1、Designation:D832021Standard Practice forImplementing an Information Security Program in aCannabis Operation1This standard is issued under the fixed designation D8320;the number immediately following the designation indicates the year oforiginal adoption or,in the case of revision,the year of last re
2、vision.A number in parentheses indicates the year of last reapproval.Asuperscript epsilon()indicates an editorial change since the last revision or reapproval.1.Scope1.1 This practice covers recommendations for implementingan information security program to protect businesses operat-ing in the regul
3、ated cannabis industry.An information securityprogram is part of an overall security program that eachbusiness should implement.1.2 This practice applies to any legal business entity thathandles cannabis products,including cultivation,processing,manufacturing,transportation,warehousing,lab testing,d
4、istribution,retail,home delivery,and waste.This practice willinclude protections for analog(paper)and digital informationassets.1.3 Actual implementation will vary depending on organi-zational size and type,information asset types,sensitivity andvolume of assets,risk tolerance and resource constrain
5、ts of theorganization,and mandates particular to the organization.1.4 This standard does not purport to address all of thesafety concerns,if any,associated with its use.It is theresponsibility of the user of this standard to establish appro-priate safety,health,and environmental practices and deter-
6、mine the applicability of regulatory limitations prior to use.1.5 This international standard was developed in accor-dance with internationally recognized principles on standard-ization established in the Decision on Principles for theDevelopment of International Standards,Guides and Recom-mendation
7、s issued by the World Trade Organization TechnicalBarriers to Trade(TBT)Committee.2.Referenced Documents2.1 ASTM Standards:2D8205 Guide for Video Surveillance SystemD8217 Guide for Access Control SystemD8218 Guide for Intrusion Detection System(IDS)F3286 Guide for Cybersecurity and Cyberattack Mitig
8、ation3.Terminology3.1 Definitions of Terms Specific to This Standard:3.1.1 access control,nrestricting access to an asset.3.1.2 asset,ngenerally refers to anything of value to abusiness such as an employee,facility,computer equipment,computer system,intellectual property,and other informationassets.
9、3.1.3 availability,nability of authorized users to accessanalog or electronic information assets on demand.3.1.4 boundary defense,ncontrols the flow of trafficthrough network borders and polices content by looking forevidence of unauthorized access and attacks.Establishedmultilayered boundary defens
10、es typically include controls thatprotect perimeter networks,firewalls,and other network tools.3.1.5 cannabis products,nrefers to cannabis seeds,imma-ture plants,flower,cannabis concentrates regardless of form orextraction method and cannabis infused products,such asedibles,etc.3.1.6 chain of custod
11、y,nrefers to the process of docu-menting each person who had access and control of a particularasset from the time of creation through any changes of hands.3.1.7 classification level,nrefers to defined sensitivitylevels of information.People are granted access to informationof certain classification
12、 levels in accordance with their duties.Governments use labels such as top secret,secret,confidential,and unclassified(see role-based access).3.1.8 computer system,nhardware,software,network,transmission,storage.3.1.9 confidential,nrefers to the legally protected privacyof an information asset.3.1.1
13、0 controls,nrefers to physical,technological,andhuman(end user)measures and countermeasures intended toprevent,detect,or otherwise mitigate system vulnerabilitiesand potential threats of unauthorized access,misuse,damage,disruption or losses to information system infrastructure orinformation assets,
14、whether unintentional or by malicious1This practice is under the jurisdiction of ASTM Committee D37 on Cannabisand is the direct responsibility of Subcommittee D37.05 on Security and Transpor-tation.Current edition approved July 1,2021.Published August 2021.DOI:10.1520/D8320-21.2For referenced ASTM
15、standards,visit the ASTM website,www.astm.org,orcontact ASTM Customer Service at serviceastm.org.For Annual Book of ASTMStandards volume information,refer to the standards Document Summary page onthe ASTM website.Copyright ASTM International,100 Barr Harbor Drive,PO Box C700,West Conshohocken,PA 194
16、28-2959.United StatesThis international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for theDevelopment of International Standards,Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade(TBT)Committee.1?attack.Controls include threat response and recovery proto-cols.Examples of controls:limiting access to locations andrecords,antivirus software,policy and procedur
