges facing the cannabis industry as it moves from unregulated to regulated status, making the protection of information assets a top business priority.

The standard addresses both analog (paper) and digital information, emphasizing the need to protect sensitive data, records, and system infrastructure from unauthorized access, misuse, cybercrime, and loss. It is relevant to all legal cannabis business types, including cultivation, manufacturing, transportation, distribution, retail, lab testing, home delivery, and waste management.

Key Topics

  • Information Security Program Fundamentals

    • Guidance on establishing a cross-functional security team
    • Inclusion of input from IT, legal, compliance, HR, and accounting departments
    • Assessment, analysis, and prioritization of information assets and associated risks
  • Controls for Threat Mitigation

    • Implementation of physical, technological, and human (end user) controls
    • Identification and protection of both digital and paper records
    • Use of best practices for access control, encryption, and incident response
  • Continuous Improvement

    • Ongoing risk assessment and regular audits (at least annually)
    • Monitoring effectiveness of security controls
    • Adaptation to new threats and regulatory requirements
  • Lifecycle Protection

    • Safeguarding information assets during creation, transmission, storage, review, and destruction
  • Tailored Implementation

    • Customization of information security measures based on organizational size, asset sensitivity, risk tolerance, and resources
    • Iterative approach to implementing and reviewing controls
  • Stakeholder Involvement and Communication

    • Staff training and education on information security policies
    • Internal and external communication strategies regarding security responsibilities and procedures

Applications

ASTM D8320-21 is a foundational document for businesses participating in any area of the regulated cannabis supply chain. Its practical recommendations help:

  • Business Owners/Management: Develop, implement, and maintain security controls to minimize information security risks, ensure business continuity, and build trust with customers and business partners.
  • Consultants/Auditors: Conduct information security assessments, gap analyses, and support continuous improvement initiatives.
  • Regulatory Bodies: Assess adequacy of cannabis operators’ information security programs during compliance inspections.
  • Training Organizations: Develop certification programs and training materials based on a recognized framework for cannabis information security.
  • Operational Teams: Identify, classify, and protect sensitive business, employee, and customer data, ensuring compliance with data privacy and security mandates.

Following the standard can reduce exposure to costly breaches, align security practices with legal and client expectations, and facilitate smoother adoption of new technologies while managing regulatory risks.

Related Standards

Businesses implementing ASTM D8320-21 should be aware of and may benefit from harmonizing practices with these related ASTM standards:

  • ASTM D8205: Guide for Video Surveillance System - Recommendations for physical security monitoring.
  • ASTM D8217: Guide for Access Control System - Principles for managing physical entry and digital access points.
  • ASTM D8218: Guide for Intrusion Detection System (IDS) - Insights on detecting unauthorized system access.
  • ASTM F3286: Guide for Cybersecurity and Cyberattack Mitigation - Broader strategies for addressing cyber threats in business operations.

By aligning with ASTM D8320-21 and related standards, cannabis businesses can create a resilient information security environment suitable for meeting current regulatory obligations and future-proofing against emerging digital risks.

Keywords: cannabis information security, cybersecurity, data protection, cannabis compliance, risk management, business continuity, access control, digital asset protection, regulatory compliance, information system security, security controls, incident response.

Buy Documents

Standard

ASTM D8320-21 - Standard Practice for Implementing an Information Security Program in a Cannabis Operation

English language (20 pages)


Frequently Asked Questions

ASTM D8320-21 is a standard published by ASTM International. Its full title is "Standard Practice for Implementing an Information Security Program in a Cannabis Operation". It covers the Significance and Use (Section 5) and Scope (Section 1) material given at the top of this page.


ASTM D8320-21 is classified under the following ICS (International Classification for Standards) categories: 35.030 - IT Security. The ICS classification helps identify the subject area and facilitates finding related standards.

ASTM D8320-21 has the following relationships with other standards: it carries inter-standard links to ASTM D8217-20, ASTM D8218-20, ASTM D8205-20, and ASTM F3286-17. Understanding these relationships helps ensure you are using the most current and applicable version of the standard.

ASTM D8320-21 is available in PDF format for immediate download after purchase. The document can be added to your cart and obtained through the secure checkout process. Digital delivery ensures instant access to the complete standard document.

Standards Content (Sample)


This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

Designation: D8320 − 21

Standard Practice for Implementing an Information Security Program in a Cannabis Operation

This standard is issued under the fixed designation D8320; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.

This practice is under the jurisdiction of ASTM Committee D37 on Cannabis and is the direct responsibility of Subcommittee D37.05 on Security and Transportation. Current edition approved July 1, 2021. Published August 2021. DOI: 10.1520/D8320-21.

For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.

Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United States

1. Scope

1.1 This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.

1.2 This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.

1.3 Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.

1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.

1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.

2. Referenced Documents

2.1 ASTM Standards:
D8205 Guide for Video Surveillance System
D8217 Guide for Access Control System
D8218 Guide for Intrusion Detection System (IDS)
F3286 Guide for Cybersecurity and Cyberattack Mitigation

3. Terminology

3.1 Definitions of Terms Specific to This Standard:

3.1.1 access control, n—restricting access to an asset.

3.1.2 asset, n—generally refers to anything of value to a business such as an employee, facility, computer equipment, computer system, intellectual property, and other information assets.

3.1.3 availability, n—ability of authorized users to access analog or electronic information assets on demand.

3.1.4 boundary defense, n—controls the flow of traffic through network borders and polices content by looking for evidence of unauthorized access and attacks. Established multilayered boundary defenses typically include controls that protect perimeter networks, firewalls, and other network tools.

3.1.5 cannabis products, n—refers to cannabis seeds, immature plants, flower, cannabis concentrates regardless of form or extraction method and cannabis infused products, such as edibles, etc.

3.1.6 chain of custody, n—refers to the process of documenting each person who had access and control of a particular asset from the time of creation through any changes of hands.

3.1.7 classification level, n—refers to defined sensitivity levels of information. People are granted access to information of certain classification levels in accordance with their duties. Governments use labels such as top secret, secret, confidential, and unclassified (see role-based access).

3.1.8 computer system, n—hardware, software, network, transmission, storage.

3.1.9 confidential, n—refers to the legally protected privacy of an information asset.

3.1.10 controls, n—refers to physical, technological, and human (end user) measures and countermeasures intended to prevent, detect, or otherwise mitigate system vulnerabilities and potential threats of unauthorized access, misuse, damage, disruption or losses to information system infrastructure or information assets, whether unintentional or by malicious attack. Controls include threat response and recovery protocols. Examples of controls: limiting access to locations and records, antivirus software, policy and procedures, etc.

3.1.11 cybersecurity, n—refers to protections from unauthorized access or malicious attacks on information system architecture, infrastructure or electronic information assets.

3.1.12 data, n—facts and statistics collected together for reference or analysis.

3.1.12.1 Discussion—By many definitions information is data that has been analyzed and organized into meaningful thoughts, and data is simply a collection of raw facts and statistics. In this practice the use of the terms data and information are interchangeable.

3.1.13 data breach, n—refers to electronic information assets that are improperly accessed, used, lost, stolen or released, whether unintentional or malicious.

3.1.13.1 Discussion—This term may refer to situations where there is no confirmation the information was accessed, misused, or released (as with a lost or stolen laptop).

3.1.14 data integrity, n—refers to protection of the correctness and reliability of data and information retrieval.

3.1.15 electronic asset, n—refers to all information assets that are not (only) paper records.

3.1.16 encryption, n—a method of secure communication transmission that typically uses symmetric key algorithm, which is a message secured with a key and algorithm and transmitted to the receiver who uses a similar key and algorithm to decrypt and view the message.

3.1.17 General Data Protection Regulation (GDPR), n—mandate of privacy data that protects and restricts transfer of data into or out of the European Union.

3.1.18 Health Insurance Portability and Accountability Act of 1996 (HIPAA), n—a United States statute to protect health information privacy and security.

3.1.19 incident, n—an event of unauthorized access, misuse, damage, disruption or loss of information assets, whether unintentional or by malicious attack and whether electronic or analog.

3.1.20 incident response, n—an organized approach to addressing and managing a security breach or cyberattack, which is intended to limit damage and recover data and reliable system operations.

3.1.21 information asset, n—includes computer system infrastructure and architecture, paper (analog) and digital data, files, and records.

3.1.22 information system infrastructure and architecture, n—refers to equipment, hardware (servers, PC's, routers), operating systems, software (including office, seed to sale, point of sale), networks, connections, and controls, etc. Note that these are also "information assets" for the purpose of this practice.

3.1.23 information security (IS), n—refers to the protection of information system assets, which includes infrastructure, architecture, paper (analog) and digital data, files, and records. Information security includes cybersecurity.

3.1.24 malware, n—any unauthorized program or file that is potentially harmful to a computer or computer system such as a virus, worm, or spyware.

3.1.25 organizational readiness, n—an organization's readiness for change.

3.1.26 penetration test, n—simulated cyber-attack against a computer system to determine whether existing protections, such as web application firewall (WAF) is adequate and works as intended.

3.1.27 phishing, n—fraudulent attempt to obtain sensitive information such as usernames, passwords, or financial details by disguising oneself as a trustworthy entity in an electronic communication with the intent of illicit use.

3.1.28 protected health information (PHI), n—phrase that refers to U.S. HIPAA statutory provisions related to the health-related information of a specific person.

3.1.29 role-based access, n—a technique of granting the minimum amount of access to information assets necessary for a person to complete job duties.

3.1.30 quantitative risk analysis, n—an analysis of vulnerabilities and threats to information assets that includes cost-benefits of implementing a variety of physical, technological, and human controls to minimize risk.

3.1.31 sensitive information, n—any information asset that is restricted from certain staff, the public, or is otherwise confidential.

3.1.32 short message service (SMS), n—method of communication that sends text between cell phones, or from a personal computer or handheld computer to a cell phone with a maximum size of the text messages.

3.1.33 uninterruptible power supply, n—ensures continuous operation by using a surge protector with a built-in backup battery.

3.1.34 vulnerability, n—an existing weakness that may be exposed to a threat.

4. Summary of Practice

4.1 This practice provides the essential elements to establish and manage an information security program for cannabis businesses. It includes guidance on establishing a work group, identifying information assets and potential threats, analyzing levels and types of risk to those assets, selecting appropriate controls to mitigate vulnerabilities, and monitoring implementation of the program for continuous improvement. This practice also provides practical information on implementing physical, technological, and human controls such as active prevention, detection and response techniques, policy and procedures, implementation guidance (training, communications), continuous improvement strategies, and resources to educate information security team members as needed and for further program development.

4.2 The practice also presents considerations specific to the cannabis industry and guidance about types of mandates that may apply (in addition to those of the authority having jurisdiction).

4.3 The primary goals of an information security program are to prevent equipment and data from being lost, corrupted, or stolen; to protect customer, employee, and business records; and to ensure uninterrupted, compliant, and efficient business practices.

4.4 Businesses should establish information security programs with controls that protect information assets (including architecture, infrastructure, records, etc.) from unintentional and malicious unauthorized access, damage, and exposure. Information security program controls can effectively measure and maintain an acceptable level of risk when companies use a team approach to assess and analyze priorities and develop controls and implementation plans. Once controls are in place, organizations should continue the team to audit practices and controls at regular intervals and when incidents occur.

4.5 The major activities to implement an information security program are:
4.5.1 Establish objectives and responsibilities;
4.5.2 Form an information security team;
4.5.3 Provide orientation and education for information security team members as needed;
4.5.4 Conduct an assessment to identify information assets, potential threats to those assets, and the need for controls;
4.5.5 Analyze risks, costs and feasibility of physical, technological, and human controls to mitigate threats (prevention, detection, respond, or recovery);
4.5.6 Select, plan and implement controls; and
4.5.7 Establish and monitor continuous improvement strategies.

5. Significance and Use

5.1 Information security programs and controls should be implemented by all cannabis businesses to protect information assets, which include information system infrastructure, architecture, analog (paper) and electronic data, files and records.

5.2 The cannabis industry is in transition from an unregulated industry to a regulated industry, which involves substantial investment. Implementing an information security program helps organizations manage information security threats and protect the organization, employees, customers, vendors and other business partners from unauthorized access, misuse of information, crime, and costly exposure or loss.

5.3 Cannabis customers and business partners place higher value on keeping information secure and have heightened concerns about information security due to the legal complexities and stigma around the industry.

5.4 Information systems have multiple access points that present opportunities for vulnerabilities, such as user accounts, removable storage devices, internet connections, malicious malware and other attacks, scams, and poorly guided access controls.

5.5 This practice intends to help organizations of all types and sizes find an acceptable balance of risks and costs of threat mitigation, recovery and remediation.

5.6 When planning an information security program, a broad range of input from all departments (or functional areas), levels of staff, and areas of expertise (information technology, legal, compliance, human resources, tax/accounting) is ideal for identifying the highest information security risks to the organization and can make implementation go more smoothly.

5.7 Information assets must be protected throughout the entire lifecycle (creation, transmission, review, storage, and destruction).

5.8 Users of This Practice:
5.8.1 This practice is written for cannabis business operations to be used by:
5.8.1.1 Business owners and management to develop security controls to prevent, detect, and mitigate vulnerabilities and risk, enhance business planning, and respond to and recover from incidents;
5.8.1.2 Consultants to provide guidance about information security assessments, analysis, controls and information audits;
5.8.1.3 Authorities having jurisdiction to inspect the adequacy of information security; and
5.8.1.4 Training organizations and certification bodies to train or certify individuals on the body of knowledge related to information security in the cannabis industry.

5.9 Iterative Implementation Approach:
5.9.1 Implementing an information security program is not a one-time sequence of tasks. Once an information security program manager is assigned, team participants are educated, risk assessments and analyses are conducted, iterative cycles of implementing controls can begin. Initial plans will focus on higher priority assets and risks and easy to implement controls. Teams will monitor implementation, make adjustments, and repeat as needed.
5.9.2 An information security audit should be conducted at least once a year.
5.9.2.1 Audits can be assigned to internal or external auditors, depending on need for objectivity, independent review, or in accordance with legal mandates.

5.10 Unique Business Entities:
5.10.1 This practice is not a one-size-fits-all model to manage cybersecurity risk. Since each operation's risks, systems, procedures, digital usage, size, and scale are unique, the use of this practice requires ongoing engagement and continuous evaluation of prevention and countermeasures to stay abreast of ever-changing threats. This practice cannot be used by itself as an information security policy, procedure, or program; each entity must develop and monitor its own information security practice. This practice will guide the planning, assessment, implementation, audit, and improvement of an ongoing information security program.

5.11 Compliance and Legal Considerations:
5.11.1 Cannabis business mandates are complex and unique to each jurisdiction. Cannabis businesses must consult with legal, compliance, accounting, security, human resources and information technology professionals for guidance about protecting and sharing records.
5.11.2 Multiple levels of jurisdiction can apply (local, state/province, country) and mandates can conflict rendering them unclear. For example, legal experts do not agree on whether U.S. HIPAA laws apply to cannabis businesses that sell to medical patients.
5.11.3 Since remediation efforts are costly, all cannabis

[…]

the information security program and accountable for all team activities. This role will be referred to as the information manager (IM) in this practice.
7.1.1.1 The IM should report to the highest executive levels and be part of multiple executive planning teams for the organization and not only for the IS program.
7.1.1.2 The IM must work with chains of command to establish reporting and approval processes for the program.
business entities must maintain an active information security
7.1.2 Identify Team Members—The IM shall identify team
programtopreventanddetectthreatswithplanstorespondand members to participate in the work group.
recover from incidents.
7.1.2.1 Team members should include representatives from
5.11.4 Business entities should not rely solely on purchased
different areas of expertise (security, IT, compliance,
software vendors for advice, because none can manage all the
operations, HR) and should represent all levels of staff and all
information security and related compliance, legal and busi-
functionalareasofthebusinesstoestablishthemostsuccessful
ness risks a cannabis business will face.
controls.
5.11.5 Businesses should ensure that intellectual property
7.1.3 Identify Subject Matter Experts—At a minimum,
and other business records, operational records, and customer
teams should invite legal, compliance, tax, and ITspecialists to
records are considered and protected in consultation with legal
participate after the assessment is completed to ensure the
and compliance professionals.
highest risks are addressed. (See Section 9.)
7.1.4 Initial Team Objectives—The IS Team will:
5.12 Insurance, Contracts, and Tax Considerations:
7.1.4.1 Conduct assessments to identify information assets
5.12.1 Cannabis business entities should review insurance
that should be protected and vulnerabilities and threats that
policies and contracts to ensure adequate protections.
need controls;
5.12.2 Businesses should consider including elements such
7.1.4.2 Conduct qualitative and quantitative analysis; and
as nondisclosure, privacy and confidentiality, data breach
7.1.4.3 Select, design, and implement physical,
protocols, testing and maintenance requirements, scope of
technological, and human (end user) controls for information
work and functional requirements, using proprietary software,
asset threat prevention, detection, incident response and recov-
uptime, and clear measures of success in contracts.
ery.
5.12.3 Cannabis businesses should ensure finance, budget,
7.1.5 Initial Meeting Preparation—Team leaders will re-
and tax professionals are consulted about information security
view the entire practice and references, will prepare meeting
plans to ensure team activities and controls are clearly written
materials, and distribute resources to educate team participants
and implemented in alignment with those goals.
about information security assets, threats, vulnerabilities, and
6. Information Security Program Implementation controls as needed. (See Guides D8205, D8217, D8218, and
F3286 and Appendix X1 – Appendix X6 for information
6.1 Sections 6–15 will establish the foundation of the
security education and recommended policy and procedures.)
practice and essential elements for implementing an informa-
7.1.6 The IM will ensure adequate documentation of major
tion security program. Businesses will establish a work group,
decisionsmadeineachphaseoftheprogramsothatknowledge
identify information assets and potential threats, analyze levels
is formally retained when there are staff changes.
and types of risk to information assets, select appropriate
controls to mitigate vulnerabilities and threats, and will estab-
8. Educate the Team
lish protocols for incident response and recovery and ways to
monitor implementation for continuous improvement. The
8.1 Implementing an information security program requires
practice will include references to Annex A1 – Annex A3,
knowledge of information security risks and controls that can
which are required as part of the practice, and to Appendix X1
mitigate those risks. Team members and participants will
– Appendix X6, which are optional, but provide education on
review AnnexA1 – AnnexA3 to become familiarized with the
risks and controls and recommended policy and procedure
tools of the practice and may review Appendix X1 – Appendix
elements.
X6 for an educational overview of components.
8.1.1 Annex A1 – Annex A3 are tools the team will use for
7. Establish the Information Security Program Team
assessment, analysis, and planning.
(Workgroup)
8.1.1.1 Annex A1: Information Security Self-Assessment
Question List
7.1 Robust information security (IS) programs require
8.1.1.2 Annex A2: Information Asset, Threat, and Control
participation, understanding, and buy-in from top leadership.
Assessment Worksheet
Business owners and senior managers should consider organi-
8.1.1.3 Annex A3: Control Matrix
zational readiness and make efforts to establish a culture that
actively protects information assets, including architecture, 8.1.2 Appendix X1 – Appendix X6 provides an educational
overview on information assets, cybersecurity threats, and
infrastructure, paper and digital data, files, and records.
7.1.1 Identify Leadership—Seniormanagementwillidentify different types of controls. Appendix X6 also includes specific
policy and procedure recommendations.
a chief security officer, chief information officer, director of
security, or project manager who is responsible for managing 8.1.2.1 Appendix X1: Information Security Education
D8320 − 21
8.1.2.2 Appendix X2: Information Asset Definitions 10. Gain Consensus on Information Asset and Threat
Priorities
8.1.2.3 Appendix X3: Vulnerabilities and Threats
10.1 The team will meet to achieve consensus on informa-
8.1.2.4 Appendix X4: Physical (Environmental) Controls
tion asset and threat priorities and whether (new) controls are
8.1.2.5 Appendix X5: Technological Controls
needed, using the information asset, threat, and control assess-
8.1.2.6 Appendix X6: Human Factor Controls and Recom-
ment worksheet (Annex A2) and control matrix (Annex A3).
mendations for Policy and Procedures
10.2 This section should be completed in conjunction with
Section 11.
9. Conduct Assessment: Identify and Prioritize
Information Assets and Threats to Control
11. Explore Controls (Physical, Technological, and
9.1 An assessment will be conducted to identify and priori-
Human Factor)
tizeinformationassets,vulnerabilities,andthreatstodetermine
11.1 To explore control options, teams will review the
whether additional controls should be implemented to lower
informationsecurityself-assessmentquestions(AnnexA1);the
business risks.Annexes must be customized to meet the needs
information asset, threat, and control assessment worksheet
of the business.
(AnnexA2); the control matrix (AnnexA3); and should review
9.1.1 First, the team will conduct a self-assessment, using
the information security education appendices on information
the information security self-assessment questions provided in
assets, threats, controls, and policy and procedure recommen-
Annex A1. Answers to these questions will help teams recog-
dations (Appendix X1 – Appendix X6).
nize current information assets, threats, and types of controls
11.1.1 These documents will help teams identify informa-
that could reduce risk to the business.
tion assets and types of controls to reduce risk along a
9.1.2 Next, the team will complete the information asset, continuum of prevention, detection, response, and recovery.
threat, and control assessment worksheet provided in Annex 11.1.2 The control matrix (Annex A3) can be used to assist
teams with more complex threats, or as a reminder to consider
A2 to conduct an inventory of information assets, rank
priorities, and identify whether (new) controls are needed. a broad range of control categories (physical, technological,
and human factor) on a control continuum (prevent, detect,
9.1.2.1 To complete an inventory of information assets,
respond, and recover) during discussions.
teams should list components of information system architec-
ture and infrastructure, and all types of paper and digital files
12. Conduct Qualitative and Quantitative Risk Analysis
and records. This task should be broken up so that people with
direct experience with the assets assist with the inventory.
12.1 To conduct analysis, teams will balance the following
five factors to analyze risks, needs, and feasibility of imple-
9.1.2.2 Teams should review organizational structure and
menting identified controls:
work activities for flows of information throughout the life-
12.1.1 Information asset priorities (based on sensitivity);
cycle. Every department and work location should be exam-
12.1.2 Vulnerability and threat priorities based on:
ined for reports, records, and other files created or maintained
12.1.2.1 Likelihood that identified threats will occur;
by staff.
12.1.2.2 Potential damage or loss of information assets if
9.1.2.3 Teams should have knowledge of, or seek out
the threat occurs;
informalpracticesandreviewformalpolicyandprocedures[or
12.1.2.3 Potential impacts on the organization if the threat
standard operating procedures (SOPs)], forms, checklists, and
occurs (lawsuits, loss of sales, etc.);
job aids; training materials, memos and other directives, and
12.1.3 Physical, technological, and human factor controls
even reminders tacked up in work areas to generate a compre-
that can mitigate risks;
hensive list of existing information assets and controls.
12.1.3.1 Cost estimates for implementing various controls
9.1.2.4 Teams should spend more time detailing sensitive
(tangible and intangible); and
information assets and considering threats and controls for
12.1.3.2 Organizational values, mandates, resource
those at higher risk levels. Higher risk information assets are
constraints, and tolerance for risk.
typically located around essential and proprietary business
12.2 To get started, teams should select a high priority asset
functionsandrecords,employee,customerandvendorrecords,
or high priority threat, specific controls from any of the three
any activities involving handling or moving cannabis products,
categories (physical, technological, human factor) that can
cash or cash equivalents and any mandates.
mitigate risk, and calculate cost-benefit estimates for controls
9.1.3 Team should address vulnerabilities and threats for
across the continuum (prevention, detection, response and
each inventory item by reviewing the adequacy of any existing
recovery).
controls to identify gaps.
12.2.1 Cost estimates should include tangible and intangible
9.1.4 Information managers may restrict items from the
elements tailored for the organization’s business type, level of
assessment upon approval of the security manager or designee.
IT expertise, mandates, resources and constraints, and organi-
(These discussions should be documented and retained to
zational tolerance for risk. This step is essential to make
verify that more than one person was involved in the decision decisions about which controls to put into place.
to restrict information from the team, as established as part of
12.2.1.1 Cost estimate considerations include those related
7.1.1.1.) to: staff time to design, implement, and monitor prevention,
D8320 − 21
detection, response and recovery controls; staff training; pur- routinely cover topics such as acceptable use, user accounts,
chasing equipment, hardware, software, electricity, back-ups, social media, and confidentiality. High risk controls may
and supplies; hiring security, compliance, legal, tax, and IT require signatures from staff indicating they have read and
staff or consultants; time to complete protocols for security understand the policy and have had the opportunity to ask
incidents; costs involved for potential sanctions and lawsuits, questionsaboutitemsthatarenotclear(seeAppendixX5),and
and losing licenses temporarily or permanently; staff time in lower risk controls may only require discussion with the
court or preparing for lawsuits; losing public trust and supervisor at the next staff meeting.
goodwill, etc. Intangible aspects of risk can be over- or
14.2 Communications:
under-estimated, though there are many acceptable methods
14.2.1 Staff should be notified about any new or updated
for estimating these kinds of costs.
documents in writing (by means of email or paper) and
12.3 Teams will repeat 12.2 until all high priority assets and supervisorsshouldreviewanynewlyapproveddocumentswith
threats are addressed. staff.
14.2.1.1 Maintain Policy Library—Policy and procedure
12.4 At this point, teams should have completed a thorough
documents and employee handbooks (currently in effect)
business process analysis to identify and prioritize assets and
should be readily available to staff.
threats, explored controls with cost-benefit and risk analysis,
14.2.1.2 Maintain Policy Archive—Business entities should
consulted with a variety of subject matter experts from
maintain a policy library of all documents in effect and should
operational and support departments (security, compliance, IT,
maintain all archived or superseded (approved) versions of
HR, PR, accounting, legal) and gained approval to move
policy and procedures, forms, job aids, employee handbooks,
forward with final control selections and implementation
etc., so they can be retrieved for verification of what was in
planning.
effect on the date of any incident. Businesses should retain
copies of email notifications and other communications that
13. Select and Design Controls
accompany issuance of any policy and procedure updates for
13.1 Information security controls can include physical
the archive. Businesses should generally retain these docu-
controlssuchasrestrictingaccesstotheserverandsurveillance
ments indefinitely, in accordance with a record retention plan.
rooms, technological controls such as installing reputable
14.2.1.3 When deemed necessary for high risk controls,
antivirus software, and human controls, such as implementing
written acknowledgements of receipt and understanding of a
policy and procedures and training staff not to open executable
new or updated policy or procedure should be retained in
files from email links.
individual training logs as described below.
13.2 Select Controls—Teams should initially select controls
14.3 Training:
that mitigate the highest priority information assets and threats,
14.3.1 Frequency—Training on information security and
or controls that are cost effective to implement and serve to
related policy and procedures or Employee Handbook items
mitigate many risks. Information security teams should con-
must be held for all staff when joining the organization, when
tinue to use the control matrix in Annex A3 and information
new or revised policy and procedures are issued, and at other
security education appendices (Appendix X1 – Appendix X6)
times when needed, such as after an incident or near-incident.
to consider physical, technological, and human (end user)
Highest risk controls may require annual refresher training.
controls for prevention, detection, response and recovery from
New roles and job positions may require additional training
specific disasters and threats.
when jobs change.
13.3 Design Controls—Upon approval, team members will
14.3.2 Training logs should be kept by employee, by date,
be assigned to design and finalize controls, such as developing
and by topic for verification and retrieval. Logs should contain
protocols or metrics for intrusion detection, penetration and
dates,trainingtopicscovered,instructorandparticipantnames,
recovery testing, writing policy and procedures, training
and copies of training materials provided to staff. Copies of
materials, or setting functional requirements for developers.
trainingmaterialsshouldberoutinelystoredwithsigninsheets
13.3.1 Design tasks will be completed internally, by con-
to verify attendance for each formal training session, and
tracted vendors, or by outside (hired) auditors or consultants
supervisors should document informal training and policy
and should include measurable criteria for monitoring, testing
discussions with staff. Training logs are often reviewed in the
and maintenance to evaluate effectiveness.
event of any incident, and businesses should be prepared to be
able to verify who attended which training and when, and what
13.4 Team members should review references and attach-
was covered. Businesses should generally retain these logs
mentsthroughoutthisprocesstolocateadditionalresourcesfor
indefinitely, in accordance with record retention plans.
exploring and designing internal and external controls.
14. Develop Implementation Plan: Communication and 15. Monitoring and Continuous Improvement
Training
15.1 Teams should establish measurable ways to monitor
14.1 Implementation plans must include strategies for com- the effectiveness and ongoing necessity of all controls.
municating new, updated, and archived policy and procedures 15.1.1 Monitor Internal Controls—The information security
and evaluating the need for formal or informal staff training. team should meet within 48 hours of any information security
Staff must be made aware of their role and duties related to all incident, and at least annually to review testing and monitoring
controls in any case. Orientation training, for example, should results, policy and procedures, employee handbooks, and any
D8320 − 21
concerns to determine whether controls should be updated, cyber security; cybersecurity; data; detection; digital; elec-
archived, or if new ones are needed. tronic; files; hardware; incident; information; information se-
15.1.2 Monitor External Controls—Businesses should care-
curity; monitoring; notification; prevention; privacy; power
fully review contracts and agreements to ensure controls that
supply; procedures; records; recovery; response; risk; security;
address information security are included and updated for
software; testing; threats; two-factor; uninterruptible
customers, vendors, volunteers, etc.
16. Keywords
16.1 access control; analog; analysis; assessment; cannabis;
continuous improvement; controls; computer; confidentiality;
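The five factors listed in Section 12 and the cost-benefit step in 12.2 can be carried through as a small worked risk register. The Python below is an added example and is not part of this practice or an ASTM tool; the 1-to-5 rating scales, the multiplicative priority score, the annual-loss-expectancy arithmetic, the per-control reduction fractions, and every asset, threat, control and dollar figure are assumptions constructed for a fictitious dispensary. It shows how the qualitative ratings (12.1.1 and 12.1.2) rank assets against an organizational tolerance (12.1.3.2), and how cost estimates (12.1.3.1) turn into a net-benefit ranking of candidate controls across the prevent/detect/respond/recover continuum, flagging which phase of the continuum is still uncovered.

```python
"""Worked risk analysis in the spirit of Section 12 (added example, not the practice's method).
Scales, formulas and all sample figures are assumptions for a fictitious dispensary."""
from dataclasses import dataclass

CATEGORIES = ("physical", "technological", "human")      # Section 11 control categories
PHASES = ("prevent", "detect", "respond", "recover")      # the control continuum


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    sensitivity: int           # 12.1.1 asset priority: 1 (public) .. 5 (regulated/confidential)
    likelihood: int            # 12.1.2.1: 1 (rare) .. 5 (expected within a year)
    damage: int                # 12.1.2.2 loss to the asset itself, 1..5
    impact: int                # 12.1.2.3 impact on the organization (fines, lost sales, licence), 1..5
    annual_probability: float  # quantitative estimate that the threat occurs in a year
    loss_usd: float            # quantitative estimate of loss if it occurs

    def __post_init__(self):
        for name in ("sensitivity", "likelihood", "damage", "impact"):
            if getattr(self, name) not in range(1, 6):
                raise ValueError(f"{name} must be a rating from 1 to 5")
        if not 0.0 <= self.annual_probability <= 1.0:
            raise ValueError("annual_probability must be between 0 and 1")

    def score(self) -> int:
        """Qualitative priority: product of the four 1..5 ratings (1..625)."""
        return self.sensitivity * self.likelihood * self.damage * self.impact

    def annual_loss_expectancy(self) -> float:
        """Quantitative priority: expected loss per year before any new control."""
        return self.annual_probability * self.loss_usd


@dataclass(frozen=True)
class Control:
    name: str
    category: str          # one of CATEGORIES
    phase: str             # one of PHASES
    annual_cost_usd: float # tangible plus intangible estimate per 12.2.1 (assumed)
    reduction: float       # fraction of expected loss the control removes on its own (assumed)

    def __post_init__(self):
        if self.category not in CATEGORIES or self.phase not in PHASES:
            raise ValueError("unknown control category or phase")
        if not 0.0 <= self.reduction <= 1.0:
            raise ValueError("reduction must be between 0 and 1")


def prioritize(risks, tolerance):
    """Risks whose score exceeds the organization's tolerance (12.1.3.2), highest first."""
    return sorted((r for r in risks if r.score() > tolerance),
                  key=lambda r: (r.score(), r.annual_loss_expectancy()), reverse=True)


def net_benefit(risk, control):
    """Expected annual loss avoided by the control minus its annual cost (12.2)."""
    return risk.annual_loss_expectancy() * control.reduction - control.annual_cost_usd


def select_controls(risk, candidates, budget_usd):
    """Greedy pass over 12.2: keep controls with positive net benefit, best first, within budget.
    Reductions are treated independently (a simplification); the returned 'uncovered' list
    names phases of the continuum with no selected control, so the team can revisit them."""
    ranked = sorted(candidates, key=lambda c: net_benefit(risk, c), reverse=True)
    chosen, remaining = [], budget_usd
    for c in ranked:
        if net_benefit(risk, c) <= 0 or c.annual_cost_usd > remaining:
            continue
        chosen.append(c)
        remaining -= c.annual_cost_usd
    uncovered = [p for p in PHASES if not any(c.phase == p for c in chosen)]
    return chosen, remaining, uncovered


# Constructed sample register for a fictitious dispensary (not from the practice).
SAMPLE_RISKS = [
    Risk("patient records (POS database)", "ransomware via phishing email", 5, 4, 4, 5, 0.30, 120_000),
    Risk("surveillance video archive", "server room power failure", 3, 3, 3, 4, 0.50, 20_000),
    Risk("public website content", "defacement", 1, 2, 2, 2, 0.10, 2_000),
]
SAMPLE_CONTROLS = [  # candidate controls for the patient-records risk
    Control("phishing awareness training and acknowledgement", "human", "prevent", 4_000, 0.35),
    Control("MFA on POS and email accounts", "technological", "prevent", 3_000, 0.40),
    Control("endpoint antivirus with alerting", "technological", "detect", 2_500, 0.20),
    Control("verified offline backups", "technological", "recover", 6_000, 0.50),
    Control("incident response retainer", "human", "respond", 15_000, 0.10),
    Control("locked server room with access log", "physical", "prevent", 1_500, 0.05),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_RISKS, tolerance=50):
        print(f"{r.score():>4}  ${r.annual_loss_expectancy():>9,.0f}/yr  {r.asset}: {r.threat}")
    chosen, left, gaps = select_controls(SAMPLE_RISKS[0], SAMPLE_CONTROLS, budget_usd=12_000)
    for c in chosen:
        print(f"  select [{c.phase}] {c.name}: net ${net_benefit(SAMPLE_RISKS[0], c):,.0f}/yr")
    print(f"  budget left ${left:,.0f}; continuum phases still uncovered: {gaps}")
```

On the sample data the patient-records risk scores 400 (5 × 4 × 4 × 5) with an expected loss of $36,000 a year, the website risk falls below a tolerance of 50 and drops out, and with a $12,000 budget the greedy pass selects backups, MFA and antivirus and reports that the "respond" phase is still uncovered, which is exactly the kind of gap 12.3 tells the team to revisit on the next iteration.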
ANNEXES
(Mandatory Information)

A1. INFORMATION SECURITY SELF-ASSESSMENT
A1.1 When considering questions, pull relevant reports, SOPs, contracts, etc., for review.
A1.2 Organizational Culture Questions
A1.2.1 Do you have a written strategic plan or business continuity plan that includes language about information security?
A1.2.2 Are information managers included in executive-level meetings that are not primarily about IT matters?
A1.2.3 Do you believe your organization is ready to make changes related to information security? Leadership? Line staff?
A1.3 Physical (Environmental) Security Controls
A1.3.1 Where are data centers/tech areas located (server room, surveillance room, etc.)?
A1.3.2 Is access to equipment limited to authorized employees? Is this access logged? Is it audited or spot checked? Is more than one person in control of the info? Who is responsible for the maintenance and calibration schedule?
A1.3.3 Where are paper (analog) records stored? Are there keys to file cabinets? Does anyone actually lock desks or file cabinets? Who has spare keys?
A1.3.4 Do you have a map/index of information assets (architecture, infrastructure, files/records) and organized maintenance/calibration schedules?
A1.3.5 Describe backup power sources for all servers, computers, printers, cameras, decks, and other equipment (cash registers, extraction equipment, etc.). How often are these backup sources tested?
A1.3.6 Describe the fire detection/suppression systems for the facility/facilities.
A1.4 Technological (Network/Application) Security Controls
A1.4.1 Do you have custom software? Do you use seed-to-sale or point-of-sale software from an outside vendor?
A1.4.2 Do you contract for or outsource any IT or IS work (server hosting, website hosting, email marketing management, offsite surveillance)?
A1.4.3 Do contracts include monitoring elements or other metrics related to information security?
A1.4.4 How do you protect intellectual property like product design, processes, genetics, patents, copyrights, etc.?
A1.4.5 Are any controls built into contracts for contractors, volunteers, or vendors (off site surveillance, IT, software interfaces, social media fair use, etc.)? If so:
A1.4.5.1 For whom? Describe controls and intersections with the business entity.
A1.4.5.2 Do you know how information security is monitored at any contracted vendor or outsourced company? Is it required in your contracts with them?
A1.4.5.3 Do vendors have access to any files? Monitoring and recording?
A1.4.5.4 Do vendor contracts contain data breach, uptime, fair use, and confidentiality requirements, etc.?
A1.4.6 Do you have a computer network where multiple employees can share the same folders or files?
A1.4.7 Do you monitor access to data, files, and passwords (reviewing logs, user account access controls, periodic review of each employee’s access) to see if access is the minimum necessary to complete job duties?
A1.4.8 Do you have firewalls in place on all external network connections?
A1.4.9 Do you have an intrusion detection system (IDS) or intrusion prevention system (IPS) in place? If so, is the IDS/IPS system managed in-house or outsourced? Have you had any critical security events?
A1.4.10 Do you have periodic penetration tests performed on your network? Internal or contracted out? How often are these tests performed? What were the results of the last test?
A1.4.11 Describe the antivirus and malware protections you have in place.
A1.4.12 Do you have a wireless network? Have you conducted a scan for rogue wireless access points?
A1.4.13 Are the servers and hardware loaded with security service packs/patches? What is the technology, and is it the latest version?
A1.4.14 Is staff permitted to use personal devices or flash drives to access the network?
A1.4.15 Do you test and evaluate hardware (replacement schedule, upgrades)?
A1.4.16 Do you test and evaluate software (static, dynamic, interfaces, misuse case testing)?
A1.4.17 Do you monitor for network and system misconfigurations and security flaws (reviewing code, network, and web penetration testing, etc.)? If so, how? Is it adequate?
A1.4.18 Do you verify backups (functionality)?
A1.4.19 Do you review the effectiveness and technological efficiencies of any existing controls?
A1.4.20 Do you perform any (other) systematic tracking and monitoring or audits?
A1.4.21 Have you had any previous tests or plans for identified risks and vulnerabilities? If so, are there any established (performance) metrics? What were the results?
A1.4.22 Have you had any history of IS incidents, problems, etc.?
A1.4.23 What does staff complain about regarding information assets (all levels of staff)?
A1.5 Technological (Data/Application) Security Controls
A1.5.1 Do you assign access to data/files/records based on sensitivity? (That is, public, company restricted, confidentiality mandates, etc.?) Please describe levels and procedures for assigning access.
A1.5.2 Do you have a process for handling customer confidential information with respect to storing it, transporting it, and disposing of it? Do you have data breach protocols? Please describe processes, legal mandates, and any special protections for certain medical conditions, etc. (like HIV, child records, behavioral health, etc.).
A1.5.3 How often is your data backed up? Where do you store the backup media? Is the media encrypted?
A1.5.4 Do you use a third-party company to manage your backup media? If so, who, and where is it stored? Recordings? Cloud storage?
A1.5.5 Do you have a policy for destroying backup media?
A1.5.6 Describe the maintenance contract, protocols, and schedule.
A1.5.7 What methods are used to transfer data or to share records between the business entity and (1) employees working off site, (2) authorities having jurisdiction, (3) contracted vendors, (4) law enforcement, and (5) authorized third parties (patient’s physician, courts, law suits, etc.)?
A1.5.8 What are your encryption procedures for handling customer confidential data? Are records redacted?
A1.5.9 How do you protect this data while it is being transferred?
A1.5.10 Is customer data encrypted while at rest?
A1.5.11 Is the system/service accessible by means of the internet?
A1.5.12 Do end users access your system/service by means of browsers, mobile applications, or thick clients?
A1.5.13 Do contracts include monitoring elements?
A1.5.14 Are any other controls built into contracts with contractors, volunteers, or vendors (off-site surveillance, IT, software interfaces, etc.)?
A1.6 Human Factor (User Access) Controls
A1.6.1 Do you have documented information security policy and procedures that cover social media, user accounts, and use of devices (see Annex A1 and Appendix X2)?
A1.6.2 How often do the employees acknowledge they have read and understand information security policy/SOPs?
A1.6.3 Who has overall responsibility for IT security within your company? Do any staff hold any IT or IS certifications?
A1.6.4 Is access to information assets granted on a need to know basis (facilities, hardware/software, network, files/data/records)?
A1.6.5 Do you grant access to information on your network based on job functions and roles? Describe this process.
A1.6.6 Are customer/user/administrator passwords encrypted when sent over electronic networks or stored in memory? Describe this process.
A1.6.7 Describe your password policy. (That is, password aging and ability to reuse old ones, password complexity?)
A1.6.8 Do you support multi-factor authentication (MFA)?
A1.6.9 Does the system lock the user account after a certain number of failed attempts? Other lock out controls?
A1.6.10 Where is the password table stored and encrypted?
A1.6.11 Are the passwords masked?
A1.6.12 Are there pop-up warnings? (For example, “you are about to view….”; “are you sure you want to delete?”)
A1.7 Human Factor (Employee) Controls
A1.7.1 Do you perform background checks on applicants before they are hired?
A1.7.2 Do you require new hires to sign non-disclosure and confidentiality agreements related to customer confidential data and other records?
A1.7.3 Do your employees participate in information security training? Describe topics, frequency.
A1.7.4 Is there a process in place for when employees leave or are terminated? What is the process for terminating their computer/network access?
A1.7.5 Do you have policy and procedures related to information security?
A1.8 Policy and Procedure Checklist (also see Appendix X5)
A1.8.1 Employee Handbook—Nondisclosure, confidentiality, social media, access to facilities, networks, files, using only your own key card, log-in to enter information, etc.
A1.8.2 Acceptable Use—Use of personal and company-issued devices, network, internet.
A1.8.3 Access Control Systems—Setting, testing, auditing access controls (physical and electronic) logs, keys, visitor, shipping and receiving, transportation, waste protocols (see Guide D8217).
A1.8.4 Video surveillance system (see Guide D8205).
A1.9.2 Have you ever had an independent test (vulnerability assessment) of your software performed? If so, what were the results?
A1.9.3 Do you maintain an application test or development environment separate from the production system?
A1.9.4 Do software developers have the ability to access or change the production environment?
A1.10 Information Security Incident Management
A1.10.1 Do you have any incident response plans or protocols in place? Describe data breach (records, customer) and unauthorized exposure (internal, external) protocols.
A1.10.2 Have you had any IS incidents? Please explain.
A1.11 Business Continuity Management
A1.11.1 Do you have a written bu
...
