IT equipment is classified and appropriately labelled.

]]> This section covers information relating to the classification and labelling of both evaluated and non-evaluated IT equipment.

]]> Non-essential labels are labels other than classification and asset labels.

]]> Much of today’s technology incorporates an internal data storage capability. When media is used in IT equipment there is no guarantee that the equipment has not automatically accessed classified information from the media and stored it locally to the device, without the knowledge of the system user. As such, the IT equipment needs to be afforded the same degree of protection as that of the associated media.

]]> Agencies MUST classify IT equipment based on the highest classification of information the equipment and any associated media within the equipment, are approved for processing, storing or communicating.

]]> The purpose of applying protective markings to all assets in a secure area is to reduce the likelihood that a system user will accidentally input classified information into another system residing in the same area that is of a lower classification than the information itself.

]]> Applying protective markings to assets also assists in determining the appropriate usage, sanitisation, disposal or destruction requirements of the asset based on its classification. This is of particular importance in data centres and computer rooms.

]]> Agencies MUST clearly label all IT equipment capable of storing or processing classified information, with the exception of HACE, with the appropriate protective marking.

]]> Agencies MUST clearly label all IT equipment in data centres or computer rooms with an asset identification and the level of classification to which that equipment has been accredited.

]]> High assurance products often have tamper-evident seals placed on their external surfaces. To assist system users in noticing changes to the seals, and to prevent functionality being degraded, agencies MUST limit the use of non-essential labels.

]]> Agencies MUST NOT have any non-essential labels applied to external surfaces of high assurance products.

]]> HACE often have tamper-evident seals placed on their external surfaces. To assist system users in noticing changes to the seals, and to prevent functionality being degraded, agencies MUST only place seals on equipment with GCSB approval.

]]> Agencies SHOULD seek GCSB authorisation before applying labels to external surfaces of HACE.

]]>