It is well known that you cannot secure what you do not know exists. Asset and data management is all about discovery, ownership, value, acceptable use, protection, and disposal of information-related assets. Assets can be tangible, like hardware, or intangible, like software and data. Whether you are with a small or large institution, a good place to start is:
Develop the 4 "knows" for a great start and, perhaps, a successful finish to your asset and data management initiative. Each of the "knows" is expanded upon below.
Institutional asset inventory reports from departments responsible for purchasing and equipment asset inventory.
Institutional information security risk assessments.
Business Continuity and Disaster Recovery plans (good source for critical systems).
Visit your institution’s CIO and data center management and discuss what information resources are under their custody.
Visit major stakeholders (senior staff, administrative department heads, etc.) and discuss what information systems and data their department handles.
Create a spreadsheet of the items.
List the assets for each category.
Define distinct categories for the types of assets in your institution (e.g., infrastructure, data center hardware, information systems/applications, data).
Record the physical location of the asset in your spreadsheet. You may want to divide them into Local and Hosted.
Include under Local institutional brick and mortar physical locations such as classrooms, data centers, labs, or offices. Example: the location of collaborative research materials on a file share may be Primary Data Center X.
Include under Hosted third-party vendor data centers and other remote locations not owned by the institution. Example: the location of the learning management system is Vendor X data center located in Address.
Identify and record in your spreadsheet the Owners and Custodians for each of the assets listed. Most of the time, the individuals responsible for the security of the asset and for ensuring compliance are not the same as the individuals responsible for implementing security controls and day-to-day operations.
Example 1 (Local): the owner of the Student Information System may be the Registrar and the custodian may be the institution’s IT department.
Example 2 (Local): the owner of the network switches may be the Director of the Office of Network and Telecommunications and the custodian may be the same department.
Example 3 (Hosted): the owner of the Learning Management System may be the Dean of the School of Business and the custodian may be Vendor X.
Review the federal or state laws, regulations, rules or institutional policies that require protection of information resources. These could be FERPA, HIPAA, or a state law governing social security number use.
Review your institution’s Data Classification Policy.
Determine from your sources from Step 1 whether your institution’s assets are classified in accordance with the Data Classification policy. If not, this Data Classification Toolkit may be helpful to you in getting started.
Create a simple classification schema (e.g., Public, Restricted, Confidential).
Create a criticality rating for the assets. For example (highest to lowest):
1 – critical: is always available and protected
2 – very important: this asset is available and protected
3 – important: if this asset is available and protected
4 – good: if this asset is available with minimal protection
Record in your spreadsheet the asset classification and/or criticality ranking.
Example 1: The LMS system has a rating of 2.
Example 2: Student Records are Confidential and have a rating of 1.
At this point, you are ready to determine whether institutional assets are protected according to their classification and importance.
An asset is defined as "an item of value". (Source: Merriam-Webster's Online Dictionary) Asset and data management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in your institution to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who's responsible for it are all-important pieces of the puzzle.
Similarly, an Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets (e.g., data). To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization's reputation, are also important assets not to be overlooked in an effective asset management strategy.
An institution should be in a position to know what physical, environmental or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset and data management strategy are:
Objective: To ensure adequate protection of organizational resources, all assets should be accounted for and each should have a designated responsible party.
Do you know what assets you have and where they are?
In order to effectively manage an organization's assets, you must first understand what assets you have and where your organization keeps them. Some institutional asset examples are IT hardware, software, data, system documentation, and storage media. Supporting assets such as data center air systems, UPSs and services should be included in the inventory. All assets should be accounted for and have an owner. If improperly managed, assets can become liabilities.
So where do you begin?
Categorize your assets. Begin by defining distinct categories of the types of assets in your institution. Each category should have its own inventory or classification structure based on the assets that category may contain.
(Category: Data Center Hardware)
Create a list of assets for each category. Creating a list of an institution's assets and their corresponding locations is the beginning of your inventory. Often, the process of doing so helps identify additional assets that previously had not been considered.
(Category: Data Center Hardware; Asset: Core Network Switches)
Add a location for each asset. Location could be a brick and mortar physical location such as a classroom, data center or office. It could also be collaborative research materials on a file share or financial information stored in a database.
(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001)
Because assets can be many things and serve multiple functions, there will likely be more than one inventory process or system used to capture the range of assets that exist at an institution. Make sure you connect with other areas to see what form of hardware inventory already exists. Don't start from zero. Each inventory system should not unnecessarily duplicate other inventories that may exist.
Do you know who is responsible for each asset?
Once you have begun to capture an inventory of the potential assets and their locations, start identifying the responsible party, or parties, for each asset. An owner is a person, or persons or department, that has been given formal responsibility for the security of an asset. The owner(s) are responsible for securing asset(s) during the lifecycle of the asset(s). At this juncture in the exercise it is important to understand the distinction between the terms "owner" and "custodian" of assets.
The custodian is responsible for ensuring that the asset is managed appropriately over its lifecycle, in accordance with rules set by the asset owner. The custodian is often a subject matter expert (SME) or "owner" of the business process for a particular information asset. An owner of an information asset, a Data Owner if you will, has direct operational responsibility for the management of one or more types of data. Think of it in terms of an information security department. You have the "owner", the person responsible for interpreting and assuring compliance. That would be the Director or CISO. Then there is the custodian(s), the person(s) responsible for the day-to-day operations and management of the tools and processes that protect the information assets.
Identifying the owners will help determine who will be responsible for carrying out protective measures, and responding to situations where assets may have been compromised. You will also quickly realize when it isn't clear who the appropriate responsible party is or when shared responsibility may be an issue.
(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey)
The owner(s) of the assets should be able to identify acceptable uses or provide information on which institutional policy governs its acceptable use. Work with the responsible owner, if need be, on acceptable uses. The acceptable uses should include items such as who assumes the risk of loss, who gives access to the asset, and how a critical asset is kept functional during or after a loss. Policies governing the use, preservation and destruction of hardware may originate from your asset management office. Many institutions also find it helpful to document expectations for the acceptable and responsible use of information technology assets in Acceptable and Responsible Use Policies.
Identifying an owner, or responsible party, for physical hardware or software is relatively easy. Information assets may be a bit more difficult to identify, classify, and assign ownership to.
Do you know how important each asset is in relation to other assets?
All assets add value to an organization. However, not all assets are created equal. Gaining a clear understanding of the relative importance of each asset when compared to other organizational assets is an essential step if you are to adequately protect your assets. The importance of an asset can be measured by its business value and security classification or label.
Create a rating system for the asset. It can be as simple as (highest to lowest)
Building on the previous example and adding a rating system, it would look like
(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey; Rate: 1 (Critical))
A student computer lab machine, depending on its location, may have a lower score given it is good that the asset is available. The computer lab machine may be protected with anti-virus.
Have you defined, documented and communicated the acceptable use of assets?
After going through the asset inventory, categorization, and ownership identification, ensure there are documented policies regarding the acceptable use of assets. Define, and document, the rules that clarify the acceptable uses of assets associated with information and information processing facilities. It is important, once the rules are clarified, that appropriate controls are implemented and the security requirements are communicated. Target the communication of security requirements to employees and, if appropriate, third parties who may use these assets. Accountability is key. Asset owners should be responsible and accountable, even if the owner has delegated responsibility, for their use of facilities and resources.
See Sample Policies for an EDUCAUSE library collection of sample acceptable use policies from colleges and universities.
Do you have employee exit procedures that include return of institutional assets when employment is terminated?
It is critical that institutions protect their information on equipment of employees when their employment is terminated. Make sure all relevant information that will be needed by the institution is preserved, but all information on the asset is erased. Develop an employee exit checklist that addresses the return of all institutional assets, physical or information, before the employee's last day. There are, of course, emergency situations dealing with immediate termination that may not lend themselves to a measured checklist. Create a simple checklist for those instances as well. Get to know a resource in your HR area and work with that resource to incorporate physical and electronic assets at termination.
As stated before, assets can be a variety of items. Employee knowledge is also an information asset to the institution. Preserve and document their relevant knowledge before the individual leaves the institution and ensure that knowledge is in the institution's possession. Once again, use the checklist to incorporate this aspect of asset return. A sample may include:
Don't forget about the contractors, consultants or any other external third party upon termination of contract or agreement. The same rules apply. You may wish to have a separate asset security checklist for all external agents and ensure this information is part of their contract or agreement.
The universities listed below link to their asset management or data classification policies.
Objective: To appropriately protect various kinds of information, implement a classification scheme that states the relative importance of each type of information to the organization, as well as an appropriate level and method of protection for each.
The data every institution uses in its mission of teaching is a valuable resource that needs to be protected commensurate with how it is classified. Students and staff entrust the institution with a given data set and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given.
To do this, each institution has to govern the data it uses so that it will be received, made, used, stored, shared, or destroyed in a purposeful manner which recognizes the pact to protect data in an institution's daily mission. Areas to consider in a data governance program include:
Do you know how important each information asset is in relation to other assets?
Information assets may not be equally important, nor equally sensitive or confidential in nature, nor require the same care in handling. One common method of ascertaining the importance of assets is data classification. Information assets should be classified according to their need for security protection and labeled accordingly.
So where do you begin?
Start with federal or state laws, regulations, rules or institutional policies that require certain information assets be protected. These could be FERPA, HIPAA, or a state law governing social security number use.
Pick a classification metric. Keep it simple. You may want to use something like (lowest to highest)
Perhaps your inventory of information assets might look like
(Category: Information; Asset: Student Records; Location: Banner Cluster 1, database sis_prod; Owner: Dean of Admissions; Rate: 1 (Critical))
This Data Classification Toolkit may be helpful to you in getting started.
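The inventory records shown in this section and in the four "knows" at the top of the page (Category; Asset; Location; Owner; Rate) can be checked mechanically once they are in a spreadsheet. The following Python script is an added example, not code from the EDUCAUSE page: it parses records written in the page's own parenthesised notation and then asks the questions the page asks of each row, namely whether an owner, custodian and criticality rating are recorded, and whether an information asset's classification and rating agree. The Custodian and Classification fields, the rule that only rows in the "Information" or "Data" category need a classification, and the mapping from classification to the lowest acceptable rating are assumptions made for this example; the two gap rows are constructed, not from the page.

```python
"""Asset inventory checker (added example; not part of the EDUCAUSE page)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

CLASSIFICATIONS = ("Public", "Restricted", "Confidential")
# Criticality scale from the page (1 = highest).
RATINGS = {1: "critical", 2: "very important", 3: "important", 4: "good if available"}
# Assumption for this example (the page fixes no mapping): the highest rate
# number, i.e. the lowest criticality, that each classification may carry.
MAX_RATE_FOR_CLASS = {"Confidential": 1, "Restricted": 2, "Public": 4}
# Assumption: categories whose rows must carry a data classification.
INFORMATION_CATEGORIES = ("information", "data")


@dataclass
class AssetRecord:
    category: str
    asset: str
    location: str = ""
    owner: str = ""
    custodian: str = ""      # assumed field, see lead-in
    classification: str = ""  # assumed field, see lead-in
    rate: Optional[int] = None


def parse_record(line: str) -> AssetRecord:
    """Parse one '(Key: Value; Key: Value; ...)' record as written on the page."""
    body = line.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    fields = {}
    for part in body.split(";"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key.strip().lower()] = value.strip()
    rate = None
    match = re.match(r"\s*(\d+)", fields.get("rate", ""))  # "1 (Critical)" -> 1
    if match:
        rate = int(match.group(1))
    return AssetRecord(
        category=fields.get("category", ""),
        asset=fields.get("asset", ""),
        location=fields.get("location", ""),
        owner=fields.get("owner", ""),
        custodian=fields.get("custodian", ""),
        classification=fields.get("classification", ""),
        rate=rate,
    )


def check_record(rec: AssetRecord) -> List[str]:
    """Return the list of gaps in one row; an empty list means the row is complete."""
    issues = []
    for name in ("category", "asset", "location", "owner"):
        if not getattr(rec, name):
            issues.append(f"missing {name}")
    if not rec.custodian:
        issues.append("missing custodian")
    if rec.rate is None:
        issues.append("missing criticality rate")
    elif rec.rate not in RATINGS:
        issues.append(f"rate {rec.rate} outside 1-4")
    if rec.category.lower() in INFORMATION_CATEGORIES:
        if rec.classification not in CLASSIFICATIONS:
            issues.append("information asset not classified")
        elif rec.rate is not None and rec.rate > MAX_RATE_FOR_CLASS[rec.classification]:
            limit = MAX_RATE_FOR_CLASS[rec.classification]
            issues.append(f"{rec.classification} data rated {rec.rate}, expected <= {limit}")
    return issues


def check_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Map each asset name that has gaps to its list of issues."""
    report = {}
    for line in lines:
        rec = parse_record(line)
        issues = check_record(rec)
        if issues:
            report[rec.asset] = issues
    return report


# Constructed sample inventory: the first two rows extend the page's own
# examples with Custodian/Classification; the last two contain deliberate gaps.
SAMPLE_INVENTORY = [
    "(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; "
    "Owner: Director Thomas Stoltz Harvey; Custodian: Office of Network and Telecommunications; Rate: 1 (Critical))",
    "(Category: Information; Asset: Student Records; Location: Banner Cluster 1, database sis_prod; "
    "Owner: Dean of Admissions; Custodian: IT Department; Classification: Confidential; Rate: 1 (Critical))",
    "(Category: Information; Asset: Research Data Share; Location: Primary Data Center X; Owner: ; "
    "Classification: Restricted; Rate: 3 (Important))",
    "(Category: Information Systems; Asset: Learning Management System; Location: Vendor X data center; "
    "Owner: Dean of the School of Business; Custodian: Vendor X)",
]

if __name__ == "__main__":
    for asset, issues in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{asset}: {', '.join(issues)}")
```

Run against the sample, the two complete rows produce nothing, the research share is reported for a missing owner and custodian and for a Restricted rating that is too low, and the hosted LMS is reported only for its missing rating. Pointing the same checks at an exported spreadsheet is a one-line change to how the rows are read.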
Is each asset adequately protected according to how important it is?
Different assets have different impacts on the continuity and reputation of the organization. Once you have determined the importance of your various organizational assets, you can begin the process of determining how best to protect them.
Many methods are employed to protect assets, ranging from legislative mandates (and their enforcement) to policies to technical security controls. Additionally, assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage.
Protection measures range from addressing purchasing controls to managing access by appropriate personnel to ensuring adequate physical security for assets throughout their lifetime.
Some institutions have established Data Stewardship policies to help ensure responsibilities for protecting data are effectively accomplished. It is important to note that data custodians/stewards are the decision-makers when it comes to accessing records. There needs to be a process in place for requesting access to both static and live data. The process/policy should include contract language or review to determine what happens to institutional data when a contract with a vendor is no longer in force. The data custodians/stewards can work with you to help develop policies if none are yet in place.
Other institutions conduct regular security assessments of assets considered to be critical for the functioning of an institution. Institutions may also address asset protection through physical security measures, or through background checks for newly hired and continuing personnel.
Do you have your information and physical assets labeled?
Your institution may already have property control of assets where items over a certain dollar amount are automatically tagged with a unique, usually numeric, identifier by Property Control. If not, create one yourself. Use your newly created inventory of assets to assign a unique identifier to each one. Prepare labels that are easy to recognize and sturdy, and attach them to a visible place on the equipment. Make sure you clarify when labels should not be used on equipment. This could be based on dollar amount or the level of risk you've assigned to the asset.
Information needs labeling as well. Develop your information labeling procedures based on the data classification schema you developed previously. Metadata is a common type of information label. Be careful how you manage the information you have labeled as restricted, sensitive or confidential: because of the labeling, such assets are easy to identify, and assets that are easy to identify are much easier to steal or misuse.
Is information being handled and protected according to its classification?
Now that you have your assets identified, classified and labeled, you will need to develop procedures for handling assets associated with your information and information processing facilities. It is important that your asset handling procedures respect and reflect how you classified it. Ensure that
All of the above bullet points can be incorporated into one procedural access handling document. Remember, keep it simple so others will be able to understand and comply with the requirements. Hold a session with your information and physical asset owners so they can help you define the requirements. It's important everyone feels ownership for this process.
Objective: To prevent business disruptions due to the unauthorized disclosure, modification, removal or destruction of information and information technology resources.
Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important.
Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.
Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.
EDUCAUSE Resources
27002:2013 Information Security Management | 800-30: Risk Management Guide for Information Technology Systems | APO01.06 | Req 9 | ID.AM-1 | 45 CFR 164.308(a)(1)(i)
Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).