ASTM D8320-21 (Practice)
Standard Practice for Implementing an Information Security Program in a Cannabis Operation
SIGNIFICANCE AND USE
5.1 Information security programs and controls should be implemented by all cannabis businesses to protect information assets, which include information system infrastructure, architecture, analog (paper) and electronic data, files and records.
5.2 The cannabis industry is in transition from an unregulated industry to a regulated industry, which involves substantial investment. Implementing an information security program helps organizations manage information security threats and protect the organization, employees, customers, vendors and other business partners from unauthorized access, misuse of information, crime, and costly exposure or loss.
5.3 Cannabis customers and business partners place higher value on keeping information secure and have heightened concerns about information security due to the legal complexities and stigma around the industry.
5.4 Information systems have multiple access points that present opportunities for vulnerabilities, such as user accounts, removable storage devices, internet connections, malware and other attacks, scams, and poorly designed access controls.
5.5 This practice intends to help organizations of all types and sizes find an acceptable balance of risks and costs of threat mitigation, recovery and remediation.
5.6 When planning an information security program, a broad range of input from all departments (or functional areas), levels of staff, and areas of expertise (information technology, legal, compliance, human resources, tax/accounting) is ideal for identifying the highest information security risks to the organization and can make implementation go more smoothly.
5.7 Information assets must be protected throughout the entire lifecycle (creation, transmission, review, storage, and destruction).
5.8 Users of This Practice:
5.8.1 This practice is written for cannabis business operations to be used by:
5.8.1.1 Business owners and management to develop security controls to prevent, dete...
SCOPE
1.1 This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.
1.2 This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.
1.3 Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
Standards Content (Sample)
Designation: D8320 − 21
Standard Practice for Implementing an Information Security Program in a Cannabis Operation¹
This standard is issued under the fixed designation D8320; the number immediately following the designation indicates the year of original adoption or, in the case of revision, the year of last revision. A number in parentheses indicates the year of last reapproval. A superscript epsilon (ε) indicates an editorial change since the last revision or reapproval.
1. Scope
1.1 This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.
1.2 This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.
1.3 Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
2. Referenced Documents
2.1 ASTM Standards:²
D8205 Guide for Video Surveillance System
D8217 Guide for Access Control System
D8218 Guide for Intrusion Detection System (IDS)
F3286 Guide for Cybersecurity and Cyberattack Mitigation
3. Terminology
3.1 Definitions of Terms Specific to This Standard:
3.1.1 access control, n—restricting access to an asset.
3.1.2 asset, n—generally refers to anything of value to a business such as an employee, facility, computer equipment, computer system, intellectual property, and other information assets.
3.1.3 availability, n—ability of authorized users to access analog or electronic information assets on demand.
3.1.4 boundary defense, n—controls the flow of traffic through network borders and polices content by looking for evidence of unauthorized access and attacks. Established multilayered boundary defenses typically include controls that protect perimeter networks, firewalls, and other network tools.
3.1.5 cannabis products, n—refers to cannabis seeds, immature plants, flower, cannabis concentrates regardless of form or extraction method and cannabis infused products, such as edibles, etc.
3.1.6 chain of custody, n—refers to the process of documenting each person who had access and control of a particular asset from the time of creation through any changes of hands.
3.1.7 classification level, n—refers to defined sensitivity levels of information. People are granted access to information of certain classification levels in accordance with their duties. Governments use labels such as top secret, secret, confidential, and unclassified (see role-based access).
3.1.8 computer system, n—hardware, software, network, transmission, storage.
3.1.9 confidential, n—refers to the legally protected privacy of an information asset.
3.1.10 controls, n—refers to physical, technological, and human (end user) measures and countermeasures intended to prevent, detect, or otherwise mitigate system vulnerabilities and potential threats of unauthorized access, misuse, damage, disruption or losses to information system infrastructure or information assets, whether unintentional or by malicious
¹ This practice is under the jurisdiction of ASTM Committee D37 on Cannabis and is the direct responsibility of Subcommittee D37.05 on Security and Transportation. Current edition approved July 1, 2021. Published August 2021. DOI: 10.1520/D8320-21.
² For referenced ASTM standards, visit the ASTM website, www.astm.org, or contact ASTM Customer Service at service@astm.org. For Annual Book of ASTM Standards volume information, refer to the standard's Document Summary page on the ASTM website.
Copyright © ASTM International, 100 Barr Harbor Drive, PO Box C700, West Conshohocken, PA 19428-2959. United
...