Overview

An asset is defined as "an item of value". (Source: Merriam-Webster's Online Dictionary) Asset management is based on the idea that it is important to identify, track, classify, and assign ownership for the most important assets in your institution to ensure they are adequately protected. Tracking inventory of IT hardware is the simplest example of asset management. Knowing what you have, where it lives, how important it is, and who's responsible for it are all-important pieces of the puzzle.

Similarly, an Information Asset is an item of value containing information. The same concepts of general asset management apply to the management of information assets. To be effective, an overall asset management strategy should include information assets, software assets, and information technology equipment. In addition, the people employed by an organization, as well as the organization's reputation, are also important assets not to be overlooked in an effective asset management strategy.

An institution should be in a position to know what physical, environmental or information assets it holds, and be able to manage and protect them appropriately. Important elements to consider when developing an asset management strategy are:

  • Inventory (do you know what assets you have and where they are?)
  • Responsibility/Ownership (do you know who is responsible for each asset?)
  • Importance (do you know how important each asset is in relation to other assets?)
  • Acceptable use (have you established acceptable-use rules for information and assets?)
  • Protection (is each asset adequately protected according to how important it is?)

Standards

ISO
  • 27002:2013 Information Security Management, Chapter 8: Asset Management
  • ISO/IEC 27005:2011

NIST
  • 800-30: Risk Management Guide for Information Technology Systems
  • 800-37: Guide for the Security Certification and Accreditation of Federal Information Systems
  • 800-53: Recommended Security Controls for Federal Information Systems and Organizations

COBIT
  • APO01.06, APO03.03, APO03.04, APO13.01, BAI02.01, BAI06.01, BAI09.01, BAI09.02, BAI09.03, BAI09.05, DSS05.02, DSS06.06

PCI DSS
  • Req 9
  • Req 12

2014 Cybersecurity Framework
  • ID.AM-1, ID.AM-2, ID.AM-5, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5, PR.IP-6, PR.IP-11, PR.PT-2

HIPAA Security
  • 45 CFR 164.308(a)(1)(i)
  • 45 CFR 164.310(c)
  • 45 CFR 164.310(d)(1)

Getting Started
Asset Management is all about discovery, ownership, value, acceptable use and protection of assets. Assets can be tangible, like hardware, or informational, like data. Whether you are with a small or large institution, begin by:

  1. Finding out what you have and who owns it. Don't forget about items such as data center air systems and UPSs.
    1. Do something simple, like creating a spreadsheet of the items, where they are located and who is responsible for them.
  2. Classifying them by importance. Not all assets are created equal; some are more important than others.
  3. Protecting the assets according to their importance. Protection can be policy-based or technical.

Don't forget about the Information Assets.  They are just as important as the physical assets.  The same inventory, classification and protection exercise that is done with hardware is done with information assets.  Start with federal or state laws or institutional policy requirements.  Keep your data classification schema simple.  Using something like Public, Restricted and Confidential as classification types can lead to a quick classification victory so you can make a determination on protection measures.  The Data Classification Toolkit in this guide will be helpful.

Responsibility for Assets (ISO 8.1)

Objective: To ensure adequate protection of organizational resources, all assets should be accounted for and each should have a designated responsible party.

Asset Inventory

Do you know what assets you have and where they are?

In order to effectively manage an organization's assets, you must first understand what assets you have and where your organization keeps them. Some institutional asset examples are IT hardware, software, data, system documentation, and storage media. Supporting assets such as data center air systems, UPSs and services should be included in the inventory. All assets should be accounted for and have an owner. If improperly managed, assets can become liabilities.

So where do you begin?

Categorize your assets. Begin by defining distinct categories of the types of assets in your institution. Each category should have its own inventory or classification structure based on the assets that category may contain.

(Category: Data Center Hardware)

Create a list of assets for each category. Creating a list of an institution's assets and their corresponding locations is the beginning of your inventory. Often, the process of doing so helps identify additional assets that previously had not been considered.

(Category: Data Center Hardware; Asset: Core Network Switches)

Add a location for each asset. Location could be a brick and mortar physical location such as a classroom, data center or office. It could also be collaborative research materials on a file share or financial information stored in a database.

(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001)

Because assets can be many things and serve multiple functions, there will likely be more than one inventory process or system used to capture the range of assets that exist at an institution. Make sure you connect with other areas to see what form of hardware inventory already exists. Don't start from zero. Each inventory system should not unnecessarily duplicate other inventories that may exist.

Asset Responsibility/Ownership

Do you know who is responsible for each asset?

Once you have begun to capture an inventory of the potential assets and their locations, start identifying the responsible party, or parties, for each asset. An owner is a person, persons or department that has been given formal responsibility for the security of an asset. The owner(s) are responsible for securing the asset(s) throughout their lifecycle.

Identifying the owners will help determine who will be responsible for carrying out protective measures, and responding to situations where assets may have been compromised. You will also quickly realize when it isn't clear who the appropriate responsible party is or when shared responsibility may be an issue.

(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey)

The owner(s) of the assets should be able to identify acceptable uses or provide information on which institutional policy governs its acceptable use. Work with the responsible owner, if need be, on acceptable uses. The acceptable uses should include items such as who assumes the risk of loss, who grants access to the asset, and how a critical asset is kept functional during or after a loss. Policies governing the use, preservation and destruction of hardware may originate from your Asset Management Office. Many institutions also find it helpful to document expectations for the acceptable and responsible use of information technology assets in an Acceptable and Responsible Use Policy.

Identifying an owner, or responsible party, for physical hardware or software is relatively easy. Information assets may be a bit more difficult to identify, classify, and assign ownership to.

Physical and Environmental Asset Importance

Do you know how important each asset is in relation to other assets?

All assets add value to an organization. However, not all assets are created equal. Gaining a clear understanding of the relative importance of each asset when compared to other organizational assets is an essential step if you are to adequately protect your assets. The importance of an asset can be measured by its business value and security classification or label.

Create a rating system for the asset. It can be as simple as (highest to lowest):

  • 1 – critical that this asset is always available and protected
  • 2 – very important that this asset is available and protected
  • 3 – important that this asset is available and protected
  • 4 – good if this asset is available, with minimal protection

Building on the previous example and adding a rating system, it would look like

(Category: Data Center Hardware; Asset: Core Network Switches; Location: Einstein Bldg., Rm. 0001; Owner: Director Thomas Stoltz Harvey; Rate: 1 (Critical))

A student computer lab machine, depending on its location, may have a lower rating, since it is good, rather than critical, that the asset is available. Such a machine may be protected with anti-virus software alone.

Information Classification (ISO 8.2)

Objective: To appropriately protect various kinds of information, implement a classification scheme that states the relative importance of each type of information to the organization, as well as an appropriate level and method of protection for each.

Information Asset Importance

Do you know how important each information asset is in relation to other assets?

Information assets may not be equally important, equally sensitive or confidential in nature, or require the same care in handling. One common method of ascertaining the importance of information assets is data classification. Information assets should be classified according to their need for security protection and labeled accordingly.

So where do you begin?

Start with federal or state laws, regulations, rules or institutional policies that require certain information assets be protected. These could be FERPA, HIPAA, or a state law governing social security number use.

Pick a classification metric. Keep it simple. You may want to use something like (lowest to highest)

  • Public, Restricted, Confidential

Perhaps your inventory of information assets might look like

(Category: Information; Asset: Student Records; Location: Banner Cluster 1, database sis_prod; Owner: Dean of Admissions; Rate: 1 (Critical))

This Data Classification Toolkit may be helpful to you in getting started.
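Once the inventory described above (Category; Asset; Location; Owner; Rate) and the Public/Restricted/Confidential scheme live in a spreadsheet, the gaps the guide warns about (assets with no owner or location, information assets that were never classified) can be found mechanically. The script below is an added example, not part of this guide or of the Data Classification Toolkit it references: the CSV rows are constructed (two of them mirror the guide's own examples), and the MIN_PROTECTION mapping is a hypothetical policy, not one the guide prescribes.

```python
"""Tiny asset-inventory checker: parses a spreadsheet-style inventory,
flags gaps (no owner, no location, unclassified information, bad rating)
and maps each asset's rating to a minimum protection expectation.

Added example, not part of the guide. The CSV content is constructed and
MIN_PROTECTION is a hypothetical policy (assumption), not one the guide gives.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

# Rating scale as stated in the guide (1 = highest).
RATINGS = {1: "Critical", 2: "Very important", 3: "Important", 4: "Good if available"}

# Classification levels from the guide, lowest to highest sensitivity.
CLASSIFICATIONS = ("Public", "Restricted", "Confidential")

# Hypothetical policy: minimum protection measures per rating (assumption).
MIN_PROTECTION = {
    1: ["physical access control", "named owner", "annual security assessment", "backup/recovery plan"],
    2: ["physical access control", "named owner", "backup/recovery plan"],
    3: ["named owner", "endpoint protection"],
    4: ["endpoint protection"],
}

# Constructed inventory in the guide's (Category; Asset; Location; Owner; Rate) form,
# plus a Classification column that only information assets need to fill in.
SAMPLE_INVENTORY = """category,asset,location,owner,rating,classification
Data Center Hardware,Core Network Switches,"Einstein Bldg., Rm. 0001",Director Thomas Stoltz Harvey,1,
Information,Student Records,"Banner Cluster 1, database sis_prod",Dean of Admissions,1,Confidential
Data Center Hardware,UPS Unit 3,,Facilities,2,
Lab Hardware,Student Lab PC 17,"Library, Rm. 214",,4,
Information,Campus Event Calendar,Web CMS,Communications Office,3,Public
Information,Research Data Set Alpha,File share //research01/alpha,Dr. Example,2,
"""


@dataclass
class Asset:
    category: str
    name: str
    location: str
    owner: str
    rating: Optional[int]   # None when the spreadsheet cell is not a number
    classification: str

    @property
    def is_information(self) -> bool:
        return self.category.strip().lower() == "information"


def parse_inventory(text: str) -> list[Asset]:
    """Read the CSV; an unparseable rating becomes None so it is reported, not crashed on."""
    assets = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = (row.get("rating") or "").strip()
        assets.append(Asset(
            category=row["category"].strip(),
            name=row["asset"].strip(),
            location=row["location"].strip(),
            owner=row["owner"].strip(),
            rating=int(raw) if raw.isdigit() else None,
            classification=row["classification"].strip(),
        ))
    return assets


def find_gaps(assets: list[Asset]) -> list[str]:
    """One human-readable finding per missing piece of the inventory."""
    gaps = []
    for a in assets:
        if not a.owner:
            gaps.append(f"{a.name}: no responsible owner")
        if not a.location:
            gaps.append(f"{a.name}: no location recorded")
        if a.rating not in RATINGS:
            gaps.append(f"{a.name}: rating {a.rating!r} is not on the 1-4 scale")
        if a.is_information and a.classification not in CLASSIFICATIONS:
            gaps.append(f"{a.name}: information asset without a valid classification")
    return gaps


def required_protection(asset: Asset) -> list[str]:
    """Minimum measures under the hypothetical policy; an unknown rating gets the strictest set."""
    measures = list(MIN_PROTECTION.get(asset.rating, MIN_PROTECTION[1]))
    if asset.is_information and asset.classification == "Confidential":
        measures.append("access on documented request via data steward")
    return measures


def report(text: str = SAMPLE_INVENTORY) -> dict:
    assets = parse_inventory(text)
    return {
        "assets": len(assets),
        "gaps": find_gaps(assets),
        "protection": {a.name: required_protection(a) for a in assets},
    }


if __name__ == "__main__":
    r = report()
    print(f"{r['assets']} assets inventoried, {len(r['gaps'])} gaps")
    for g in r["gaps"]:
        print("GAP:", g)
    for name, measures in r["protection"].items():
        print(f"{name}: {', '.join(measures)}")
```

Running it against the constructed rows reports three gaps (a UPS with no location, a lab PC with no owner, and a research data set that was never classified), which is exactly the kind of finding the "don't start from zero" advice above expects you to turn up when you merge existing inventories.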

Asset Protection

Is each asset adequately protected according to how important it is?

Different assets have different impacts on the continuity and reputation of the organization. Once you have determined the importance of your various organizational assets, you can begin the process of determining how best to protect them.

Many methods are employed to protect assets, ranging from legislative mandates (and their enforcement) to policies to technical security controls. Additionally, assets must be protected throughout their life cycle, from creation or purchase through final disposal or long-term storage.

Protection measures range from addressing purchasing controls to managing access by appropriate personnel to ensuring adequate physical security for assets throughout their lifetime.

Some institutions have established Data Stewardship policies to help ensure responsibilities for protecting data are effectively accomplished. It is important to note that data custodians/stewards are the decision-makers when it comes to accessing records. There needs to be a process in place for requesting access to both static and live data. The process/policy should include contract language or review to determine what happens to institutional data when a contract with a vendor is no longer in force. The data custodians/stewards can work with you to help develop policies if none are yet in place.

Other institutions conduct regular security assessments of assets considered to be critical for the functioning of an institution. Institutions may also address asset protection through physical security measures, or through background checks for newly hired and continuing personnel.

Media Handling (ISO 8.3)

Objective: To prevent business disruptions due to the unauthorized disclosure, modification, removal or destruction of information and information technology resources.

Management of Removable Media

Integrate necessary controls to manage media items, whether tapes, disks, flash disks, or removable hard drives, CDs, DVDs, or printed media, to ensure the integrity and confidentiality of university data. Guidelines should be developed and implemented to ensure that media are used, maintained, and transported in a safe and controlled manner. Handling and storage should correspond with the sensitivity of the information on the media. Procedures to erase media if no longer needed, to ensure information is not leaked, are also important.

Disposal

Procedures for handling classified information should cover the appropriate means of its destruction and disposal. Serious breaches of confidentiality occur when apparently worthless disks, tapes, or paper files are dumped without proper regard to their destruction.

Information Handling Procedures

Procedures for handling and storage of sensitive information, together with audit trails and records, are important. Accountability should be introduced and data classification and risk assessments performed, to ensure that necessary controls are applied to protect sensitive data. Appropriate access controls should be implemented to protect information from unauthorized disclosure or usage. Systems are also vulnerable to the unauthorized use of system documentation; much of this type of information should be regarded and handled as confidential. Security procedures, operating manuals, and operations records all come into this category.

Resources

Except where otherwise noted, this work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0).