An asset is anything that has value. This includes not only the university's physical information technology equipment, but also its information, software, reputation, people, and services. It is important to identify, classify, track, and assign ownership for the most important assets related to information security and information privacy, to ensure they are adequately safeguarded.
Safeguards for Domain 4, Information Security & Privacy Program
Responsibility for assets
Ideally all assets would be tracked by an organization. However, it is usually too costly to track and assign ownership to every asset. Instead, an organization typically tracks those assets that are of importance to the institution. An asset's importance can be based on a number of factors, including its sensitivity, criticality, value, or the compliance requirements placed upon it. Important assets should have an assigned owner responsible for establishing and maintaining appropriate safeguards to protect those assets.
Every member of the Indiana University community has some responsibility and accountability for the security and privacy of data and information. Because operations at Indiana University are distributed, the ultimate responsibility and accountability for handling information appropriately rests with the unit and individual responsible for collecting, storing, manipulating, transmitting, or otherwise handling the information.
In order to identify which information assets are of importance to the institution and thus require tracking and protection, a data classification scheme is used. See the Information Classification section below for more information. The university's Committee of Data Stewards is responsible for establishing the classification levels, for classifying institutional data elements, and for establishing policies and standards that safeguard the university's institutional data.
University units that use information not under the purview of the Committee of Data Stewards must be aware of applicable legal, contractual, regulatory, policy, and compliance requirements that govern the information, and ensure important information elements are classified appropriately.
The Indiana University Intellectual Property Policy outlines who owns patentable and copyrightable information assets. For assistance in technology commercialization and the IP issues associated with such activities, see the Indiana University Research & Technology Commercialization Corporation.
Data owners and handlers should strive to provide accurate, complete, up-to-date, and relevant information for the purposes identified in order to minimize the chance of inappropriate information being used in the conduct of university business, and especially for decisions about individuals. When feasible, individuals are informed that they are responsible for providing the organization with accurate, complete, and up-to-date personal information, and for contacting the organization if correction of such information is required.
Physical assets are determined to be of importance to the institution when they have an acquisition value of at least $5,000 and a useful life expectancy of one year or more, as defined in Policy I-170 below.
It is important to note that physical assets also may inherit their importance from the information stored or processed in or on them. If those information assets are classified at a level that requires tracking, then the physical asset does as well.
- IT-01 Policy: Appropriate Use of Information Technology Resources
- Policy I-140 Off-Premise Capital Equipment Control Outlines proper controls and responsibilities for capital equipment removed from university premises for thirty-one (31) days or more.
- Policy I-170 Capital Movable Asset Physical Inventories, Tagging and Location Changes Outlines how physical inventories and tagging are completed to secure university capital assets, to verify location for compliance with OMB Circular A110, and to assist organizations with effective management of capital equipment.
- Policy I-270 Ownership of University Capital Assets Establishes ownership for university capital assets in the custody of Indiana University
- Policy I-390 Inventory States that a physical inventory of the items maintained in inventory for resale should be taken at least once every fiscal year.
- Policy P-14.0 Disposal and Redistribution of University Property outlines who is responsible for removing information from any type of storage device or computing technology prior to the equipment leaving their possession.
- Securely Removing Data discusses the risks associated with and the processes used to securely remove data from storage media. It also explains why a simple delete of the data files does NOT suffice.
- Purchasing maintains a list of vendors approved for paper Document Destruction or shredding.
- Policy P-14.1 Sale of Computing Equipment directs how computing technology with storage devices and institutional information shall be managed before the technology is removed from University campuses
Empowering People Strategic Plan, Recommendation 5 contains Action 17d which highlights Indiana University's need for a central asset tracking product, within which risk assessment surveys can be coordinated.
Information — like other assets — should be classified based on its sensitivity, criticality, value, or the compliance requirements placed upon it. Such an approach can help guide inventory and risk management approaches for other assets that store or process the university's information.
The university's Committee of Data Stewards is responsible for classifying the university's institutional data. Information elements or assets may be classified by the appropriate Data Steward into levels, which are based on the confidentiality (the sensitivity as it relates to its inappropriate disclosure) and the criticality (the relative importance of maintaining integrity and availability for business operations) of the information element or asset. This classification serves as a basis upon which asset protection measures are performed.
- Classifications of Institutional Data
- ISPP-25.2 Standard: Information Classification (in process)
University units that use data not under the purview of the Committee of Data Stewards must be aware of applicable legal, contractual, regulatory, policy, and compliance requirements that govern the data and perform risk assessments appropriately.
Summary of domain objectives
The primary objectives of this domain are to ensure:
- all important assets are accounted for
- all important assets have an assigned owner responsible for maintaining and protecting the assets
- information is classified to assist in the selection of appropriate safeguards
- What is institutional data? | IU Knowledge Base
- Protection of Sensitive Institutional and Personal Data
- NIST Special Publication 800-88 Guidelines for Media Sanitization
- EDUCAUSE/Internet2 Information Security Guide: Asset Management
- Do you plan to travel abroad and take your university issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine if your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities with whom IU is prohibited by federal law from doing business with. Contact them at firstname.lastname@example.org.