Getting Started

It is well known that you cannot secure what you do not know exists. Asset and data management is all about discovery, ownership, value, acceptable use, protection, and disposal of information-related assets. Assets can be tangible, like hardware, or intangible, like software and data. Whether you are with a small or large institution, a good place to start is:

  1. Know What You Have
  2. Know Where It Is
  3. Know Who Owns It and Who Maintains It, and
  4. Know How Important It Is To The Institution.

Develop the 4 "knows" for a great start and, perhaps, a successful finish to your asset and data management initiative. Each of the "knows" is expanded upon below.

Know What You Have

  1. Review potential institutional sources of information assets. A holistic perspective that includes data centers, hardware, software, and data may require various sources including:
    1. Institutional asset inventory reports from departments responsible for purchasing and equipment asset inventory.

    2. Institutional information security risk assessments.

    3. Business Continuity and Disaster Recovery plans (good source for critical systems).

    4. Visit your institution’s CIO and data center management and discuss what information resources are under their custody.

    5. Visit major stakeholders (senior staff, administrative department heads, etc.) and discuss what information systems and data their department handles.

  2. Create a spreadsheet of the items.

    1. List the assets for each category.

    2. Define distinct categories for the types of assets in your institution (e.g., infrastructure, data center hardware, information systems/applications, data).

Know Where It Is

  1. Record the physical location of the asset in your spreadsheet. You may want to divide them into Local and Hosted.

    1. Include under Local institutional brick and mortar physical locations such as classrooms, data centers, labs, or offices. Example: the location of collaborative research materials on a file share may be Primary Data Center X.

    2. Include under Hosted third-party vendor data centers and other remote locations not owned by the institution. Example: the location of the learning management system is Vendor X data center located in Address.

Know Who Owns It and Who Maintains It

  1. Identify and record in your spreadsheet the Owners and Custodians for each of the assets listed in your spreadsheet. Most of the time, the individuals responsible for the security of the asset and for ensuring compliance are not the same as the individuals responsible for implementing security controls and day-to-day operations.

    • Example 1 (Local): the owner of the Student Information System may be the Registrar and the custodian may be the institution’s IT department.

    • Example 2 (Local): the owner of the network switches may be the Director of Office of Network and Telecommunications and the custodian may be the same department.

    • Example 3 (Hosted): the owner of the Learning Management System may be the Dean of the School of Business and the custodian may be Vendor X.

Know How Important It Is To The Institution

  1. Review the federal or state laws, regulations, rules or institutional policies that require protection of information resources. These could be FERPA, HIPAA, or a state law governing social security number use.

  2. Review your institution’s Data Classification Policy.

  3. Determine from the sources you gathered in Step 1 whether your institution’s assets are classified in accordance with the Data Classification policy. If not, this Data Classification Toolkit may be helpful to you in getting started.

    1. Create a simple classification schema (e.g., Public, Restricted, Confidential).

  4. Create a criticality rating for the assets. For example (highest to lowest):

    • 1 – critical is always available and protected

    • 2 – very important this asset is available and protected

    • 3 – important if this asset is available and protected

    • 4 – good if this asset is available with minimal protection

  5. Record in your spreadsheet the asset classification and/or criticality ranking.

    1. Example 1: The LMS system has a rating of 2.

    2. Example 2: Student Records are Confidential and have a rating of 1.

At this point, you are ready to determine whether institutional assets are protected according to their classification and importance.
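As an added example (not part of the original page), a small Python checker that applies the four "knows" to an inventory spreadsheet exported as CSV and lists the assets that still need attention, most critical first. The column names, the constructed sample rows and the local rule that Confidential assets must carry a criticality rating of 1 or 2 are all assumptions.

```python
import csv
import io

# Constructed sample inventory: one column per item the Getting Started
# procedure asks you to record (what, where, who owns/maintains, how important).
SAMPLE_INVENTORY = """\
asset,category,location_type,location,owner,custodian,classification,criticality
Student Information System,information system,Local,Primary Data Center X,Registrar,IT Department,Confidential,1
Learning Management System,information system,Hosted,Vendor X data center,Dean of School of Business,Vendor X,Restricted,2
Core network switches,infrastructure,Local,Primary Data Center X,Director of Network and Telecom,Director of Network and Telecom,Restricted,1
Research file share,data,Local,Primary Data Center X,,IT Department,Confidential,3
Student lab workstation,data center hardware,Local,Lab 101,,,Public,
"""

REQUIRED = ("asset", "category", "location_type", "location", "owner",
            "custodian", "classification", "criticality")
VALID_CLASSES = {"Public", "Restricted", "Confidential"}   # the simple schema from Step 3
VALID_RATINGS = {"1", "2", "3", "4"}                        # the criticality scale from Step 4


def check_inventory(csv_text):
    """Return {asset: [findings]} for every row that fails one of the four knows."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = [f"missing {f}" for f in REQUIRED if not (row.get(f) or "").strip()]
        if row["location_type"] not in ("Local", "Hosted"):
            issues.append("location_type must be Local or Hosted")
        if row["classification"] not in VALID_CLASSES:
            issues.append("unknown classification")
        crit = row["criticality"].strip()
        if crit and crit not in VALID_RATINGS:
            issues.append("criticality must be 1-4")
        # Assumed local rule (not from the page): Confidential data is rated 1 or 2.
        if row["classification"] == "Confidential" and crit not in ("1", "2"):
            issues.append("Confidential asset not rated 1 or 2")
        if issues:
            findings[row["asset"]] = issues
    return findings


def review_order(csv_text):
    """Names of assets with findings, highest criticality (rating 1) first;
    rows with a missing or invalid rating sort last."""
    rows = {r["asset"]: r for r in csv.DictReader(io.StringIO(csv_text))}

    def rank(name):
        c = rows[name]["criticality"].strip()
        return int(c) if c in VALID_RATINGS else 5

    return sorted(check_inventory(csv_text), key=rank)
```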


Overview

An asset is defined as "an item of value" (Source: Merriam-Webster's Online Dictionary). Asset and data management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in your institution to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who is responsible for it are all important pieces of the puzzle.

Similarly, an Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets (e.g., data). To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization's reputation, are also important assets not to be overlooked in an effective asset management strategy.

An institution should be in a position to know what physical, environmental or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset and data management strategy are:

  • Inventory (do you know what assets you have & where they are?)
  • Responsibility/Ownership (do you know who is responsible for each asset?)
  • Importance (do you know how important each asset is in relation to other assets?)
  • Establish acceptable-use rules for information and assets.
  • Establish procedures for the labeling of physical and information assets.
  • Establish return of asset procedures (do you have an employee exit procedure?)
  • Protection (is each asset adequately protected according to how important it is?)


Responsibility for Assets (ISO 8.1)

Objective: To ensure adequate protection of organizational resources, all assets should be accounted for and each should have a designated responsible party.

Asset Inventory

Do you know what assets you have and where they are?

...

Because assets can be many things and serve multiple functions, there will likely be more than one inventory process or system used to capture the range of assets that exist at an institution. Make sure you connect with other areas to see what form of hardware inventory already exists. Don't start from zero. Each inventory system should not unnecessarily duplicate other inventories that may exist.


Asset Responsibility/Ownership

Do you know who is responsible for each asset?

...

The owner(s) of the assets should be able to identify acceptable uses or provide information on which institutional policy governs its acceptable use. Work with the responsible owner, if need be, on acceptable uses. The acceptable uses should include items such as who assumes the risk of loss, who grants access to the asset, and how a critical asset is kept functional during or after a loss. Policies governing the use, preservation and destruction of hardware may originate from your asset management office. Many institutions also find it helpful to document expectations for the acceptable and responsible use of information technology assets in an Acceptable and Responsible Use Policy.

Identifying an owner, or responsible party, for physical hardware or software is relatively easy. Information assets may be a bit more difficult to identify, classify, and assign ownership to.


Physical and Environmental Asset Importance

Do you know how important each asset is in relation to other assets?

...

A student computer lab machine, depending on its location, may have a lower criticality score: it is good, but not essential, that the asset is available. The computer lab machine may be protected with anti-virus.


Acceptable Use of Assets Associated With Information

Have you defined, documented and communicated the acceptable use of assets?

...

See Sample Policies for an EDUCAUSE library collection of sample acceptable use policies from colleges and universities.


Return of Assets

Do you have employee exit procedures that include return of institutional assets when employment is terminated?

...

Don't forget about the contractors, consultants or any other external third party upon termination of contract or agreement. The same rules apply. You may wish to have a separate asset security checklist for all external agents and ensure this information is part of their contract or agreement.

Resources

The universities listed below link to their asset management or data classification policies.


Information Classification (ISO 8.2)

Objective: To appropriately protect various kinds of information, implement a classification scheme that states the relative importance of each type of information to the organization, as well as an appropriate level and method of protection for each.

Data Protection and Privacy of Personal Information (Records Management)

The data every institution uses in its mission of teaching is a valuable resource that needs to be protected commensurate with how it is classified. Students and staff entrust the institution with a given data set and there is an implied bargain that the data so entrusted will be protected from any use or disclosure other than as agreed to when the data was given.

...

  • Sensitivity Level. An institution should be classifying data as to sensitivity to assure that proper security protection is in place appropriate with the given data set. EDUCAUSE has excellent materials, including the Data Classification Toolkit.
  • Retention Period. Consistent with records management practices, an institution needs to be aware of the period in which data is to be retained, to assure that data's availability and integrity for that retention period.
  • Data Utilization. In every part of an institution that controls a given data set, appropriate procedures for how that data is utilized must be established. This includes access restrictions, proper handling, logging, and auditing.
  • Data Back-up. How an institution creates back-up copies of data and software is a critical element. Procedures need to be in place that memorialize and verify the implementation and inventory of back-up copies.
  • Management of Storage Media. Establish processes to ensure proper management of storage media, including restrictions on the types of media, audit trails for movement of media, secure disposal of media no longer in use, and redundant storage.
  • Electronic Data Transfers.
  • Disposal of Media. Visit the Guidelines for Information Media Sanitization for current practices and recommendations.


Information Asset Importance

Do you know how important each information asset is in relation to other assets?

...

This Data Classification Toolkit may be helpful to you in getting started.

Asset Protection

Is each asset adequately protected according to how important it is?

...

Many methods are employed to protect assets, ranging from legislative mandates (and their enforcement) to policies to technical security controls. Additionally, assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage.

Protection measures range from addressing purchasing controls to managing access by appropriate personnel to ensuring adequate physical security for assets throughout their lifetime.

...

Other institutions conduct regular security assessments of assets considered to be critical for the functioning of an institution. Institutions may also address asset protection through physical security measures, or through background checks for newly hired and continuing personnel.


Labeling of Information

Do you have your information and physical assets labeled?

...

Information needs labeling as well. Develop your information labeling procedures based on the data classification schema you developed previously. Metadata is a common type of information label. Be careful how you manage information you have labeled as restricted, sensitive or confidential: the label itself makes those assets easy to identify, and assets that are easy to identify are easier to steal or misuse.


Handling of Assets

Is information being handled and protected according to its classification?

...

All of the above bullet points can be incorporated into one procedural access handling document. Remember, keep it simple so others will be able to understand and comply with the requirements. Hold a session with your information and physical asset owners so they can help you define the requirements. It's important everyone feels ownership for this process.

Resources


Media Handling (ISO 8.3)

Objective: To prevent business disruptions due to the unauthorized disclosure, modification, removal or destruction of information and information technology resources.

Management of Removable Media

Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important.

Disposal

Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.

Information Handling Procedures

Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.


Resources

EDUCAUSE Resources


Standards

ISO
  • 27002:2013 Information Security Management, Chapter 8: Asset Management
  • ISO/IEC 27005:2011

NIST
  • 800-30: Risk Management Guide for Information Technology Systems
  • 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
  • 800-53: Recommended Security Controls for Federal Information Systems and Organizations

COBIT
  • APO01.06, APO03.03, APO03.04, APO13.01
  • BAI02.01, BAI06.01, BAI09.01, BAI09.02, BAI09.03, BAI09.05
  • DSS05.02, DSS06.06

PCI DSS
  • Req 9
  • Req 12

2014 Cybersecurity Framework
  • ID.AM-1, ID.AM-2, ID.AM-5
  • PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5
  • PR.IP-6, PR.IP-11
  • PR.PT-2

HIPAA Security
  • 45 CFR 164.308(a)(1)(i)
  • 45 CFR 164.310(c)
  • 45 CFR 164.310(d)(1)
