17.3.10 Protection of Information Assets
In ensuring the basic protection of OIST information assets, users must handle Information Assets in a manner appropriate to the information classification they have been assigned. The security level of the devices used to access information assets and the mode of access must be commensurate with the sensitivity of the asset and conform to OIST information classification and device eligibility criteria [link: 17.8.9].
OIST information assets are to be used for business purposes only, users shall not use OIST information assets for any purpose other than the task for which they are intended. Access to Information Assets must be granted on a “need to know” basis, where required for a user to complete their duties, and in line with business needs.
The protection of personal information is further restricted by the regulations as detailed in [link: 12.3.8]. All users which will deal with personal information must familiarize themselves with, and remain abreast of changes to these rules.