Unit Asset Identification Guideline

Guideline Title: Unit Asset Identification Guideline
Guideline Number: IS-G1200
Responsible Office: Office of Information Security
PURPOSE:
The purpose of the Unit Asset Identification Guideline and accompanying workbook is to provide units
with a tool set for maintaining and updating their asset inventory on a periodic basis, at least annually.
SCOPE:
This guideline covers all units that interact with Confidential University Data (CUD) or units that have a
legal, regulatory or contractual requirement related to any compliance program. Units that are not in
scope for the above may use this guideline and tool for maintaining and updating their asset inventory.
USING THE ASSET IDENTIFICATION WORKBOOK:
The Asset Identification Workbook is designed to assist units in completing an inventory, and updating it
periodically, at least on an annual basis. It is especially important that units maintain a complete
inventory of hardware, applications, networks, servers, and personnel if they interact with CUD or data
covered by legal, regulatory or contractual requirements.
The Workbook consists of three worksheets for collecting information on hardware, software, and
personnel. Units that interact with CUD or data covered by legal, regulatory or contractual
requirements should use all columns on each worksheet in the workbook in order to identify
requirements involving data flow. Units that do not interact with CUD or are not under any legal,
regulatory, or contractual obligation can use the workbook to collect high-level data as part of best
practices.
Questions to consider when completing inventory:
Some questions to consider in identifying inventory are:
1. Physical Environment: What physical facilities house sensitive data?
2. Hardware: What hardware is involved in processing or storing sensitive data (e.g., hard drives,
servers, filing cabinets, PDAs)?
3. Applications: What application software interacts with sensitive data?
4. Networks: What infrastructure supports or interacts with sensitive data (e.g., servers, physical
media, fax, topology)?
5. Data: How sensitive is the data? Where is it stored? In what format is it stored?
6. People: Who are the people who will have access to this information and what is their role (i.e.,
third parties, employees)?
7. Processes: How is sensitive data processed?
Inventory Process:
Complete at least the hardware and application identification worksheets. If your unit has a
legal, regulatory or contractual requirement related to any compliance program, complete the
personnel identification worksheet as well.
Ensure that the unit name, number and inventory date are documented each time an inventory
is completed.
Identification Worksheets:
1. Hardware
a. Asset type
b. Asset Owner (the primary staff member responsible for the asset)
c. Asset Location
d. Device Name (for example, the computer name displayed when viewing “properties”)
e. Device Brand
f. Device Model
g. Device operating system (if applicable)
h. Asset Tag or N Tag number
i. Device Serial Number
j. List of systems with which the user interacts when using the device
k. Device criticality (check all that apply)
l. If the device is used as part of any compliance program, or if the user interacts with sensitive
data while using the device, note which types of data may be accessed, transmitted or stored
(check all that apply)
2. Applications
a. Application name
b. Application version
c. Application use
d. Application source (commercial product, developed in-house, etc.)
e. Location of primary permanent data storage (centrally, at the unit level, or outsourced)
f. Whether or not the application is web-based
g. Criticality of data that is used in conjunction with the application (check all that apply)
h. Classification of any sensitive data used in conjunction with the application (check all that apply)
3. Personnel (required for certain compliance programs, such as FERPA, PCI DSS, Export Control/ITAR,
HIPAA and Human Subjects Research)
a. Employee Name
b. UA NetID
c. Employee title
d. Employee phone number
e. Employee email address
f. Employee role (as part of compliance program in scope)
g. Physical location (building number and room number)
h. Criticality of data with which employee interacts (check all that apply)
i. Classification of any sensitive data with which employee interacts (check all that apply)
j. Data format (paper and/or electronic – check all that apply)
Requirements for units that fall under compliance programs:
The Asset Identification and the resulting completed inventory form the basis of completing a risk
analysis for each individual asset identified during the inventory process. Information assets identified
are then subjected to a detailed risk analysis, either one-by-one or by class of asset (e.g., all the laptops
that store ePHI). Additionally, creating complete documentation here can come in handy in the event of
a security incident that may indeed be determined to be a breach.
1. Assets may not be grouped
2. Assets that interact with sensitive data covered by legal, regulatory or contractual requirements
should be considered throughout the flow of data
3. Owners of the inventory should be identified
4. Who are the owners that are ultimately responsible for the security of data?
5. If the asset interacts, stores, or transmits confidential information or ensures the integrity or
availability of that information, assign criticality to that category.
Retention:
All asset identification documentation must be retained according to the appropriate retention
requirement, as found in the Compliance Program Documentation Requirements Guideline (IS-G101) or according to state or federal retention statutes.
Related Guidance
Information Security Policy (IS-100)
Information Security Terms Guideline (IS-G100)
Compliance Program Documentation Requirements Standard (IS-S101)
Compliance Program Documentation Requirements Guideline (IS-G101)
Data Classification Standard (IS-S302)
Business Continuity and Disaster Recovery Planning Standard (IS-S900)
Business Impact Analysis Form (IS-G902)
Risk Assessment Standard (IS-S1200)
Risk Assessment Procedure (IS-P1200)
HIPAA Security Rule 45 CFR 164.308
NIST Special Publications
All italicized terms used in this standard are defined in the Information Security Terms Guideline (IS-G100).
Revision History
Initial Draft: 11/15/12
Effective Date (current version): 11/15/12