Information asset management
Classifying University data (information assets) is an important element of information security. It helps us understand how sensitive data is, who should access it and what level of protection we need to give it.
The following describes the remit of Information Asset Owners and, in so far as it relates to information security compliance, is provided as background information, particularly relevant for heads of division, heads of department and faculty board chairs.
In order to fulfil their information security responsibilities, Information Asset Owners must:
- Classify the information assets they are responsible for
- Develop appropriate handling rules for these information assets
- Ensure that all users are aware of and have confirmed their understanding of the handling rules
- Maintain an up-to-date inventory of all asset usage
- Monitor compliance against the information handling rules
- Review classification and handling rules annually
The main tasks of Information Asset Owners are classifying assets, establishing information handling rules and maintaining asset inventories.
Classification of assets
Information Asset Owners should, in accordance with the University Classification Scheme, categorise and classify information assets as:
- Internal (the default classification) or
Information Asset Owners may define sub-categories of information under these three primary information asset types. This could be according to type of information or usage, or time-related. For example:
- 'Sensitive personal data' may be classified as 'confidential', whereas 'Personal data' may be 'internal'
- 'Exam papers in preparation' may be 'confidential', while 'Exam past papers' may be 'public'
However information assets are categorised, Information Asset Owners should clearly maintain and publish a complete information asset list along with examples for each sub-category.
The Information Security Team can support Information Asset Owners with advice on the appropriate classification of information.
Information handling rules
Information handling rules may be based on the information handling guidelines maintained by the Information Security Team, and should cover:
- Where information can be accessed, stored or processed
- How information can be accessed, stored or processed
- Who can access, store or process information
Where third parties are accessing, storing or processing information assets on behalf of the University, rules for the acceptable usage of information assets must be included in contractual arrangements. The Information Security Team have worked with the Legal Services Office to develop a default information security schedule to be included in contracts. Information Asset Owners can contact Legal Services for more information on contractual issues.
To ensure that users have read, understood and signed up to all necessary handling rules, Information Asset Owners should have all users of information assets sign up to appropriate terms and conditions of use.
The Information Security Team offers advice on developing appropriate information handling rules.
Asset inventories and compliance
Information Asset Owners should maintain a high-level inventory of where and how their information asset is processed across the University. Asset inventories should include authorised users and usage of information assets. For example, a high-level information asset inventory for payment card data might include:
- Merchant IDs
- Types of credit card payments/transactions
Information Asset Owners may require your division, department or faculty to maintain a more detailed list of systems on which their information asset is processed.
The Information Security Team are developing systems and processes to help Information Asset Owners maintain an inventory of their information assets and monitor compliance against the associated acceptable usage policies.
- Information Asset Owners should be identified for all University information assets
- Information assets should be handled according to how critical and sensitive they are
- Rules for the acceptable use of information assets should be documented and implemented