8.1 - Asset Management
Responsibility for Assets

Information Security Standard

Version: 3.0
Status: Approved - 2016-09-21
Reference: ISO/IEC 27002:2013(E)
Contact: Chief Information Security Officer

PURPOSE
To achieve and maintain appropriate protection of VCCS assets.

SCOPE
In accordance with ISO/IEC 27002:2013(E), §8.1, Owners should be identified for all VCCS assets and the responsibility for the maintenance of appropriate security controls should be assigned. The implementation of specific security controls may be delegated by the owner as appropriate but the owner remains responsible for the proper protection of the assets.

APPLICABILITY
The Responsibility for Assets Standard is applicable to all offices and colleges of the Virginia Community College System (VCCS) and all third-party contracted services that process or store VCCS information assets.

STANDARD
The standards identified in this document define the minimum requirements for the controls that must be in place to protect VCCS information assets. This document comprises the following topics:
  • Inventory of assets;
  • Ownership of assets;
  • Acceptable use of assets;
  • Return of assets.
 
Requirement:  §8.1.1 - Inventory of Assets
All assets will be clearly identified and an inventory of all important assets will be compiled and maintained. This control takes into account:
 
  • Identifying all assets and documenting the importance of these assets;
  • Requiring an asset inventory be compiled and maintained according to Commonwealth of Virginia and VCCS asset management policies and procedures that includes all the necessary information to recover from a disaster;
  • Ensuring that any information needed to support the technical vulnerability management requirements is included in the asset inventory;
  • Ensuring that delivered goods are properly inventoried upon arrival according to Commonwealth of Virginia, VCCS, and College asset management policies and procedures;
  • Ensuring that the inventory does not duplicate other inventories unnecessarily, while maintaining aligned contents;
  • Mandating that the ownership of assets and the classification of assets are agreed upon and formally documented; and
  • Implementing a level of protection for an asset that is commensurate with the importance of the asset, its business value, and its security classification as determined during the business impact analysis and risk assessment process.
 
Requirement:  §8.1.2 - Ownership of assets
Information and assets that are associated with information processing facilities will be owned by a designated part of the organization. The “asset owner” will be assigned the overall responsibility for protecting individual assets. The asset owner is responsible for:
 
  • Ensuring that information and assets associated with information processing facilities are appropriately classified;
  • Defining and periodically reviewing access restrictions and classifications, taking into consideration applicable access control policies.
Note: Ownership may be allocated to a business process; a defined set of activities; an application; or a defined set of data.

Requirement:  §8.1.3 - Acceptable use of assets
Rules for the acceptable use of information and assets associated with information processing facilities will be identified, documented, and implemented. The rules developed for this standard will:
  • Require all employees, contractors and third-party users to follow rules for the acceptable use of information and assets associated with information processing facilities, including:
      • Rules for electronic mail and Internet usage;
      • Guidelines for the use of mobile devices, especially for use outside the premises of the organization; and
  • Be supplemented by specific rules or guidance provided by the relevant management.

Requirement:  §8.1.4 - Return of Assets
All employees, contractors and third-party users will return all of VCCS’s assets in their possession upon termination of their employment, contract or agreement.
 
The System Office and Colleges will establish termination and transfer practices that require return of agency logical and physical assets that provide access to sensitive IT systems and data and the facilities that house them. These assets include but are not limited to:
  • Issued software
  • VCCS documents
  • VCCS equipment
  • Mobile computing devices
  • Credit cards
  • Access cards
  • Manuals
  • Mobile electronic media
  • Information stored on non-VCCS mobile electronic media
 
In cases where an employee, contractor or third party user purchases VCCS’s equipment or uses their own personal equipment, procedures will be developed and implemented to ensure that all relevant information is transferred to VCCS and securely erased from the equipment.
 
In cases where an employee, contractor or third-party user has knowledge that is important to ongoing operations, that information will be documented and transferred to VCCS prior to termination or change in employment.

Related Documents:
In supporting these requirements VCCS has adopted and implemented the following related documents:
VCCS Information Security Policy
VCCS IT Security Standards: 
  • 4.1 Assessing Security Risks.docx
  • 4.2 Treating Security Risks.docx
  • 5.1 Information Security Program.docx
  • 6.0 Information Security Governance and Organization.docx
  • 6.1 Internal Organization.docx
  • 6.2 Mobile Devices and Teleworking.docx
  • 7.1 Personnel Information Security Prior to Employment.docx
  • 7.2 Personnel Information Security During Employment.docx
  • 7.3 Personnel Information Security Termination or Change of Employment.docx
  • 8.1 Responsibility for Assets.docx
  • 8.2 Information Classification.docx
  • 8.3 Media Handling.docx
  • 9.1 Business Requirement for Access Control.docx
  • 9.2 User Access Management.docx
  • 9.3 User Responsibilities.docx
  • 9.4 Operating System Access Control.docx
  • 10.1 Cryptographic Controls.docx
  • 11.1 Secure Areas.docx
  • 11.2 Equipment Security.docx
  • 12.1 Operational Procedures and Responsibilities.docx
  • 12.2 Protection Against Malicious and Mobile Code.docx
  • 12.3 Backup.docx
  • 12.4 Monitoring.docx
  • 12.5 Control of Operational Software.docx
  • 12.6 Technical Vulnerability Management.docx
  • 12.7 Information Systems Audit Considerations.docx
  • 13.1 Network Access Control.docx
  • 13.2 Exchange of Information.docx
  • 14.1 Security Requirements of Information Systems.docx
  • 14.2 Security in Development and Support Processes.docx
  • 15.1 Supplier Relationships.docx
  • 15.2 Third Party Service Delivery Management.docx
  • 16.1 Management of Information Security Incidents and Improvements.docx
  • 17.1 InfoSec Aspects of Business Continuity Management.docx
  • 17.2 Redundancies.docx
  • 18.1 Compliance with Legal Requirements.docx
  • 18.2 Information Security Reviews.docx
 
REVISION HISTORY

Date        Version  Reviewer    List of Changes
2013-01-14  2.0      CISO        Revised draft to final
2013-08-15  2.01     S. Bumpas   Format changes; added revision page
2016-09-21  3.0      J. Skinker  ISO 27000 Framework 2013 Update - Format Changes, Updated References, Updated Related Documents, added new §8.1.4 - Return of Assets moved from old 8.3.2

Final Approval

Date        Version  Name                     Position
2016-09-21  3.0      VCCS Technology Council  Approved