Significance and Use
5.1 Information security programs and controls should be implemented by all cannabis businesses to protect information assets, which include information system infrastructure, architecture, analog (paper) and electronic data, files and records.
5.2 The cannabis industry is in transition from an unregulated industry to a regulated industry, which involves substantial investment. Implementing an information security program helps organizations manage information security threats and protect the organization, employees, customers, vendors and other business partners from unauthorized access, misuse of information, crime, and costly exposure or loss.
5.3 Cannabis customers and business partners place higher value on keeping information secure and have heightened concerns about information security due to the legal complexities and stigma around the industry.
5.4 Information systems have multiple access points that present opportunities for vulnerabilities, such as user accounts, removable storage devices, internet connections, malware and other attacks, scams, and poorly designed access controls.
5.5 This practice intends to help organizations of all types and sizes find an acceptable balance of risks and costs of threat mitigation, recovery and remediation.
5.6 When planning an information security program, a broad range of input from all departments (or functional areas), levels of staff, and areas of expertise (information technology, legal, compliance, human resources, tax/accounting) is ideal for identifying the highest information security risks to the organization and can make implementation go more smoothly.
5.7 Information assets must be protected throughout the entire lifecycle (creation, transmission, review, storage, and destruction).
5.8 Users of This Practice:
5.8.1 This practice is written for cannabis business operations to be used by:
5.8.1.1 Business owners and management to develop security controls to prevent, detect, and mitigate vulnerabilities and risk, enhance business planning, and respond to and recover from incidents;
5.8.1.2 Consultants to provide guidance about information security assessments, analysis, controls and information audits;
5.8.1.3 Authorities having jurisdiction to inspect the adequacy of information security; and
5.8.1.4 Training organizations and certification bodies to train or certify individuals on the body of knowledge related to information security in the cannabis industry.
5.9 Iterative Implementation Approach:
5.9.1 Implementing an information security program is not a one-time sequence of tasks. Once an information security program manager is assigned, team participants are educated, and risk assessments and analyses are conducted, iterative cycles of implementing controls can begin. Initial plans will focus on higher priority assets and risks and on controls that are easy to implement. Teams will monitor implementation, make adjustments, and repeat as needed.
5.9.2 An information security audit should be conducted at least once a year.
5.9.2.1 Audits can be assigned to internal or external auditors, depending on need for objectivity, independent review, or in accordance with legal mandates.
5.10 Unique Business Entities:
5.10.1 This practice is not a one-size-fits-all model to manage cybersecurity risk. Since each operation's risks, systems, procedures, digital usage, size, and scale are unique, the use of this practice requires ongoing engagement and continuous evaluation of prevention and countermeasures to stay abreast of ever-changing threats. This practice cannot be used by itself as an information security policy, procedure, or program; each entity must develop and monitor its own information security practice. This practice will guide the planning, assessment, implementation, audit, and improvement of an ongoing information security program.
5.11 Compliance and Legal Considerations:
5.11.1 Cannabis business mandates are complex and unique to each jurisdiction. Cannabis businesses must consult with legal, compliance, accounting, security, human resources and information technology professionals for guidance about protecting and sharing records.
5.11.2 Multiple levels of jurisdiction can apply (local, state/province, country), and mandates can conflict, leaving the applicable requirements unclear. For example, legal experts do not agree on whether U.S. HIPAA requirements apply to cannabis businesses that sell to medical patients.
5.11.3 Since remediation efforts are costly, all cannabis business entities must maintain an active information security program to prevent and detect threats with plans to respond and recover from incidents.
5.11.4 Business entities should not rely solely on software vendors for advice, because no vendor can manage all of the information security and related compliance, legal and business risks a cannabis business will face.
5.11.5 Businesses should ensure that intellectual property and other business records, operational records, and customer records are considered and protected in consultation with legal and compliance professionals.
5.12 Insurance, Contracts, and Tax Considerations:
5.12.1 Cannabis business entities should review insurance policies and contracts to ensure adequate protections.
5.12.2 Businesses should consider including elements such as nondisclosure, privacy and confidentiality, data breach protocols, testing and maintenance requirements, scope of work and functional requirements, use of proprietary software, uptime, and clear measures of success in contracts.
5.12.3 Cannabis businesses should ensure finance, budget, and tax professionals are consulted about information security plans so that team activities and controls are clearly written, budgeted, and implemented in alignment with the organization's financial and tax goals.
Scope
1.1 This practice covers recommendations for implementing an information security program to protect businesses operating in the regulated cannabis industry. An information security program is part of an overall security program that each business should implement.
1.2 This practice applies to any legal business entity that handles cannabis products, including cultivation, processing, manufacturing, transportation, warehousing, lab testing, distribution, retail, home delivery, and waste. This practice will include protections for analog (paper) and digital information assets.
1.3 Actual implementation will vary depending on organizational size and type, information asset types, sensitivity and volume of assets, risk tolerance and resource constraints of the organization, and mandates particular to the organization.
1.4 This standard does not purport to address all of the safety concerns, if any, associated with its use. It is the responsibility of the user of this standard to establish appropriate safety, health, and environmental practices and determine the applicability of regulatory limitations prior to use.
1.5 This international standard was developed in accordance with internationally recognized principles on standardization established in the Decision on Principles for the Development of International Standards, Guides and Recommendations issued by the World Trade Organization Technical Barriers to Trade (TBT) Committee.