Data Life Cycle Protection Policy
Information Security Team – Axis Bank Version <5>
Confidential : For Internal Circulation Only ISSP - 23

9 Security Control Matrix

Columns of the matrix: Classification Level | Data Type | Control for CONFIDENTIALITY [C] | Control for INTEGRITY [I] | Control for AVAILABILITY [A]

Each row below is given as Classification Level | Data Type (in the INFORMATION HANDLING, TRANSMISSION and DISPOSAL sections the activity is prefixed), followed by its controls tagged [C], [I] or [A]; a control that applies to all three carries no tag.

STORAGE

Public | All
  Minimal/No Control required

Internal | Print
  [C] Use cabinets
  [I] Document Version Control to be followed
  [I] Document to be signed and approved
  [A] Duplicate copy to be maintained

Internal | Electronic / Other
  [C] Storage in all drives
  [C] Access only to authenticated and authorized personnel/systems
  [C] Minimum audit requirements
  [C] 1) Password protection – optional
  [I] Document Version Control to be followed
  [I] Laptop/Desktop: Updated Antivirus and patches
  [I] Server: Hardened as per SCD
  [A] Information to be backed up

Confidential | Print
  [C] Usage of locked cabinets
  [C] Keys of the cabinet to be kept with authorized personnel only
  [I] Document Version Control to be followed
  [I] <CLIENT> stamp/Approver signature to be present in the document
  [A] Scanned copy of the signed / approved document to be stored
  [A] For other documents maintain an electronic/digital version

Confidential | Electronic / Other
  [C] Storage in secured/encrypted drives
  [C] Access to authenticated and authorized personnel/systems
  [C] Privilege rights on need to know basis
  [C] Standard Auditing to be put in place
  [C] Password protect the document
  [C] 1) Implement Data Leak Prevention Solution – Where feasible
  [I] Document Version Control to be followed
  [I] Comprehensive Application security testing
  [I] Server: Hardened as per SCD
  [I] 1) Implement File Integrity solution – Where feasible
  [I] 2) Store hash value – Where feasible
  [I] 3) Implement Data Leak Prevention Solution – Where feasible
  [A] Information to be backed up
  [A] Store copy of the backup tapes in a secure offsite location
  [A] 1) Implement offline/real-time replication of data with DR site
  [A] 2) Redundancy for systems – Where feasible

Restricted | Print
  [C] Usage of locked cabinet
  [C] Stringent access control measures to be implemented
  [C] Keys to be kept with authorized individuals only
  [I] Document Version Control to be followed
  [I] <CLIENT> stamp/Approver signature to be present in the document
  [A] Scanned copy of the signed / approved document to be stored OR Authorized duplicate copy to be maintained
  [A] For other documents maintain an electronic/digital version
Restricted | Electronic / Other
  [C] Storage in secured/encrypted drives
  [C] Access to authenticated and authorized personnel/systems
  [C] Privilege rights on strictly need to know basis
  [C] Stringent Audit controls to be put in place
  [C] Password protect the document
  [C] Implement Data Leak Prevention Solution
  [I] Document Version Control to be followed
  [I] Comprehensive Application security testing
  [I] Server: Hardened as per SCD
  [I] 1) Implement File Integrity solution – Where feasible
  [I] 2) Store hash value – Where feasible
  [I] Implement Data Leak Prevention Solution
  [A] Information to be backed up
  [A] Store copy of the backup tapes in a secure offsite location
  [A] Implement offline/real-time replication of data with DR site
  [A] Redundancy for systems to be implemented
  [A] Preventive maintenance to be done for the systems

INFORMATION HANDLING

Copying | Public | ALL
  No special precautions

Copying | Internal | ALL
  Ensure best practices while copying/creating duplicate records

Copying | Confidential | ALL
  Photocopy to be taken only on need basis
  USB/External HDD Usage: Centralized security controls to be enforced to prevent unauthorized duplication
  Implement Data Leak Prevention Solution

Copying | Restricted | ALL
  Photocopying/Duplicating only after explicit approval from the Data Owner
  USB/External HDD Usage: Prohibited
  Implement Data Leak Prevention Solution

Labeling | Public | ALL
  For hardcopy files & electronic documents, apply the sensitivity label on the first page at the lower
  left hand corner, preferably in the Footer section.
  Where applicable, apply the label "Approved for Public Release" along with the date when the owner
  declared the information public at the lower left hand corner of the first page

Labeling | Internal | ALL
  For hardcopy files & electronic documents, apply the sensitivity label at the lower left hand corner of
  every page (including Front Cover & Rear cover), preferably in the Footer section. This also applies
  to Fax messages, Microfiche, Microfilm
  All instances in which data is displayed on a screen or otherwise presented to a computer user must
  involve an indication of the classification level of the data
  All tape reels, floppy disks, and other computer storage media containing sensitive information must
  be externally labeled with the appropriate classification level

Labeling | Confidential & Restricted | ALL
  Apply the sensitivity label at the lower left hand corner of every page (including Front Cover & Rear
  cover), preferably in the Footer section. Ensure that page numbering displays the total pages of the
  document. This also applies to Fax messages, Microfiche, Microfilm
  All instances in which data is displayed on a screen or otherwise presented to a computer user must
  involve an indication of the classification level of the data
  All tape reels, floppy disks, and other computer storage media containing sensitive information must
  be externally labeled with the appropriate classification level

TRANSMISSION

By Spoken Word | Public | ALL
  No special precautions

By Spoken Word | Internal | ALL
  Reasonable precaution to prevent inadvertent disclosure

By Spoken Word | Confidential & Restricted | ALL
  Active measures and close control to limit information to as few persons as possible
  Enclosed meeting areas. Public areas prohibited
  Avoid proximity to unauthorized listeners, speaker phones etc.

By Post / Fax / Email / Print | Public & Internal | ALL
  POST/EMAIL: No special precautions
  PRINTER/FAX: Located in area not accessible to the public

By Post / Fax / Email / Print | Confidential | ALL
  POST: Sealed envelope bearing the classification label. Traceable delivery method preferred, e.g.
  with return receipt mail.
  E-mail: Data to be password protected. Digital signatures or other manual/automated forms of
  Non-Repudiation measures to be adopted. Mass mailing discouraged.
  Implementation of Data Leak Prevention solution to be considered, where applicable
  FAX: Located in area not accessible to the public. Cover sheet labeled "Confidential" required.
  Telephone notification prior to transmission and subsequent telephone confirmation of receipt
  required
  Printer: Located in an area not accessible to the public. Printed data not to be left unattended.

By Post / Fax / Email / Print | Restricted | ALL
  POST: Use of POST strongly discouraged except in emergency situations. Sealed envelope bearing
  the classification label. Notify recipient in advance. Traceable delivery method required, e.g. with
  return receipt mail.
  E-mail: Use of email strongly discouraged except in emergency situations. Data to be password
  protected and encrypted. Notify recipient in advance. Digital signatures or other manual/automated
  forms of Non-Repudiation measures to be adopted. Mass mailing prohibited.
  Implementation of Data Leak Prevention solution to be considered, where applicable
  FAX: Use of FAX strongly discouraged except in emergency situations. Located in area not
  accessible to the public. Cover sheet labeled "Confidential" required. Telephone notification prior to
  transmission and subsequent telephone confirmation of receipt required
  Printer: Located in an area accessible only to authorized personnel. Printed data not to be left
  unattended.


Release to Third Party | Public | ALL
  To be released only after approval

Release to Third Party | Internal | ALL
  Intended for use only within the organization. May be shared outside the organization only if there
  is a legitimate business need to know and the release is approved by the Data Owner

Release to Third Party | Confidential | ALL
  Access limited to need to know basis and not to be released externally, unless in accordance with
  specified policies and procedures on release of information

Release to Third Party | Restricted | ALL
  Access limited to as few persons as possible on a need to know basis. Release only permitted by
  applicable policies

LAN / WAN / Internet | Public | ALL
  No special precautions

LAN / WAN / Internet | Internal | ALL
  LAN/WAN: No special precautions
  Internet: Encryption of data can be considered

LAN / WAN / Internet | Confidential & Restricted
  Channel  | Authentication Data | Customer / Business Critical Data
  LAN      | Encrypted           | Server to Server Encryption; Desktop to Server encryption – Where feasible
  WAN      | Encrypted           | Server to Server Encryption; Desktop to Server encryption – Where feasible
  Internet | Encrypted           | Encryption and signing using digital certificates

DISPOSAL / DESTRUCTION

Public | ALL
  No special precaution



Internal | ALL
  Destruction: No special precaution
  Location of waste bin: No special precaution
  Paper recycling: Permitted
  HDD/Magnetic Media/Diskette: No special precaution

Confidential | ALL
  Destruction: Use shredder for paper docs. Ensure deleted data is not easily recoverable
  Location of waste bin: Secure area not accessible to unauthorized persons
  Paper recycling: Prohibited, unless by special recycling program for confidential information
  HDD/Magnetic Media/Diskette: Overwrite or reformat as per existing Hard Disk Data Destruction
  Instructions

Restricted | ALL
  Destruction: Use shredder for paper docs. Ensure deleted data is not easily recoverable
  Location of waste bin: Secure area not accessible to unauthorized persons
  Paper recycling: Prohibited
  HDD/Magnetic Media/Diskette: Overwrite or reformat as per existing Hard Disk Data Destruction
  Instructions

------ End of the Document ------
