Safeguards for Domain 4
Information Security & Privacy Program
An asset is anything that has value. This includes not only the university's physical information technology equipment, but also its information, software, reputation, people, and services. It is important to identify, classify, track, and assign ownership for the most important assets related to information security and information privacy, to ensure they are adequately safeguarded.
Each section below first states the standards-based expectations for this domain, then describes IU's implementation of safeguards for this domain.
Responsibility for Assets
Ideally all assets would be tracked by an organization. However, it is usually too costly to track and assign ownership to every asset. Instead, an organization typically tracks those assets that are of importance to the institution. An asset's importance can be based on a number of factors, including its sensitivity, criticality, value, or the compliance requirements placed upon it. Important assets should have an assigned owner responsible for establishing and maintaining appropriate safeguards to protect those assets.
Every member of the Indiana University community has some responsibility and accountability for the security and privacy of data and information. Because operations at Indiana University are distributed, the ultimate responsibility and accountability for handling information appropriately rests with the unit and individual responsible for collecting, storing, manipulating, transmitting, or otherwise handling the information.
In order to identify which information assets are of importance to the institution and thus require tracking and protection, a data classification scheme is used. See the Information Classification section below for more information. The university's Committee of Data Stewards is responsible for establishing the classification levels, for classifying institutional data elements, and for establishing policies and standards that safeguard the university's institutional data.
University units that use information not under the purview of the Committee of Data Stewards must be aware of applicable legal, contractual, regulatory, policy, and compliance requirements that govern the information, and ensure important information elements are classified appropriately.
The Indiana University Intellectual Property Policy outlines who owns patentable and copyrightable information assets. For assistance in technology commercialization and the IP issues associated with such activities, see the Indiana University Research & Technology Commercialization Corporation.
The University Information Security Office (UISO) provides a site license to Identity Finder as a tool to help individuals and units discover sensitive data on workstations, storage devices, servers, and Web servers, so the data can be securely disposed of or protected.
Data owners and handlers should strive to provide accurate, complete, up-to-date, and relevant information for the purposes identified in order to minimize the chance of inappropriate information being used in the conduct of university business, and especially for decisions about individuals. When feasible, individuals are informed that they are responsible for providing the organization with accurate, complete, and up-to-date personal information, and for contacting the organization if correction of such information is required.
Physical assets are determined to be of importance to the institution when they have an acquisition value of at least $5,000 and a useful life expectancy of one year or more, as defined in Policy I-170 below.
It is important to note that physical assets also may inherit their importance from the information stored or processed in or on them. If those information assets are classified at a level that requires tracking, then the physical asset does as well.
Empowering People Strategic Plan, Recommendation 5, contains Action 17d, which highlights Indiana University's need for a central asset tracking product within which risk assessment surveys can be coordinated.
Information Classification
Information — like other assets — should be classified based on its sensitivity, criticality, value, or the compliance requirements placed upon it. Such an approach can help guide inventory and risk management approaches for other assets that store or process the university's information.
The university's Committee of Data Stewards is responsible for classifying the university's institutional data. Information elements or assets may be classified by the appropriate Data Steward into levels, which are based on the confidentiality (the sensitivity as it relates to its inappropriate disclosure) and the criticality (the relative importance of maintaining integrity and availability for business operations) of the information element or asset. This classification serves as a basis upon which asset protection measures are performed.
University units that use data not under the purview of the Committee of Data Stewards must be aware of applicable legal, contractual, regulatory, policy, and compliance requirements that govern the data and perform risk assessments appropriately.
Summary of Domain Objectives
The primary objectives of this domain are to ensure:
- all important assets are accounted for
- all important assets have an assigned owner responsible for maintaining and protecting the assets
- information is classified to assist in the selection of appropriate safeguards
- IU Knowledge Base: What is institutional data?
- "Protecting Red Hot Data" flippy book
- Protection of Sensitive Institutional and Personal Data
- NIST Special Publication 800-88 Guidelines for Media Sanitization
- EDUCAUSE/Internet2 Information Security Guide: Asset Management
- Do you plan to travel abroad and take your university-issued laptop computer, digital storage device, or any encryption products with you? The Export Control Office in the Office of Research Administration can help you determine whether your university-issued electronic components require a license prior to international travel, can provide tips for international travel with information stored on electronic components, and can provide a list of sanctioned and restricted parties and entities.