1.1
This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.
1.2
This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.
1.3
Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.
1.4
This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5
This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.
====== Significance And Use ======
5.1
Information security programs and controls should be implemented by all cannabis businesses to protect information assets, which include information system infrastructure, architecture, analog (paper) and electronic data, files, and records.
5.2
The cannabis industry is in transition from an unregulated industry to a regulated industry, which involves substantial investment. Implementing an information security program helps organizations manage information security threats and protect the organization, employees, customers, vendors and other business partners from unauthorized access, misuse of information, crime, and costly exposure or loss.
5.3
Cannabis customers and business partners place higher value on keeping information secure and have heightened concerns about information security due to the legal complexities and stigma around the industry.
5.4
Information systems have multiple access points that can expose vulnerabilities, such as user accounts, removable storage devices, internet connections, malware and other attacks, scams, and poorly governed access controls.
5.5
This practice is intended to help organizations of all types and sizes find an acceptable balance between risk and the costs of threat mitigation, recovery, and remediation.
5.6
When planning an information security program, a broad range of input from all departments (or functional areas), levels of staff, and areas of expertise (information technology, legal, compliance, human resources, tax/accounting) is ideal for identifying the highest information security risks to the organization and can make implementation go more smoothly.
5.7
Information assets must be protected throughout the entire lifecycle (creation, transmission, review, storage, and destruction).
5.8
Users of This Practice:
5.8.1
This practice is written for cannabis business operations to be used by:
5.8.1.1
Business owners and management to develop security controls to prevent, detect, and mitigate vulnerabilities and risk, enhance business planning, and respond to and recover from incidents;
5.8.1.2
Consultants to provide guidance about information security assessments, analysis, controls and information audits;
5.8.1.3
Authorities having jurisdiction to inspect the adequacy of information security; and
5.8.1.4
Training organizations and certification bodies to train or certify individuals on the body of knowledge related to information security in the cannabis industry.
5.9
Iterative Implementation Approach:
5.9.1
Implementing an information security program is not a one-time sequence of tasks. Once an information security program manager is assigned, team participants are educated, and risk assessments and analyses are conducted, iterative cycles of implementing controls can begin. Initial plans will focus on higher-priority assets and risks and on easy-to-implement controls. Teams will monitor implementation, make adjustments, and repeat as needed.
5.9.2
An information security audit should be conducted at least once a year.
5.9.2.1
Audits can be assigned to internal or external auditors, depending on the need for objectivity or independent review, or as required by legal mandates.
5.10
Unique Business Entities:
5.10.1
This practice is not a one-size-fits-all model to manage cybersecurity risk. Since each operation's risks, systems, procedures, digital usage, size, and scale are unique, the use of this practice requires ongoing engagement and continuous evaluation of prevention and countermeasures to stay abreast of ever-changing threats. This practice cannot be used by itself as an information security policy, procedure, or program; each entity must develop and monitor its own information security practice. This practice will guide the planning, assessment, implementation, audit, and improvement of an ongoing information security program.
5.11
Compliance and Legal Considerations:
5.11.1
Cannabis business mandates are complex and unique to each jurisdiction. Cannabis businesses must consult with legal, compliance, accounting, security, human resources and information technology professionals for guidance about protecting and sharing records.
5.11.2
Multiple levels of jurisdiction can apply (local, state/province, country), and mandates can conflict, rendering them unclear. For example, legal experts do not agree on whether U.S. HIPAA laws apply to cannabis businesses that sell to medical patients.
5.11.3
Since remediation efforts are costly, all cannabis business entities must maintain an active information security program to prevent and detect threats, with plans to respond to and recover from incidents.
5.11.4
Business entities should not rely solely on the vendors of purchased software for advice, because no single vendor can manage all the information security and related compliance, legal, and business risks a cannabis business will face.
5.11.5
Businesses should ensure that intellectual property and other business records, operational records, and customer records are considered and protected in consultation with legal and compliance professionals.
5.12
Insurance, Contracts, and Tax Considerations:
5.12.1
Cannabis business entities should review insurance policies and contracts to ensure adequate protections.
5.12.2
Businesses should consider including in contracts elements such as nondisclosure, privacy and confidentiality, data breach protocols, testing and maintenance requirements, scope of work and functional requirements, use of proprietary software, uptime, and clear measures of success.
5.12.3
Cannabis businesses should ensure finance, budget, and tax professionals are consulted about information security plans to ensure team activities and controls are clearly written and implemented in alignment with those goals.