OIST: Rules & Regulations

 

Information Classification: All digital and analog information recorded or maintained by the Asgardian government which is not intended for public distribution must be categorized and classified with labels as defined and assigned by the Controlled Information Act of Asgardia and the Asgardian Institute of Standards. All information should be clearly and conspicuously marked according to its classification.

  • Official: Includes routine business operations and services, some of which could have damaging consequences if lost, stolen or published in the media, but are not subject to a heightened threat profile.
  • Secret: Sensitive information that justifies heightened protective measures to defend against determined and highly capable threat actors.
  • Top Secret: Sensitive information requiring the highest levels of protection from the most serious threats. Compromise could cause widespread loss of life or threaten the security and/or economic well-being of the nation.

Communications, document holders, and packages shall be marked with "classified information" to give notice to the receiver that the information contained is marked by one of the above levels of sensitivity.

Data Storage & Processing: Information classified as 'Official' or higher, as well as information related to access control to any government system (such as user IDs, passwords), must be strongly encrypted when they are stored or transmitted. Strong encryption is defined as cryptography based on industry-tested and accepted algorithms, along with strong key lengths and proper key-management practices.

Access Controls: All passwords to systems storing or processing data for Asgardia or Asgardian Residents must conform to the OIST complexity guidelines. Contact the OIST for the latest information on minimum requirements.

Defunct Properties: Digital Properties (Domains, Web Sites, Platforms) which are no longer maintained should be decommissioned within 90 days to prevent improper usage, dissemination of incorrect information, security breaches, and more.

KYC Laws: Know Your Customer (KYC) guidelines and regulations in financial services require professionals to verify the identity, suitability, and risks involved with maintaining a business relationship with a customer. Austria's KYC requirements are here.

Government services which are accessible electronically are required to use two-factor authentication (2FA) to restrict login access. Exceptions must be applied for in writing and approved by the OIST.

  • OIST Audits: All entities, offices, departments, or individuals that store, transmit, or display data belonging to Asgardia or its Citizens for commercial or public service purposes are required to complete an OIST audit at least once per calendar year. Proof of attestation is required in order to remain in service. Failure to comply with this policy will be considered cause for revocation of the rights to process data belonging to Asgardia or its Citizens for commercial or public service purposes.